Merged
Changes from 1 commit
50 changes: 28 additions & 22 deletions .github/workflows/ci.yml
Expand Up @@ -11,25 +11,30 @@ jobs:
build:
name: Build
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- name: Checkout
uses: actions/checkout@v3
uses: actions/checkout@v6
with:
fetch-depth: 100

- uses: actions/setup-java@v3
- uses: actions/setup-java@v5
with:
java-version: '11'
distribution: 'zulu'
java-version: |
17
21
Copilot AI Apr 9, 2026

actions/setup-java does not reliably support installing multiple JDKs via a multi-line java-version, and this workflow also requests JDK 21 while the repo is pinned to Gradle 7.5.1 (which is not compatible with running on Java 21). Use a single supported JDK (e.g., 11/17), or switch to a matrix and/or upgrade the Gradle wrapper (and AGP) if Java 21 is required.

Suggested change
java-version: |
17
21
java-version: '17'

Copilot uses AI. Check for mistakes.

- name: Validate gradle wrapper
uses: gradle/wrapper-validation-action@v1
uses: gradle/actions/wrapper-validation@v6

- name: Copy CI gradle.properties
run: mkdir -p ~/.gradle ; cp .github/ci-gradle.properties ~/.gradle/gradle.properties

- name: Gradle Build Cache
uses: gradle/gradle-build-action@v2
- name: Setup Gradle
uses: gradle/actions/setup-gradle@v6

- name: Build Debug
run: ./gradlew clean app:assembleDebug
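Review bot: the job-level `permissions` block grants `security-events: write` to every step in `build`, including `./gradlew clean app:assembleDebug`, which executes build scripts from the pull request, while only the SARIF upload needs it. Consider keeping this job at `contents: read`, handing the SARIF files to a small follow-up job that holds `security-events: write`, and setting `persist-credentials: false` on the Checkout step, since actions/checkout keeps the token available to later steps by default.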
Expand All @@ -38,24 +43,25 @@ jobs:
if: github.event_name == 'pull_request'
run: ./gradlew lintDebug

- name: Detekt
if: github.event_name == 'pull_request'
run: ./gradlew detekt

- name: Setup Ruby
if: github.event_name == 'pull_request'
uses: ruby/setup-ruby@v1
- name: Collect Lint SARIF reports
if: github.event_name == 'pull_request'
run: |
mkdir -p sarif-reports
find . -name "lint-results-debug.sarif" | while read f; do
Copilot AI Apr 9, 2026

If ./gradlew lintDebug fails (which is exactly when we most want SARIF), the job will stop and this collection step will be skipped because it is not gated with always(). Consider making SARIF collection/upload resilient (e.g., if: always() && ... and/or continue-on-error on lint with a later explicit failure) so lint findings still get uploaded on failures.

module=$(echo "$f" | sed 's|^\./||' | sed 's|/build/reports/.*||' | sed 's|/|-|g')
cp "$f" "sarif-reports/${module}-lint.sarif"
done

- name: Upload Lint SARIF
if: always() && github.event_name == 'pull_request'
uses: github/codeql-action/upload-sarif@v4
with:
ruby-version: '3.0'
bundler-cache: true
sarif_file: 'sarif-reports'
Copilot AI Apr 9, 2026

On pull_request events from forks, security-events: write is not granted to GITHUB_TOKEN, so upload-sarif can fail and break CI for external contributors. Consider guarding this step (and the SARIF collection) to only run when github.event.pull_request.head.repo.fork == false, or otherwise make the step non-blocking for forked PRs.

category: android-lint

- name: Run Danger
- name: Detekt
if: github.event_name == 'pull_request'
run: |
gem install danger
bundle exec danger --dangerfile=Dangerfile --danger_id=danger-pr
env:
DANGER_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: ./gradlew detekt

- name: Prepare Keystore and Local.
if: startsWith(github.ref, 'refs/tags/')
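Review bot: `Upload Lint SARIF` runs under `always()`, but the `sarif-reports` directory it reads is only created by `Collect Lint SARIF reports`, which is gated on `github.event_name == 'pull_request'` alone and is skipped when an earlier step fails, so the upload then points at a path that does not exist. Give both steps the same condition. In the loop, `while IFS= read -r f` avoids mangling paths that contain backslashes or leading spaces, and a report at `./build/reports/...` in the root project does not match `/build/reports/.*` once `./` is stripped, so its copy is named from the whole flattened path instead of a module.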
Expand Down Expand Up @@ -105,7 +111,7 @@ jobs:
find . -name "*.aab" -type f -exec cp {} "artifacts" \;

- name: Archive Artifacts
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@v7
with:
name: "App-Artifacts"
path: artifacts/*
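Review bot: `actions/upload-artifact@v7` is referenced by a movable tag in the step that publishes the `*.aab` files copied into `artifacts`; pin it to a full commit SHA with the version in a trailing comment, so the action code that handles release artifacts cannot change without a diff in this repository. The same applies to the other `uses:` lines bumped in this file.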
29 changes: 29 additions & 0 deletions .github/workflows/pr-checks.yml
@@ -0,0 +1,29 @@
name: PR Checks

on:
pull_request:

permissions:
pull-requests: read

jobs:
quality-gates:
name: Quality Gates
runs-on: ubuntu-latest
steps:
- name: PR Quality Gates
uses: actions/github-script@v8
with:
script: |
const { data: pr } = await github.rest.pulls.get({
owner: context.repo.owner,
repo: context.repo.repo,
pull_number: context.issue.number
});
const labels = pr.labels.map(l => l.name);
if (labels.some(l => l.includes('DO NOT MERGE')))
core.setFailed('PR specifies label DO NOT MERGE');
if (labels.some(l => l.includes('Engineers at work')) || pr.title.includes('[WIP]'))
core.warning('PR is marked as Work in Progress');
if (pr.additions + pr.deletions > 5000)
core.warning('Big PR');
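Review bot: `on: pull_request:` with no `types:` runs only for the default activity types (opened, synchronize, reopened), so adding or removing the `DO NOT MERGE` label, or editing `[WIP]` out of the title, does not re-run `quality-gates` and the check result goes stale. Add `types: [opened, synchronize, reopened, labeled, unlabeled, edited]` under `pull_request:` so the gate is re-evaluated when the label or title changes.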
48 changes: 0 additions & 48 deletions Dangerfile

This file was deleted.

9 changes: 0 additions & 9 deletions Gemfile

This file was deleted.

101 changes: 0 additions & 101 deletions Gemfile.lock

This file was deleted.

15 changes: 15 additions & 0 deletions build.gradle
Expand Up @@ -63,5 +63,20 @@ subprojects {
dependencies {
detektPlugins "io.gitlab.arturbosch.detekt:detekt-formatting:${versions.detekt}"
}

plugins.withId('com.android.library') {
android {
lintOptions {
sarifReport true
}
}
}
plugins.withId('com.android.application') {
android {
lintOptions {
sarifReport true
}
}
}
}
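Review bot: the two `plugins.withId(...)` blocks are identical apart from the plugin id; iterate over `['com.android.library', 'com.android.application']` and set `sarifReport true` once so the two cannot drift. The CI collection step searches for `lint-results-debug.sarif`, a file name this block does not set, so the workflow depends on the plugin's default output name; a short comment here linking the two would help whoever changes either side.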
