ci(GitHub): fix permissions for Detekt sarif report uploading #34
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build | |
| on: | |
| pull_request: | |
| paths-ignore: | |
| - '**-check.yml' | |
| - '**-submission.yml' | |
| - '**-validation.yml' | |
| - '**.*ignore' | |
| - '**.md' | |
| - '**.txt' | |
| - '**benchmark.yml' | |
| - '**dependabot.yml' | |
| push: | |
| paths-ignore: | |
| - '**-check.yml' | |
| - '**-submission.yml' | |
| - '**-validation.yml' | |
| - '**.*ignore' | |
| - '**.md' | |
| - '**.txt' | |
| - '**benchmark.yml' | |
| - '**dependabot.yml' | |
| env: | |
| CI: true | |
| BUILD_NUMBER: ${{ github.run_number }} | |
| SCM_TAG: ${{ github.sha }} | |
| GRADLE_OPTS: "-Dorg.gradle.daemon=false" | |
| jobs: | |
| buildAndCheck: | |
| name: 'Build and check' | |
| timeout-minutes: 25 | |
| runs-on: 'macos-latest' | |
| if: ${{ !contains(github.event.head_commit.message, 'ci skip') }} | |
| permissions: | |
| contents: read | |
| security-events: write | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 | |
| with: | |
| disable-sudo: true | |
| egress-policy: audit | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: 'Set up JDK 21' | |
| uses: actions/setup-java@v3 | |
| with: | |
| distribution: 'temurin' | |
| java-version: '21' | |
| - name: Setup Gradle | |
| uses: gradle/gradle-build-action@v2 | |
| with: | |
| gradle-home-cache-cleanup: true | |
| cache-read-only: ${{ (github.ref != 'refs/heads/main' && github.ref != 'refs/heads/dev') }} | |
| dependency-graph: generate-and-submit | |
| - name: 'Build and check plugin itself' | |
| run: ./gradlew build assemble check --continue --stacktrace --scan | |
| - name: Upload sarif report (Detekt) | |
| if: (success() || failure()) && (github.event_name == 'pull_request' || github.ref == 'refs/heads/main' || github.ref == 'refs/heads/dev') | |
| uses: github/codeql-action/upload-sarif@v2 | |
| continue-on-error: true | |
| with: | |
| sarif_file: fluxo-kmp-conf/build/reports/detekt/detekt.sarif | |
| category: detekt | |
| - name: 'Run check-main' | |
| working-directory: checks/main | |
| run: ./gradlew build assemble check --continue --stacktrace --scan | |
| - name: "Add build scan URL as PR comment" | |
| uses: actions/github-script@v6 | |
| if: github.event_name == 'pull_request' && failure() | |
| with: | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| script: | | |
| github.rest.issues.createComment({ | |
| issue_number: context.issue.number, | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| body: '❌ ${{ github.workflow }} failed: ${{ steps.gradle.outputs.build-scan-url }}' | |
| }) |