GOSS/.github/workflows/code-quality.yml at master · GridOPTICS/GOSS · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
name: Code Quality Checks

on:
  push:
    branches: [ main, master, develop, upstream_develop ]
  pull_request:
    branches: [ main, master, develop ]

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  checkstyle:
    name: Code Style Check
    runs-on: ubuntu-latest

    steps:
    - name: Checkout code
      uses: actions/checkout@v6

    - name: Set up JDK 21
      uses: actions/setup-java@v5
      with:
        java-version: 21
        distribution: 'temurin'
        cache: gradle

    - name: Make gradlew executable
      run: chmod +x gradlew

    - name: Run Checkstyle
      run: ./gradlew checkstyleMain checkstyleTest --no-daemon || true
      env:
        GRADLE_OPTS: -Xmx2g -Dorg.gradle.daemon=false

    - name: Upload Checkstyle results
      if: always()
      uses: actions/upload-artifact@v6
      with:
        name: checkstyle-results
        path: |
          **/reports/checkstyle/
        retention-days: 30

  spotless:
    name: Code Formatting Check
    runs-on: ubuntu-latest

    steps:
    - name: Checkout code
      uses: actions/checkout@v6

    - name: Set up JDK 21
      uses: actions/setup-java@v5
      with:
        java-version: 21
        distribution: 'temurin'
        cache: gradle

    - name: Make gradlew executable
      run: chmod +x gradlew

    - name: Check code formatting
      run: ./gradlew spotlessCheck --no-daemon || true
      env:
        GRADLE_OPTS: -Xmx2g -Dorg.gradle.daemon=false

    - name: Show formatting differences
      if: failure()
      run: |
        echo "Code formatting issues found. Run './gradlew spotlessApply' to fix them."
        ./gradlew spotlessDiffMain spotlessDiffTest --no-daemon || true

  pmd:
    name: PMD Static Analysis
    runs-on: ubuntu-latest

    steps:
    - name: Checkout code
      uses: actions/checkout@v6

    - name: Set up JDK 21
      uses: actions/setup-java@v5
      with:
        java-version: 21
        distribution: 'temurin'
        cache: gradle

    - name: Make gradlew executable
      run: chmod +x gradlew

    - name: Run PMD analysis
      run: ./gradlew pmdMain pmdTest --no-daemon || true
      env:
        GRADLE_OPTS: -Xmx2g -Dorg.gradle.daemon=false

    - name: Upload PMD results
      if: always()
      uses: actions/upload-artifact@v6
      with:
        name: pmd-results
        path: |
          **/reports/pmd/
        retention-days: 30

  dependency-check:
    name: Dependency Vulnerability Scan
    runs-on: ubuntu-latest

    steps:
    - name: Checkout code
      uses: actions/checkout@v6

    - name: Set up JDK 21
      uses: actions/setup-java@v5
      with:
        java-version: 21
        distribution: 'temurin'
        cache: gradle

    - name: Make gradlew executable
      run: chmod +x gradlew

    - name: Run OWASP Dependency Check
      run: ./gradlew dependencyCheckAnalyze --no-daemon || true
      env:
        GRADLE_OPTS: -Xmx3g -Dorg.gradle.daemon=false

    - name: Upload dependency check results
      if: always()
      uses: actions/upload-artifact@v6
      with:
        name: dependency-check-results
        path: |
          **/reports/dependency-check-report.html
          **/reports/dependency-check-report.json
        retention-days: 30

  quality-gate:
    name: Quality Gate
    runs-on: ubuntu-latest
    needs: [checkstyle, spotless, pmd, dependency-check]
    if: always()

    steps:
    - name: Check quality gate
      run: |
        echo "Checkstyle: ${{ needs.checkstyle.result }}"
        echo "Spotless: ${{ needs.spotless.result }}"
        echo "PMD: ${{ needs.pmd.result }}"
        echo "Dependency Check: ${{ needs.dependency-check.result }}"

        # Allow some checks to fail without failing the entire pipeline
        # Focus on critical security issues
        if [[ "${{ needs.dependency-check.result }}" == "failure" ]]; then
          echo "❌ Critical: Dependency vulnerabilities found!"
          exit 1
        fi

        echo "✅ Quality gate passed (with warnings allowed)"