ci: scope SpotBugs to a PR's changed modules (per-module skip)#1400
Draft
joaodinissf wants to merge 3 commits into
Draft
ci: scope SpotBugs to a PR's changed modules (per-module skip)#1400joaodinissf wants to merge 3 commits into
joaodinissf wants to merge 3 commits into
Conversation
579cf8d to
fa6f835
Compare
The maven-verify cache never hit in practice, for three compounding reasons
(verified against the live cache inventory):
- actions/cache only restores on an exact key match, and the key embedded
hashFiles('**/pom.xml') - so any pom-touching PR missed outright.
- GitHub isolates caches per PR scope: the open PRs each held a byte-identical
~700 MB cache under their own refs/pull/N/merge, invisible to one another.
The only shareable scope is master, and verify.yml (a pull_request-only
workflow) never saved there.
- The redundant per-PR saves pushed the repo over its 10 GB cache budget
(10+ GB across 14 caches), so LRU eviction also killed same-PR reuse.
Fix, all in the one cache step: switch to actions/cache/restore (PRs stop
saving - ends the duplicate-cache churn and the eviction pressure) and mirror
the producer exactly. master DOES have a producer - snapshot.yml saves
~/.m2/repository as Linux-maven-publish-* on every push - so maven-verify now
adopts that family's exact path spec and key recipe. The mirroring must be
literal: GitHub hashes the path spec into the cache *version* and only serves
a cache whose key AND version both match, so ~/.m2/repository vs
/home/runner/.m2/repository alone makes the producer's caches silently
unmatchable (the repo's cache inventory showed the two path spellings under
distinct version hashes). A PR that touches no pom/target files exact-hits
master's newest cache; any other PR prefix-restores it via restore-keys.
The cache-bust lever is renaming the maven-publish family in snapshot.yml
and here together.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Replace the pmd/checkstyle jobs with a parallel shape that gives early,
inline feedback and stops re-running analysis inside the build:
- lint: compile + pmd:pmd + checkstyle:checkstyle (SARIF) + pmd:cpd-check,
-T 2C, --fail-never; gates by counting the merged SARIF (+ cpd.xml grep).
Fails in ~3-5 min on its own check, independent of the build.
- spotbugs: compile + spotbugs:spotbugs (SARIF), -Xmx4g, own parallel lane
(the slow analysis).
- maven-verify: build + tests only; the redundant checkstyle/pmd/spotbugs
goals are dropped (now owned by lint/spotbugs).
- line-endings: unchanged.
- both new lanes restore the master-produced Linux-maven-publish-* cache,
restore-only, mirroring snapshot.yml's path spec and key recipe exactly
(the path spec is hashed into the cache version, so the mirroring must
be literal).
All three emit SARIF 2.1.0, merged per tool and uploaded to Code Scanning
(security-events: write) for inline annotations on the PR diff + Security tab.
No custom Python annotator.
Count-gate rather than the *:check goals: the check goals @Execute-fork a
second analysis and cannot emit SARIF, and without the full compile classpath
they false-positive on type-resolving rules. Each report goal runs once
(full-reactor compile -> correct + SARIF) and the gate counts the result.
Rationale + tables in docs/ci-static-analysis-design.md; measurement protocol
in docs/ci-measurement-protocol.md.
CPD gating is wired but inert until dsldevkit#1339 lowers the token threshold.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
SpotBugs' per-module analysis is the spotbugs job's long pole. A PR only needs its changed modules scanned, so a pre-step injects <spotbugs.skip>true> into every unchanged reactor module's pom — the plugin then skips the goal, and the per-module JVM fork, for them. The full-reactor compile is kept (a changed module keeps its complete aux-classpath); a build/config change falls back to a full scan. pull_request only — master/snapshot run a full scan. -Dspotbugs.onlyAnalyze was the cleaner-looking alternative but screens too late (after the per-module fork), ~17% vs ~88% measured; the script header documents the migration if an upstream SpotBugs early-exit ever lands. - .github/scripts/compute-spotbugs-skip.sh: diff -> changed modules -> inject skip into the unchanged ones (idempotent; build/config change -> full scan). - verify.yml spotbugs job: fetch-depth 0 + a scope step before compile; -Djgit.dirtyWorkingTree=ignore because the scope step dirties poms on purpose and this job releases nothing (releases/maven-verify keep =error); SARIF upload guarded so an empty scan set (no module scanned) doesn't fail the upload. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
fa6f835 to
18bdcb4
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Note
Stacked on #1396 → #1399. Against
masterthe diff includes those commits (they drop out as they merge) — review only the SpotBugs-scoping commit (compute-spotbugs-skip.sh+ the spotbugs-job edits inverify.yml).Problem
SpotBugs is the
spotbugsjob's long pole (per-module bytecode analysis + a JVM fork per module). A PR only needs its changed modules scanned.What this does
A pre-step injects
<spotbugs.skip>true>into every unchanged reactor module's pom, so the plugin skips the goal — and the per-module fork — for them. The full-reactor compile is kept (a changed module keeps its complete aux-classpath).pull_requestonly; master/snapshot run a full scan. A build/config change → full scan (fail-safe)..github/scripts/compute-spotbugs-skip.sh— diff → changed modules → inject skip into the unchanged ones (idempotent; never touchesddk-parent).verify.ymlspotbugs job —fetch-depth: 0+ the scope step;-Djgit.dirtyWorkingTree=ignore(the scope step intentionally dirties poms and this job releases nothing — releases/maven-verifykeep=error); SARIF upload guarded against an empty scan set.Validated
Fork probe: a one-module Java change →
scanning 1 / skipping 62; spotbugs job ~1m45s (vs full ~8m44),BUILD SUCCESS, 0 violations, SARIF uploaded; all other jobs green.Why not
-Dspotbugs.onlyAnalyzeCleaner-looking (one flag) but SpotBugs screens too late (after the per-module fork) — ~17% vs ~88% measured. If an upstream SpotBugs early-exit lands, switch to
onlyAnalyzeand drop this script (noted in the script header).🤖 Generated with Claude Code