feat: overhaul codebase checks

.github/workflows/checks.detekt.yml

@@ -0,0 +1,110 @@
+name: Detekt
+
+"on":
+  workflow_dispatch:
+    inputs:
+      ## Input: Artifact Name
+      artifact:
+        description: "Artifact"
+        required: false
+        type: string
+        default: "elide-framework"
+
+  workflow_call:
+    inputs:
+      artifact:
+        description: "Artifact"
+        required: false
+        type: string
+        default: "elide-framework"
+
+    secrets:
+      BUILDLESS_APIKEY:
+        description: "Buildless API key"
+        required: false
+      GRADLE_CONFIGURATION_KEY:
+        description: "Gradle cache key"
+        required: false
+
+permissions:
+  contents: "read"
+
+jobs:
+  sonar:
+    name: "Detekt"
+    runs-on: ubuntu-latest
+    continue-on-error: true
+    steps:
+      - name: "Setup: Harden Runner"
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+      - name: "Setup: Checkout"
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+      - name: "Setup: Cache Restore (Build)"
+        id: cache-restore-build
+        uses: actions/cache/restore@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0
+        with:
+          key: elide-framework-v1-build-${{ hashFiles('gradle/elide.versions.toml') }}
+          restore-keys: |
+            elide-framework-v1-build-${{ hashFiles('gradle/elide.versions.toml') }}
+            elide-framework-v1-build-
+            elide-framework-v1-
+            elide-framework-
+          path: |
+            .gradle/
+            build/
+            .codebase/
+            packages/*/build/bin
+            packages/*/build/classes
+            packages/*/build/kotlin
+            packages/*/build/klib
+            packages/*/build/generated
+            packages/*/build/generated-sources
+            packages/proto/*/build/bin
+            packages/proto/*/build/classes
+            packages/proto/*/build/kotlin
+            packages/proto/*/build/klib
+            packages/proto/*/build/generated
+            packages/proto/*/build/generated-sources
+            tools/elide-build/build/bin
+            tools/elide-build/build/classes
+            tools/elide-build/build/kotlin
+            tools/elide-build/build/klib
+            tools/elide-build/build/generated
+            tools/elide-build/build/generated-sources
+      - name: "Setup: GraalVM (Java 21)"
+        uses: graalvm/setup-graalvm@2a93b69fdf86ac5a078a98c1a707744632e1da94 # v1.1.5
+        with:
+          distribution: "graalvm"
+          java-version: 21
+          check-for-updates: false
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+      - name: "Setup: Artifacts"
+        uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
+        continue-on-error: true
+        with:
+          merge-multiple: true
+      - name: "Setup: Git History"
+        run: git fetch --unshallow || exit 0
+      - name: "Analysis: Detekt"
+        uses: gradle/actions/setup-gradle@v3.1.0
+        continue-on-error: true
+        env:
+          CI: true
+          BUILDLESS_APIKEY: ${{ secrets.BUILDLESS_APIKEY }}
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+        with:
+          cache-read-only: true
+          cache-encryption-key: ${{ secrets.GRADLE_CONFIGURATION_KEY }}
+          arguments: |
+            detekt
+            -x nativeCompile
+            -x nativeOptimizedCompile
+      - name: "Report: SARIF Upload"
+        uses: github/codeql-action/upload-sarif@e675ced7a7522a761fc9c8eb26682c8b27c42b2b # v3.24.1
+        with:
+          sarif_file: build/reports/detekt/detekt.sarif

.github/workflows/checks.sonar.yml

@@ -108,20 +108,32 @@ jobs:
           merge-multiple: true
       - name: "Setup: Git History"
         run: git fetch --unshallow || exit 0
-      - name: "Analysis: Sonar"
+      - name: "Build: Verify Coverage"
         uses: gradle/actions/setup-gradle@v3.1.0
         continue-on-error: true
         env:
           CI: true
           BUILDLESS_APIKEY: ${{ secrets.BUILDLESS_APIKEY }}
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
         with:
           cache-read-only: true
           cache-encryption-key: ${{ secrets.GRADLE_CONFIGURATION_KEY }}
           arguments: |
             koverVerify
             koverBinaryReport
             koverXmlReport
+            -x nativeCompile
+            -x nativeOptimizedCompile
+      - name: "Analysis: Sonar"
+        uses: gradle/actions/setup-gradle@v3.1.0
+        continue-on-error: true
+        env:
+          CI: true
+          BUILDLESS_APIKEY: ${{ secrets.BUILDLESS_APIKEY }}
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+        with:
+          cache-read-only: true
+          cache-encryption-key: ${{ secrets.GRADLE_CONFIGURATION_KEY }}
+          arguments: |
             sonar
             -x nativeCompile
             -x nativeOptimizedCompile

