84 changes: 59 additions & 25 deletions .github/workflows/tics-run.yaml
Expand Up @@ -11,25 +11,22 @@ env:
build_dependencies: >-
clang-tools
clang
dotnet8
libglib2.0-dev
libpam-dev
libpwquality-dev
rustup

jobs:
tics:
name: TIOBE TICS Framework
runs-on: ubuntu-latest
runs-on: [self-hosted, amd64, tiobe, noble]
steps:
- uses: actions/checkout@v6
- uses: actions/setup-go@v6
with:
go-version-file: go.mod


- name: Update Rust version
run: |
rustup update stable

- uses: canonical/desktop-engineering/gh-actions/common/dpkg-install-speedup@main
- name: Install dependencies
run: |
Expand All @@ -40,43 +37,80 @@ jobs:

go install honnef.co/go/tools/cmd/staticcheck@latest

- name: Fetch last successful QA run id
- name: Update Rust version
run: |
rustup update stable

- uses: canonical/desktop-engineering/gh-actions/go/generate@main
with:
tools-directory: ./tools

- name: Fetch last successful QA runs ids
env:
GITHUB_TOKEN: ${{ github.token }}
run: |
set -eu
echo "LAST_QA_ID=$(gh run list --workflow 'QA & sanity checks' --limit 1 --status success --json databaseId -b main | jq '.[].databaseId')" >> $GITHUB_ENV
echo "LAST_AUTHD_QA_ID=$(gh run list --workflow 'authd QA & sanity checks' --limit 1 --status success --json databaseId -b main | jq '.[].databaseId')" >> $GITHUB_ENV
echo "LAST_BROKERS_QA_ID=$(gh run list --workflow 'Brokers QA & sanity checks' --limit 1 --status success --json databaseId -b main | jq '.[].databaseId')" >> $GITHUB_ENV

- name: Download coverage artifact
- name: Download coverage artifact from authd QA
uses: actions/download-artifact@v7
with:
github-token: ${{ github.token }}
path: .artifacts/
run-id: ${{ env.LAST_QA_ID }}
path: .artifacts/authd
run-id: ${{ env.LAST_AUTHD_QA_ID }}

- name: TICS Scan
env:
TICSAUTHTOKEN: ${{ secrets.TICSAUTHTOKEN }}
GH_TOKEN: ${{ github.token }}
- name: Download coverage artifact from brokers QA
uses: actions/download-artifact@v7
with:
github-token: ${{ github.token }}
path: .artifacts/brokers
run-id: ${{ env.LAST_BROKERS_QA_ID }}

- name: Merge coverage reports
run: |
set -e
set -eu

dotnet tool install -g dotnet-reportgenerator-globaltool

export PATH="$PATH:/home/ubuntu/.dotnet/tools"

# Move coverage to expected directory
mkdir coverage
mv .artifacts/coverage/Cobertura.xml coverage/coverage.xml
mv .artifacts/authd/coverage/Cobertura.xml .artifacts/authd-coverage.xml
mv .artifacts/brokers/Cobertura.xml .artifacts/broker-coverage.xml

# Install TICS
. <(curl --silent --show-error 'https://canonical.tiobe.com/tiobeweb/TICS/api/public/v1/fapi/installtics/Script?cfg=GoProjects&platform=linux&url=https://canonical.tiobe.com/tiobeweb/TICS/')
# TICS expects the coverage report to:
# - be in a directory named 'coverage' in the current working directory
mkdir -p coverage

# - have a single report named coverage.xml
reportgenerator -reports:.artifacts/*.xml -targetdir:coverage -reporttypes:Cobertura
mv coverage/Cobertura.xml coverage/coverage.xml

- name: Build artifacts
run: |
set -eu

# TICS needs to build the artifacts in order to run the analysis.
# Since it uses the GOTOOLCHAIN=local stanza, it's better if we prebuild it to make sure that the Go
# toolchain setup by the action is properly updated to the one we defined in go.mod. Prebuilding also
# helps to speed up the TICS analysis, as we would already have the build cache populated.
find pam -name '*.so' -print -delete
go generate -C pam -x
go build ./cmd/authd
go -C ./authd-oidc-brokers build -o authd-vanilla ./cmd/authd-oidc
go -C ./authd-oidc-brokers build -tags=withmsentraid -o authd-msentraid ./cmd/authd-oidc
go -C ./authd-oidc-brokers build -o authd-oidc ./cmd/authd-oidc
go -C ./authd-oidc-brokers build -tags=withgoogle -o authd-google ./cmd/authd-oidc

TICSQServer -project authd -tmpdir /tmp/tics -branchdir .
# We also need to build libhimmelblau when building the msentraid variant
git submodule update --init
cd ./authd-oidc-brokers
go generate --tags=withmsentraid ./internal/providers/msentraid/...
go build -tags=withmsentraid -o authd-msentraid ./cmd/authd-oidc

- name: TICS Analysis
uses: tiobe/tics-github-action@v3
with:
mode: qserver
project: authd
branchdir: .
viewerUrl: https://canonical.tiobe.com/tiobeweb/TICS/api/cfg?name=GoProjects
ticsAuthToken: ${{ secrets.TICSAUTHTOKEN }}
installTics: true
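Review bot: The `TICS Analysis` step hands `secrets.TICSAUTHTOKEN` to `tiobe/tics-github-action@v3`, a mutable tag, and the `canonical/desktop-engineering/gh-actions/...@main` steps in this section track a branch, so whatever those refs resolve to at run time executes on the self-hosted `tiobe` runner in the same job as the token. Pin them to a full commit SHA with the tag kept as a comment, e.g. `uses: tiobe/tics-github-action@<full-commit-sha>  # v3`, and let a dependency bot propose the bumps. Since `runs-on` is now `[self-hosted, amd64, tiobe, noble]`, please also confirm that the workflow's triggers (outside this hunk) cannot be reached from fork pull requests and that the runner is ephemeral, because tools installed with `dotnet tool install -g` and the build outputs otherwise persist into later runs. Separately, in `Fetch last successful QA runs ids` the exit status of `gh run list` is lost inside `echo "...$(...)"` even with `set -eu`, so a failed or empty lookup still writes an empty `LAST_AUTHD_QA_ID` or `LAST_BROKERS_QA_ID`; checking that each id is non-empty before appending it to `$GITHUB_ENV` would make the download steps fail closed.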