diff --git a/.gitea/workflows/sonar-scan.yml b/.gitea/workflows/sonar-scan.yml index ca651a9..35e962c 100644 --- a/.gitea/workflows/sonar-scan.yml +++ b/.gitea/workflows/sonar-scan.yml @@ -9,83 +9,135 @@ on: jobs: scan: runs-on: windows-latest + timeout-minutes: 30 # 延长超时时间,适配依赖下载/扫描 env: PROXY_HOST: 127.0.0.1 PROXY_PORT: 7890 - # 升级到 11.0.0 版本(适配 SAFETY 枚举值) DC_VERSION: 11.0.0 DC_OUTPUT: ./depcheck + SONAR_HOST: http://127.0.0.1:9000 + PROJECT_KEY: vectordbdemo steps: - - name: Checkout Code (Gitea Direct) + - name: Set Global Proxy (PowerShell) + run: | + # 全局配置代理,适配所有网络请求 + [Environment]::SetEnvironmentVariable("HTTP_PROXY", "http://$env:PROXY_HOST:$env:PROXY_PORT", "Process") + [Environment]::SetEnvironmentVariable("HTTPS_PROXY", "http://$env:PROXY_HOST:$env:PROXY_PORT", "Process") + [Environment]::SetEnvironmentVariable("NO_PROXY", "localhost,127.0.0.1", "Process") + shell: pwsh + + - name: Checkout Code (适配 PR/Push 场景) run: | git clone https://git.we965.cn/learning/VectorDBDemo.git . git fetch --depth=0 - git checkout ${{ github.ref_name }} + # 适配 PR 触发时的 ref 格式(refs/pull//merge) + $ref = "${{ github.ref }}" -replace 'refs/heads/','' -replace 'refs/pull/(\d+)/merge','pull/$1/head' + git checkout $ref shell: pwsh - name: Add Sonar Scanner to PATH run: | - echo "D:\Paths\sonar-scanner-cli\bin" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 + $sonarPath = "D:\Paths\sonar-scanner-cli\bin" + if (-not (Test-Path $sonarPath)) { + Write-Error "Sonar Scanner 路径不存在: $sonarPath" + exit 1 + } + echo $sonarPath | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 shell: pwsh - - name: Verify .NET SDK (Local) + - name: Verify .NET SDK run: | dotnet --list-sdks - dotnet --version + $dotnetVersion = dotnet --version + echo "使用 .NET SDK 版本: $dotnetVersion" shell: pwsh - name: Run OWASP Dependency Check run: | - New-Item -Path $env:DC_OUTPUT -ItemType Directory -Force - # 修正:移除参数前的空格,避免 PowerShell 语法错误 - "D:\Paths\Gitea\dependency-check\bin\dependency-check.bat" ` - --project "VectorDBDemo" ` - --scan "." ` - --format "XML" ` - --out $env:DC_OUTPUT ` - -Dproxy.host=$env:PROXY_HOST ` - -Dproxy.port=$env:PROXY_PORT ` - -DconnectionTimeout=30000 ` - -DreadTimeout=30000 + # 确保输出目录存在,处理路径空格 + $dcOutput = Resolve-Path $env:DC_OUTPUT -ErrorAction SilentlyContinue + if (-not $dcOutput) { New-Item -Path $env:DC_OUTPUT -ItemType Directory -Force | Out-Null } + + $dcBatPath = "D:\Paths\Gitea\dependency-check\bin\dependency-check.bat" + if (-not (Test-Path $dcBatPath)) { + Write-Error "Dependency Check 脚本不存在: $dcBatPath" + exit 1 + } + + # 核心修复:用 & 显式调用 bat 文件,行继续符后无多余空格 + & $dcBatPath ` + --project "VectorDBDemo" ` + --scan "." ` + --format "XML" ` + --out $env:DC_OUTPUT ` + -Dproxy.host=$env:PROXY_HOST ` + -Dproxy.port=$env:PROXY_PORT ` + -DconnectionTimeout=60000 ` + -DreadTimeout=60000 ` + -Dproxy.type=HTTP + + # 校验报告是否生成 + $reportPath = Join-Path $env:DC_OUTPUT "dependency-check-report.xml" + if (-not (Test-Path $reportPath)) { + Write-Error "OWASP 依赖检查报告未生成: $reportPath" + exit 1 + } shell: pwsh continue-on-error: false - name: Build .NET Project run: | - dotnet restore - dotnet build --configuration Release --no-restore + dotnet restore --verbosity normal + dotnet build --configuration Release --no-restore --verbosity normal shell: pwsh - name: SonarQube Full Scan run: | - dotnet tool install --global dotnet-sonarscanner --no-cache + # 安装 Sonar Scanner(忽略已安装) + dotnet tool install --global dotnet-sonarscanner --no-cache --ignore-failed-sources + + # 开始 Sonar 扫描(传递代理参数) dotnet sonarscanner begin ` - /k:"vectordbdemo" ` - /d:sonar.host.url="http://127.0.0.1:9000" ` - /d:sonar.login="${{ secrets.SONAR_TOKEN }}" ` - /d:sonar.sources="./" ` - /d:sonar.exclusions="**/obj/**,**/bin/**,dc/**,depcheck/**" ` - /d:sonar.dependencyCheck.xmlReportPath="${env:DC_OUTPUT}/dependency-check-report.xml" ` - /d:sonar.verbose=true + /k:"$env:PROJECT_KEY" ` + /d:sonar.host.url="$env:SONAR_HOST" ` + /d:sonar.login="${{ secrets.SONAR_TOKEN }}" ` + /d:sonar.sources="./" ` + /d:sonar.exclusions="**/obj/**,**/bin/**,dc/**,depcheck/**" ` + /d:sonar.dependencyCheck.xmlReportPath="$((Resolve-Path $env:DC_OUTPUT).Path)\dependency-check-report.xml" ` + /d:sonar.verbose=true ` + /d:http.proxyHost=$env:PROXY_HOST ` + /d:http.proxyPort=$env:PROXY_PORT ` + /d:https.proxyHost=$env:PROXY_HOST ` + /d:https.proxyPort=$env:PROXY_PORT + dotnet build --configuration Release --no-restore - dotnet sonarscanner end ` - /d:sonar.login="${{ secrets.SONAR_TOKEN }}" + dotnet sonarscanner end /d:sonar.login="${{ secrets.SONAR_TOKEN }}" shell: pwsh - name: Fetch SonarQube Blocker Issues id: fetch_issues run: | - $projectKey = "vectordbdemo" - $sonarApiUrl = "http://127.0.0.1:9000/api/issues/search?projectKeys=$projectKey&severities=BLOCKER&statuses=OPEN" - $response = Invoke-RestMethod -Uri $sonarApiUrl -Headers @{ + $sonarApiUrl = "$env:SONAR_HOST/api/issues/search?projectKeys=$env:PROJECT_KEY&severities=BLOCKER&statuses=OPEN" + $headers = @{ "Authorization" = "Basic $([System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes("${{ secrets.SONAR_TOKEN }}:")))" - } -Method Get - $blockerCount = $response.total - echo "blocker_issues_count=$blockerCount" | Out-File -FilePath $env:GITHUB_OUTPUT -Encoding utf8 - if ($blockerCount -gt 0) { - Write-Error "Found $blockerCount Blocker issues in SonarQube" + } + + try { + # 增加 API 请求超时,重试机制 + $response = Invoke-RestMethod -Uri $sonarApiUrl -Headers $headers -Method Get -TimeoutSec 30 -MaximumRetryCount 2 -RetryIntervalSec 5 + $blockerCount = $response.total + echo "blocker_issues_count=$blockerCount" | Out-File -FilePath $env:GITHUB_OUTPUT -Encoding utf8 + + if ($blockerCount -gt 0) { + Write-Error "SonarQube 检测到 $blockerCount 个 BLOCKER 级别的问题" + exit 1 + } else { + Write-Host "✅ 未检测到 BLOCKER 级别的 SonarQube 问题" + } + } catch { + Write-Error "获取 SonarQube 问题失败: $_" exit 1 } shell: pwsh \ No newline at end of file