fix CI build on master (#2417)

finos · Oct 31, 2023 · dc46b1a · dc46b1a
1 parent 5437582
commit dc46b1a
Show file tree

Hide file tree

Showing 2 changed files with 99 additions and 6 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -17,7 +17,6 @@ name: Build CI
 env:
   CI_DEPLOY_USERNAME: ${{ secrets.CI_DEPLOY_USERNAME }}
   CI_DEPLOY_PASSWORD: ${{ secrets.CI_DEPLOY_PASSWORD }}
-  SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
   MAVEN_OPTS: "-Xmx6g"
 
 on: [push, pull_request]
@@ -40,7 +39,19 @@ jobs:
 
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
+
+      - name: Cache Maven dependencies
+        uses: actions/cache@v3
+        env:
+          cache-name: cache-mvn-deps
+        with:
+          path: ~/.m2/repository
+          key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('**/pom.xml') }}
+          restore-keys: |
+            ${{ runner.os }}-build-${{ env.cache-name }}-
+            ${{ runner.os }}-build-
+            ${{ runner.os }}-
 
       - name: Set up JDK
         uses: actions/setup-java@v1
@@ -68,13 +79,12 @@ jobs:
         with:
           theme: dark
 
-      - name: Build + Test
+      - name: Build (PR)
         if: github.ref != 'refs/heads/master'
         run: |
           mvn -B -e -DskipTests=true install
-          mvn -B -e surefire:test -DargLine="-XX:MaxRAMPercentage=70.0" -Dsurefire.reports.directory=${GITHUB_WORKSPACE}/surefire-reports-aggregate
 
-      - name: Build + Test + Maven Deploy + Sonar + Docker Snapshot
+      - name: Build (with Maven Deploy + Docker Snapshot)
         if: github.ref == 'refs/heads/master'
         env:
           DOCKER_USERNAME: finos
@@ -86,7 +96,10 @@ jobs:
         # and can cause problem with some code generators
         # See https://github.com/finos/legend-engine/pull/924
         run: |
-          mvn -B -e -DskipTests=true deploy -P docker-snapshot,sonar
+          mvn -B -e -DskipTests=true deploy -P docker-snapshot
+
+      - name: Test
+        run: |
           mvn -B -e surefire:test -DargLine="-XX:MaxRAMPercentage=70.0" -Dsurefire.reports.directory=${GITHUB_WORKSPACE}/surefire-reports-aggregate
 
       - name: Upload Test Results

diff --git a/.github/workflows/code-quality.yml b/.github/workflows/code-quality.yml
@@ -0,0 +1,80 @@
+# Copyright 2022 Goldman Sachs
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Code Quality Check
+
+on:
+  # Analysis done to check for security and quality are often taken care of by vendor tools, such as SonarCloud, CodeQL, etc.
+  # We will not run these in PR pipelins for the following reasons:
+  # 1. In terms of quality checks, these analysis are often already covered by code checks (e.g. eslint) already set to run
+  #    for PRs
+  # 2. Security checks are included meaning that these checks will have to go through a huge libraries of vulnerability checks
+  #    from vendor, which could take up huge amount of time to run, which is not suitable to have in PR unless absolutely necessary.
+  #    However, most of the problems detected by these checks are often security warnings and some other niche problems that we might
+  #    or might not necessarily have to deal with (false positive, or belongs to test-only codepath)
+  push:
+    branches:
+      - master
+
+env:
+  SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+  MAVEN_OPTS: "-Xmx6g"
+
+# Cancel running jobs from previous pipelines of the same workflow on PR to save resource when commits are pushed quickly
+# NOTE: we don't want this behavior on default branch
+# See https://stackoverflow.com/a/68422069
+concurrency:
+  group: ${{ github.ref == 'refs/heads/master' && format('ci-default-branch-{0}-{1}', github.sha, github.workflow) || format('ci-pr-{0}-{1}', github.ref, github.workflow) }}
+  cancel-in-progress: true
+
+jobs:
+  sonar-code-check:
+    name: Sonar Code Quality Check
+    # NOTE: we cannot run this action in PR anyway because secrets are not accessible from forks
+    # See https://portal.productboard.com/sonarsource/1-sonarcloud/c/50-sonarcloud-analyzes-external-pull-request
+    # See https://community.sonarsource.com/t/github-action-ci-build-fail-with-set-the-sonar-token-env-variable/38997
+    if: github.repository == 'finos/legend-engine'
+    # NOTE: larger runner is required to run this build
+    runs-on: ubuntu-latest-4-cores
+
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+
+      - name: Cache Maven dependencies
+        uses: actions/cache@v3
+        env:
+          cache-name: cache-mvn-deps
+        with:
+          path: ~/.m2/repository
+          key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('**/pom.xml') }}
+          restore-keys: |
+            ${{ runner.os }}-build-${{ env.cache-name }}-
+            ${{ runner.os }}-build-
+            ${{ runner.os }}-
+
+      - name: Set up JDK
+        uses: actions/setup-java@v1
+        with:
+          java-version: 11
+
+      - name: Check Java version
+        run: java -version
+
+      - name: Download deps and plugins
+        run: mvn de.qaware.maven:go-offline-maven-plugin:resolve-dependencies
+
+      - name: Check Code Quality
+        run: |
+          mvn -B -e -DskipTests=true install -P sonar