This GitHub Action performs static analysis on Traefik Hub Custom Resource Definitions (CRD) manifests.
It allows you to lint the manifests and generate a diff report between commits.
If you run this action in a public repository or if you are a GitHub Enterprise customer, you can leverage the SARIF output format to submit a code scanning artifact.
```yaml
name: Traefik Hub Static Analysis

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Run Traefik Hub Static Analyzer
        uses: traefik/hub-static-analyzer-action@main
        env:
          GH_TOKEN: # <== Required GitHub Token here.
        with:
          # Version of hub-static-analyzer to use.
          # By default, the latest supported version will be used.
          version: "latest"

          # Path to the directory containing the manifests to analyze.
          # By default, the current directory will be used.
          path: "path/to/manifests"

          ## Linting options:

          # Enable linting.
          # By default, "false".
          lint: "true"

          # Output format of the linter. One of `unix`, `checkstyle` or `json`.
          # By default, the `unix` format will be used.
          lint-format: "unix"

          # Path where to store the linting results. The file will be overwritten if it exists.
          # By default, "traefik-hub-static-analyzer-lint.out".
          lint-output-file: "/path/to/output.lint.out"

          # Comma-separated list of rules to disable.
          lint-disabled-rules: ""

          ## Diff report options:

          # Enable the generation of a diff report.
          # By default, "false".
          diff: "true"

          # Range of commits on which to run the analysis.
          # This could be a strict range: 5f6b21d...cff824e
          # Or use relative references: HEAD~3...HEAD~1
          # Or from a specific commit to HEAD: 5f6b21d
          # By default, diff with unstaged changes.
          diff-range: "HEAD~1"

          # Path where to store the diff report. The file will be overwritten if it exists.
          # By default, "traefik-hub-static-analyzer-diff.out".
          diff-output-file: "/path/to/output.diff.out"
```
The following example shows a fully configured workflow that uses this action with a GitHub token stored in the `GH_TOKEN` secret. The token is required because the action downloads the public hub-static-analyzer release with the gh CLI. The workflow-provided `GITHUB_TOKEN` is normally sufficient for that download, so passing `${{ secrets.GITHUB_TOKEN }}` as `GH_TOKEN` avoids storing a personal access token with broader scope. Note that both `uses: traefik/hub-static-analyzer-action@main` and `version: "latest"` resolve to a moving target; for reproducible and auditable runs, pin the action to a release tag or full commit SHA and set `version` to a specific release.
```yaml
name: Traefik Hub Static Analyzer

on:
  pull_request:

jobs:
  lint:
    runs-on: ubuntu-latest
    permissions:
      checks: write
      contents: write
    steps:
      - uses: actions/checkout@v4

      - name: Lint Traefik Hub CRs with hub-static-analyzer
        uses: traefik/hub-static-analyzer-action@main
        env:
          GH_TOKEN: ${{ secrets.GH_TOKEN }}
        with:
          exclude: "apps/overlays/local/*"
          lint: true
          lint-format: checkstyle
          lint-output-file: ./output.xml

      - name: Annotate code
        if: ${{ !cancelled() }}
        uses: Juuxel/publish-checkstyle-report@v1
        with:
          reports: |
            ./output.xml

  diff:
    runs-on: ubuntu-latest
    permissions:
      checks: write
      contents: write
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Diff Traefik Hub CRs with hub-static-analyzer
        uses: traefik/hub-static-analyzer-action@main
        env:
          GH_TOKEN: ${{ secrets.GH_TOKEN }}
        with:
          diff: true
          diff-range: "origin/${{ github.base_ref }}...pull/${{ github.ref_name }}"
          diff-output-file: ./output.md

      - name: Prepare report
        shell: bash
        run: |
          # Prepare report
          set -u
          echo "# Traefik Hub Report" > header.md
          echo "" >> header.md
          echo "The following changes have been detected." >> header.md
          echo "" >> header.md

      - name: Write report
        if: ${{ hashFiles('./output.md') != '' }}
        uses: mshick/add-pr-comment@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
        with:
          message-path: |
            header.md
            output.md
```
- Lint your manifests and display linting errors in the PR
- Generate a diff report and add the report to the PR
This is an example of how to configure this GitHub action to lint your manifests in checkstyle format. The Publish Checkstyle Report Action is used to display the checkstyle errors as inline code annotations.
```yaml
name: Traefik Hub Static Analyzer

on:
  pull_request:

jobs:
  lint:
    runs-on: ubuntu-latest
    permissions:
      checks: write
      contents: write
    steps:
      - uses: actions/checkout@v4

      - name: Lint Traefik Hub CRDs with hub-static-analyzer
        uses: traefik/hub-static-analyzer-action@main
        env:
          GH_TOKEN: ${{ secrets.GH_TOKEN }}
        with:
          exclude: "apps/overlays/local/*"
          lint: true
          lint-format: checkstyle
          lint-output-file: ./output.xml

      - name: Annotate code
        if: ${{ !cancelled() }}
        uses: Juuxel/publish-checkstyle-report@v1
        with:
          reports: |
            ./output.xml
```
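The Publish Checkstyle Report Action needs the `checks: write` permission and is a third-party dependency of the workflow. An alternative that needs neither is to turn the checkstyle file into GitHub workflow-command annotations (`::error file=...,line=...::message`) from a plain `run` step, since the runner picks those up from the step log. The script below is an added example written for this README, not code from hub-static-analyzer or its action. It assumes the standard checkstyle XML schema (`<checkstyle><file name="..."><error line="..." column="..." severity="..." message="..." source="..."/>`), and the sample report embedded in it is constructed, with placeholder file names, messages and rule names. The message text is escaped before it is emitted because lint messages echo content taken from the manifests, which on a pull request come from the contributor; an unescaped newline followed by `::` would otherwise be parsed by the runner as a new workflow command.

```python
"""Convert a checkstyle XML report into GitHub Actions annotations.

Added example for this README; not part of hub-static-analyzer or its action.
Assumes the standard checkstyle schema, which is what the
`lint-format: checkstyle` option is expected to produce.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample report: file names, messages and rule names are
# placeholders, not real analyzer output.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<checkstyle version="4.3">
  <file name="apps/base/api.yaml">
    <error line="12" column="5" severity="error"
           message="constructed finding: field is required" source="constructed-rule-a"/>
    <error line="30" column="1" severity="warning"
           message="constructed finding: 100% of routes unused, see: docs" source="constructed-rule-b"/>
  </file>
  <file name="apps/base/clean.yaml"/>
</checkstyle>
"""

# checkstyle severities mapped onto the three annotation commands the runner supports.
SEVERITY_TO_COMMAND = {"error": "error", "warning": "warning", "info": "notice"}


def escape_property(value: str) -> str:
    """Escape a workflow-command property value (file=, title=, ...).

    Newlines must be encoded: an unescaped "\\n::<command>" inside a lint
    message would be interpreted as a separate workflow command by the runner.
    """
    return (value.replace("%", "%25").replace("\r", "%0D").replace("\n", "%0A")
            .replace(":", "%3A").replace(",", "%2C"))


def escape_data(value: str) -> str:
    """Escape the free-text part of a workflow command (only %, CR and LF)."""
    return value.replace("%", "%25").replace("\r", "%0D").replace("\n", "%0A")


def parse_checkstyle(xml_text: str) -> list:
    """Return one dict per <error> element: file, line, column, severity, message, source."""
    root = ET.fromstring(xml_text)
    if root.tag != "checkstyle":
        raise ValueError(f"not a checkstyle report (root element is <{root.tag}>)")
    findings = []
    for file_el in root.findall("file"):
        path = file_el.get("name", "")
        for err in file_el.findall("error"):
            findings.append({
                "file": path,
                "line": int(err.get("line") or 0),
                "column": int(err.get("column") or 0),
                "severity": (err.get("severity") or "error").lower(),
                "message": err.get("message", ""),
                "source": err.get("source", ""),
            })
    return findings


def to_workflow_commands(findings: list) -> list:
    """Render findings as ::error/::warning/::notice lines understood by the runner."""
    commands = []
    for f in findings:
        command = SEVERITY_TO_COMMAND.get(f["severity"], "warning")
        props = f"file={escape_property(f['file'])},line={f['line']}"
        if f["column"]:
            props += f",col={f['column']}"
        props += f",title={escape_property(f['source'] or 'hub-static-analyzer')}"
        commands.append(f"::{command} {props}::{escape_data(f['message'])}")
    return commands


def annotate(xml_text: str, out=sys.stdout) -> int:
    """Print annotations for a report and return the number of error-severity findings."""
    findings = parse_checkstyle(xml_text)
    for line in to_workflow_commands(findings):
        print(line, file=out)
    return sum(1 for f in findings if f["severity"] == "error")


if __name__ == "__main__":
    # Usage in a workflow step: python3 annotate_checkstyle.py ./output.xml
    # Without an argument the constructed sample report is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            report = fh.read()
    else:
        report = SAMPLE_REPORT
    sys.exit(1 if annotate(report) else 0)
```

Run it as a `run` step after the lint step, guarded with `if: ${{ !cancelled() }}` like the annotation step above, so findings are still reported when the lint step fails. The step's exit status is 1 whenever an error-severity finding exists, which makes the job fail on errors while still surfacing warnings as annotations.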
This is an example of how to configure this GitHub action to generate a diff report showing the changes between Git commits. The add-pr-comment action is used to add the report as a comment to the PR. The `fetch-depth: 0` on checkout is needed so that both ends of `diff-range` can be resolved; the default shallow checkout fetches only a single commit. Note also that on `pull_request` events from forked repositories, repository secrets such as `GH_TOKEN` are not available and the workflow's `GITHUB_TOKEN` is read-only, so the comment step cannot post in that case.
```yaml
name: Traefik Hub Static Analyzer

on:
  pull_request:

jobs:
  diff:
    runs-on: ubuntu-latest
    permissions:
      checks: write
      contents: write
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Diff Traefik Hub CRDs with hub-static-analyzer
        uses: traefik/hub-static-analyzer-action@main
        env:
          GH_TOKEN: ${{ secrets.GH_TOKEN }}
        with:
          diff: true
          diff-range: "origin/${GITHUB_BASE_REF}...origin/${GITHUB_HEAD_REF}"
          diff-output-file: ./output.md

      - name: Prepare report
        shell: bash
        run: |
          set -u
          echo "# Traefik Hub Report" > header.md
          echo "" >> header.md
          echo "The following changes have been detected." >> header.md
          echo "" >> header.md

      - name: Write report
        if: ${{ hashFiles('./output.md') != '' }}
        uses: mshick/add-pr-comment@v2
        with:
          message-path: |
            header.md
            output.md
```
The content in this repository is licensed under the Apache 2 License.