ci: migrate lint reporting to SARIF and remove Danger#1061
Conversation
- Upload Android lint results via github/codeql-action/upload-sarif
- Replace Danger-based PR checks with a direct github-script PR quality gate workflow
- Modernize CI action versions (checkout@v6, setup-java@v5 with JDK 17/21, gradle/actions@v6, upload-artifact@v7)
- Enable sarifReport in lintOptions for all Android subprojects
- Remove Dangerfile, Gemfile, Gemfile.lock

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Pull request overview
This PR removes the Ruby/Danger-based PR reporting and migrates Android lint reporting to GitHub-native Code Scanning by uploading SARIF, while adding a lightweight “PR Checks” workflow to enforce label/WIP/big-PR gates.
Changes:
- Remove Danger tooling (Dangerfile, Gemfile, Gemfile.lock) and the Ruby setup/run from CI.
- Enable Android Lint SARIF output across Android subprojects and upload collected SARIF reports via github/codeql-action/upload-sarif.
- Add a pr-checks.yml workflow using actions/github-script to replicate label/WIP/big-PR checks.
Reviewed changes
Copilot reviewed 4 out of 6 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| Gemfile.lock | Removes bundler lockfile as Danger is dropped. |
| Gemfile | Removes Ruby gem dependencies for Danger and its plugins. |
| Dangerfile | Removes Danger-based PR quality gates and inline lint/detekt reporting. |
| build.gradle | Enables sarifReport for Android lint across library/application subprojects. |
| .github/workflows/pr-checks.yml | Adds GitHub Script-based PR label/WIP/big-PR quality gates. |
| .github/workflows/ci.yml | Updates CI to upload lint SARIF and removes Danger/Ruby steps. |
| java-version: | | ||
| 17 | ||
| 21 |
actions/setup-java does not reliably support installing multiple JDKs via a multi-line java-version, and this workflow also requests JDK 21 while the repo is pinned to Gradle 7.5.1 (which is not compatible with running on Java 21). Use a single supported JDK (e.g., 11/17), or switch to a matrix and/or upgrade the Gradle wrapper (and AGP) if Java 21 is required.
| java-version: | | |
| 17 | |
| 21 | |
| java-version: '17' |
| @@ -38,24 +43,25 @@ jobs: | |||
| if: github.event_name == 'pull_request' | |||
| run: ./gradlew lintDebug | |||
|
|
|||
| - name: Detekt | |||
| if: github.event_name == 'pull_request' | |||
| run: ./gradlew detekt | |||
|
|
|||
| - name: Setup Ruby | |||
| if: github.event_name == 'pull_request' | |||
| uses: ruby/setup-ruby@v1 | |||
| - name: Collect Lint SARIF reports | |||
| if: github.event_name == 'pull_request' | |||
| run: | | |||
| mkdir -p sarif-reports | |||
| find . -name "lint-results-debug.sarif" | while read f; do | |||
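Review bot: both the lint step and the "Collect Lint SARIF reports" step are gated on `github.event_name == 'pull_request'`, so nothing is ever uploaded for pushes to the default branch; Code Scanning then has no baseline for that branch and every finding on a PR is reported as new, so consider running lint and the collection on push to the default branch as well and gating only on fork status. In the loop `find . -name "lint-results-debug.sarif" | while read f; do`, use `read -r` and quote `"$f"` in the body so report paths are not mangled, and note that because this step follows `./gradlew lintDebug` with no `continue-on-error` on lint and no `!cancelled()`/`always()` guard here, a lint failure skips collection exactly when the report matters most.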
If ./gradlew lintDebug fails (which is exactly when we most want SARIF), the job will stop and this collection step will be skipped because it is not gated with always(). Consider making SARIF collection/upload resilient (e.g., if: always() && ... and/or continue-on-error on lint with a later explicit failure) so lint findings still get uploaded on failures.
| - name: Upload Lint SARIF | ||
| if: always() && github.event_name == 'pull_request' | ||
| uses: github/codeql-action/upload-sarif@v4 | ||
| with: | ||
| ruby-version: '3.0' | ||
| bundler-cache: true | ||
| sarif_file: 'sarif-reports' |
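Review bot: `sarif_file: 'sarif-reports'` uploads every file in that directory under a single default category; Code Scanning keys results by category and rejects an upload that carries several runs for the same category, so each module's report belongs in its own `upload-sarif` step with a distinct `category:` (one per module). `if: always() && ...` also runs the step after the job was cancelled; `!cancelled()` is the usual guard. The `ruby-version: '3.0'` and `bundler-cache: true` inputs shown under `with:` belong to the removed `ruby/setup-ruby` step and must not remain on this step, and `@v4` is a floating major tag; pinning `github/codeql-action/upload-sarif` to a commit SHA is the safer supply-chain choice for an action that holds `security-events: write`.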
On pull_request events from forks, security-events: write is not granted to GITHUB_TOKEN, so upload-sarif can fail and break CI for external contributors. Consider guarding this step (and the SARIF collection) to only run when github.event.pull_request.head.repo.fork == false, or otherwise make the step non-blocking for forked PRs.
Gradle 7.5.1 doesn't support Java 21, so the build was failing because setup-java made JAVA_HOME point at JDK 21. Pin to JDK 17. Also broaden the SARIF find pattern to match any lint-results*.sarif under build/reports, and only run upload-sarif when at least one file was collected (so the step doesn't fail noisily on empty input). Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
- Make SARIF collection resilient by also running on lint failure (success() || failure()) and gating upload on actual file presence
- Skip SARIF upload for forked PRs where security-events:write is not granted, so external contributor PRs aren't broken
- Trigger pr-checks workflow on labeled/unlabeled/edited so DO NOT MERGE / WIP gates can't be bypassed by editing the PR after the last push

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
GitHub Code Scanning rejects multiple SARIF runs uploaded under the same category in a single call. Switch to one upload-sarif step per Android module with a module-scoped category, gated by hashFiles so the step is skipped when a module produced no SARIF report. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
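The three follow-up commits above (single JDK, resilient collection gated on file presence, fork guard, one upload per module with its own category) fit together in one job as follows. This is an added example and not the PR's actual ci.yml: it assumes two Android modules named `library` and `app`, a default branch called `main`, and that `./gradlew lintDebug` writes `build/reports/lint-results-debug.sarif` inside each module. It also goes one step beyond the PR by running on push to `main`, so Code Scanning has a default-branch baseline and PR findings are diffed against it rather than all showing as new.

```yaml
name: CI

on:
  push:
    branches: [main]   # assumed default branch; gives Code Scanning a baseline
  pull_request:

permissions:
  contents: read
  security-events: write   # required by upload-sarif; fork PRs never receive it

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6

      - uses: actions/setup-java@v5
        with:
          distribution: temurin
          java-version: '17'   # one JDK only: Gradle 7.5.1 cannot run on 21

      - uses: gradle/actions/setup-gradle@v6

      # Let lint fail without aborting the job so its SARIF is still uploaded;
      # the job is failed explicitly at the end based on steps.lint.outcome.
      - name: Android Lint
        id: lint
        run: ./gradlew lintDebug
        continue-on-error: true

      # One upload per module with a module-scoped category: Code Scanning keys
      # results by category and rejects several runs under one category in a
      # single call. hashFiles() is '' when the module produced no report, which
      # skips the step, and a fork PR (no security-events:write token) skips it too.
      # Module paths 'library' and 'app' are assumptions for this example.
      - name: Upload lint SARIF (library)
        if: ${{ !cancelled() && !github.event.pull_request.head.repo.fork && hashFiles('library/build/reports/lint-results-debug.sarif') != '' }}
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: library/build/reports/lint-results-debug.sarif
          category: android-lint/library

      - name: Upload lint SARIF (app)
        if: ${{ !cancelled() && !github.event.pull_request.head.repo.fork && hashFiles('app/build/reports/lint-results-debug.sarif') != '' }}
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: app/build/reports/lint-results-debug.sarif
          category: android-lint/app

      # Surface the lint failure after the reports are safely uploaded.
      - name: Fail the job if lint reported errors
        if: ${{ steps.lint.outcome == 'failure' }}
        run: |
          echo "::error::./gradlew lintDebug failed; findings are in the Code scanning tab"
          exit 1
```

`!github.event.pull_request.head.repo.fork` is true on push events (the `pull_request` object is absent) and on same-repository PRs, and false only for PRs whose head lives in a fork, which is exactly the case where `GITHUB_TOKEN` lacks `security-events: write`. `continue-on-error` makes `steps.lint.outcome` report `failure` while the step's `conclusion` stays `success`, which is why the final step keys on `outcome`.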
Heads up on CI status: The This is a pre-existing dependency resolution failure on The SARIF lint changes in this PR are otherwise complete:
The MaterialDrawer counterpart (mikepenz/MaterialDrawer#2848) is fully green and shows the same workflow uploading 4 SARIF files end-to-end. 🤖 Generated with Claude Code |
Summary
- github/codeql-action/upload-sarif, and a new pr-checks.yml workflow handles label/WIP/big-PR quality gates with actions/github-script.
- sarifReport in lintOptions for all Android library/application subprojects so lint-results-debug.sarif is produced.
- checkout@v6, setup-java@v5 (JDK 17 + 21), gradle/actions/*@v6, upload-artifact@v7. Add security-events: write permission for SARIF upload.
- Dangerfile, Gemfile, Gemfile.lock and the Ruby setup step.
- Modeled on multiplatform-markdown-renderer's CI setup.
Test plan
- PR Checks workflow runs and surfaces label/WIP warnings
🤖 Generated with Claude Code
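For the label/WIP/big-PR gate that replaces Danger, here is an added example of what a `pr-checks.yml` built on `actions/github-script` can look like, including the `labeled`/`unlabeled`/`edited` triggers mentioned in the later commit so that relabeling or retitling the PR after the last push re-runs the gate. This is not the PR's own workflow: the label names (`DO NOT MERGE`, `wip`), the 500-line big-PR threshold and the warning texts are assumptions chosen for the example.

```yaml
name: PR Checks

on:
  pull_request:
    # labeled/unlabeled/edited re-run the gate when labels or the title change
    # after the last push, so a "DO NOT MERGE" label cannot be bypassed by
    # editing the PR once the last synchronize run went green.
    types: [opened, synchronize, reopened, edited, labeled, unlabeled]

permissions:
  contents: read
  pull-requests: read

jobs:
  quality-gate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/github-script@v7
        with:
          script: |
            // Fetch the PR from the API rather than trusting the event payload,
            // so additions/deletions and the current label set are fresh.
            const { data: pr } = await github.rest.pulls.get({
              owner: context.repo.owner,
              repo: context.repo.repo,
              pull_number: context.issue.number,
            });
            const labels = pr.labels.map((l) => l.name.toLowerCase());
            const title = pr.title || '';

            // Hard gates: these fail the check and therefore block merging
            // when the check is required by branch protection.
            if (labels.includes('do not merge')) {          // assumed label name
              core.setFailed('PR carries the "DO NOT MERGE" label.');
            }
            if (pr.draft || /\bWIP\b/i.test(title) || labels.includes('wip')) {
              core.setFailed('PR is work in progress (draft, "WIP" in title, or "wip" label).');
            }

            // Soft gates: annotations only, mirroring Danger-style warnings.
            const bigPrThreshold = 500;                     // assumed threshold
            const changed = pr.additions + pr.deletions;
            if (changed > bigPrThreshold) {
              core.warning(`Big PR: ${changed} lines changed (> ${bigPrThreshold}); consider splitting it.`);
            }
            if (labels.length === 0) {
              core.warning('PR has no labels; add one so it is categorised in release notes.');
            }
```

`core.setFailed` marks the step failed without throwing, so both hard gates are evaluated and reported before the job fails, while `core.warning` produces a workflow annotation without affecting the check result. The `pull-requests: read` permission is sufficient for `pulls.get`; nothing here needs write access.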