Analyze Repository with Jacoco and SonarQube #178
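---
name: Analyze Repository with Jacoco and SonarQube

# Least privilege: checkout only reads the repo, and nothing below writes
# commits, releases, or caches through the API, or exchanges an OIDC token.
# Superseded runs are cancelled by the native `concurrency` block, so the
# `actions: write` grant that cancel-workflow-action needed is gone.
permissions:
  contents: read

on:
  schedule:
    - cron: '19 7 * * *'  # Daily at 7:19 AM UTC
  workflow_dispatch:

# One run per workflow and ref at a time: a newly queued run cancels the one
# still in flight. This is GitHub's built-in replacement for
# styfle/cancel-workflow-action and needs no token or extra permission.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

env:
  # GitHub deprecated Node 20 actions on 2025-09-19; default flips to
  # Node 24 on 2026-06-16. Opt in early so a default change never silently
  # breaks this workflow.
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: 'true'
  # NOTE(review): no `run` step in this job invokes `gh`, yet this token is
  # visible to every step, including third-party actions. Kept for
  # compatibility; if nothing implicit depends on it, drop it or scope it to
  # the one step that needs it — TODO confirm.
  GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

jobs:
  analyze:
    name: analysis
    runs-on: self-hosted
    timeout-minutes: 180
    # NOTE(review): third-party actions below are pinned to mutable tags
    # (@v4, @v2). Pinning each to a full commit SHA, with the tag kept as a
    # trailing comment, removes the tag-retarget risk.
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          # Full history is kept (presumably for SonarQube's SCM data —
          # TODO confirm); nothing in this job pushes.
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}
          # Do not leave the token in .git/config where the Gradle build and
          # its plugins could read it; on a self-hosted runner the workspace
          # also outlives the job.
          persist-credentials: false

      - name: Check if Nix is installed
        id: check_nix
        # Published as a step output so the result is read through the
        # step id declared above instead of a job-wide env var.
        run: |
          if command -v nix >/dev/null 2>&1; then
            echo "nix is installed"
            echo "nix_installed=true" >> "$GITHUB_OUTPUT"
          else
            echo "nix is not installed"
            echo "nix_installed=false" >> "$GITHUB_OUTPUT"
          fi

      - name: Install Flox
        # Every later build step runs under `flox activate`, so this presumes
        # flox is already present wherever nix is — TODO confirm.
        if: steps.check_nix.outputs.nix_installed == 'false'
        uses: flox/install-flox-action@v2

      - name: Create google-services.json
        env:
          GOOGLE_SERVICES_JSON: ${{ secrets.GOOGLE_SERVICES_JSON }}
        # Fail here with a clear message instead of writing an empty file
        # and letting the Gradle build fail later for an obscure reason.
        # printf keeps backslash sequences in the JSON literal, which
        # `echo` may interpret under some shells.
        run: |
          if [ -z "$GOOGLE_SERVICES_JSON" ]; then
            echo "::error::GOOGLE_SERVICES_JSON secret is empty or missing"
            exit 1
          fi
          printf '%s\n' "$GOOGLE_SERVICES_JSON" > app/google-services.json
          echo "google-services.json created successfully"

      - name: Cache Gradle packages
        uses: actions/cache@v4
        with:
          # Exclude ~/.gradle/caches/build-cache-1 (Gradle's task-output build
          # cache) — it ballooned the stage-branch entry to ~26 GB.
          path: |
            ~/.gradle/caches/modules-2
            ~/.gradle/caches/jars-*
            ~/.gradle/caches/transforms-*
            ~/.gradle/wrapper
          key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle', '**/*.gradle.kts', '**/gradle-wrapper.properties', '**/libs.versions.toml') }}
          restore-keys: |
            ${{ runner.os }}-gradle-

      - name: Assemble V8 Debug
        env:
          # Build-time secrets consumed by the Gradle build (Sentry plugin,
          # Firebase config). Scoped to this step so SonarCloud and other
          # third-party actions never see them.
          FIREBASE_CONSOLE_URL: ${{ secrets.FIREBASE_CONSOLE_URL }}
          SENTRY_DSN_DEBUG: ${{ secrets.SENTRY_DSN_DEBUG }}
        # gradle_time_start/end are exported but no later step in this
        # workflow reads them; they only serve as timestamps in the log.
        run: |
          echo "gradle_time_start=$(date +%s)" >> "$GITHUB_ENV"
          flox activate -d flox/base -- ./gradlew :app:assembleV8Debug --no-daemon
          echo "gradle_time_end=$(date +%s)" >> "$GITHUB_ENV"

      - name: Cache SonarQube packages
        uses: actions/cache@v4
        with:
          path: ~/.sonar/cache
          # Branch-scoped + content-hashed so the key rolls over and old
          # entries age out under GitHub's 7-day LRU instead of pinning forever.
          key: ${{ runner.os }}-sonar-${{ github.ref_name }}-${{ hashFiles('**/*.gradle', '**/*.gradle.kts', '**/libs.versions.toml') }}
          restore-keys: |
            ${{ runner.os }}-sonar-${{ github.ref_name }}-
            ${{ runner.os }}-sonar-

      - name: Build and analyze
        timeout-minutes: 60
        env:
          GRADLE_OPTS: "-Xmx10g -XX:MaxMetaspaceSize=512m"
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          # The Gradle build also drives Sentry/Firebase configuration during
          # the unit-test compile path.
          FIREBASE_CONSOLE_URL: ${{ secrets.FIREBASE_CONSOLE_URL }}
          SENTRY_DSN_DEBUG: ${{ secrets.SENTRY_DSN_DEBUG }}
        # Folded scalar: runs as one command line, just split for readability.
        run: >-
          flox activate -d flox/base --
          ./gradlew :testing:tooling:assemble :testing:common:assemble sonarqube
          --info --no-build-cache -x lint --continue

      - name: Upload JaCoCo report
        # Coverage data is written even when :sonarqube fails (e.g. a bad
        # SONAR_TOKEN) -- keep the artifact recoverable from any outcome.
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: jacoco-report
          path: build/reports/jacoco/jacocoAggregateReport/
          retention-days: 7

      - name: Cleanup google-services.json
        # Runs on every outcome so the Firebase config never lingers in the
        # self-hosted runner's workspace.
        if: always()
        run: |
          rm -f app/google-services.json
          echo "google-services.json cleaned up successfully"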