ci: scope SpotBugs to a PR's changed modules (per-module skip) #23

Closed
joaodinissf wants to merge 1 commit into ci/maven-verify-cache-restore-keys from ci/spotbugs-skip

@joaodinissf

Owner

Stacked on dsldevkit#1396 — base is the dsldevkit#1396 branch, so the diff is just the SpotBugs-scoping commit.

Problem

SpotBugs is the spotbugs job's long pole (per-module bytecode analysis + a JVM fork per module). A PR only needs its changed modules scanned.

What this does

A pre-step injects <spotbugs.skip>true</spotbugs.skip> into every unchanged reactor module's pom, so the plugin skips the goal — and the per-module fork — for them. The full-reactor compile is kept (a changed module keeps its complete aux-classpath). pull_request only; master/snapshot run a full scan. A build/config change → full scan (fail-safe).

  • .github/scripts/compute-spotbugs-skip.sh — diff → changed modules → inject skip into the unchanged ones (idempotent; never touches ddk-parent).
  • verify.yml spotbugs job — fetch-depth: 0 + the scope step; -Djgit.dirtyWorkingTree=ignore (the scope step intentionally dirties poms and this job releases nothing — releases/maven-verify keep =error); SARIF upload guarded against an empty scan set.

Validated (fork probe #22)

A one-module Java change → scope logged scanning 1 / skipping 62; spotbugs job 1m42s (vs full ~8m44), BUILD SUCCESS, 0 violations, SARIF uploaded. All other jobs green.

Why not -Dspotbugs.onlyAnalyze

Cleaner-looking (one flag), but SpotBugs screens too late (after the per-module fork) — ~17% vs ~88% measured. If an upstream SpotBugs early-exit lands, switch to onlyAnalyze and drop this script (noted in the script header).

🤖 Generated with Claude Code

SpotBugs' per-module analysis is the spotbugs job's long pole. A PR only needs
its changed modules scanned, so a pre-step injects <spotbugs.skip>true</spotbugs.skip> into
every unchanged reactor module's pom — the plugin then skips the goal, and the
per-module JVM fork, for them. The full-reactor compile is kept (a changed
module keeps its complete aux-classpath); a build/config change falls back to a
full scan. pull_request only — master/snapshot run a full scan.

-Dspotbugs.onlyAnalyze was the cleaner-looking alternative but screens too late
(after the per-module fork), ~17% vs ~88% measured; the script header documents
the migration if an upstream SpotBugs early-exit ever lands.

- .github/scripts/compute-spotbugs-skip.sh: diff -> changed modules -> inject
  skip into the unchanged ones (idempotent; build/config change -> full scan).
- verify.yml spotbugs job: fetch-depth 0 + a scope step before compile;
  -Djgit.dirtyWorkingTree=ignore because the scope step dirties poms on purpose
  and this job releases nothing (releases/maven-verify keep =error); SARIF upload
  guarded so an empty scan set (no module scanned) doesn't fail the upload.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
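
An added sketch of the selection logic that the description and commit message above outline (diff → changed modules → skip the rest, with a full-scan fallback); it is not the project's compute-spotbugs-skip.sh. The module names, the sample paths and the rule for what counts as a build/config change are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example, not the project's compute-spotbugs-skip.sh.
# Assumptions: a module is a directory listed in MODULES (constructed names);
# pom.xml, .github/ and .mvn/ changes, and paths outside any module, count
# as build/config changes that force a full scan.
MODULES='com.example.core
com.example.ui
com.example.ui.test'

# owning_module PATH: print the longest module directory that contains PATH.
owning_module() {
  local best m
  best=''
  while IFS= read -r m; do
    case "$1" in
      "$m"/*) if [ "${#m}" -gt "${#best}" ]; then best="$m"; fi ;;
    esac
  done <<EOF
$MODULES
EOF
  printf '%s' "$best"
}

# forces_full_scan PATH: succeed when the change could affect every module.
forces_full_scan() {
  case "$1" in
    pom.xml|*/pom.xml|.github/*|.mvn/*) return 0 ;;
  esac
  [ -z "$(owning_module "$1")" ]  # unmapped path: scan everything, do not guess
}

# scan_set: changed paths on stdin -> modules SpotBugs must still analyse.
scan_set() {
  local path picked
  picked=''
  while IFS= read -r path; do
    [ -n "$path" ] || continue
    if forces_full_scan "$path"; then printf '%s\n' "$MODULES"; return 0; fi
    picked="$picked$(owning_module "$path")
"
  done
  printf '%s' "$picked" | sort -u
}

# skip_set: the complement, i.e. the modules that would get the skip property.
skip_set() {
  local scan
  scan=$(scan_set)
  printf '%s\n' "$MODULES" | grep -Fxv -e "$scan" || true
}

# Constructed input standing in for `git diff --name-only` output.
printf '%s\n' 'com.example.ui/src/main/java/Foo.java' | skip_set
```

Matching on the whole directory name followed by a slash keeps com.example.ui from also claiming files under com.example.ui.test, and an empty diff yields an empty scan set, the case the SARIF upload guard covers.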
@joaodinissf joaodinissf changed the base branch from ci/static-analysis-sarif to ci/maven-verify-cache-restore-keys May 31, 2026 12:38
@joaodinissf

Owner Author

Superseded by dsldevkit#1400 — retargeted to upstream master.

Closed by Claude at João's request.
