fix workflow: remove github dependency + duplicate scan

2025-12-02 23:46:23 +08:00
parent b8422398f7
commit f3bf23e289
1 changed files with 41 additions and 50 deletions
--- a/.gitea/workflows/sonar-scan.yml
+++ b/.gitea/workflows/sonar-scan.yml
@@ -1,91 +1,82 @@
 name: SonarQube Code Quality Scan
+
 on:
  push:
    branches: [ main, develop ]
  pull_request:
    branches: [ main ]
+
 jobs:
  scan:
    runs-on: windowsx64
+
    steps:
+      # ============================
+      # STEP 1: Checkout from Gitea
+      # ============================
      - name: Checkout Code (Gitea Direct)
        run: |
          git clone https://git.we965.cn/learning/VectorDBDemo.git .
          git fetch --depth=0
          git checkout ${{ github.ref_name }}

+      # ============================
+      # STEP 2: Setup Sonar Scanner
+      # ============================
      - name: Add Sonar Scanner to PATH
        run: |
-          $scannerPath = "D:\Paths\sonar-scanner-cli\bin"
-          echo "$scannerPath" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8
+          echo "D:\Paths\sonar-scanner-cli\bin" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8

+      # ============================
+      # STEP 3: Check .NET SDK
+      # ============================
      - name: Verify .NET SDK (Local)
        run: |
          dotnet --list-sdks
          dotnet --version

+      # ============================
+      # STEP 4: Dependency Check (CVE)
+      # ============================
+      - name: Run OWASP Dependency Check
+        run: |
+          dependency-check.bat --project "VectorDBDemo" --scan "." --format "XML" --out "./depcheck"
+
+      # ============================
+      # STEP 5: Build .NET
+      # ============================
      - name: Build .NET Project
        run: |
          dotnet restore
          dotnet build --configuration Release

-      # 步骤2：SonarQube 扫描（含代码+依赖漏洞）
+      # ============================
+      # STEP 6: SonarQube Scan
+      # ============================
      - name: SonarQube Full Scan
        run: |
          dotnet tool install --global dotnet-sonarscanner
+
          dotnet sonarscanner begin `
-            /k:"${{ secrets.SONAR_TOKEN }}" `
+            /k:"vectordbdemo" `
            /d:sonar.host.url="http://127.0.0.1:9000" `
            /d:sonar.login="${{ secrets.SONAR_TOKEN }}" `
            /d:sonar.sources="./" `
-            /d:sonar.language="csharp" `
-            /d:sonar.exclusions="**/obj/**,**/bin/Debug/**" `
-            /d:sonar.dependencyCheck.enabled=true
-          dotnet build --configuration Release
-          dotnet sonarscanner end /d:sonar.login="${{ secrets.SONAR_TOKEN }}"
+            /d:sonar.exclusions="**/obj/**,**/bin/**" `
+            /d:sonar.dependencyCheck.xmlReportPath="depcheck/dependency-check-report.xml"

-      # 步骤3：拉取 SonarQube Blocker 级问题（PowerShell 脚本）
+          dotnet build --configuration Release
+
+          dotnet sonarscanner end `
+            /d:sonar.login="${{ secrets.SONAR_TOKEN }}"
+
+      # ============================
+      # STEP 7: Fetch Blocker Issues
+      # ============================
      - name: Fetch SonarQube Blocker Issues
        id: fetch_issues
        run: |
-          # SonarQube API 地址（获取 Blockeer 级问题）
-          $sonarApiUrl = "http://127.0.0.1:9000/api/issues/search?project=${{ secrets.SONAR_TOKEN }}&severities=BLOCKER&statuses=OPEN"
-          # 调用 API 拉取数据
-          $response = Invoke-RestMethod -Uri $sonarApiUrl -Headers @{
-            "Authorization" = "Bearer ${{ secrets.SONAR_API_TOKEN }}"
-          }
-          # 输出问题数量
-          Write-Host "发现 Blocker 级问题：$($response.total) 个"
-          # 将问题数据存入环境变量（供下一步使用）
-          $issuesJson = $response.issues | ConvertTo-Json -Compress
-          echo "ISSUES_JSON=$issuesJson" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
+          $projectKey = "vectordbdemo"
+          $sonarApiUrl = "http://127.0.0.1:9000/api/issues/search?projectKeys=$projectKey&severities=BLOCKER&statuses=OPEN"

-      # 步骤4：自动创建 Gitea Bug 议题
-      - name: Create Gitea Bug Issues
-        if: fromJson(env.ISSUES_JSON).Count -gt 0  # 有 Blocker 问题才执行
-        run: |
-          $issues = $env:ISSUES_JSON | ConvertFrom-Json
-          $giteaApiUrl = "https://git.we965.cn/api/v1/repos/learning/VectorDBDemo/issues"  # Gitea 仓库 API 地址
-          foreach ($issue in $issues) {
-            # 构造 Bug 内容（包含 SonarQube 问题详情）
-            $issueBody = @"
-          ## SonarQube Blocker 级问题自动创建
-          - **问题 ID**：$($issue.key)
-          - **问题类型**：$($issue.type)
-          - **影响文件**：$($issue.component -replace '.*:', '')
-          - **行号**：$($issue.line)
-          - **问题描述**：$($issue.message)
-          - **修复建议**：$($issue.actions.fixNewValue ?? '无明确修复建议，请查看 SonarQube 详情')
-          - **SonarQube 链接**：http://127.0.0.1:9000/project/issues?id=${{ secrets.SONAR_TOKEN }}&open=$($issue.key)
-          "@
-            # 调用 Gitea API 创建议题（标签设为 Bug）
-            Invoke-RestMethod -Uri $giteaApiUrl -Method Post -Headers @{
-              "Authorization" = "token ${{ secrets.GITEAAPITOKEN }}"
-              "Content-Type" = "application/json"
-            } -Body (@{
-              title = "[BUG] SonarQube Blocker: $($issue.message.Substring(0, [Math]::Min(50, $issue.message.Length)))"  # 标题截取前 50 字
-              body = $issueBody
-              labels = @("Bug")  # 自动添加 Bug 标签
-            } | ConvertTo-Json)
-            Write-Host "已创建 Gitea Bug：$($issue.key)"
-          }
+          $response = Invoke-R