fix workflow: remove github dependency + duplicate scan
@@ -8,136 +8,70 @@ on:
|
|||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
scan:
|
scan:
|
||||||
runs-on: windows-latest
|
runs-on: self-hosted
|
||||||
timeout-minutes: 30 # 延长超时时间,适配依赖下载/扫描
|
|
||||||
|
|
||||||
env:
|
env:
|
||||||
PROXY_HOST: 127.0.0.1
|
PROXY_HOST: 127.0.0.1
|
||||||
PROXY_PORT: 7890
|
PROXY_PORT: 7890
|
||||||
DC_VERSION: 11.0.0
|
DC_VERSION: 11.0.0
|
||||||
DC_OUTPUT: ./depcheck
|
DC_OUTPUT: ./depcheck
|
||||||
SONAR_HOST: http://127.0.0.1:9000
|
|
||||||
PROJECT_KEY: vectordbdemo
|
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: Set Global Proxy (PowerShell)
|
- name: Checkout Code (Gitea)
|
||||||
run: |
|
uses: actions/checkout@v4
|
||||||
# 全局配置代理,适配所有网络请求
|
|
||||||
[Environment]::SetEnvironmentVariable("HTTP_PROXY", "http://$env:PROXY_HOST:$env:PROXY_PORT", "Process")
|
|
||||||
[Environment]::SetEnvironmentVariable("HTTPS_PROXY", "http://$env:PROXY_HOST:$env:PROXY_PORT", "Process")
|
|
||||||
[Environment]::SetEnvironmentVariable("NO_PROXY", "localhost,127.0.0.1", "Process")
|
|
||||||
shell: pwsh
|
|
||||||
|
|
||||||
- name: Checkout Code (适配 PR/Push 场景)
|
|
||||||
run: |
|
|
||||||
git clone https://git.we965.cn/learning/VectorDBDemo.git .
|
|
||||||
git fetch --depth=0
|
|
||||||
# 适配 PR 触发时的 ref 格式(refs/pull/<num>/merge)
|
|
||||||
$ref = "${{ github.ref }}" -replace 'refs/heads/','' -replace 'refs/pull/(\d+)/merge','pull/$1/head'
|
|
||||||
git checkout $ref
|
|
||||||
shell: pwsh
|
|
||||||
|
|
||||||
- name: Add Sonar Scanner to PATH
|
- name: Add Sonar Scanner to PATH
|
||||||
run: |
|
run: |
|
||||||
$sonarPath = "D:\Paths\sonar-scanner-cli\bin"
|
echo "D:\Paths\sonar-scanner-cli\bin" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8
|
||||||
if (-not (Test-Path $sonarPath)) {
|
|
||||||
Write-Error "Sonar Scanner 路径不存在: $sonarPath"
|
|
||||||
exit 1
|
|
||||||
}
|
|
||||||
echo $sonarPath | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8
|
|
||||||
shell: pwsh
|
|
||||||
|
|
||||||
- name: Verify .NET SDK
|
- name: Verify .NET SDK
|
||||||
run: |
|
run: |
|
||||||
dotnet --list-sdks
|
dotnet --list-sdks
|
||||||
$dotnetVersion = dotnet --version
|
dotnet --version
|
||||||
echo "使用 .NET SDK 版本: $dotnetVersion"
|
|
||||||
shell: pwsh
|
|
||||||
|
|
||||||
- name: Run OWASP Dependency Check
|
- name: Run OWASP Dependency Check
|
||||||
run: |
|
run: |
|
||||||
# 确保输出目录存在,处理路径空格
|
New-Item -Path $env:DC_OUTPUT -ItemType Directory -Force
|
||||||
$dcOutput = Resolve-Path $env:DC_OUTPUT -ErrorAction SilentlyContinue
|
"D:\Paths\Gitea\dependency-check\bin\dependency-check.bat" `
|
||||||
if (-not $dcOutput) { New-Item -Path $env:DC_OUTPUT -ItemType Directory -Force | Out-Null }
|
--project "VectorDBDemo" `
|
||||||
|
--scan "." `
|
||||||
$dcBatPath = "D:\Paths\Gitea\dependency-check\bin\dependency-check.bat"
|
--format "XML" `
|
||||||
if (-not (Test-Path $dcBatPath)) {
|
--out "$env:DC_OUTPUT" `
|
||||||
Write-Error "Dependency Check 脚本不存在: $dcBatPath"
|
-Dproxy.host=$env:PROXY_HOST `
|
||||||
exit 1
|
-Dproxy.port=$env:PROXY_PORT `
|
||||||
}
|
-DconnectionTimeout=30000 `
|
||||||
|
-DreadTimeout=30000
|
||||||
# 核心修复:用 & 显式调用 bat 文件,行继续符后无多余空格
|
|
||||||
& $dcBatPath `
|
|
||||||
--project "VectorDBDemo" `
|
|
||||||
--scan "." `
|
|
||||||
--format "XML" `
|
|
||||||
--out $env:DC_OUTPUT `
|
|
||||||
-Dproxy.host=$env:PROXY_HOST `
|
|
||||||
-Dproxy.port=$env:PROXY_PORT `
|
|
||||||
-DconnectionTimeout=60000 `
|
|
||||||
-DreadTimeout=60000 `
|
|
||||||
-Dproxy.type=HTTP
|
|
||||||
|
|
||||||
# 校验报告是否生成
|
|
||||||
$reportPath = Join-Path $env:DC_OUTPUT "dependency-check-report.xml"
|
|
||||||
if (-not (Test-Path $reportPath)) {
|
|
||||||
Write-Error "OWASP 依赖检查报告未生成: $reportPath"
|
|
||||||
exit 1
|
|
||||||
}
|
|
||||||
shell: pwsh
|
|
||||||
continue-on-error: false
|
|
||||||
|
|
||||||
- name: Build .NET Project
|
- name: Build .NET Project
|
||||||
run: |
|
run: |
|
||||||
dotnet restore --verbosity normal
|
dotnet restore
|
||||||
dotnet build --configuration Release --no-restore --verbosity normal
|
dotnet build --configuration Release --no-restore
|
||||||
shell: pwsh
|
|
||||||
|
|
||||||
- name: SonarQube Full Scan
|
- name: SonarQube Full Scan
|
||||||
run: |
|
run: |
|
||||||
# 安装 Sonar Scanner(忽略已安装)
|
dotnet tool install --global dotnet-sonarscanner --no-cache
|
||||||
dotnet tool install --global dotnet-sonarscanner --no-cache --ignore-failed-sources
|
|
||||||
|
|
||||||
# 开始 Sonar 扫描(传递代理参数)
|
|
||||||
dotnet sonarscanner begin `
|
dotnet sonarscanner begin `
|
||||||
/k:"$env:PROJECT_KEY" `
|
/k:"vectordbdemo" `
|
||||||
/d:sonar.host.url="$env:SONAR_HOST" `
|
/d:sonar.host.url="http://127.0.0.1:9000" `
|
||||||
/d:sonar.login="${{ secrets.SONAR_TOKEN }}" `
|
/d:sonar.login="${{ secrets.SONAR_TOKEN }}" `
|
||||||
/d:sonar.sources="./" `
|
/d:sonar.sources="./" `
|
||||||
/d:sonar.exclusions="**/obj/**,**/bin/**,dc/**,depcheck/**" `
|
/d:sonar.exclusions="**/obj/**,**/bin/**,depcheck/**" `
|
||||||
/d:sonar.dependencyCheck.xmlReportPath="$((Resolve-Path $env:DC_OUTPUT).Path)\dependency-check-report.xml" `
|
/d:sonar.dependencyCheck.xmlReportPath="$env:DC_OUTPUT\dependency-check-report.xml" `
|
||||||
/d:sonar.verbose=true `
|
/d:sonar.verbose=true
|
||||||
/d:http.proxyHost=$env:PROXY_HOST `
|
|
||||||
/d:http.proxyPort=$env:PROXY_PORT `
|
|
||||||
/d:https.proxyHost=$env:PROXY_HOST `
|
|
||||||
/d:https.proxyPort=$env:PROXY_PORT
|
|
||||||
|
|
||||||
dotnet build --configuration Release --no-restore
|
dotnet build --configuration Release --no-restore
|
||||||
dotnet sonarscanner end /d:sonar.login="${{ secrets.SONAR_TOKEN }}"
|
dotnet sonarscanner end `
|
||||||
shell: pwsh
|
/d:sonar.login="${{ secrets.SONAR_TOKEN }}"
|
||||||
|
|
||||||
- name: Fetch SonarQube Blocker Issues
|
- name: Fetch SonarQube Blocker Issues
|
||||||
id: fetch_issues
|
id: fetch_issues
|
||||||
run: |
|
run: |
|
||||||
$sonarApiUrl = "$env:SONAR_HOST/api/issues/search?projectKeys=$env:PROJECT_KEY&severities=BLOCKER&statuses=OPEN"
|
$projectKey = "vectordbdemo"
|
||||||
$headers = @{
|
$sonarApiUrl = "http://127.0.0.1:9000/api/issues/search?componentKeys=$projectKey&severities=BLOCKER&statuses=OPEN"
|
||||||
"Authorization" = "Basic $([System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes("${{ secrets.SONAR_TOKEN }}:")))"
|
$auth = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes("${{ secrets.SONAR_TOKEN }}:"))
|
||||||
}
|
$response = Invoke-RestMethod -Uri $sonarApiUrl -Headers @{ Authorization = "Basic $auth" }
|
||||||
|
$blockerCount = $response.total
|
||||||
try {
|
echo "blocker_issues_count=$blockerCount" | Out-File -FilePath $env:GITHUB_OUTPUT -Encoding utf8
|
||||||
# 增加 API 请求超时,重试机制
|
if ($blockerCount -gt 0) {
|
||||||
$response = Invoke-RestMethod -Uri $sonarApiUrl -Headers $headers -Method Get -TimeoutSec 30 -MaximumRetryCount 2 -RetryIntervalSec 5
|
Write-Error "Found $blockerCount Blocker issues in SonarQube"
|
||||||
$blockerCount = $response.total
|
|
||||||
echo "blocker_issues_count=$blockerCount" | Out-File -FilePath $env:GITHUB_OUTPUT -Encoding utf8
|
|
||||||
|
|
||||||
if ($blockerCount -gt 0) {
|
|
||||||
Write-Error "SonarQube 检测到 $blockerCount 个 BLOCKER 级别的问题"
|
|
||||||
exit 1
|
|
||||||
} else {
|
|
||||||
Write-Host "✅ 未检测到 BLOCKER 级别的 SonarQube 问题"
|
|
||||||
}
|
|
||||||
} catch {
|
|
||||||
Write-Error "获取 SonarQube 问题失败: $_"
|
|
||||||
exit 1
|
exit 1
|
||||||
}
|
}
|
||||||
shell: pwsh
|
|
||||||
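Review bot: Reading the right-hand column as the new side, the Dependency Check step now opens with the bare string `"D:\Paths\Gitea\dependency-check\bin\dependency-check.bat" \``, which PowerShell parses as an expression rather than a command invocation, so the `--project ...` arguments that follow are a parse error; the old side's own comment records that `& $dcBatPath \`` was the fix for exactly this, and that call form should be kept. The same step also drops the `Test-Path` check on the generated report, so if the scan aborts or writes nothing (how the runner propagates `$LASTEXITCODE` from the .bat call is not visible here) the SonarQube step still runs with `sonar.dependencyCheck.xmlReportPath` pointing at a missing file and the vulnerability findings are silently absent — re-add `if (-not (Test-Path "$env:DC_OUTPUT\dependency-check-report.xml")) { Write-Error "dependency-check report missing"; exit 1 }` after the call. Removing `timeout-minutes: 30` while moving to `runs-on: self-hosted` means an NVD download that stalls behind the proxy ties up the runner indefinitely; keep a bound on the job. Separately, `${{ secrets.SONAR_TOKEN }}` is expanded into the script text of the SonarQube and Fetch steps (this predates the commit); passing it as a step `env:` entry and reading `$env:SONAR_TOKEN` keeps the token out of the generated script and any echoed command lines.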