.github/workflows/job.test.yml

@@ -114,6 +114,9 @@ name: Tests
       GRADLE_CONFIGURATION_KEY:
         required: false
         description: "Gradle cache key"
+      SONAR_TOKEN:
+        required: true
+        description: "Sonar token"
 
 env:
   BUILDLESS_APIKEY: ${{ secrets.BUILDLESS_APIKEY }}
@@ -185,6 +188,7 @@ jobs:
         with:
           key: elide-framework-v1-tests-${{ hashFiles('gradle/elide.versions.toml') }}
           path: |
+            build/reports/kover/**/*.*
             packages/*/test-results/
             packages/proto/*/test-results/
             tools/elide-build/test-results/
@@ -233,12 +237,14 @@ jobs:
         env:
           CI: true
           BUILDLESS_APIKEY: ${{ secrets.BUILDLESS_APIKEY }}
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
           TEST_EXCEPTIONS: true
         with:
           cache-read-only: false
           cache-encryption-key: ${{ secrets.GRADLE_CONFIGURATION_KEY }}
           dependency-graph: disabled
-          gradle-home-cache-includes: binaryen
+          gradle-home-cache-includes:
+            binaryen
             caches
             jdks
             native
@@ -254,6 +260,92 @@ jobs:
             koverBinaryReport
             koverVerify
             copyCoverageReports
+            sonar
+            -x wasmJsTest
+            -x wasmWasiTest
+            -x wasmWasiNodeTest
+            -x detekt
+            --scan
+            --build-cache
+            --configuration-cache
+            --no-daemon
+            --warning-mode=none
+            --dependency-verification=lenient
+            -x apiCheck
+            -Pelide.ci=true
+            -PbuildSamples=false
+            -PbuildDocs=false
+            -PbuildDocsSite=false
+      - name: "Analysis: Sonar"
+        uses: gradle/actions/setup-gradle@v3.1.0
+        continue-on-error: true
+        env:
+          CI: true
+          BUILDLESS_APIKEY: ${{ secrets.BUILDLESS_APIKEY }}
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+          TEST_EXCEPTIONS: true
+        with:
+          cache-read-only: false
+          cache-encryption-key: ${{ secrets.GRADLE_CONFIGURATION_KEY }}
+          dependency-graph: disabled
+          gradle-home-cache-includes: binaryen
+            caches
+            jdks
+            native
+            native-build-tools
+            nodejs
+            notifications
+            wrapper
+            yarn
+          arguments: |
+            detekt
+            koverXmlReport
+            koverBinaryReport
+            koverVerify
+            sonar
+            -x wasmJsTest
+            -x wasmWasiTest
+            -x wasmWasiNodeTest
+            -x detekt
+            --scan
+            --build-cache
+            --configuration-cache
+            --no-daemon
+            --warning-mode=none
+            --dependency-verification=lenient
+            -x apiCheck
+            -Pelide.ci=true
+            -PbuildSamples=false
+            -PbuildDocs=false
+            -PbuildDocsSite=false
+      - name: "Analysis: Sonar"
+        uses: gradle/actions/setup-gradle@v3.1.0
+        continue-on-error: true
+        env:
+          CI: true
+          BUILDLESS_APIKEY: ${{ secrets.BUILDLESS_APIKEY }}
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+          TEST_EXCEPTIONS: true
+        with:
+          cache-read-only: false
+          cache-encryption-key: ${{ secrets.GRADLE_CONFIGURATION_KEY }}
+          dependency-graph: disabled
+          gradle-home-cache-includes:
+            binaryen
+            caches
+            jdks
+            native
+            native-build-tools
+            nodejs
+            notifications
+            wrapper
+            yarn
+          arguments: |
+            detekt
+            koverXmlReport
+            koverBinaryReport
+            koverVerify
+            sonar
             -x wasmJsTest
             -x wasmWasiTest
             -x wasmWasiNodeTest
@@ -326,6 +418,7 @@ jobs:
         with:
           key: ${{ steps.cache-restore.outputs.cache-primary-key }}
           path: |
+            build/reports/kover/**/*.*
             packages/*/test-results/
             packages/proto/*/test-results/
             tools/elide-build/test-results/

.github/workflows/on.pr.yml

@@ -244,31 +244,16 @@ jobs:
       security-events: "write"
 
   ##
-  ## Job: Checks with Sonar
+  ## Job: Checks with Detekt
   ##
-  check-sonar:
+  check-detekt:
     name: "Checks"
-    uses: ./.github/workflows/checks.sonar.yml
+    uses: ./.github/workflows/checks.detekt.yml
     needs: [triage, preflight-checks, pr-build, pr-test]
     if: fromJson(needs.triage.outputs.srcs)
     secrets:
-      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
       GRADLE_CONFIGURATION_KEY: ${{ secrets.GRADLE_CONFIGURATION_KEY }}
       BUILDLESS_APIKEY: ${{ secrets.BUILDLESS_APIKEY }}
     permissions:
       contents: "read"
-
-  ##
-  ## Job: Checks with Qodana
-  ##
-  check-qodana:
-    name: "Checks"
-    uses: ./.github/workflows/checks.qodana.yml
-    needs: [triage, preflight-checks, pr-build, pr-test]
-    if: false # disabled
-    secrets:
-      QODANA_TOKEN: ${{ secrets.QODANA_TOKEN }}
-      BUILDLESS_APIKEY: ${{ secrets.BUILDLESS_APIKEY }}
-      GRADLE_CONFIGURATION_KEY: ${{ secrets.GRADLE_CONFIGURATION_KEY }}
-    permissions:
-      contents: "read"
+      security-events: "write"