OJ-1495: Add SonarCloud workflows

Add a SonarCloud workflow. Generate a test coverage report and submit it to SonarCloud. Modularise GitHub workflows and use shared actions Use shared actions to reduce duplication and boilerplate. Apply standard GitHub Actions patterns from other repos.
govuk-one-login · Jan 18, 2024 · 79f3337 · 79f3337
1 parent 9104f06
commit 79f3337
Show file tree

Hide file tree

Showing 9 changed files with 162 additions and 188 deletions.
diff --git a/.github/workflows/check-pr.yml b/.github/workflows/check-pr.yml
@@ -0,0 +1,17 @@
+name: Check PR
+
+on: pull_request
+permissions: {}
+
+jobs:
+  code-quality:
+    name: Code quality
+    uses: ./.github/workflows/code-quality.yml
+
+  unit-tests:
+    name: Run tests
+    uses: ./.github/workflows/run-unit-tests.yml
+
+  browser-tests:
+    name: Run tests
+    uses: ./.github/workflows/run-browser-tests.yml
diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
diff --git a/.github/workflows/code-quality.yml b/.github/workflows/code-quality.yml
@@ -0,0 +1,35 @@
+name: Code quality
+
+on: workflow_call
+permissions: {}
+
+concurrency:
+  group: code-quality-${{ github.workflow }}-${{ github.head_ref || github.ref_name }}
+  cancel-in-progress: true
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  pre-commit:
+    name: pre-commit
+    runs-on: ubuntu-latest
+    steps:
+      - name: Run pre-commit
+        uses: govuk-one-login/github-actions/code-quality/run-pre-commit@145049ebd9a33e57da9a852847c4ee2c8970ea51
+        with:
+          install-dependencies: true
+          package-manager: yarn
+          all-files: true
+
+  translation-checks:
+    name: i18n
+    runs-on: ubuntu-latest
+    steps:
+      - name: Translation checks
+        uses: govuk-one-login/github-actions/env/run-script@145049ebd9a33e57da9a852847c4ee2c8970ea51
+        with:
+          node-version: 18.x
+          package-manager: yarn
+          script: yarn run check-translation
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
diff --git a/.github/workflows/i18n.yml b/.github/workflows/i18n.yml
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
diff --git a/.github/workflows/run-browser-tests.yml b/.github/workflows/run-browser-tests.yml
@@ -0,0 +1,25 @@
+name: Browser tests
+
+on: workflow_call
+
+concurrency:
+  group: browser-tests-${{ github.workflow }}-${{ github.head_ref || github.ref_name }}
+  cancel-in-progress: true
+
+defaults:
+  run:
+    shell: bash
+
+permissions: {}
+
+jobs:
+  run-tests:
+    name: Browser
+    runs-on: ubuntu-latest
+    steps:
+      - name: Run tests
+        uses: govuk-one-login/github-actions/env/run-script@145049ebd9a33e57da9a852847c4ee2c8970ea51
+        with:
+          node-version: 18.x
+          package-manager: yarn
+          script: yarn run test:browser:ci
diff --git a/.github/workflows/run-unit-tests.yml b/.github/workflows/run-unit-tests.yml
@@ -0,0 +1,40 @@
+name: Unit tests
+
+on:
+  workflow_call:
+    inputs:
+      coverage-report: { type: boolean, required: false, default: false }
+      coverage-artifact: { type: string, required: false, default: coverage }
+    outputs:
+      coverage-artifact:
+        value: ${{ inputs.coverage-artifact }}
+
+concurrency:
+  group: unit-tests-${{ github.workflow }}-${{ github.head_ref || github.ref_name }}
+  cancel-in-progress: true
+
+defaults:
+  run:
+    shell: bash
+
+permissions: {}
+
+jobs:
+  run-tests:
+    name: Unit
+    runs-on: ubuntu-latest
+    steps:
+      - name: Run tests
+        uses: govuk-one-login/github-actions/env/run-script@145049ebd9a33e57da9a852847c4ee2c8970ea51
+        with:
+          node-version: 18.x
+          package-manager: yarn
+          script: yarn run test:coverage
+
+      - name: Archive coverage results
+        if: ${{ inputs.coverage-report }}
+        uses: actions/upload-artifact@v3
+        with:
+          name: ${{ inputs.coverage-artifact }}
+          retention-days: 3
+          path: reports/coverage/lcov.info
diff --git a/.github/workflows/scan-repo.yml b/.github/workflows/scan-repo.yml
@@ -0,0 +1,45 @@
+name: Scan repository
+
+on:
+  pull_request:
+  push:
+    branches: [main]
+  schedule:
+    # Every Monday at 9am
+    - cron: "0 9 * * 1"
+
+concurrency:
+  group: scan-repo-${{ github.head_ref || github.ref_name }}
+  cancel-in-progress: true
+
+permissions: read-all
+
+jobs:
+  unit-tests:
+    name: Test coverage
+    uses: ./.github/workflows/run-unit-tests.yml
+    with:
+      coverage-report: true
+
+  sonarcloud:
+    name: SonarCloud
+    needs: unit-tests
+    runs-on: ubuntu-latest
+    steps:
+      - name: Run SonarCloud scan
+        uses: govuk-one-login/github-actions/code-quality/sonarcloud@145049ebd9a33e57da9a852847c4ee2c8970ea51
+        with:
+          coverage-artifact: ${{ needs.unit-tests.outputs.coverage-artifact }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          sonar-token: ${{ secrets.SONAR_TOKEN }}
+
+  codeql:
+    name: CodeQL
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+      - name: Run CodeQL scan
+        uses: govuk-one-login/github-actions/code-quality/codeql@145049ebd9a33e57da9a852847c4ee2c8970ea51
+        with:
+          languages: javascript