---
# Reusable workflow (workflow_call) named "finalize".
# All inputs are optional strings that default to the empty string; their
# values are whatever the calling workflow passes in.
name: finalize
on:
  workflow_call:
    inputs:
      run-id:
        description: 'The workflow run ID to download artifacts from (for workflow_run triggers)'
        required: false
        type: string
        default: ''
      workflow-event:
        description: 'The event that triggered the workflow (pull_request or push)'
        required: false
        type: string
        default: ''
      head-sha:
        description: 'The head SHA of the workflow run (for workflow_run triggers)'
        required: false
        type: string
        default: ''
      # head-branch and head-repository are declared here but are not
      # referenced by any step in this file.
      head-branch:
        description: 'The head branch of the workflow run (for workflow_run triggers)'
        required: false
        type: string
        default: ''
      head-repository:
        description: 'The head repository full name (for workflow_run triggers)'
        required: false
        type: string
        default: ''
    secrets:
      # Token handed to the SonarCloud scan step as SONAR_TOKEN.
      CICD_ORG_SONAR_TOKEN_CICD_BOT:
        required: true

# read-all gives GITHUB_TOKEN read access to every scope.
# NOTE(review): the steps in this file appear to need only contents, actions
# and pull-requests read access; confirm and narrow to those scopes.
permissions: read-all
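jobs:
  finalize:
    name: finalize
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): every `uses:` in this job references a mutable tag.
      # Pinning each action to a full commit SHA keeps a re-tagged release
      # from changing what runs next to SONAR_TOKEN.
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          fetch-depth: 0
          show-progress: false

      # Download the logs.zip artifact from the run identified by
      # inputs.run-id.
      # NOTE(review): the artifact holds whatever that run uploaded. For runs
      # triggered by a pull request, treat its contents as untrusted. No
      # `path` is set, so files are extracted into the workspace and can land
      # on top of the checkout; consider a dedicated directory.
      - name: Download artifacts
        uses: actions/download-artifact@v8
        with:
          name: logs.zip
          github-token: ${{ secrets.GITHUB_TOKEN }}
          run-id: ${{ inputs.run-id }}

      # For PRs: the PR number is carried in the pr_number artifact.
      - name: Fetch PR Number artifact
        if: inputs.workflow-event == 'pull_request'
        uses: actions/download-artifact@v8
        with:
          name: pr_number
          path: .
          github-token: ${{ secrets.GITHUB_TOKEN }}
          run-id: ${{ inputs.run-id }}

      - name: Extract PR Number
        if: inputs.workflow-event == 'pull_request'
        run: |
          # pr_number.txt comes from an artifact, so it is untrusted input.
          # Take the third field of the first line and accept digits only
          # before exporting it; the raw file is deliberately not echoed to
          # the log.
          PR_NUM=$(head -n1 pr_number.txt | awk '{print $3}')
          case "$PR_NUM" in
            '' | *[!0-9]*)
              echo "::error::pr_number.txt does not contain a numeric PR number"
              exit 1
              ;;
          esac
          echo "Found PR number: $PR_NUM"
          echo "PR_NUMBER=$PR_NUM" >> "$GITHUB_ENV"

      - name: Get Additional PR Information
        if: inputs.workflow-event == 'pull_request'
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          # Values are read as shell variables rather than expanded with
          # ${{ }} so they are never spliced into the script text.
          PR_DATA=$(gh api "repos/${GITHUB_REPOSITORY}/pulls/${PR_NUMBER}")
          echo "PR_BASE=$(echo "$PR_DATA" | jq -r '.base.ref')" >> "$GITHUB_ENV"
          echo "PR_HEAD=$(echo "$PR_DATA" | jq -r '.head.ref')" >> "$GITHUB_ENV"

      # NOTE(review): after this step the working tree holds PR-authored
      # content, and a later step runs the scanner over it with SONAR_TOKEN in
      # its environment. Confirm that this is acceptable for PRs from forks.
      - name: Checkout PR branch
        if: inputs.workflow-event == 'pull_request'
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          # A failed checkout is downgraded to a warning on purpose.
          gh pr checkout "$PR_NUMBER" || echo "::warning::Failed to checkout PR branch $PR_NUMBER, this can happen if it was already merged and deleted."

      - name: Prepare SonarCloud args
        if: hashFiles('**/coverage.xml') != ''
        shell: bash
        env:
          # Caller-supplied inputs are passed through the environment instead
          # of being expanded inside the script body.
          HEAD_SHA: ${{ inputs.head-sha }}
          WORKFLOW_EVENT: ${{ inputs.workflow-event }}
        run: |
          REPO_NAME="$GITHUB_REPOSITORY"
          COMMIT_SHA="$HEAD_SHA"
          # Split repo name into owner and repo
          IFS="/" read -r REPO_OWNER REPO_NAME_ONLY <<< "$REPO_NAME"
          SONAR_ARGS="-Dsonar.projectKey=${REPO_OWNER}_${REPO_NAME_ONLY} -Dsonar.organization=${REPO_OWNER}"
          SONAR_ARGS="${SONAR_ARGS} -Dsonar.scm.revision=$COMMIT_SHA"
          # Add PR-specific args if this is a pull request.
          # PR_NUMBER, PR_HEAD and PR_BASE were exported by earlier steps.
          if [[ "$WORKFLOW_EVENT" == "pull_request" && -n "$PR_NUMBER" ]]; then
            SONAR_ARGS="${SONAR_ARGS} -Dsonar.pullrequest.key=$PR_NUMBER"
            SONAR_ARGS="${SONAR_ARGS} -Dsonar.pullrequest.branch=$PR_HEAD"
            SONAR_ARGS="${SONAR_ARGS} -Dsonar.pullrequest.base=$PR_BASE"
          fi
          echo "SONAR_ARGS=$SONAR_ARGS" >> "$GITHUB_ENV"

      # Fail the job when no coverage.xml exists anywhere in the workspace.
      - name: Check for coverage files
        run: |
          COVERAGE_FILES=$(find . -name "coverage.xml" -type f 2>/dev/null | wc -l)
          if [ "$COVERAGE_FILES" -gt 0 ]; then
            echo "Coverage Data: Available ($COVERAGE_FILES file(s) found)"
            find . -name "coverage.xml" -type f | sed 's/^/│ /'
          else
            echo "Coverage Data: Not available - exiting"
            exit 1
          fi
          echo "Running SonarCloud analysis..."

      # The only step that receives the organisation SonarCloud token.
      - name: SonarCloud Scan
        uses: SonarSource/sonarqube-scan-action@v7
        env:
          SONAR_TOKEN: ${{ secrets.CICD_ORG_SONAR_TOKEN_CICD_BOT }}
        with:
          args: ${{ env.SONAR_ARGS }}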