Merge pull request #5 from biosustain/fix_flavors_pipeline_v2 #4
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Code Quality | |
# Workflow to check if project meets the code quality standards of the Biosustain group | |
on: | |
workflow_call: | |
inputs: | |
JSON_ENV: | |
description: | | |
JSON string with environment variables to pass to the mega-linter. | |
To pass all environment variables, use toJson(env) | |
required: false | |
default: "{}" # Empty JSON object | |
type: string | |
workflow_dispatch: | |
inputs: | |
JSON_ENV: | |
description: | | |
JSON string with environment variables to pass to the mega-linter. | |
required: false | |
default: "{}" # Empty JSON object | |
type: string | |
# Trigger the workflow also on push or pull request in this repository | |
push: | |
branches: | |
- main | |
pull_request: | |
branches: | |
- main | |
# Give the default GITHUB_TOKEN write permission to commit and push, comment | |
# issues & post new PR; remove the ones you do not need | |
permissions: | |
security-events: write | |
actions: read # Needed to run codeql/upload-sarif@v3 | |
contents: write | |
issues: write | |
pull-requests: write | |
statuses: write | |
concurrency: | |
group: ${{ github.ref }}-${{ github.workflow }} | |
cancel-in-progress: true | |
jobs: | |
check-code-quality: | |
name: Run MegaLinter to check code quality | |
runs-on: ubuntu-latest | |
steps: | |
- name: Load configuration | |
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 | |
with: | |
repository: biosustain/code-quality-check | |
path: config | |
- name: Checkout Code | |
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 | |
with: | |
token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }} | |
path: code | |
fetch-depth: 0 | |
- name: Set config path environment variables | |
env: | |
JSON_ENV: ${{ inputs.JSON_ENV }} | |
run: | | |
# Set the environment variables for the MegaLinter | |
echo "$JSON_ENV" | jq -r "to_entries|map(\"\(.key)=\(.value|tostring)\")|.[]" | tee -a "$GITHUB_ENV" | |
# Extend the configuration file if it exists, else use default | |
if [ -f code/.mega-linter.yml ]; then | |
# This cannot be set is there is no .mega-linter.yml in project | |
echo 'EXTENDS=../config/.mega-linter.yml' | tee -a "$GITHUB_ENV" | |
else | |
echo 'MEGALINTER_CONFIG=../config/.mega-linter.yml' | tee -a "$GITHUB_ENV" | |
fi | |
# MegaLinter | |
- name: MegaLinter | |
uses: oxsecurity/megalinter/flavors/[email protected] | |
id: ml | |
env: | |
# All available variables are described in documentation | |
# https://megalinter.io/configuration/ | |
# Define the reporters used in this action (not overrideable) | |
SARIF_REPORTER: true | |
MARKDOWN_SUMMARY_REPORTER: true | |
GITHUB_WORKSPACE: ${{ github.workspace }}/code | |
DEFAULT_WORKSPACE: ${{ github.workspace }}/code | |
# Validates all source when push on main, else just the git diff with | |
# main. | |
VALIDATE_ALL_CODEBASE: > | |
${{ | |
github.event_name == 'push' && | |
contains(fromJSON('["refs/heads/main", "refs/heads/master"]'), github.ref) | |
}} | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
# Upload MegaLinter artifacts | |
- name: Archive production artifacts | |
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 | |
if: always() && (steps.ml.outcome == 'failure') # Only upload if MegaLinter failed | |
with: | |
name: MegaLinter reports | |
path: | | |
megalinter-reports | |
mega-linter.log | |
- name: Upload MegaLinter scan results to GitHub Security tab | |
continue-on-error: true # This might error if github advanced security is not enabled | |
if: always() && (steps.ml.outcome == 'failure') # Only upload if MegaLinter failed | |
uses: github/codeql-action/upload-sarif@c7f9125735019aa87cfc361530512d50ea439c71 # v3.25.1 | |
with: | |
sarif_file: "megalinter-reports/megalinter-report.sarif" | |
- name: Show report in job summary | |
if: always() && (steps.ml.outcome == 'success' || steps.ml.outcome == 'failure') # Only show if MegaLinter ran | |
run: tee "$GITHUB_STEP_SUMMARY" < megalinter-reports/megalinter-report.md |