This project created purpose of creating a pipeline and learning GitHub actions.
Project cloned from kotlin-http4k-realworld-example-app public repo.
src code is not modified or changed! Changes done only on gradle.build.kts
Check the latest run and results from Actions Tab of the repository.

• Project build with Gradle
• Code with Kotlin
• Test with Kotest
• Code static analysis performed with SonarCloud
• Dependency checks performed with OWASP Dependency-Check
• Code coverage performed with Jacoco

Basically, workflow has 4 main jobs:

1. dependency-check: OWASP Dependency-Check identifies project dependencies on open-source code and checks if there are known vulnerabilities associated with that code.
   

2. test: Unit tests and Integration tests executed and results send to artifacts.
   2.1. Test Coverage: Code coverage calculated with Jacoco.
   2.2. Integration Tests:
   

3. sonarcloud: Code static analysis performed
   3.1. Test Coverage results published to the sonarCloud
   3.2. Integration test result published to the sonarCloud. (SonarCloud Kotlin Integratin Test Bug reported via Jira, After reported bug fixed, task expected to import results successfully.)
   

4. build: gradle task build
   

dependency-check task generate OWASP dependency check report under the path: ./build/reports in ALL format

• ./gradlew --stacktrace dependencyCheckAnalyze command is creating the report
• Then created reports uploaded to the artifact. Check the github.com/user/repo/artifacts/latest for created reports and outputs.

Add dependencycheck plugin to the build.gradle.kts :

	id("org.owasp.dependencycheck") version "6.1.5"

dependencyCheck {
    failOnError=false
	format=org.owasp.dependencycheck.reporting.ReportGenerator.Format.ALL
}

test job has 3 steps:

1. For the code coverage run ./gradlew test jacocoTestReport. Created code coverage report uploaded to the artifact.

Add jacoco plugin to the build.gradle.kts and enable xml report for further uses. xml format of report needed to publishing the results from SonarCube.

     jacoco

     tasks.jacocoTestReport {
    reports {
        xml.isEnabled = true
    }
}

2. Run ./gradlew test to run all tests. Then created test report uploaded to the artifact.
3. Code Coverage Verification option ./gradlew test jacocoTestCoverageVerification.

Add jacocoTestCoverageVerification task to the build.gradle.kts and define minimum coverage limit:

tasks.jacocoTestCoverageVerification {
    violationRules {
        rule {
            limit {
                minimum = "0.8".toBigDecimal()
            }
        }
    }
}

• To perform code static analysis run sonarsource/sonarcloud-github-action@master. Results directlypublished on SonarCloud.

sonar.project.properties file added to project working directory.

sonar.organization=ozlemgulp
sonar.projectKey=ozlemgulp_create-pipeline

# relative paths to source directories. More details and properties are described
# in https://sonarcloud.io/documentation/project-administration/narrowing-the-focus/ 
sonar.sources=.
sonar.dependencyCheck.reportPath=/home/runner/work/create-pipeline/create-pipeline/build/reports/dependency-check-report.xml
sonar.coverage.jacoco.xmlReportPaths=/home/runner/work/create-pipeline/create-pipeline/build/reports/jacoco/test/jacocoTestReport.xml
sonar.junit.reportPaths=/home/runner/work/create-pipeline/create-pipeline/build/test-results

Jococo test coverage report published via SonarCloud by defining jacoco xml Report path. Download the artifacts to the defined sonar.coverage.jacoco.xmlReportPaths path

    - name: Download JococoTestReportArtifact
      uses: actions/download-artifact@v2
      with:
        name: jacocoTestReport.xml
        path: ./build/reports/jacoco/test/

sonar.coverage.jacoco.xmlReportPaths=/home/runner/work/create-pipeline/create-pipeline/build/reports/jacoco/test/jacocoTestReport.xml

• To build the project ./gradlew clean build.
  

• After each job runs generated files or reports able to upload to the artifacts actions/upload-artifact@v2 with defined name and path.
  
• User able to download generated reports or files by clicking them.
  

      - name: 'Publish Test Report'
        if: always()
        uses: actions/upload-artifact@v2
        with:
          name: 'test-report'
          path: ./build/reports/tests/test/

To more information about github actions and generated pipeline please check blank.yml