Is it possible to scan the code in a pull request to save time?

Hi there,
This is nianjun from the Apache ShardingSphere community. ShardingSphere is an open-source project hosted on GitHub and written in Java.

Recently I tried to create a new workflow for SonarCloud analysis. The SonarCloud URL for this project is: SonarCloud

The Maven scan command looks like the following:

      - name: Build and analyze
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONARCLOUD_TOKEN }}
        run: ./mvnw -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=apache_shardingsphere -Dmaven.javadoc.skip=true -Drat.skip=true -Djacoco.skip=true -DskipTests

This job takes about 13 mins to scan the whole project… 13 mins is too long for a pull request to wait. What I expected is that the Sonar scanner only scans the Java code in the pull request, and then the quality gate result for “New Code” in the pull request decides whether that PR can be merged.

After reading the documentation on the “definition of new code” and the scanner example, I’m not sure if it’s possible to refactor the workflow as I expected. I hope the Sonar community can give me some tips on this. Thanks.

Hey there.

Subsequent analyses should take less time.

Looking at analysis logs, where did the scanner take most of its time?

These are the actions triggered for SonarCloud: Actions · apache/shardingsphere · GitHub

And most of the scan steps take more than 10 mins.

Thanks.

It looks like the SonarQube analysis only takes 4.5 minutes.

2023-05-05T07:14:49.4036810Z [INFO] Analysis total time: 4:28.672 s

The rest of the time is spent actually building the code, which you would need to do anyway.

A few things to note:

  • It looks like you only run SonarCloud analysis in the context of a nightly check, not on pull request events. Is that right? Pull Request Analysis can take advantage of a server-side (SonarCloud) sensor cache to speed up analysis.
  • We might extend this SonarCloud sensor cache to branch analyses (including the main branch) in the future, but no ETA to share.
  • If you are building your code again in this action (with another action also building your code), you could consolidate them. There’s no need to build more than one time to get SonarCloud analysis, you just need to add the sonar task.

Wow, that’s cool. Would you please share some tutorials on how to do that?

I don’t know how the CI works specifically for this project, and given this nightly-ci.yml file…

It could just be added to the existing maven command, or a new maven command after the build/tests are done (it looks like they’re split into two).

However, like I said, it’s a great idea to run SonarCloud analysis on pull requests. Right now the ci.yml

Builds, runs tests…

  - name: Build prod with Maven
    run: ./mvnw -T1C -B -ntp clean install
  - name: Setup JDK 8 for Test
    uses: actions/setup-java@v3
    with:
      distribution: 'temurin'
      java-version: 8
  - name: Run tests with JDK 8
    run: ./mvnw -T1C -B -ntp -fae test

And could be easily modified to run Sonar Analysis right after (something like this, I don’t know what some of the maven options are doing so it might not work exactly like this)

  - name: Build prod with Maven
    run: ./mvnw -T1C -B -ntp clean install
  - name: Setup JDK 8 for Test
    uses: actions/setup-java@v3
    with:
      distribution: 'temurin'
      java-version: 8
  - name: Run tests with JDK 8
    run: ./mvnw -T1C -B -ntp -fae test
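  - name: Setup JDK 11 for Sonar
    uses: actions/setup-java@v3
    with:
      distribution: 'temurin'
      java-version: 11
  # Step name corrected: this step runs the Sonar analysis, not the tests
  - name: Run Sonar analysis with JDK 11
    # The scanner needs the same tokens as the workflow in the original question
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      SONAR_TOKEN: ${{ secrets.SONARCLOUD_TOKEN }}
    run: ./mvnw -T1C -B -ntp -fae sonar:sonar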
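
The consolidation discussed in the thread above, written out as one pull-request workflow that builds once and analyzes in the same Maven run. This is an added example, not code from the thread or from the ShardingSphere repository: the workflow name, job name, permissions block and fork guard are assumptions, the Maven command is the one from the original question, and any other Sonar properties that command relies on are assumed to be configured in the project already.

```yaml
# Added example, not the project's own workflow.
name: PR build and SonarCloud analysis    # hypothetical name

on:
  pull_request:

# Least privilege for the job's GITHUB_TOKEN.
# Assumption: read access is enough for the scanner to look up PR information.
permissions:
  contents: read
  pull-requests: read

jobs:
  build-and-analyze:                      # hypothetical job name
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0                  # full history, so new-code detection has the base commits
      - name: Setup JDK 11 for Sonar
        uses: actions/setup-java@v3
        with:
          distribution: 'temurin'
          java-version: 11
          cache: maven                    # reuse ~/.m2 between runs to shorten the build
      - name: Build and analyze
        # Repository secrets are not passed to workflows triggered from forks,
        # so SONAR_TOKEN would be empty there. Analyze same-repository PRs only.
        if: github.event.pull_request.head.repo.full_name == github.repository
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONARCLOUD_TOKEN }}
        run: ./mvnw -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=apache_shardingsphere -Dmaven.javadoc.skip=true -Drat.skip=true -Djacoco.skip=true -DskipTests
      - name: Build only (pull requests from forks)
        if: github.event.pull_request.head.repo.full_name != github.repository
        run: ./mvnw -B verify -Dmaven.javadoc.skip=true -Drat.skip=true -Djacoco.skip=true -DskipTests
```

Keeping the trigger as `pull_request` rather than `pull_request_target` means code from a fork never runs in a job that holds the Sonar token.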