Scan with Detekt #22
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This workflow performs a static analysis of your Kotlin source code using Detekt. | |
| # It scans on push, PR, scheduled cron, or manual trigger. | |
| name: Scan with Detekt | |
| permissions: | |
| contents: read | |
| security-events: write | |
| on: | |
| push: | |
| branches: [ "main" ] | |
| pull_request: | |
| branches: [ "main" ] | |
| schedule: | |
| - cron: '42 23 * * 6' | |
| workflow_dispatch: | |
| env: | |
| # Release tag associated with version of Detekt to be installed | |
| DETEKT_RELEASE_TAG: v1.15.0 | |
| jobs: | |
| scan: | |
| name: Scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Get Detekt download URL | |
| id: detekt_info | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| gh api graphql --field tagName=$DETEKT_RELEASE_TAG --raw-field query=' | |
| query getReleaseAssetDownloadUrl($tagName: String!) { | |
| repository(name: "detekt", owner: "detekt") { | |
| release(tagName: $tagName) { | |
| releaseAssets(name: "detekt", first: 1) { | |
| nodes { | |
| downloadUrl | |
| } | |
| } | |
| tagCommit { | |
| oid | |
| } | |
| } | |
| } | |
| } | |
| ' > gh_response.json | |
| # Corrected parsing path for tagCommit SHA | |
| DETEKT_RELEASE_SHA=$(jq --raw-output '.data.repository.release.tagCommit.oid' gh_response.json) | |
| echo "Detekt Release SHA: $DETEKT_RELEASE_SHA" | |
| # Replace this with your actual expected SHA if you want to lock to a specific commit | |
| EXPECTED_SHA="37f0a1d006977512f1f216506cd695039607c3e5" | |
| if [ "$DETEKT_RELEASE_SHA" != "$EXPECTED_SHA" ]; then | |
| echo "❌ Release tag doesn't match expected commit SHA" | |
| exit 1 | |
| fi | |
| DETEKT_DOWNLOAD_URL=$(jq --raw-output '.data.repository.release.releaseAssets.nodes[0].downloadUrl' gh_response.json) | |
| echo "download_url=$DETEKT_DOWNLOAD_URL" >> $GITHUB_OUTPUT | |
| - name: Setup Detekt | |
| run: | | |
| dest=$(mktemp -d) | |
| curl --request GET \ | |
| --url ${{ steps.detekt_info.outputs.download_url }} \ | |
| --silent \ | |
| --location \ | |
| --output $dest/detekt | |
| chmod +x $dest/detekt | |
| echo $dest >> $GITHUB_PATH | |
| - name: Run Detekt | |
| continue-on-error: true | |
| run: | | |
| detekt --input ${{ github.workspace }} --report sarif:${{ github.workspace }}/detekt.sarif.json | |
| - name: Make artifact location URIs relative | |
| continue-on-error: true | |
| run: | | |
| jq \ | |
| --arg github_workspace ${{ github.workspace }} \ | |
| '. | ( .runs[].results[].locations[].physicalLocation.artifactLocation.uri |= | |
| if test($github_workspace) then .[($github_workspace | length | . + 1):] else . end )' \ | |
| ${{ github.workspace }}/detekt.sarif.json \ | |
| > temp.json && mv temp.json ${{ github.workspace }}/detekt.sarif.json | |
| - uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: ${{ github.workspace }}/detekt.sarif.json | |
| checkout_path: ${{ github.workspace }} |