Merge pull request #39 from entur/fix/reduce-scan-times

feat: Optional caching to reduce autobuild times
entur · Sep 30, 2024 · 2ae5256 · 2ae5256
2 parents 637bdab + 1d37128
commit 2ae5256
Show file tree

Hide file tree

Showing 2 changed files with 47 additions and 3 deletions.
diff --git a/.github/workflows/code-scan.yml b/.github/workflows/code-scan.yml
@@ -2,7 +2,12 @@ name: 'Entur/Security/Code Scan'
 
 on:
  workflow_call:
-
+ inputs:
+ use_setup_gradle:
+ description: 'Use "gradle/action/setup-gradle" before running autobuild (Java/Kotlin only). Potentially speeds up build times if cache from main branch is utilized'
+ default: false
+ required: false
+ type: boolean
 env:
  GITHUB_REPOSITORY: ${{ github.repository }}
 
@@ -98,7 +103,7 @@ jobs:
  workflow_runs = workflow_runs.json().get('workflow_runs', [])
  run_id = None
  for workflow_run in workflow_runs:
- if workflow_run.get('path') == '.github/workflows/codeql.yml':
+ if workflow_run.get('path','').startswith('.github/workflows/codeql.yml'):
  run_id = workflow_run.get('id')
  
  with open(env_file, 'a') as f:
@@ -237,6 +242,11 @@ jobs:
  steps:
  - name: "Checkout repository"
  uses: actions/checkout@v4
+ - name: "Set up Gradle for Java/Kotlin"
+ if: ${{ inputs.use_setup_gradle}} && (matrix.language == 'kotlin' || matrix.language == 'java')
+ uses: gradle/actions/[email protected]
+ with: 
+ cache-read-only: true # Force read only, even in main
  - name: "Initialize CodeQL for Java/Kotlin"
  if: matrix.language == 'kotlin' || matrix.language == 'java'
  uses: github/codeql-action/init@v3

diff --git a/README-code-scan.md b/README-code-scan.md
@@ -17,7 +17,11 @@ or add the Entur Shared Workflow _CodeQL Scan_. Go to the _Actions_ tab in your
 ## Inputs
 
 <!-- AUTO-DOC-INPUT:START - Do not remove or modify this section -->
-No inputs.
+
+| INPUT | TYPE | REQUIRED | DEFAULT | DESCRIPTION |
+|----------------------------------------------------------------------------------|---------|----------|---------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| <a name="input_use_setup_gradle"></a>[use_setup_gradle](#input_use_setup_gradle) | boolean | false | `false` | Use "gradle/action/setup-gradle" before running autobuild <br>(Java/Kotlin only). Potentially speeds up build <br>times if cache from main <br>branch is utilized |
+
 <!-- AUTO-DOC-INPUT:END -->
 
 ## Golden Path
@@ -47,6 +51,36 @@ jobs:
  secrets: inherit
 ```
 
+## Optional Dependency caching for Java/Kotlin
+
+Code vulnerability scans of Java and Kotlin are done by running autobuild, which runs any identified build systems, like Gradle.
+
+If the project is using the [gradle/actions/setup-gradle](https://github.com/gradle/actions/?tab=readme-ov-file#the-setup-gradle-action) action, you can set code scanning to utlize any available cache from the 'main' branch. This potentially speeds up build by acoiding to build or retrieve any dependencies.
+
+
+**Caching is deactivated by default.**
+
+To activate caching, set input `use-setup-gradle` to `true`.
+
+Example:
+
+```yaml
+# codeql.yml
+name: "CodeQL"
+
+...
+
+jobs:
+ code-scan:
+ name: Code Scan
+ uses: entur/gha-security/.github/workflows/code-scan.yml@v1
+ secrets: inherit
+ with:
+ use_setup_gradle: true
+``` 
+
+To activate optional 
+
 ## Allowlisting vulnerabilities
 The reusable workflow uses [CodeQL](https://codeql.github.com/) to scan the codebase for vulnerabilities. Any discovered vulnerabilities will be published to the _Security_ tab of the repository, under the _Code Scanning_ section. If you believe that a found vulnerability is a false positive or otherwise not relevant, you can either manually dimiss the alert, or create a allowlist file (YAML-file) that dismisses all alerts that matches a vulnerability ID.