fix workflow: remove github dependency + duplicate scan
Some checks failed
SonarQube Code Quality Scan / scan (push) Failing after 26s
Some checks failed
SonarQube Code Quality Scan / scan (push) Failing after 26s
This commit is contained in:
ShaoHua
@@ -8,20 +8,16 @@ on:
|
|||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
scan:
|
scan:
|
||||||
runs-on: windows-latest # 修正:原 windowsx64 不是官方支持的 runner 标签
|
runs-on: windows-latest
|
||||||
|
|
||||||
env:
|
env:
|
||||||
# 配置代理(根据你的网络环境修改,若无需代理可删除)
|
|
||||||
PROXY_HOST: 127.0.0.1
|
PROXY_HOST: 127.0.0.1
|
||||||
PROXY_PORT: 7890
|
PROXY_PORT: 7890
|
||||||
# Dependency-Check 配置
|
# 升级到 11.0.0 版本(适配 SAFETY 枚举值)
|
||||||
DC_VERSION: 10.0.3
|
DC_VERSION: 11.0.0
|
||||||
DC_OUTPUT: ./depcheck
|
DC_OUTPUT: ./depcheck
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
# ============================
|
|
||||||
# STEP 1: Checkout from Gitea
|
|
||||||
# ============================
|
|
||||||
- name: Checkout Code (Gitea Direct)
|
- name: Checkout Code (Gitea Direct)
|
||||||
run: |
|
run: |
|
||||||
git clone https://git.we965.cn/learning/VectorDBDemo.git .
|
git clone https://git.we965.cn/learning/VectorDBDemo.git .
|
||||||
@@ -29,74 +25,50 @@ jobs:
|
|||||||
git checkout ${{ github.ref_name }}
|
git checkout ${{ github.ref_name }}
|
||||||
shell: pwsh
|
shell: pwsh
|
||||||
|
|
||||||
# ============================
|
|
||||||
# STEP 2: Setup Sonar Scanner
|
|
||||||
# ============================
|
|
||||||
- name: Add Sonar Scanner to PATH
|
- name: Add Sonar Scanner to PATH
|
||||||
run: |
|
run: |
|
||||||
echo "D:\Paths\sonar-scanner-cli\bin" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8
|
echo "D:\Paths\sonar-scanner-cli\bin" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8
|
||||||
shell: pwsh
|
shell: pwsh
|
||||||
|
|
||||||
# ============================
|
|
||||||
# STEP 3: Check .NET SDK
|
|
||||||
# ============================
|
|
||||||
- name: Verify .NET SDK (Local)
|
- name: Verify .NET SDK (Local)
|
||||||
run: |
|
run: |
|
||||||
dotnet --list-sdks
|
dotnet --list-sdks
|
||||||
dotnet --version
|
dotnet --version
|
||||||
shell: pwsh
|
shell: pwsh
|
||||||
|
|
||||||
# ============================
|
|
||||||
# STEP 4: Install & Run OWASP Dependency Check
|
|
||||||
# ============================
|
|
||||||
- name: Install OWASP Dependency Check
|
- name: Install OWASP Dependency Check
|
||||||
run: |
|
run: |
|
||||||
# 下载指定版本的 Dependency-Check
|
# 下载 11.0.0 版本(修复 SAFETY 枚举问题)
|
||||||
Invoke-WebRequest -Uri "https://github.com/jeremylong/DependencyCheck/releases/download/v${env:DC_VERSION}/dependency-check-${env:DC_VERSION}-release.zip" -OutFile "dc.zip" -UseBasicParsing
|
Invoke-WebRequest -Uri "https://github.com/jeremylong/DependencyCheck/releases/download/v${env:DC_VERSION}/dependency-check-${env:DC_VERSION}-release.zip" -OutFile "dc.zip" -UseBasicParsing
|
||||||
# 解压并添加到 PATH
|
|
||||||
Expand-Archive -Path "dc.zip" -DestinationPath "./dc" -Force
|
Expand-Archive -Path "dc.zip" -DestinationPath "./dc" -Force
|
||||||
echo "$(Get-Location)/dc/dependency-check/bin" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
|
echo "$(Get-Location)/dc/dependency-check/bin" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
|
||||||
shell: pwsh
|
shell: pwsh
|
||||||
|
|
||||||
- name: Run OWASP Dependency Check
|
- name: Run OWASP Dependency Check
|
||||||
run: |
|
run: |
|
||||||
# 创建输出目录
|
|
||||||
New-Item -Path $env:DC_OUTPUT -ItemType Directory -Force
|
New-Item -Path $env:DC_OUTPUT -ItemType Directory -Force
|
||||||
# 运行 Dependency-Check,配置代理+禁用不必要的数据源(减少失败概率)
|
# 修正:移除参数前的空格,避免 PowerShell 语法错误
|
||||||
dependency-check.bat `
|
dependency-check.bat `
|
||||||
--project "VectorDBDemo" `
|
--project "VectorDBDemo" `
|
||||||
--scan "." `
|
--scan "." `
|
||||||
--format "XML" `
|
--format "XML" `
|
||||||
--out $env:DC_OUTPUT `
|
--out $env:DC_OUTPUT `
|
||||||
# 配置代理(关键:解决 RetireJS/NVD 下载问题)
|
|
||||||
-Dproxy.host=$env:PROXY_HOST `
|
-Dproxy.host=$env:PROXY_HOST `
|
||||||
-Dproxy.port=$env:PROXY_PORT `
