jwgmeligmeyling / spotbugs-github-action

Push SpotBugs results as check run annotations

License: MIT License

TypeScript 97.63% JavaScript 2.37%
static-analysis spotbugs findbugs github-actions github-actions-java

spotbugs-github-action's Introduction

SpotBugs GitHub Action

This action pushes results from SpotBugs (or FindBugs) as check run annotations. 🚀

The action can also be used with any other static analysis tool that produces reports in the SpotBugs XML format. The report itself must be generated in an earlier build step, for example a Maven build.

Input

path

Required. A file, directory or wildcard pattern that describes where to find the reports. Multiple files can be processed through a glob expression, for example: '**/spotbugsXml.xml'.

name

Optional. Name for the check run to create. Defaults to spotbugs.

title

Optional. Title for the check run to create. Defaults to SpotBugs Source Code Analyzer report.

token

Optional. GitHub API access token. Defaults to ${{ github.token }}, which is set by actions/checkout@v2 minimally.

Example usage

name: Java CI

on: [push]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2
    - name: Set up JDK 1.8
      uses: actions/setup-java@v1
      with:
        java-version: 1.8
    - uses: actions/cache@v1
      with:
        path: ~/.m2/repository
        key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
        restore-keys: |
          ${{ runner.os }}-maven-
    - name: Build with Maven
      run: mvn -B verify spotbugs:spotbugs
    - uses: jwgmeligmeyling/spotbugs-github-action@master
      with:
        path: '**/spotbugsXml.xml'

And do not forget to enable XML output for the Maven plugin:

<build>
  <plugins>
    <plugin>
      <groupId>com.github.spotbugs</groupId>
      <artifactId>spotbugs-maven-plugin</artifactId>
      <version>4.0.0</version>
      <configuration>
        <xmlOutput>true</xmlOutput>
        <failOnError>false</failOnError>
      </configuration>
    </plugin>
  </plugins>
</build>

Please note that by default, workflows on pull_request events check out refs/pull/:prNumber/merge instead of the head of the pull request. Because of this, the line numbers in the generated violations may not match the lines on which they are displayed at the HEAD of the pull request. As it stands, there is no sensible way to run this action on the merge commit of the pull request, because the result would be posted to an unnamed workflow for an otherwise invisible commit. It is possible, however, to check out the pull request head on pull_request events instead. To do so, change your checkout action accordingly:

- uses: actions/checkout@v2
  with:
    ref: ${{ github.event.pull_request.head.sha }}

Other relevant actions

This is a GitHub Action in a series of other GitHub Actions. Similar actions include:

Known limitations

Due to GitHub API limitations, we cannot specify which Workflow Run (or underlying Check Suite) a newly created Check Run should be associated with. As a result, workflows that trigger on several types of events might push results under a different event than the one the action ran in. For more information, see: #3

Contributing

Install the dependencies

$ npm install

Build the typescript and package it for distribution

$ npm run build && npm run package

Run the tests ✔️

$ npm test

 PASS  ./index.test.js
  ✓ throws invalid number (3ms)
  ✓ wait 500 ms (504ms)
  ✓ test runs (95ms)

...

spotbugs-github-action's People

Contributors

jakobdoc, jwgmeligmeyling, mchenryc

spotbugs-github-action's Issues

Possibility to mark the job as failure?

Hi @jwgmeligmeyling ,

First, thank you for the Action.

I started using your GHA in the micronaut-camunda-bpm project.
So far it works as I understood from your readme:
arolfes/micronaut-camunda-bpm@5753bec

I personally miss a possibility to mark the job as a failed run when at least one violation was found.

Did I configure something wrong? Or will it always be green when the upload succeeds?
What other chance do I have to mark the build as a failure?

Best Regards

Error: HttpError: Resource not accessible by integration

I used spotbugs-github-action in the udig-platform project workflow right after the Maven build:

    - name: Run uDig product & sdk build (parallel)
      run: mvn install -B -Pproduct,sdk,test -DskipTests spotbugs:check --fail-at-end -T4
    - uses: jwgmeligmeyling/[email protected]
      with:
        path: '**/spotbugsXml.xml'

The spotbugsXml.xml files are generated (checked locally), but I get HTTP errors. Previously I tested with the version from master (uses: jwgmeligmeyling/spotbugs-github-action@master), but sometimes I got the same errors.

see https://github.com/locationtech/udig-platform/pull/550/checks?check_run_id=3847205371#step:10:243

Any ideas what's going wrong?

Check run result is pushed to any workflow, rather than the executing workflow

GitHub Actions run within a Workflow Run. Each Workflow Run is associated with its own Check Suite. Whenever we post a Check Run, a Check Suite is created unless a Check Suite for that application already exists. However, when multiple workflows are triggered for an event (or multiple events trigger multiple runs of the same workflow), multiple possible Check Runs will be available. Unfortunately, there is no way for us to pick a Check Suite when creating a new Check Run. This is a limitation in the GitHub Checks API. As a result, currently results generated during workflows on a pull_request event might end up at the push workflow, if both events are used together.

84824386-2423f600-b020-11ea-9adb-b5ca28894442

(The interesting part about this image is that the "build-test PMD" run was created during "build-test on: pull request".)

See also: https://github.community/t/specify-check-suite-when-creating-a-checkrun/118380?u=jwgmeligmeyling
Copy of: jwgmeligmeyling/pmd-github-action#4

Feature Request: Ability to specify commit (support workflow_run)

To support the workflow_run use case it is necessary to specify the commit to upload annotations against.

Here is an example of an action that provides this capability: https://github.com/ScaCap/action-surefire-report and here is the relevant code https://github.com/ScaCap/action-surefire-report/blob/master/action.js#L28

const commit = core.getInput('commit');
...
const head_sha = commit || (pullRequest && pullRequest.head.sha) || github.context.sha;
...
const createCheckRequest = {
        ...github.context.repo,
        name,
        head_sha,
        status,
        conclusion,
        output: {
            title,
            summary: '',
            annotations: annotations.slice(0, 50)
        }
    };

Here is an example usage of this feature: https://github.com/apache/spark/blob/master/.github/workflows/test_report.yml#L24

I think this should be relatively straight forward to add to this action, and would impact this area of code:
https://github.com/jwgmeligmeyling/spotbugs-github-action/blob/master/src/main.ts#L59

  let sha = context.sha

  if (context.payload.pull_request) {
    sha = context.payload.pull_request.head.sha
  }
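
An added example, not code from this action or from action-surefire-report, that extends the quoted snippets: it validates the resolved commit SHA before a check run is created against it, and it plans one request per batch of 50 annotations instead of keeping only the first 50. The `EventContext` and `CheckRequest` shapes, the `failOnViolations` flag and both function names are hypothetical simplifications.

```typescript
// Simplified, hypothetical stand-ins for github.context and a Checks API request body.
interface CheckAnnotation {
  path: string; start_line: number; end_line: number
  annotation_level: 'notice' | 'warning' | 'failure'; message: string
}
interface EventContext {
  sha: string
  payload: { pull_request?: { head: { sha: string } } }
}
interface CheckRequest {
  kind: 'create' | 'update' // updates go to the check run id returned by the create call
  name: string; head_sha: string; status: 'completed'
  conclusion: 'success' | 'neutral' | 'failure'
  output: { title: string; summary: string; annotations: CheckAnnotation[] }
}

const FULL_SHA = /^[0-9a-f]{40}$/ // assumption: SHA-1 commit ids in lowercase hex
const MAX_ANNOTATIONS = 50        // per-request limit, the same 50 as in slice(0, 50)

// Same precedence as the quoted snippet: explicit input, then PR head, then event SHA.
function resolveHeadSha(commitInput: string, ctx: EventContext): string {
  const sha = commitInput.trim() || ctx.payload.pull_request?.head.sha || ctx.sha
  // In a workflow_run job the SHA comes from another run's payload, so reject
  // anything that is not a full commit id (ref names, short SHAs, empty values).
  if (!FULL_SHA.test(sha)) {
    throw new Error('not a full commit SHA: ' + JSON.stringify(sha))
  }
  return sha
}

// One create request, then update requests that append the remaining batches,
// so findings past the first 50 are not silently dropped.
function planCheckRequests(name: string, title: string, headSha: string,
                           annotations: CheckAnnotation[], failOnViolations: boolean): CheckRequest[] {
  const conclusion = annotations.length === 0 ? 'success'
    : failOnViolations ? 'failure' : 'neutral'
  const requests: CheckRequest[] = []
  for (let i = 0; i === 0 || i < annotations.length; i += MAX_ANNOTATIONS) {
    requests.push({
      kind: i === 0 ? 'create' : 'update', name, head_sha: headSha,
      status: 'completed', conclusion,
      output: {
        title, summary: annotations.length + ' violation(s) found',
        annotations: annotations.slice(i, i + MAX_ANNOTATIONS)
      }
    })
  }
  return requests
}
```

A `failure` conclusion marks the check run as failed; failing the job itself is a separate step for the caller.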

When action is triggered for a PR event, an unnamed workflow is created

When an action is triggered for a PR event, the results are pushed to a check run on the merge commit checked out by the actions/checkout action. Because no workflow exists for this run, an unnamed one is created: "(Unknown event), (unnamed workflow)" and the results also do not appear under the pull request.

This plugin should probably only be used on push events. We should document that. But possibly we can get some inspiration from how other actions deal with this situation.

HttpError: Resource not accessible by integration

Running the action in a Pull Request raises an error with my configuration. The error seems related to permissions. 😕 I'm not sure what needs to be fixed.

> Run jwgmeligmeyling/spotbugs-github-action@master
With the provided path, there will be 1 results uploaded
Creating annotations for /home/runner/work/find-sec-bugs/find-sec-bugs/findsecbugs-plugin/target/spotbugsXml.xml
/home/runner/work/find-sec-bugs/find-sec-bugs/findsecbugs-plugin/target/spotbugsXml.xml has 12 violations
##[error]HttpError: Resource not accessible by integration

Configuration:

# CI Task using https://github.com/jwgmeligmeyling/spotbugs-github-action

name: Java CI with SpotBugs

on: [push, pull_request]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2
    - name: Set up JDK 1.8
      uses: actions/setup-java@v1
      with:
        java-version: 1.8
    - uses: actions/cache@v1
      with:
        path: ~/.m2/repository
        key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
        restore-keys: |
          ${{ runner.os }}-maven-
    - name: Build with Maven
      run: mvn clean install -DskipTests com.github.spotbugs:spotbugs-maven-plugin:3.1.12:spotbugs
    - uses: jwgmeligmeyling/spotbugs-github-action@master
      with:
        path: '**/spotbugsXml.xml'

Error: TypeError: Cannot read property 'sourcepath' of undefined

I'm trying to set up this action without success; this is the output I get:

Run jwgmeligmeyling/spotbugs-github-action@master
  with:
    path: **/spotbugs-josm.xml
    name: spotbugs
    title: SpotBugs Source Code Analyzer report
    token: ***
With the provided path, there will be 1 results uploaded
Creating annotations for /home/runner/work/josm/josm/spotbugs-josm.xml
/home/runner/work/josm/josm/spotbugs-josm.xml has 208 violations
Error: TypeError: Cannot read property 'sourcepath' of undefined

You can check our workflow here:
https://github.com/openstreetmap/josm/actions/workflows/spotbugs-analysis.yml

The spotbugs report is uploaded as an artifact.
