fix workflow: remove github dependency + duplicate scan
@@ -9,138 +9,74 @@ on:
|
|||||||
jobs:
|
jobs:
|
||||||
scan:
|
scan:
|
||||||
runs-on: windows-latest
|
runs-on: windows-latest
|
||||||
fail-fast: true
|
|
||||||
env:
|
env:
|
||||||
|
# PROXY_HOST: 127.0.0.1
|
||||||
|
# PROXY_PORT: 7890
|
||||||
DC_VERSION: 11.0.0
|
DC_VERSION: 11.0.0
|
||||||
DC_OUTPUT: ${{ github.workspace }}\depcheck
|
DC_OUTPUT: ./depcheck
|
||||||
SONAR_HOST_URL: http://127.0.0.1:9000
|
|
||||||
PROJECT_KEY: vectordbdemo
|
|
||||||
# 强制关闭所有代理(关键:避免代理残留导致网络问题)
|
|
||||||
HTTP_PROXY: ""
|
|
||||||
HTTPS_PROXY: ""
|
|
||||||
NO_PROXY: "*"
|
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
# 替换 GitHub 的 actions/checkout,改用 Gitea 原生的代码检出(核心修复)
|
- name: Checkout Code (Gitea Direct)
|
||||||
- name: Checkout Code (Gitea Native)
|
|
||||||
uses: gitea/checkout@v4 # 使用 Gitea 官方 checkout 组件,而非 GitHub 的
|
|
||||||
with:
|
|
||||||
fetch-depth: 0 # 保留完整提交历史,满足 SonarQube 分析
|
|
||||||
|
|
||||||
- name: 清理系统代理环境变量(确保无残留)
|
|
||||||
run: |
|
run: |
|
||||||
# 清空系统级代理变量
|
git clone https://git.we965.cn/learning/VectorDBDemo.git .
|
||||||
[Environment]::SetEnvironmentVariable("HTTP_PROXY", "", "Machine")
|
git fetch --depth=0
|
||||||
[Environment]::SetEnvironmentVariable("HTTPS_PROXY", "", "Machine")
|
git checkout ${{ github.ref_name }}
|
||||||
[Environment]::SetEnvironmentVariable("http_proxy", "", "User")
|
|
||||||
[Environment]::SetEnvironmentVariable("https_proxy", "", "User")
|
|
||||||
# 验证代理已关闭
|
|
||||||
Write-Host "HTTP_PROXY: $env:HTTP_PROXY"
|
|
||||||
Write-Host "HTTPS_PROXY: $env:HTTPS_PROXY"
|
|
||||||
shell: pwsh
|
shell: pwsh
|
||||||
|
|
||||||
- name: Add Sonar Scanner to PATH
|
- name: Add Sonar Scanner to PATH
|
||||||
run: |
|
run: |
|
||||||
$sonarScannerPath = "D:\Paths\sonar-scanner-cli\bin"
|
echo "D:\Paths\sonar-scanner-cli\bin" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8
|
||||||
if (-not (Test-Path $sonarScannerPath)) {
|
|
||||||
Write-Error "Sonar Scanner 路径不存在: $sonarScannerPath"
|
|
||||||
exit 1
|
|
||||||
}
|
|
||||||
echo "$sonarScannerPath" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8
|
|
||||||
shell: pwsh
|
|
||||||
|
|
||||||
- name: Verify .NET SDK
|
- name: Verify .NET SDK
|
||||||
run: |
|
run: |
|
||||||
dotnet --list-sdks
|
dotnet --list-sdks
|
||||||
dotnet --version
|
dotnet --version
|
||||||
if (-not (dotnet --list-sdks | Select-String -Pattern "8.0.")) {
|
|
||||||
Write-Error "未找到 .NET 8.0 SDK,请确认 Runner 环境配置"
|
|
||||||
exit 1
|
|
||||||
}
|
|
||||||
shell: pwsh
|
|
||||||
|
|
||||||
- name: Run OWASP Dependency Check
|
- name: Run OWASP Dependency Check
|
||||||
|
env:
|
||||||
|
# HTTP_PROXY: http://127.0.0.1:7890
|
||||||
|
# HTTPS_PROXY: http://127.0.0.1:7890
|
||||||
run: |
|
run: |
|
||||||
New-Item -Path $env:DC_OUTPUT -ItemType Directory -Force -ErrorAction Stop
|
New-Item -Path $env:DC_OUTPUT -ItemType Directory -Force
|
||||||
$depCheckPath = "D:\Paths\Gitea\dependency-check\bin\dependency-check.bat"
|
& "D:\Paths\Gitea\dependency-check\bin\dependency-check.bat" `
|
||||||
if (-not (Test-Path $depCheckPath)) {
|
--project "VectorDBDemo" `
|
||||||
Write-Error "Dependency Check 脚本不存在: $depCheckPath"
|
--scan "." `
|
||||||
exit 1
|
|
||||||
}
|
|
||||||
& $depCheckPath `
|
|
||||||
--project "${{ env.PROJECT_KEY }}" `
|
|
||||||
--scan "${{ github.workspace }}" `
|
|
||||||
--format "XML" `
|
--format "XML" `
|
||||||
--out "$env:DC_OUTPUT" `
|
--out "$env:DC_OUTPUT"
|
||||||
--failOnCVSS 9
|
|
||||||
if ($LASTEXITCODE -ne 0) {
|
|
||||||
Write-Error "OWASP 依赖检查失败"
|
|
||||||
exit 1
|
|
||||||
}
|
|
||||||
shell: pwsh
|
shell: pwsh
|
||||||
|
|
||||||
- name: Install dotnet-sonarscanner (本地源/无缓存)
|
|
||||||
run: |
|
|
||||||
# 禁用 NuGet 代理,改用本地/内网 NuGet 源(关键:避免访问 nuget.org 超时)
|
|
||||||
dotnet nuget remove source "nuget.org" -ErrorAction SilentlyContinue
|
|
||||||
# 替换为内网 NuGet 源(需根据你的环境配置)
|
|
||||||
dotnet nuget add source "http://your-internal-nuget-server/v3/index.json" -n "InternalNuGet" -p "true"
|
|
||||||
|
|
||||||
if (-not (dotnet tool list --global | Select-String -Pattern "dotnet-sonarscanner")) {
|
|
||||||
dotnet tool install --global dotnet-sonarscanner --no-cache
|
|
||||||
}
|
|
||||||
$sonarToolPath = [Environment]::GetEnvironmentVariable("PATH", "User")
|
|
||||||
echo "$sonarToolPath" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8
|
|
||||||
shell: pwsh
|
|
||||||
|
|
||||||
- name: Build .NET Project
|
- name: Build .NET Project
|
||||||
run: |
|
run: |
|
||||||
dotnet restore --verbosity minimal
|
dotnet restore
|
||||||
dotnet build --configuration Release --no-restore --verbosity minimal
|
dotnet build --configuration Release --no-restore
|
||||||
if ($LASTEXITCODE -ne 0) {
|
|
||||||
Write-Error ".NET 项目构建失败"
|
|
||||||
exit 1
|
|
||||||
}
|
|
||||||
shell: pwsh
|
|
||||||
|
|
||||||
- name: SonarQube Full Scan
|
- name: SonarQube Full Scan
|
||||||
run: |
|
run: |
|
||||||
|
dotnet tool install --global dotnet-sonarscanner --no-cache
|
||||||
dotnet sonarscanner begin `
|
dotnet sonarscanner begin `
|
||||||
/k:"${{ env.PROJECT_KEY }}" `
|
/k:"vectordbdemo" `
|
||||||
/d:sonar.host.url="${{ env.SONAR_HOST_URL }}" `
|
/d:sonar.host.url="http://127.0.0.1:9000" `
|
||||||
/d:sonar.login="${{ secrets.SONAR_TOKEN }}" `
|
/d:sonar.login="${{ secrets.SONAR_TOKEN }}" `
|
||||||
/d:sonar.sources="${{ github.workspace }}" `
|
/d:sonar.sources="./" `
|
||||||
/d:sonar.exclusions="**/obj/**,**/bin/**,${{ env.DC_OUTPUT }}/**" `
|
/d:sonar.exclusions="**/obj/**,**/bin/**,depcheck/**" `
|
||||||
/d:sonar.dependencyCheck.xmlReportPath="${{ env.DC_OUTPUT }}\dependency-check-report.xml" `
|
/d:sonar.dependencyCheck.xmlReportPath="$env:DC_OUTPUT\dependency-check-report.xml" `
|
||||||
/d:sonar.verbose=true
|
/d:sonar.verbose=true
|
||||||
dotnet build --configuration Release --no-restore --verbosity minimal
|
dotnet build --configuration Release --no-restore
|
||||||
dotnet sonarscanner end `/d:sonar.login="${{ secrets.SONAR_TOKEN }}"
|
dotnet sonarscanner end `
|
||||||
if ($LASTEXITCODE -ne 0) {
|
/d:sonar.login="${{ secrets.SONAR_TOKEN }}"
|
||||||
Write-Error "SonarQube 扫描失败"
|
|
||||||
exit 1
|
|
||||||
}
|
|
||||||
shell: pwsh
|
|
||||||
|
|
||||||
- name: Fetch SonarQube Blocker Issues
|
- name: Fetch SonarQube Blocker Issues
|
||||||
id: fetch_issues
|
id: fetch_issues
|
||||||
run: |
|
run: |
|
||||||
$sonarApiUrl = "${{ env.SONAR_HOST_URL }}/api/issues/search?componentKeys=${{ env.PROJECT_KEY }}&severities=BLOCKER&statuses=OPEN"
|
$projectKey = "vectordbdemo"
|
||||||
$authToken = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes("${{ secrets.SONAR_TOKEN }}:"))
|
$sonarApiUrl = "http://127.0.0.1:9000/api/issues/search?componentKeys=$projectKey&severities=BLOCKER&statuses=OPEN"
|
||||||
try {
|
$auth = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes("${{ secrets.SONAR_TOKEN }}:"))
|
||||||
$response = Invoke-RestMethod -Uri $sonarApiUrl `
|
$response = Invoke-RestMethod -Uri $sonarApiUrl -Headers @{ Authorization = "Basic $auth" }
|
||||||
-Headers @{ Authorization = "Basic $authToken" } `
|
$blockerCount = $response.total
|
||||||
-Method Get `
|
echo "blocker_issues_count=$blockerCount" | Out-File -FilePath $env:GITHUB_OUTPUT -Encoding utf8
|
||||||
-TimeoutSec 30
|
if ($blockerCount -gt 0) {
|
||||||
$blockerCount = $response.total
|
Write-Error "Found $blockerCount Blocker issues in SonarQube"
|
||||||
echo "blocker_issues_count=$blockerCount" | Out-File -FilePath $env:GITHUB_OUTPUT -Encoding utf8
|
|
||||||
if ($blockerCount -gt 0) {
|
|
||||||
Write-Error "SonarQube 检测到 $blockerCount 个阻塞级问题,工作流终止"
|
|
||||||
exit 1
|
|
||||||
} else {
|
|
||||||
Write-Host "✅ SonarQube 无阻塞级问题"
|
|
||||||
}
|
|
||||||
} catch {
|
|
||||||
Write-Error "调用 SonarQube API 失败: $_"
|
|
||||||
exit 1
|
exit 1
|
||||||
}
|
}
|
||||||
shell: pwsh
|
|
||||||
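Review bot: The rewritten "Run OWASP Dependency Check" step drops both the `--failOnCVSS 9` argument and the `if ($LASTEXITCODE -ne 0) { exit 1 }` guard that followed the scanner call, so a scan that reports critical-severity findings, or that exits non-zero part-way through the step, no longer fails the job on its own; the later `dotnet sonarscanner begin` only reads the XML report path, so a missing or partial report would presumably pass through unnoticed. I would keep the gate by ending the call with `--out "$env:DC_OUTPUT" `` ` `` followed by `--failOnCVSS 9` and re-adding `if ($LASTEXITCODE -ne 0) { exit 1 }` after it; the same `$LASTEXITCODE` guard was also removed after `dotnet build` in the "Build .NET Project" and "SonarQube Full Scan" steps, where pwsh does not stop on a native command's non-zero exit by default. Separately, `git checkout ${{ github.ref_name }}` in the checkout step expands the ref name straight into the pwsh script text; exporting it through the step's `env:` and referencing `$env:REF_NAME` keeps context values out of the script body, which is the documented mitigation for expression injection. Finally, `echo "D:\Paths\sonar-scanner-cli\bin" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8` replaces the runner's PATH-additions file rather than appending to it; `Add-Content` (or `Out-File -Append`) is the form that accumulates entries across steps.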