|
-Dproxy.port=$env:PROXY_PORT `
|
||||||
# 可选:禁用暂时无法访问的数据源(若代理仍无法访问)
|
|
||||||
# -DdisableRetireJs=true `
|
|
||||||
# -DnvdApiEnabled=false `
|
|
||||||
# 增加超时时间
|
|
||||||
-DconnectionTimeout=30000 `
|
-DconnectionTimeout=30000 `
|
||||||
-DreadTimeout=30000
|
-DreadTimeout=30000
|
||||||
shell: pwsh
|
shell: pwsh
|
||||||
continue-on-error: false # 若 Dependency-Check 失败则终止流程
|
continue-on-error: false
|
||||||
|
|
||||||
# ============================
|
|
||||||
# STEP 5: Build .NET Project
|
|
||||||
# ============================
|
|
||||||
- name: Build .NET Project
|
- name: Build .NET Project
|
||||||
run: |
|
run: |
|
||||||
dotnet restore
|
dotnet restore
|
||||||
dotnet build --configuration Release --no-restore
|
dotnet build --configuration Release --no-restore
|
||||||
shell: pwsh
|
shell: pwsh
|
||||||
|
|
||||||
# ============================
|
|
||||||
# STEP 6: SonarQube Scan
|
|
||||||
# ============================
|
|
||||||
- name: SonarQube Full Scan
|
- name: SonarQube Full Scan
|
||||||
run: |
|
run: |
|
||||||
# 安装 SonarScanner for .NET
|
|
||||||
dotnet tool install --global dotnet-sonarscanner --no-cache
|
dotnet tool install --global dotnet-sonarscanner --no-cache
|
||||||
# 开始扫描
|
|
||||||
dotnet sonarscanner begin `
|
dotnet sonarscanner begin `
|
||||||
/k:"vectordbdemo" `
|
/k:"vectordbdemo" `
|
||||||
/d:sonar.host.url="http://127.0.0.1:9000" `
|
/d:sonar.host.url="http://127.0.0.1:9000" `
|
||||||
@@ -104,31 +76,22 @@ jobs:
|
|||||||
/d:sonar.sources="./" `
|
/d:sonar.sources="./" `
|
||||||
/d:sonar.exclusions="**/obj/**,**/bin/**,dc/**,depcheck/**" `
|
/d:sonar.exclusions="**/obj/**,**/bin/**,dc/**,depcheck/**" `
|
||||||
/d:sonar.dependencyCheck.xmlReportPath="${env:DC_OUTPUT}/dependency-check-report.xml" `
|
/d:sonar.dependencyCheck.xmlReportPath="${env:DC_OUTPUT}/dependency-check-report.xml" `
|
||||||
/d:sonar.cs.vscoveragexml.reportsPaths="**/*.coveragexml" `
|
|
||||||
/d:sonar.verbose=true
|
/d:sonar.verbose=true
|
||||||
# 重新构建(确保 Sonar 捕获构建信息)
|
|
||||||
dotnet build --configuration Release --no-restore
|
dotnet build --configuration Release --no-restore
|
||||||
# 结束扫描
|
|
||||||
dotnet sonarscanner end `
|
dotnet sonarscanner end `
|
||||||
/d:sonar.login="${{ secrets.SONAR_TOKEN }}"
|
/d:sonar.login="${{ secrets.SONAR_TOKEN }}"
|
||||||
shell: pwsh
|
shell: pwsh
|
||||||
|
|
||||||
# ============================
|
|
||||||
# STEP 7: Fetch Blocker Issues (补全代码)
|
|
||||||
# ============================
|
|
||||||
- name: Fetch SonarQube Blocker Issues
|
- name: Fetch SonarQube Blocker Issues
|
||||||
id: fetch_issues
|
id: fetch_issues
|
||||||
run: |
|
run: |
|
||||||
$projectKey = "vectordbdemo"
|
$projectKey = "vectordbdemo"
|
||||||
$sonarApiUrl = "http://127.0.0.1:9000/api/issues/search?projectKeys=$projectKey&severities=BLOCKER&statuses=OPEN"
|
$sonarApiUrl = "http://127.0.0.1:9000/api/issues/search?projectKeys=$projectKey&severities=BLOCKER&statuses=OPEN"
|
||||||
# 调用 SonarQube API 获取阻断级问题
|
|
||||||
$response = Invoke-RestMethod -Uri $sonarApiUrl -Headers @{
|
$response = Invoke-RestMethod -Uri $sonarApiUrl -Headers @{
|
||||||
"Authorization" = "Basic $([System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes("${{ secrets.SONAR_TOKEN }}:")))"
|
"Authorization" = "Basic $([System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes("${{ secrets.SONAR_TOKEN }}:")))"
|
||||||
} -Method Get
|
} -Method Get
|
||||||
# 输出问题数量
|
|
||||||
$blockerCount = $response.total
|
$blockerCount = $response.total
|
||||||
echo "blocker_issues_count=$blockerCount" | Out-File -FilePath $env:GITHUB_OUTPUT -Encoding utf8
|
echo "blocker_issues_count=$blockerCount" | Out-File -FilePath $env:GITHUB_OUTPUT -Encoding utf8
|
||||||
# 若有阻断级问题则输出详情并终止流程
|
|
||||||
if ($blockerCount -gt 0) {
|
if ($blockerCount -gt 0) {
|
||||||
Write-Error "Found $blockerCount Blocker issues in SonarQube"
|
Write-Error "Found $blockerCount Blocker issues in SonarQube"
|
||||||
exit 1
|
exit 1
|
||||||
|
|||||||
Reference in New Issue
Block a user