GitHub Action to run PMD Analyser based on the ruleset defined. This action generates a SARIF report which can be uploaded to GitHub.
Features of this action include:
- Set the severity level you want rules reported at. Levels include error, warning and note (default level is warning).
- Run PMD Analyser on the files changed. File comparison can be done either based on a git diff or based on the files changed specified on the GitHub pull request.
Note that when you are running this action and making use of the SARIF uploader in the example below, if you are looking to get pull request comments then you will need to run the analyser on push events for the target branch that pull requests are targetting. Also note that the PMD analyser needs to be run in the same workflow file, as GitHub's upload SARIF action also checks both the commits and the workflow file they were run from. It's recommended you run a full analysis when pushing on the main branch and an incremental on pull requests (as if you run an incremental on push, it assumes that you may have fixed some errors).
name: PMD Static Code Analysis
on:
pull_request:
branches:
- main
push:
branches:
- main
workflow_dispatch:
jobs:
pmd-analyser-check:
name: PMD Static Code Analysis
permissions:
security-events: write
actions: read
contents: read
runs-on: ubuntu-latest
steps:
- name: Checkout Repository
uses: actions/checkout@v2
with:
# Incremental diffs require fetch depth to be at 0 to grab the target branch
fetch-depth: '0'
- name: Run Full PMD Analysis
if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
id: pmd-full-analysis
uses: synergy-au/pmd-analyser-action@v2.1
with:
analyse-all-code: 'true'
pmd-version: 'latest'
file-path: './src'
rules-path: './pmd-ruleset.xml'
error-rules: 'AvoidDirectAccessTriggerMap,AvoidDmlStatementsInLoops,AvoidHardcodingId'
note-rules: 'ApexDoc'
- name: Run PMD Analysis on Files Changed
id: pmd-partial-analysis
if: github.event.pull_request != null
uses: synergy-au/pmd-analyser-action@v2.1
with:
pmd-version: 'latest'
file-path: './src'
rules-path: './pmd-ruleset.xml'
error-rules: 'AvoidDirectAccessTriggerMap,AvoidDmlStatementsInLoops,AvoidHardcodingId'
note-rules: 'ApexDoc'
- name: Upload results to GitHub
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: pmd-output.sarif
- name: No PMD Errors?
run: |
if ${{ steps.pmd-full-analysis.outputs.error-found }} ${{ steps.pmd-partial-analysis.outputs.error-found }}
then
exit 3
fi
Used to determine whether you just want to analyse the files changed or the whole repository. Note that if you wish to analyse the files changed, you will need to set the fetch-depth in the checkout action in the workflow to '0'.
- required: false
- default: 'false'
If you are looking to compare the file difference based on the GitHub pull request, you will need to specify the GitHub secrets token'
- required: false
If you wish to define rules that log as an error, enter each rule name separated with a comma and no spaces. Note that if an error is identified the run will fail. e.g. ClassNamingConventions,GuardLogStatement
- required: false
Choose whether you want the file comparison to be based on a git diff or based on the files changed specified on the GitHub pull request. Note that if you use the GitHub pull request option, this action will only work on a pull request event. Options to set this are either git or github.
- required: false
- default: 'git'
Path to the sources to analyse. This can be a file name, a directory, or a jar or zip file containing the sources.
- required: true
If you wish to define rules that log as a note, enter each rule name separated with a comma and no spaces. Note that if a note is identified the run will not fail. e.g. ClassNamingConventions,GuardLogStatement
- required: false
The version of PMD you would like to run. You can either specify latest to always get the newest version, or you can specify a version number like 6.37.0.
- required: false
- default: 'latest'
The ruleset file you want to use. PMD uses xml configuration files, called rulesets, which specify which rules to execute on your sources. You can also run a single rule by referencing it using its category and name (more details here). For example, you can check for unnecessary modifiers on Java sources with -R category/java/codestyle.xml/UnnecessaryModifier.
- required: true
Identifies whether an error has been found based on the error ruleset. If an error is found 'true' is returned.