Copilot commented on code in PR #13322: URL: https://github.com/apache/cloudstack/pull/13322#discussion_r3343903218
########## .github/workflows/sonar-reusable.yml: ########## @@ -0,0 +1,98 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +name: Sonar Quality Check (Reusable) + +on: + workflow_call: + inputs: + is_pr: + description: 'true when called from a pull_request trigger' + type: boolean + required: true + secrets: + SONAR_TOKEN: + required: false + +permissions: + contents: read + pull-requests: write + +jobs: + build: + name: Sonar JaCoCo Coverage + runs-on: ubuntu-22.04 + steps: + # PR callers check out the merge commit; branch callers use the pushed SHA. + - uses: actions/checkout@v6 + with: + ref: ${{ inputs.is_pr && format('refs/pull/{0}/merge', github.event.number) || github.sha }} + fetch-depth: 0 Review Comment: This workflow uses a floating ref for `actions/checkout` and omits `persist-credentials: false`, which is inconsistent with other workflows in this repo (most pin to a commit SHA and disable persisted credentials) and increases supply-chain risk. ########## .github/workflows/sonar-reusable.yml: ########## 
@@ -0,0 +1,98 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +name: Sonar Quality Check (Reusable) + +on: + workflow_call: + inputs: + is_pr: + description: 'true when called from a pull_request trigger' + type: boolean + required: true + secrets: + SONAR_TOKEN: + required: false + +permissions: + contents: read + pull-requests: write + +jobs: + build: + name: Sonar JaCoCo Coverage + runs-on: ubuntu-22.04 + steps: + # PR callers check out the merge commit; branch callers use the pushed SHA. + - uses: actions/checkout@v6 + with: + ref: ${{ inputs.is_pr && format('refs/pull/{0}/merge', github.event.number) || github.sha }} + fetch-depth: 0 + + - name: Set up JDK17 + uses: actions/setup-java@v5 + with: + distribution: 'temurin' + java-version: '17' + cache: 'maven' Review Comment: The reusable workflow replaces the repo’s existing `setup-env` composite action (which installs required APT deps/Python and pins `setup-java`) with a floating `actions/setup-java@v5` step. This is both a supply-chain hardening regression and risks missing build dependencies compared to the previous sonar workflows. ########## .github/workflows/sonar-reusable.yml: ########## 
@@ -0,0 +1,98 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +name: Sonar Quality Check (Reusable) + +on: + workflow_call: + inputs: + is_pr: + description: 'true when called from a pull_request trigger' + type: boolean + required: true + secrets: + SONAR_TOKEN: + required: false + +permissions: + contents: read + pull-requests: write + +jobs: + build: + name: Sonar JaCoCo Coverage + runs-on: ubuntu-22.04 + steps: + # PR callers check out the merge commit; branch callers use the pushed SHA. + - uses: actions/checkout@v6 + with: + ref: ${{ inputs.is_pr && format('refs/pull/{0}/merge', github.event.number) || github.sha }} + fetch-depth: 0 + + - name: Set up JDK17 + uses: actions/setup-java@v5 + with: + distribution: 'temurin' + java-version: '17' + cache: 'maven' + + - name: Cache SonarCloud packages + uses: actions/cache@v5 Review Comment: `actions/cache` is referenced via a floating major tag here; other workflows in this repo pin actions to a commit SHA. Pinning avoids supply-chain surprises. ########## .github/workflows/sonar-reusable.yml: ########## 
@@ -0,0 +1,98 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +name: Sonar Quality Check (Reusable) + +on: + workflow_call: + inputs: + is_pr: + description: 'true when called from a pull_request trigger' + type: boolean + required: true + secrets: + SONAR_TOKEN: + required: false + +permissions: + contents: read + pull-requests: write + +jobs: + build: + name: Sonar JaCoCo Coverage + runs-on: ubuntu-22.04 + steps: + # PR callers check out the merge commit; branch callers use the pushed SHA. + - uses: actions/checkout@v6 + with: + ref: ${{ inputs.is_pr && format('refs/pull/{0}/merge', github.event.number) || github.sha }} + fetch-depth: 0 + + - name: Set up JDK17 + uses: actions/setup-java@v5 + with: + distribution: 'temurin' + java-version: '17' + cache: 'maven' + + - name: Cache SonarCloud packages + uses: actions/cache@v5 + with: + path: ~/.sonar/cache + key: ${{ runner.os }}-sonar + restore-keys: ${{ runner.os }}-sonar + + - name: Cache local Maven repository + uses: actions/cache@v5 Review Comment: `actions/cache` is referenced via a floating major tag here; other workflows in this repo pin actions to a commit SHA. Pinning avoids supply-chain surprises. ########## .github/workflows/sonar-reusable.yml: ########## 
@@ -0,0 +1,98 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +name: Sonar Quality Check (Reusable) + +on: + workflow_call: + inputs: + is_pr: + description: 'true when called from a pull_request trigger' + type: boolean + required: true + secrets: + SONAR_TOKEN: + required: false + +permissions: + contents: read + pull-requests: write + +jobs: + build: + name: Sonar JaCoCo Coverage + runs-on: ubuntu-22.04 Review Comment: This reusable workflow runs on `ubuntu-22.04`, while the prior sonar workflows (and most other workflows in this repo) run on `ubuntu-24.04`. If the intent is only deduplication, keep the runner version consistent to avoid subtle environment differences in CI results. ########## .github/workflows/sonar-reusable.yml: ########## 
@@ -0,0 +1,98 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +name: Sonar Quality Check (Reusable) + +on: + workflow_call: + inputs: + is_pr: + description: 'true when called from a pull_request trigger' + type: boolean + required: true + secrets: + SONAR_TOKEN: + required: false + +permissions: + contents: read + pull-requests: write + +jobs: + build: + name: Sonar JaCoCo Coverage + runs-on: ubuntu-22.04 + steps: + # PR callers check out the merge commit; branch callers use the pushed SHA. 
+ - uses: actions/checkout@v6 + with: + ref: ${{ inputs.is_pr && format('refs/pull/{0}/merge', github.event.number) || github.sha }} + fetch-depth: 0 + + - name: Set up JDK17 + uses: actions/setup-java@v5 + with: + distribution: 'temurin' + java-version: '17' + cache: 'maven' + + - name: Cache SonarCloud packages + uses: actions/cache@v5 + with: + path: ~/.sonar/cache + key: ${{ runner.os }}-sonar + restore-keys: ${{ runner.os }}-sonar + + - name: Cache local Maven repository + uses: actions/cache@v5 + with: + path: ~/.m2/repository + key: ${{ runner.os }}-m2-${{ hashFiles('pom.xml', '*/pom.xml', '*/*/pom.xml', '*/*/*/pom.xml') }} + restore-keys: | + ${{ runner.os }}-m2 + + - name: Install Non-OSS + run: | + git clone https://github.com/shapeblue/cloudstack-nonoss.git nonoss + cd nonoss && bash -x install-non-oss.sh && cd .. + + - name: Run Build and Tests with Coverage (PR) + if: inputs.is_pr + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + PR_ID: ${{ github.event.pull_request.number }} + HEADREF: ${{ github.event.pull_request.head.ref }} + run: > + mvn -T$(nproc) -P quality -Dsimulator -Dnoredist clean install + org.sonarsource.scanner.maven:sonar-maven-plugin:sonar + -Dsonar.projectKey=apache_cloudstack + -Dsonar.pullrequest.key="$PR_ID" + -Dsonar.pullrequest.branch="$HEADREF" + -Dsonar.pullrequest.github.repository=apache/cloudstack + -Dsonar.pullrequest.provider=GitHub + -Dsonar.pullrequest.github.summary_comment=true + + - name: Run Tests with Coverage (Main) + if: "!inputs.is_pr" + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + run: > + mvn -T$(nproc) -P quality -Dsimulator -Dnoredist clean install Review Comment: The main-branch Sonar run now builds with only `-P quality` and without `-B`, whereas the previous `main-sonar-check.yml` built with `-P developer,systemvm,quality`. 
This changes CI behavior beyond workflow deduplication and may affect build/test/coverage results. ########## .github/workflows/main-sonar-check.yml: ########## 
@@ -16,50 +16,25 @@ # under the License. name: Sonar Quality Check (Main) -permissions: - contents: read + on: push: branches: - main + +permissions: + contents: read + pull-requests: write + concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: ${{ github.ref != 'refs/heads/main' }} + jobs: - build: + sonar: if: github.repository == 'apache/cloudstack' - name: Sonar JaCoCo Coverage - runs-on: ubuntu-24.04 - steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: - fetch-depth: 0 - persist-credentials: false - - name: Setup Environment - uses: ./.github/actions/setup-env - with: - install-python: 'true' - install-apt-deps: 'true' - - name: Cache SonarCloud packages - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 - with: - path: ~/.sonar/cache - key: ${{ runner.os }}-sonar - restore-keys: ${{ runner.os }}-sonar - - name: Install Non-OSS - uses: ./.github/actions/install-nonoss - - name: Run Build and Tests with Coverage - run: mvn -B -T$(nproc) -P developer,systemvm,quality -Dsimulator -Dnoredist clean install - - name: Upload to SonarQube - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - run: mvn -B -P quality org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=apache_cloudstack -Dsonar.branch.name=${{ github.ref_name }} - - uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1 - with: - files: ./client/target/site/jacoco-aggregate/jacoco.xml - fail_ci_if_error: true - flags: unittests - verbose: true - name: codecov - token: ${{ secrets.CODECOV_TOKEN }} + uses: ./.github/workflows/sonar-reusable.yml + with: + is_pr: false + secrets: + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} Review Comment: If the reusable workflow restores the previous Codecov upload behavior, the caller needs to pass through `CODECOV_TOKEN` (it was previously used directly in this 
workflow). Otherwise the Codecov step will fail or stop reporting coverage. ########## .github/workflows/sonar-reusable.yml: ########## 
@@ -0,0 +1,98 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +name: Sonar Quality Check (Reusable) + +on: + workflow_call: + inputs: + is_pr: + description: 'true when called from a pull_request trigger' + type: boolean + required: true + secrets: + SONAR_TOKEN: + required: false + +permissions: + contents: read + pull-requests: write + +jobs: + build: + name: Sonar JaCoCo Coverage + runs-on: ubuntu-22.04 + steps: + # PR callers check out the merge commit; branch callers use the pushed SHA. 
+ - uses: actions/checkout@v6 + with: + ref: ${{ inputs.is_pr && format('refs/pull/{0}/merge', github.event.number) || github.sha }} + fetch-depth: 0 + + - name: Set up JDK17 + uses: actions/setup-java@v5 + with: + distribution: 'temurin' + java-version: '17' + cache: 'maven' + + - name: Cache SonarCloud packages + uses: actions/cache@v5 + with: + path: ~/.sonar/cache + key: ${{ runner.os }}-sonar + restore-keys: ${{ runner.os }}-sonar + + - name: Cache local Maven repository + uses: actions/cache@v5 + with: + path: ~/.m2/repository + key: ${{ runner.os }}-m2-${{ hashFiles('pom.xml', '*/pom.xml', '*/*/pom.xml', '*/*/*/pom.xml') }} + restore-keys: | + ${{ runner.os }}-m2 + + - name: Install Non-OSS + run: | + git clone https://github.com/shapeblue/cloudstack-nonoss.git nonoss + cd nonoss && bash -x install-non-oss.sh && cd .. + + - name: Run Build and Tests with Coverage (PR) + if: inputs.is_pr + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + PR_ID: ${{ github.event.pull_request.number }} + HEADREF: ${{ github.event.pull_request.head.ref }} + run: > + mvn -T$(nproc) -P quality -Dsimulator -Dnoredist clean install Review Comment: The PR Sonar run now builds with only `-P quality` and without `-B`, whereas the previous `sonar-check.yml` built with `-P developer,systemvm,quality`. This is a functional CI behavior change (not just deduplication) and may change what gets built/tested and what coverage is produced. ########## .github/workflows/sonar-reusable.yml: ########## 
@@ -0,0 +1,98 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +name: Sonar Quality Check (Reusable) + +on: + workflow_call: + inputs: + is_pr: + description: 'true when called from a pull_request trigger' + type: boolean + required: true + secrets: + SONAR_TOKEN: + required: false + +permissions: + contents: read + pull-requests: write + +jobs: + build: + name: Sonar JaCoCo Coverage + runs-on: ubuntu-22.04 + steps: + # PR callers check out the merge commit; branch callers use the pushed SHA. 
+ - uses: actions/checkout@v6 + with: + ref: ${{ inputs.is_pr && format('refs/pull/{0}/merge', github.event.number) || github.sha }} + fetch-depth: 0 + + - name: Set up JDK17 + uses: actions/setup-java@v5 + with: + distribution: 'temurin' + java-version: '17' + cache: 'maven' + + - name: Cache SonarCloud packages + uses: actions/cache@v5 + with: + path: ~/.sonar/cache + key: ${{ runner.os }}-sonar + restore-keys: ${{ runner.os }}-sonar + + - name: Cache local Maven repository + uses: actions/cache@v5 + with: + path: ~/.m2/repository + key: ${{ runner.os }}-m2-${{ hashFiles('pom.xml', '*/pom.xml', '*/*/pom.xml', '*/*/*/pom.xml') }} + restore-keys: | + ${{ runner.os }}-m2 + + - name: Install Non-OSS + run: | + git clone https://github.com/shapeblue/cloudstack-nonoss.git nonoss + cd nonoss && bash -x install-non-oss.sh && cd .. + Review Comment: This duplicates the existing `./.github/actions/install-nonoss` composite action and also leaves the cloned `nonoss` directory behind. Using the shared action keeps behavior consistent (shallow clone + cleanup) and reduces CI disk usage. ########## .github/workflows/sonar-reusable.yml: ########## 
@@ -0,0 +1,98 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +name: Sonar Quality Check (Reusable) + +on: + workflow_call: + inputs: + is_pr: + description: 'true when called from a pull_request trigger' + type: boolean + required: true + secrets: + SONAR_TOKEN: + required: false + Review Comment: The previous sonar workflows uploaded JaCoCo coverage to Codecov using `CODECOV_TOKEN`, but this reusable workflow doesn't accept that secret (and the Codecov upload step is gone). If coverage reporting is still required, declare `CODECOV_TOKEN` as an optional secret for this reusable workflow so callers can pass it through. ########## .github/workflows/sonar-check.yml: ########## 
@@ -16,52 +16,22 @@ # under the License. name: Sonar Quality Check + +on: [pull_request] + permissions: contents: read pull-requests: write -on: - pull_request: + concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: ${{ github.ref != 'refs/heads/main' }} + jobs: - build: - name: Sonar JaCoCo Coverage - runs-on: ubuntu-24.04 - steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: - fetch-depth: 0 - persist-credentials: false - - name: Setup Environment - uses: ./.github/actions/setup-env - with: - install-python: 'true' - install-apt-deps: 'true' - - name: Cache SonarCloud packages - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 - with: - path: ~/.sonar/cache - key: ${{ runner.os }}-sonar - restore-keys: ${{ runner.os }}-sonar - - name: Install Non-OSS - uses: ./.github/actions/install-nonoss - - name: Run Build and Tests with Coverage - run: mvn -B -T$(nproc) -P developer,systemvm,quality -Dsimulator -Dnoredist clean install - - name: Upload to SonarQube - if: github.repository == 'apache/cloudstack' && github.event.pull_request.head.repo.full_name == github.repository - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - PR_ID: ${{ github.event.pull_request.number }} - HEADREF: ${{ github.event.pull_request.head.ref }} - run: | - mvn -B -P quality org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=apache_cloudstack -Dsonar.pullrequest.key="$PR_ID" -Dsonar.pullrequest.branch="$HEADREF" -Dsonar.pullrequest.github.repository=apache/cloudstack -Dsonar.pullrequest.provider=GitHub -Dsonar.pullrequest.github.summary_comment=true - - uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1 - with: - files: ./client/target/site/jacoco-aggregate/jacoco.xml - fail_ci_if_error: true - flags: unittests - verbose: true - name: codecov - token: ${{ secrets.CODECOV_TOKEN 
}} + sonar: + if: github.repository == 'apache/cloudstack' && github.event.pull_request.head.repo.full_name == github.repository + uses: ./.github/workflows/sonar-reusable.yml + with: + is_pr: true + secrets: + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} Review Comment: If the reusable workflow restores the previous Codecov upload behavior, the caller needs to pass through `CODECOV_TOKEN` (it was previously used directly in this workflow). Otherwise the Codecov step will fail or silently stop reporting coverage. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
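Review bot: In the `.github/workflows/sonar-reusable.yml` hunk, `SONAR_TOKEN` is declared `required: false`, yet both build steps hand `${{ secrets.SONAR_TOKEN }}` to the `sonar-maven-plugin:sonar` goal unconditionally, so a caller that omits the secret gets a failed scan rather than a clear skip; both callers already gate on `github.repository == 'apache/cloudstack'`, so either declare the secret `required: true` to document that contract or guard the Sonar steps on the token being present. A smaller point in the same hunk: the checkout step reads `github.event.number` while the PR build step reads `github.event.pull_request.number`; both resolve on a `pull_request` event, but using one form throughout avoids confusion when the workflow is later called from another trigger.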
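Review bot: In the `.github/workflows/main-sonar-check.yml` hunk, the `permissions` block is widened from `contents: read` to add `pull-requests: write` on a `push` to `main`, where there is no pull request to write to, which is a least-privilege regression for the main-branch token. The widening seems to be needed only because `sonar-reusable.yml` hard-codes `pull-requests: write` in its own `permissions` block (a called workflow may narrow but not widen what the caller grants, so the caller has to match it); dropping the `permissions` block from the reusable workflow so it inherits the caller's grant would let `sonar-check.yml` keep `pull-requests: write` while this workflow stays at `contents: read`.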
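Review bot: In the `.github/workflows/sonar-check.yml` hunk, the condition `github.repository == 'apache/cloudstack' && github.event.pull_request.head.repo.full_name == github.repository` previously gated only the "Upload to SonarQube" step, but it now sits on the whole `sonar` job, so for pull requests from forks the build and `mvn ... -P quality ... clean install` test run with coverage no longer execute in this workflow at all, not just the upload. If that is the intent, state it in the PR description; otherwise keep the same-repository check on the Sonar upload only (for example as an input to the reusable workflow) so every PR is still built and tested here.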
