ci: Upload SARIF files with lint results (#1060)

Perform the lint check as normal, saving the exit code and ignoring any error exit codes. Then upload the lint results as SARIF files for display in GitHub. Then exit with whatever exit code lint returned, to ensure that a lint failure causes the CI job to fail too.
pachli · Oct 29, 2024 · f10e125 · f10e125
1 parent 04d98ae
commit f10e125
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 9 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -68,8 +68,8 @@ jobs:
     strategy:
       matrix:
         color: ["orange"]
-        store: ["fdroid", "github", "google"]
-        type: ["debug", "release"]
+        store: [ "Fdroid", "Github", "Google" ]
+        type: [ "Debug", "Release" ]
     name: Android Lint
     runs-on: ubuntu-latest
 
@@ -81,16 +81,37 @@ jobs:
         with:
           gradle-cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
 
+      # Run lint. Ignore a failing exit code, but save it for later.
       - name: Regular lint ${{ matrix.color }}${{ matrix.store }}${{ matrix.type }}
-        run: ./gradlew lint${{ matrix.color }}${{ matrix.store }}${{ matrix.type }}
+        id: runlint
+        run: |
+          set +e
+          ./gradlew lint${{ matrix.color }}${{ matrix.store }}${{ matrix.type }}
+          echo "exitcode=$?" >> $GITHUB_OUTPUT
+
+      - name: Merge SARIF files
+        run: |
+          jq -s '{ "$schema": "https://json.schemastore.org/sarif-2.1.0", "version": "2.1.0", "runs": map(.runs) | add }'  */*/build/reports/lint-results-${{ matrix.color }}${{ matrix.store }}${{ matrix.type }}.sarif */build/reports/lint-results-${{ matrix.color }}${{ matrix.store }}${{ matrix.type }}.sarif > merged-${{ matrix.color }}${{ matrix.store }}${{ matrix.type }}.sarif
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          category: ${{ matrix.color }}${{ matrix.store }}${{ matrix.type }}
+          sarif_file: merged-${{ matrix.color }}${{ matrix.store }}${{ matrix.type }}.sarif
+
+      # Exit with whatever exit code the original lint run exited with, to
+      # ensure this job fails if lint fails, *but* the lint reports are still
+      # uploaded.
+      - name: Fail if lint failed
+        run: exit ${{ steps.runlint.outputs.exitcode }}
 
   # Android tests are per variant
   test:
     strategy:
       matrix:
         color: ["orange"]
-        store: ["fdroid", "github", "google"]
-        type: ["debug", "release"]
+        store: [ "Fdroid", "Github", "Google" ]
+        type: [ "Debug", "Release" ]
     name: Android Test
     runs-on: ubuntu-latest
 
@@ -110,8 +131,8 @@ jobs:
     strategy:
       matrix:
         color: ["orange"]
-        store: ["fdroid", "github", "google"]
-        type: ["debug", "release"]
+        store: [ "Fdroid", "Github", "Google" ]
+        type: [ "Debug", "Release" ]
     name: Android Assemble
     runs-on: ubuntu-latest
 

diff --git a/build-logic/convention/src/main/kotlin/AndroidLintConventionPlugin.kt b/build-logic/convention/src/main/kotlin/AndroidLintConventionPlugin.kt
@@ -15,14 +15,13 @@
  * see <http://www.gnu.org/licenses>.
  */
 
-
 import com.android.build.api.dsl.ApplicationExtension
 import com.android.build.api.dsl.LibraryExtension
 import com.android.build.api.dsl.Lint
+import java.io.File
 import org.gradle.api.Plugin
 import org.gradle.api.Project
 import org.gradle.kotlin.dsl.configure
-import java.io.File
 
 class AndroidLintConventionPlugin : Plugin<Project> {
     override fun apply(target: Project) {
@@ -46,4 +45,5 @@ class AndroidLintConventionPlugin : Plugin<Project> {
 private fun Lint.configure(project: Project) {
     lintConfig = File(project.findProject(":app")?.projectDir, "lint.xml")
     baseline = File("lint-baseline.xml")
+    sarifReport = true
 }