Skip to content

traefik/hub-static-analyzer-action

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

19 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation



Traefik Hub Static Analyzer GitHub Action

About

This GitHub Action performs static analysis on Traefik Hub Custom Resource Definitions (CRD) manifests.
It allows you to lint the manifests and generate a diff report between commits.

If you run this action in a public repository or if you are a GitHub Enterprise customer, you can leverage the SARIF output format to submit a code scanning artifact.

Usage

name: Traefik Hub Static Analysis

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout code
      uses: actions/checkout@v4

    - name: Run Traefik Hub Static Analyzer
      uses: traefik/hub-static-analyzer-action@main
      env:
        GH_TOKEN: # <== Required GitHub Token here.
      with:
        # Version of hub-static-analyzer to use.
        # By default, the latest supported version will be used.
        version: "latest"

        # Path to the directory containing the manifests to analyze.
        # By default, the current directory will be used.
        path: "path/to/manifests"

        ## Linting options:
        # Enable linting.
        # By default, "false".
        lint: "true"

        # Configure the output format of the linter. One of `unix`, `checkstyle` or `json`.
        # By default, `unix` format will be used.
        lint-format: "unix"

        # Path where to store the linting results. The file will be overwritten if it exists.
        # By default, in "traefik-hub-static-analyzer-lint.out".
        lint-output-file: "/path/to/output.lint.out"

        # Comma-separated list of rules to disable.
        lint-disabled-rules: ""

        ## Diff report options:
        # Enable the generation of a diff report.
        # By default, "false".
        diff: "true"

        # Range of commits on which to run the analysis.
        # This could be a strict range: 5f6b21d...cff824e
        # Or use relative references: HEAD~3...HEAD~1
        # Or from a specific commit to HEAD: 5f6b21d
        # By default, diff with unstaged changes.
        diff-range: "HEAD~1"

        # The file will be overwritten if it exists.
        # By default, in "traefik-hub-static-analyzer-diff.out".
        diff-output-file: "/path/to/output.lint.out"

Example

The following example shows a fully configured workflow using this action and git hub token set in GH_TOKEN secret variable. The token is required to download public release of hub-static-analyzer with gh cli, see here.

name: Traefik Hub Static Analyzer

on:
  pull_request:

jobs:
  lint:
    runs-on: ubuntu-latest
    permissions:
      checks: write
      contents: write
    steps:
      - uses: actions/checkout@v4

      - name: Lint Traefik Hub CRs with hub-static-analyzer
        uses: traefik/hub-static-analyzer-action@main
        env:
          GH_TOKEN: ${{ secrets.GH_TOKEN }}
        with:
          exclude: "apps/overlays/local/*"
          lint: true
          lint-format: checkstyle
          lint-output-file: ./output.xml

      - name: Annotate code
        if: ${{ !cancelled() }}
        uses: Juuxel/publish-checkstyle-report@v1
        with:
          reports: |
            ./output.xml

  diff:
    runs-on: ubuntu-latest
    permissions:
      checks: write
      contents: write
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Diff Traefik Hub CRs with hub-static-analyzer
        uses: traefik/hub-static-analyzer-action@main
        env:
          GH_TOKEN: ${{ secrets.GH_TOKEN }}
        with:
          diff: true
          diff-range: "origin/${{ github.base_ref }}...pull/${{ github.ref_name }}"
          diff-output-file: ./output.md

      - name: Prepare report
        shell: bash
        run: |
          # Prepare report
          set -u

          echo "# Traefik Hub Report" > header.md
          echo "" >> header.md
          echo "The following changes have been detected." >> header.md
          echo "" >> header.md

      - name: Write report
        if: ${{ hashFiles('./output.md') != ''}}
        uses: mshick/add-pr-comment@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
        with:
          message-path: |
            header.md
            output.md

Scenarios

  1. Lint your manifests and display linting errors in the PR
  2. Generate a diff report and add the report to the PR

Lint your manifests and display linting errors in the PR

This is an example of how to configure this GitHub action to lint your manifests in checkstyle format.
The Publish Checkstyle Report Action is used to display the checkstyle errors as inline code annotations.

name: Traefik Hub Static Analyzer

on:
  pull_request:

jobs:
  lint:
    runs-on: ubuntu-latest
    permissions:
      checks: write
      contents: write
    steps:
      - uses: actions/checkout@v4

      - name: Lint Traefik Hub CRDs with hub-static-analyzer
        uses: traefik/hub-static-analyzer-action@main
        env:
          GH_TOKEN: ${{ secrets.GH_TOKEN }}
        with:
          exclude: "apps/overlays/local/*"
          lint: true
          lint-format: checkstyle
          lint-output-file: ./output.xml

      - name: Annotate code
        if: ${{ !cancelled() }}
        uses: Juuxel/publish-checkstyle-report@v1
        with:
          reports: |
            ./output.xml

Image a linting error

Generate a diff report and display it in the PR

This is an example of how to configure this GitHub action to generate a diff report to show the changes between Git commits.
The add-pr-comment action is used to add the report as a comment to the PR.

name: Traefik Hub Static Analyzer

on:
  pull_request:

jobs:
  diff:
    runs-on: ubuntu-latest
    permissions:
      checks: write
      contents: write
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Lint Traefik Hub CRDs with hub-static-analyzer
        uses: traefik/hub-static-analyzer-action@main
        env:
          GH_TOKEN: ${{ secrets.GH_TOKEN }}
        with:
          diff: true
          diff-range: "origin/${GITHUB_BASE_REF}...origin/${GITHUB_HEAD_REF}"
          diff-output-file: ./output.md

      - name: Prepare report
        shell: bash
        run: |
          set -u

          echo "# Traefik Hub Report" > header.md
          echo "" >> header.md
          echo "The following changes have been detected." >> header.md
          echo "" >> header.md

      - name: Write report
        if: ${{ hashFiles('./output.md') != ''}}
        uses: mshick/add-pr-comment@v2
        with:
          message-path: |
            header.md
            output.md

Image of a diff report

License

The content in this repository is licensed under the Apache 2 License.

About

Github Action for Hub static analyzer

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published