This project was created for the purpose of building a pipeline and learning GitHub Actions.
The project was cloned from the kotlin-http4k-realworld-example-app public repo.
The source code is not modified or changed! Changes were made only to build.gradle.kts.
Check the latest run and results in the Actions tab of the repository.
- Project built with Gradle
- Code written in Kotlin
- Tests written with Kotest
- Static code analysis performed with SonarCloud
- Dependency checks performed with OWASP Dependency-Check
- Code coverage measured with Jacoco
Basically, the workflow has 4 main jobs:
1. dependency-check: OWASP Dependency-Check identifies project dependencies on open-source code and checks if there are known vulnerabilities associated with that code.
2. test: Unit tests and integration tests are executed and the results are sent to artifacts.
   2.1. Test Coverage: Code coverage is calculated with Jacoco.
   2.2. Integration Tests:
3. sonarcloud: Static code analysis is performed.
   3.1. Test coverage results are published to SonarCloud.
   3.2. Integration test results are published to SonarCloud. (A SonarCloud Kotlin integration test bug was reported via Jira. After the reported bug is fixed, the task is expected to import results successfully.)
4. build: Gradle task build
The dependency-check task generates the OWASP Dependency-Check report under the path ./build/reports in ALL formats. The report is created by the command:

    ./gradlew --stacktrace dependencyCheckAnalyze

The created reports are then uploaded as artifacts. Check github.com/user/repo/artifacts/latest for the created reports and outputs.
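Add the dependencycheck plugin to build.gradle.kts:

    plugins {
        id("org.owasp.dependencycheck") version "6.1.5"
    }

    dependencyCheck {
        // Do not fail the build when the analysis itself hits an error
        failOnError = false
        // Write the report in every supported format
        format = org.owasp.dependencycheck.reporting.ReportGenerator.Format.ALL
    }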
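
The configuration above writes reports but sets no score threshold for failing the build. The gate script below is an added example, not part of the original project: a workflow step could run it over the JSON report to fail the job on findings at or above a CVSS score. The field names (dependencies, vulnerabilities, cvssv3.baseScore, cvssv2.score) and the 7.0 threshold are assumptions; the sample data and CVE ids are constructed placeholders.

```python
"""CI gate: non-zero exit when a Dependency-Check JSON report has findings >= a CVSS threshold."""
import json
import sys

# Constructed sample in the assumed report layout; CVE ids are placeholders.
SAMPLE_REPORT = {"dependencies": [
    {"fileName": "lib-a-1.0.jar", "vulnerabilities": [
        {"name": "CVE-PLACEHOLDER-1",
         "cvssv3": {"baseScore": 9.8}, "cvssv2": {"score": 7.5}},
        {"name": "CVE-PLACEHOLDER-2", "cvssv2": {"score": 4.3}}]},
    {"fileName": "lib-b-2.3.jar", "vulnerabilities": [
        {"name": "CVE-PLACEHOLDER-3"}]},   # finding without any score
    {"fileName": "lib-c-0.9.jar"},         # clean dependency, key absent
]}

def best_score(vuln):
    """Highest CVSS base score recorded for one finding, or None."""
    candidates = ((vuln.get("cvssv3") or {}).get("baseScore"),
                  (vuln.get("cvssv2") or {}).get("score"))
    scores = [float(s) for s in candidates if isinstance(s, (int, float))]
    return max(scores) if scores else None

def findings_over(report, threshold):
    """(file, id, score) for findings >= threshold, highest first.
    Findings with no score are kept (fail closed) and listed last."""
    hits = []
    for dep in report.get("dependencies") or []:
        for vuln in dep.get("vulnerabilities") or []:
            score = best_score(vuln)
            if score is None or score >= threshold:
                hits.append((dep.get("fileName", "?"),
                             vuln.get("name", "?"), score))
    return sorted(hits, key=lambda h: (h[2] is None, -(h[2] or 0.0)))

def gate(report, threshold=7.0):
    """Print offending findings and return the exit code for the CI step."""
    hits = findings_over(report, threshold)
    for file_name, vuln_id, score in hits:
        print(f"{file_name}: {vuln_id} cvss={score}")
    return 1 if hits else 0

if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: gate.py report.json [threshold]
        limit = float(sys.argv[2]) if len(sys.argv) > 2 else 7.0
        with open(sys.argv[1], encoding="utf-8") as fh:
            sys.exit(gate(json.load(fh), limit))
    print("sample exit code:", gate(SAMPLE_REPORT))
```
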
The test job has 3 steps:
- For code coverage, run ./gradlew test jacocoTestReport. The created code coverage report is uploaded as an artifact.
Add the jacoco plugin to build.gradle.kts and enable the XML report for later use. The XML format of the report is needed for publishing the results from SonarQube.

    plugins {
        jacoco
    }

    tasks.jacocoTestReport {
        reports {
            // XML output is the format read when the coverage is published
            xml.isEnabled = true
        }
    }

- Run ./gradlew test to run all tests. The created test report is then uploaded as an artifact.
- Code coverage verification option: ./gradlew test jacocoTestCoverageVerification.
Add the jacocoTestCoverageVerification task to build.gradle.kts and define the minimum coverage limit:

    tasks.jacocoTestCoverageVerification {
        violationRules {
            rule {
                limit {
                    minimum = "0.8".toBigDecimal()
                }
            }
        }
    }

- To perform static code analysis, run sonarsource/sonarcloud-github-action@master. Results are published directly on SonarCloud.
A sonar.project.properties file was added to the project working directory.
sonar.organization=ozlemgulp
sonar.projectKey=ozlemgulp_create-pipeline
# relative paths to source directories. More details and properties are described
# in https://sonarcloud.io/documentation/project-administration/narrowing-the-focus/
sonar.sources=.
sonar.dependencyCheck.reportPath=/home/runner/work/create-pipeline/create-pipeline/build/reports/dependency-check-report.xml
sonar.coverage.jacoco.xmlReportPaths=/home/runner/work/create-pipeline/create-pipeline/build/reports/jacoco/test/jacocoTestReport.xml
sonar.junit.reportPaths=/home/runner/work/create-pipeline/create-pipeline/build/test-results
The Jacoco test coverage report is published via SonarCloud by defining the Jacoco XML report path. Download the artifacts to the path defined in sonar.coverage.jacoco.xmlReportPaths:

    - name: Download JococoTestReportArtifact
      uses: actions/download-artifact@v2
      with:
        name: jacocoTestReport.xml
        path: ./build/reports/jacoco/test/

sonar.coverage.jacoco.xmlReportPaths=/home/runner/work/create-pipeline/create-pipeline/build/reports/jacoco/test/jacocoTestReport.xml
- To build the project, run ./gradlew clean build.
- After each job runs, generated files or reports can be uploaded as artifacts using actions/upload-artifact@v2 with a defined name and path.
- Users can download the generated reports or files by clicking them.

    - name: 'Publish Test Report'
      if: always()
      uses: actions/upload-artifact@v2
      with:
        name: 'test-report'
        path: ./build/reports/tests/test/

For more information about GitHub Actions and the generated pipeline, please check blank.yml.