ci: in-process SpotBugs + changed-modules-only reactor in the spotbugs lane#1456
Draft
joaodinissf wants to merge 4 commits into
Draft
ci: in-process SpotBugs + changed-modules-only reactor in the spotbugs lane#1456joaodinissf wants to merge 4 commits into
joaodinissf wants to merge 4 commits into
Conversation
This was referenced Jul 10, 2026
Closed
c2bfe49 to
5bc6f59
Compare
This was referenced Jul 11, 2026
a4c86bb to
c5095ce
Compare
Replace the pmd/checkstyle jobs with a parallel shape that gives early,
inline feedback and stops re-running analysis inside the build:
- lint: compile + pmd:pmd + checkstyle:checkstyle (SARIF) + pmd:cpd-check,
-T 2C, --fail-never; gates by counting the merged SARIF (+ cpd.xml grep).
Fails in ~3-5 min on its own check, independent of the build.
- spotbugs: compile + spotbugs:spotbugs (SARIF), -Xmx4g, own parallel lane
(the slow analysis).
- maven-verify: build + tests only; the redundant checkstyle/pmd/spotbugs
goals are dropped (now owned by lint/spotbugs).
- line-endings: unchanged.
- both new lanes restore the master-produced Linux-maven-publish-* cache,
restore-only, mirroring snapshot.yml's path spec and key recipe exactly
(the path spec is hashed into the cache version, so the mirroring must
be literal).
All three emit SARIF 2.1.0, merged per tool and uploaded to Code Scanning
(security-events: write) for inline annotations on the PR diff + Security tab.
No custom Python annotator.
Count-gate rather than the *:check goals: the check goals @Execute-fork a
second analysis and cannot emit SARIF, and without the full compile classpath
they false-positive on type-resolving rules. Each report goal runs once
(full-reactor compile -> correct + SARIF) and the gate counts the result.
Rationale + tables in docs/ci-static-analysis-design.md; measurement protocol
in docs/ci-measurement-protocol.md.
CPD gating is wired but inert until dsldevkit#1339 lowers the token threshold.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
SpotBugs' per-module analysis is the spotbugs job's long pole. A PR only needs its changed modules scanned, so a pre-step injects <spotbugs.skip>true> into every unchanged reactor module's pom — the plugin then skips the goal, and the per-module JVM fork, for them. The full-reactor compile is kept (a changed module keeps its complete aux-classpath); a build/config change falls back to a full scan. pull_request only — master/snapshot run a full scan. -Dspotbugs.onlyAnalyze was the cleaner-looking alternative but screens too late (after the per-module fork), ~17% vs ~88% measured; the script header documents the migration if an upstream SpotBugs early-exit ever lands. - .github/scripts/compute-spotbugs-skip.sh: diff -> changed modules -> inject skip into the unchanged ones (idempotent; build/config change -> full scan). - verify.yml spotbugs job: fetch-depth 0 + a scope step before compile; -Djgit.dirtyWorkingTree=ignore because the scope step dirties poms on purpose and this job releases nothing (releases/maven-verify keep =error); SARIF upload guarded so an empty scan set (no module scanned) doesn't fail the upload. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
spotbugs-maven-plugin forks a fresh JVM per module by default (maxHeap 2048), so a full scan pays 59 JVM startups. -Dspotbugs.fork=false runs the analysis inside the Maven JVM; the lane's MAVEN_OPTS -Xmx4g governs the shared heap (the plugin's maxHeap setting applies to forks only). Measured locally (full scan, clean tree, JDK 21): 75s vs 95s wall at -T 3C, and stable at CI thread width (-T 8, 4 GB heap) with identical findings (59 module SARIFs, same result count). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
4d0ee52 to
81dacbb
Compare
compute-spotbugs-skip.sh now also exports SPOTBUGS_SCOPE_ARGS
("-pl ../ddk-target,<changed modules> -am") and the spotbugs lane
passes it to mvn, so a scoped run builds only the PR's changed modules
plus their upstream dependencies instead of the full 64-module
reactor. The -am-pulled unchanged dependencies keep the injected
spotbugs.skip: they compile (complete aux-classpath) but are not
analysed.
ddk-target is pinned into every scoped reactor: the target-definition
artifact is referenced by target-platform-configuration, not by any
bundle MANIFEST, so -am alone never pulls it — Tycho then falls back
to a local-repository copy of the .target, which fails on a cold cache
and can silently resolve a stale target definition on a warm one
(verified: a June install of the same sequenceNumber still pointed at
the 2026-03 release train while the tree's points at 2026-06).
