-
Notifications
You must be signed in to change notification settings - Fork 33
ci-cd improvements #614
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: develop
Are you sure you want to change the base?
ci-cd improvements #614
Changes from all commits
bcefb11
e89fe5b
e7440f4
6ff9081
6684239
fd6cede
4aba281
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,78 @@ | ||
| name: diffguard | ||
|
|
||
| on: | ||
| pull_request: | ||
| branches: | ||
| - '**' | ||
| types: [opened, synchronize, reopened] | ||
|
|
||
| concurrency: | ||
| group: diffguard-${{ github.event.pull_request.number || github.ref }} | ||
| cancel-in-progress: true | ||
|
|
||
| jobs: | ||
| diffguard: | ||
| name: Quality metrics | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
|
Check warning on line 17 in .github/workflows/diffguard.yml
|
||
|
Comment on lines
+14
to
+17
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🟡 The new Extended reasoning...What the finding is
jobs:
diffguard:
name: Quality metrics
runs-on: ubuntu-latest
steps:There is no
A repo-wide scan shows the pattern is established elsewhere too ( Why it matters Without an explicit Realized impact Small. This workflow triggers on Step-by-step example
Suggested fix Add two lines between diffguard:
name: Quality metrics
runs-on: ubuntu-latest
permissions:
contents: read
steps: |
||
| - uses: actions/checkout@v6 | ||
| with: | ||
| # diffguard needs full history for merge-base and file history checks. | ||
| fetch-depth: 0 | ||
|
|
||
| - uses: actions/setup-go@v6 | ||
| with: | ||
| go-version-file: go.mod | ||
|
|
||
| - uses: actions/cache@v4 | ||
| with: | ||
| path: | | ||
| ~/.cache/go-build | ||
| ~/go/pkg/mod | ||
| key: ${{ runner.os }}-diffguard-${{ hashFiles('**/go.sum') }} | ||
| restore-keys: ${{ runner.os }}-diffguard- | ||
|
|
||
| - name: Install diffguard | ||
| run: go install github.com/0xPolygon/diffguard/cmd/diffguard@latest | ||
|
Comment on lines
+35
to
+36
vbhattaccmu marked this conversation as resolved.
vbhattaccmu marked this conversation as resolved.
Comment on lines
+35
to
+36
|
||
|
|
||
| - name: Run diffguard | ||
| id: diffguard | ||
| shell: bash | ||
| run: | | ||
| # Keep diffguard's exit code when tee writes the step summary. | ||
| set -o pipefail | ||
| diffguard \ | ||
| --base origin/${{ github.base_ref }} \ | ||
| --complexity-threshold 15 \ | ||
| --complexity-delta-tolerance 5 \ | ||
| --function-size-threshold 80 \ | ||
| --function-size-delta-tolerance 15 \ | ||
| --file-size-threshold 800 \ | ||
| --file-size-delta-tolerance-pct 10 \ | ||
| --file-size-delta-tolerance-floor 20 \ | ||
| --tier1-threshold 80 \ | ||
| --tier2-threshold 60 \ | ||
| --mutation-sample-rate 20 \ | ||
| --test-timeout 5m \ | ||
| --output text \ | ||
| --fail-on error \ | ||
| . | tee "$GITHUB_STEP_SUMMARY" | ||
|
|
||
| - name: Upload JSON report | ||
| # The text report above contains mutation results; this second run is | ||
| # only for a cheap machine-readable shape report. | ||
| if: always() | ||
| run: | | ||
| diffguard \ | ||
| --base origin/${{ github.base_ref }} \ | ||
| --skip-mutation \ | ||
| --output json \ | ||
| --fail-on none \ | ||
| . > diffguard-report.json | ||
|
|
||
| - uses: actions/upload-artifact@v6 | ||
| if: always() | ||
| with: | ||
| name: diffguard-report | ||
| path: diffguard-report.json | ||
| retention-days: 14 | ||
This file was deleted.
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,38 @@ | ||
| name: Nightly Govulncheck | ||
|
|
||
| on: | ||
| schedule: | ||
| - cron: '0 2 * * *' | ||
| workflow_dispatch: | ||
|
Check warning on line 6 in .github/workflows/nightly-govulncheck.yml
|
||
|
Comment on lines
+3
to
+6
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🟡 This PR deletes Extended reasoning...What changed. The old |
||
|
|
||
| concurrency: | ||
| group: nightly-govulncheck-develop | ||
| cancel-in-progress: true | ||
|
Copilot marked this conversation as resolved.
|
||
|
|
||
| jobs: | ||
| govulncheck: | ||
| name: Run govulncheck on develop | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
|
|
||
| steps: | ||
| - uses: actions/checkout@v6 | ||
| with: | ||
| ref: develop | ||
|
|
||
| - uses: actions/setup-go@v6 | ||
| with: | ||
| go-version-file: go.mod | ||
| check-latest: true | ||
|
Comment on lines
+24
to
+27
|
||
|
|
||
| - uses: actions/cache@v4 | ||
| with: | ||
| path: | | ||
| ~/.cache/go-build | ||
| ~/go/pkg/mod | ||
| key: ${{ runner.os }}-govulncheck-${{ hashFiles('**/go.sum') }} | ||
| restore-keys: ${{ runner.os }}-govulncheck- | ||
|
|
||
| - name: Run govulncheck | ||
| run: make vulncheck | ||
|
Collaborator
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Where would we be notified about outcome? bor nightly race tests for example pushes the results on an internal slack channel. We might want to do the same for nightly checks (vulncheck and sonar) |
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,51 @@ | ||
| name: Nightly Sonar | ||
|
|
||
| on: | ||
| schedule: | ||
| - cron: '0 1 * * *' | ||
| workflow_dispatch: | ||
|
|
||
| concurrency: | ||
| group: nightly-sonar-develop | ||
| cancel-in-progress: true | ||
|
Copilot marked this conversation as resolved.
|
||
|
|
||
| jobs: | ||
| sonar: | ||
| name: Run SonarCloud on develop | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| env: | ||
| SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | ||
|
|
||
| steps: | ||
| - uses: actions/checkout@v6 | ||
| with: | ||
| fetch-depth: 0 | ||
| ref: develop | ||
|
|
||
| - name: Run SonarCloud analysis | ||
| id: sonar | ||
| if: env.SONAR_TOKEN != '' | ||
| continue-on-error: true | ||
| uses: SonarSource/sonarqube-scan-action@c7ee0f9df90b7aa20e8dcf9695dcfe2e7da5b4f2 # v7 | ||
| env: | ||
| GITHUB_TOKEN: ${{ github.token }} | ||
|
|
||
| - name: Report informational status | ||
| if: always() | ||
| run: | | ||
| { | ||
| echo "## Nightly Sonar" | ||
| case "${{ steps.sonar.outcome }}" in | ||
| success) | ||
| echo "SonarCloud analysis completed successfully." | ||
| ;; | ||
| skipped) | ||
| echo "SonarCloud analysis was skipped because SONAR_TOKEN is not available." | ||
| ;; | ||
| *) | ||
| echo "SonarCloud analysis did not complete successfully. This check is informational and does not fail CI." | ||
| ;; | ||
| esac | ||
| } >> "$GITHUB_STEP_SUMMARY" | ||
This file was deleted.
Uh oh!
There was an error while loading. Please reload this page.