Revise Codacy workflow for CLI v2 and error handling #119
| # Codacy Security Scan (revised: replaced docker action with codacy-cli-v2 install+analyze) | |
| # - Uses codacy-cli-v2 installer to run analyze when the docker image pre-pull succeeds | |
| # Codacy security scan action usage and parameters, see | |
| # https://github.com/codacy/codacy-analysis-cli-action. | |
| # For more information on Codacy Analysis CLI in general, see | |
| # https://github.com/codacy/codacy-analysis-cli. | |
| name: Codacy Security Scan | |
| on: | |
| push: | |
| branches: [ "main" ] | |
| pull_request: | |
| branches: [ "main" ] | |
| schedule: | |
| - cron: '44 7 * * 0' | |
| permissions: | |
| contents: read | |
| jobs: | |
| codacy-security-scan: | |
| name: Codacy Security Scan | |
| runs-on: ubuntu-latest | |
| env: | |
| CLI_VERSION: "4.0.0" | |
| CODACY_PROJECT_TOKEN: ${{ secrets.CODACY_PROJECT_TOKEN }} | |
| MAX_PULL_RETRIES: "6" | |
| PULL_RETRY_BASE: "5" | |
| permissions: | |
| contents: read | |
| security-events: write | |
| actions: read | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Check for non-UTF-8 files | |
| run: | | |
| find . -type f -exec file --mime {} + | grep -v 'charset=utf-8' || true | |
| - name: Pre-pull Codacy CLI Docker image (with exponential backoff + jitter) | |
| run: | | |
| set -euo pipefail | |
| IMAGE="codacy/codacy-analysis-cli:${CLI_VERSION}" | |
| MAX_RETRIES=${MAX_PULL_RETRIES} | |
| RETRY_BASE=${PULL_RETRY_BASE} | |
| echo "CODACY_DOCKER_OK=false" >> $GITHUB_ENV | |
| for i in $(seq 1 $MAX_RETRIES); do | |
| echo "Attempt $i to pull $IMAGE" | |
| if docker pull "$IMAGE"; then | |
| echo "Successfully pulled $IMAGE" | |
| echo "CODACY_DOCKER_OK=true" >> $GITHUB_ENV | |
| break | |
| fi | |
| if [ "$i" -lt "$MAX_RETRIES" ]; then | |
| sleep_time=$(( RETRY_BASE * 2 ** (i - 1) )) | |
| jitter=$(( (RANDOM % 5) + 1 )) | |
| total_sleep=$(( sleep_time + jitter )) | |
| if [ "$total_sleep" -gt 300 ]; then | |
| total_sleep=300 | |
| fi | |
| echo "Failed to pull $IMAGE (attempt $i). Retrying in ${total_sleep}s..." | |
| sleep "$total_sleep" | |
| else | |
| echo "Failed to pull $IMAGE after $i attempts." | |
| fi | |
| done | |
| if [ "${CODACY_DOCKER_OK:-}" != "true" ]; then | |
| echo "::warning::Could not pull $IMAGE after $MAX_RETRIES attempts. Fallback will run." | |
| fi | |
| - name: Run Codacy CLI v2 (install & analyze) | |
| if: env.CODACY_DOCKER_OK == 'true' | |
| run: | | |
| set -euo pipefail | |
| echo "Installing codacy-cli-v2 via the official installer script" | |
| bash <(curl -Ls https://raw.githubusercontent.com/codacy/codacy-cli-v2/main/codacy-cli.sh) | |
| echo "Running codacy-cli analyze to produce SARIF (results.sarif)" | |
| if [ -n "${{ secrets.CODACY_PROJECT_TOKEN }}" ]; then | |
| TOKEN_ARG="--project-token ${{ secrets.CODACY_PROJECT_TOKEN }}" | |
| else | |
| TOKEN_ARG="" | |
| fi | |
| # Run analyze; keep non-zero exit from analysis from failing the job so SARIF upload can still run | |
| codacy-cli analyze --format sarif --output results.sarif ${TOKEN_ARG} --gh-code-scanning-compat --verbose || true | |
| - name: Run Codacy Analysis CLI (fallback binary/jar) | |
| if: env.CODACY_DOCKER_OK != 'true' | |
| env: | |
| CODACY_PROJECT_TOKEN: ${{ secrets.CODACY_PROJECT_TOKEN }} | |
| CLI_VERSION: ${{ env.CLI_VERSION }} | |
| run: | | |
| set -euo pipefail | |
| echo "Fallback: attempt to download Codacy Analysis CLI version ${CLI_VERSION}" | |
| ARCHIVE="codacy-analysis-cli-${CLI_VERSION}.zip" | |
| RELEASE_URL="https://github.com/codacy/codacy-analysis-cli/releases/download/${CLI_VERSION}/${ARCHIVE}" | |
| echo "Checking availability of ${RELEASE_URL}" | |
| if ! curl -fI -sS "$RELEASE_URL" >/dev/null 2>&1; then | |
| echo "Requested release ${CLI_VERSION} not available at ${RELEASE_URL}." | |
| echo "Attempting to determine latest release via GitHub API..." | |
| latest_tag=$(curl -sS "https://api.github.com/repos/codacy/codacy-analysis-cli/releases/latest" \ | |
| | grep -m1 '"tag_name"' | sed -E 's/.*"([^"]+)".*/\1/' || true) | |
| if [ -n "$latest_tag" ]; then | |
| echo "Found latest release tag: ${latest_tag}. Will try that instead." | |
| CLI_VERSION="$latest_tag" | |
| ARCHIVE="codacy-analysis-cli-${CLI_VERSION}.zip" | |
| RELEASE_URL="https://github.com/codacy/codacy-analysis-cli/releases/download/${CLI_VERSION}/${ARCHIVE}" | |
| if ! curl -fI -sS "$RELEASE_URL" >/dev/null 2>&1; then | |
| echo "::error::Latest release ${CLI_VERSION} does not expose ${ARCHIVE}. Aborting." | |
| exit 1 | |
| fi | |
| else | |
| echo "::error::Could not determine latest release via GitHub API. Aborting fallback." | |
| exit 1 | |
| fi | |
| fi | |
| echo "Downloading Codacy Analysis CLI ${CLI_VERSION} from ${RELEASE_URL}" | |
| curl -fSL "$RELEASE_URL" -o "$ARCHIVE" || { echo "::error::Failed to download ${RELEASE_URL}"; exit 1; } | |
| echo "Extracting ${ARCHIVE}" | |
| unzip -q "$ARCHIVE" | |
| if [ -x "./codacy-analysis-cli" ]; then | |
| CMD="./codacy-analysis-cli" | |
| elif ls codacy-analysis-cli-* 2>/dev/null | grep -q '\.jar$'; then | |
| JAR="$(ls codacy-analysis-cli-*.jar | head -n1)" | |
| CMD="java -jar ${JAR}" | |
| else | |
| echo "::error::Could not find the codacy CLI executable or jar after extracting ${ARCHIVE}" | |
| exit 1 | |
| fi | |
| echo "Running Codacy CLI fallback via: $CMD" | |
| if [ -n "${CODACY_PROJECT_TOKEN:-}" ]; then | |
| TOKEN_ARG="--project-token ${CODACY_PROJECT_TOKEN}" | |
| else | |
| TOKEN_ARG="" | |
| fi | |
| $CMD analyze --format sarif --output results.sarif ${TOKEN_ARG} --gh-code-scanning-compat --verbose || true | |
| - name: Upload SARIF results file | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: results.sarif |
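Review bot: The installer line `bash <(curl -Ls https://raw.githubusercontent.com/codacy/codacy-cli-v2/main/codacy-cli.sh)` in the "Run Codacy CLI v2" step executes whatever the `main` branch serves at run time, and without `-f` a 4xx/5xx error body is also handed to bash; pin the ref and fail on HTTP errors, e.g. `bash <(curl -fsSL "https://raw.githubusercontent.com/codacy/codacy-cli-v2/<PINNED_TAG_OR_SHA>/codacy-cli.sh")`, ideally verifying a known checksum of the script before running it. In the same step the token is spliced into the shell source via `${{ secrets.CODACY_PROJECT_TOKEN }}` even though the job-level `env:` already exports `CODACY_PROJECT_TOKEN`; the fallback step's form `if [ -n "${CODACY_PROJECT_TOKEN:-}" ]; then` / `TOKEN_ARG="--project-token ${CODACY_PROJECT_TOKEN}"` should be used here too so the secret only ever flows through the environment. Separately, `if: env.CODACY_DOCKER_OK == 'true'` gates the CLI v2 install on a successful pull of `codacy/codacy-analysis-cli`, but nothing in that step uses the pulled image, so the step is skipped on a docker failure that appears unrelated to it; a comment on the `if:` line explaining the intended coupling, or dropping the gate, would avoid confusion. The two `>> $GITHUB_ENV` redirections in the pre-pull step should also quote the variable: `>> "$GITHUB_ENV"`.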