The gate verifies that every scanned source-bearing module produced
its SARIF (and that a full scan produced any at all): --fail-never
swallows even target-resolution failures, so without a presence check
a dead build uploads nothing, counts zero violations, and passes
vacuously.
Fail-safes are unchanged: a build/config change means a full reactor
and full scan, and a PR touching no reactor module builds the full
reactor with every analysis skipped.
Measured locally (single-module change, clean tree, JDK 21): 34s wall
vs 75s for the full-reactor equivalent, resolving the current target
platform (jdt.core 3.46.0) with findings identical to the full scan.
Verified against a repository with no installed ddk-target: without
the pin the run reproduces the swallowed resolution failure with zero
SARIFs; with it the scoped run succeeds.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
81dacbb to
6fa2d0e
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Note
Stacked on #1400. Earlier commits belong to #1399/#1396/#1400; review only the last two commits here.
Two reductions to the
spotbugslane, the verify pipeline's critical path (~8.5 min full scan):-Dspotbugs.fork=false— the plugin forks a fresh 2 GB JVM per module by default (59 forks per full scan). Analysis now runs inside the Maven JVM; the lane'sMAVEN_OPTS: -Xmx4ggoverns the shared heap. Findings are identical (59 module SARIFs, same result count).compute-spotbugs-skip.shadditionally exportsSPOTBUGS_SCOPE_ARGS(-pl ../ddk-target,<changed modules> -am), so a scoped run builds only the PR's changed modules plus their upstream dependencies instead of the full 64-module reactor; the-am-pulled unchanged dependencies keep the injectedspotbugs.skip(they compile for the aux-classpath but are not analysed).ddk-targetis pinned into every scoped reactor because the target-definition artifact is referenced bytarget-platform-configuration, not by any MANIFEST — without the pin, Tycho falls back to a local-repository copy of the.target, which fails on a cold cache and can silently resolve a stale target definition on a warm one (observed: an installed June copy of the samesequenceNumberstill pointed at the 2026-03 release train). The gate verifies every scanned source-bearing module produced its SARIF (plus any-SARIF on full scans):--fail-neverswallows even target-resolution failures, so without the presence check a dead build counts zero violations and passes vacuously. When no reactor module changed at all (e.g. a docs-only PR) the lane skips the Maven invocation and the SARIF upload entirely (SPOTBUGS_KEPT=0); the fail-safe full-scan path exportsKEPT=all, because an unset variable coerces equal to'0'in the workflowif:expression and would wrongly skip the build. Fail-safes otherwise unchanged: build/config changes and master/snapshot builds get a full reactor and full scan.Measurements
Local (clean tree, JDK 21, warm cache): full scan 75s vs 95s; scoped 34s vs 75s with the pinned reactor resolving the current platform (jdt.core 3.46.0). An earlier probe's 40s scoped figure was vacuous — the run had silently failed target resolution and analysed nothing, which is exactly the hole the presence gate closes.
Tycho
-pl/-amverification (local, exhaustive)-pl <module> -amreactor was compared against a MANIFEST-derived ground-truth closure (Require-Bundle + Fragment-Host + Import-Package→Export-Package). 59/59 covered, including the four test fragments and the Import-Package-wired test bundle.ddk.targetcontains no DDK p2 repository, so a missing-amedge cannot be satisfied by a stale published DDK bundle — resolution fails hard (and the presence gate catches even a swallowed failure).xtext.test,check.ui.test,xtext.format), SpotBugs'FindBugsSummary(analyzed/referenced classes, size, packages) is identical between full-reactor and scoped runs; with theddk-targetpin the resolved third-party platform-bundle versions match exactly as well.Merge chain:
#1399(merged) → #1396 → #1400 → #1456 (this PR) → #1457 → #1397🤖 Generated with Claude Code