How to utilize code analysis with no default branch - static-analysis

I'm currently trying to setup some code analysis for my team however I found our release process does not mesh well with the tools I have looked into (CodeClimate and SonarQube). Both tools require a default branch to track the state or "grade" of your repository over time. They watch the default branch and analyze pull requests to that branch. However, our current release process involves a new branch for each release which we merge into master after the branch is released. We could use master as our default branch but we would not see the analysis until after the code is out which is not ideal. As I am not in a position to change our process, I am tasked with finding a tool or work around to get an analysis tool to work with our process. The only work around I could think of is two pull requests. One to the release branch as usual, and another to master just to trigger the analysis. The master PR would then be closed once the issues found in the analysis are fixed. This is far from ideal and I come to my favorite forum looking for help and experience.
Code is in Github.
Primary language to analyze is PHP, bonus languages are CSS, JS, and Java.

It looks like Codacy could be a good alternative.
You can enable the analysis on all the branches of your project. All the pull requests to an analysed branch will be analysed, even if it's not the default branch.
It supports all the required languages: PHP, JS, CSS, Java and more. It also has a nice auto-comment integration with Github to help you save more time in code reviews.

Related

Is it possible to get a new code analysis for every feature in sonarqube?

On the dashboard there is a cool block with new code analysis. I'd like to see something like this for every feature. I hoped to solve this using sonar-branch-community plugin, but it doesn't measure coverage of new code in short-lived branches. As for long-lived branches - I tried to make all the feature branches long-lived. There is an analysis of new code in this case, but it starts from first scan of this branch and there is no way to compare it to another long-lived branch (or is it?)
Is there a way to execute the new code analysis by features? May be it's possible to pass 2 scanning results to this widget to see the difference?
Newer versions of SonarQube support reporting of code coverage on branches and the introduction of new issues compared to the target long-lived branch.
The SonarQube Community Branch Plugin supports the new branch scanning features introduced in SonarQube 7.2, although I don't believe SonarQube provides the charted/visual history of the branches, just the numeric values.

Embed SonarQube analysis in development process

In our agile dev team we're always working on multiple features at the same time.
We're using Git flow as a branching model and each feature gets its own feature branch, (parent = develop).
What we are looking for is a good way to embed SonarQube (v6.2 for us right now) analysis (for Java) in our development proces, such that:
We get SonarQube feedback (eg. new introduced issues) before starting the test on the feature branch. Meaning before merging back to develop.
We want only 1 SonarQube project, not multiple, such that we can monitor deltas in issues correctly.
It is very possible that the features touch the same classes
SonarQube does not handle multiple branches properly, it handles them as separate projects.
Does anyone have an idea on how to embed SonarQube in a process like this?
One option we have is create a separate sonar Git branch, in which feature branches are merged and on which the analysis is done, but that feels like useless more work and still leaves us with the problem of not being able to cancel a feature at any point before final acceptance.

GoCD Branch Tracking?

We have a project on Snap CI but since it's going away we have to switch to another tool.
GoCD is our favorite but there is an important feature I am wondering if it's supported: Branch tracking.
Snap CI supports branch tracking which is currently enabled in our project: 'This repository has automatic branch tracking enabled for all branches starting with ***':
I tried to set up GoCD to do exactly this. But I couldn't find a way to achieve this behavior. The only thing I found was the feature branch / pull request plugin.
Do you know if such a feature is supported or how I have to configure the FB/PR plugin?
Thanks!
We wanted to do something similar and were faced with the same problem. In the end, we couldn't get direct branch tracking, but created a GoCD API client that created pipelines from a template, and the branch of Git material is set to a parameter (e.g. #branch). The client gets run manually when branches are created, but it could quite easily be adapted to run from hooks to automate it.

Azure PaaS and ALM - how to handle branches with single-click Publishing?

Right now I have an Azure PaaS solution with a single repo in TFS - we right-click publish from VS to an App Service and then swap slots to get code to production. Small team, disciplined check-ins (or so I thought), etc.
I made a decision to check code in that wasn’t production ready, thinking if needed, I could roll back and publish a hotfix should the need arise.
Well, the need has arisen and I've rolled things back to apply the fix. This was a bit of a headache though.
I’m a little unclear on what the right thing to do is moving forward. What I want to try is:
Create a branch from our MAIN repo and stick all ongoing development there, call it DEV. We'll create two workspaces on our machines - one for each branch.
When we're ready to push a feature, merge down to MAIN and then QA before right-click publishing > Staging > Prod.
At a high level, does this seem like a step in the right direction?
What I’m trying to do is keep this project/alm lean and simple. I don't want to go as far as introducing a build server with RM and other expensive (time, materials, process) components - I just want a sensible, incremental upgrade in the maturity of our current setup to avoid the above headache and this is all I could come up with.
That's two way for your reference, one base on the working flow , one base on the publish (releaseing)
A. Just using mainline and tagging for release
Pros:
Avoid merge hell.
Keeping to the mainline encourages some best practices like proper
release planning, not introducing a lot of WIP, using branching by
abstraction to deal with out-of-band long term work, and using the
open closed system and configurable features for dealing with
managing works in progress that may; or may not; need to be disabled
now or in the future in order to release or to avoid a full rollback.
Cons:
Dealing with works in progress becomes an issue and adds to potential
surface attack area when it comes time to release. However, if your
developers are disciplined then new features should be configurable
and modular and therefore easily disabled/enabled, or there is no WIP
and at each release point all work is either completed or has not yet
been started (i.e. Scrum).
Large scale/out-of-band changes require more thinking ahead of time
to implement.
B. Branch by release
Pros:
You can begin working on the next iteration while the current
iteration finishes its round of acceptance testing.
Cons:
Tons of branches.
Still need to tag branches at release points.
Still need to deal with WIP and merge WIP from previous release
branch into next release branch if it's not going to make it and
still need to disable or yank it of release branch and re-run
acceptance tests.
Hot fixes need to be applied to more branches (release branch +
hotfix + new tag merge hotfix into vnext branch and possibly
vnextnext depending on where the hotfix fails.)
With respect to your point 1. I would not recommend using two workspaces, since you already are running "two workspaces" internally with two branches. The approach is not that bad, just a litte hard to do in TFVC, meaning the old server based version control inside TFS. I do hope your planning to merge everything from dev to main at point in time.
In general your guide is more matching with Git as source-control, and especially gitflow http://nvie.com/posts/a-successful-git-branching-model/ as a branching model. We are running that with success within my team.
You can migrate from TFVC to git using git-tf http://git-tfs.com/
If you are looking for a cheap model that scales out with buildservers and such I would reccommend looking at Visual studio team services https://www.visualstudio.com/en-us/products/visual-studio-team-services-vs.aspx as well to host and build your code. There you also have Release management integrated without cost(up to 5 people/free for all visual studio subscribers)

Multiple feature branches and continuous integration

I've been doing some reading about continuous integration recently and there is a scenario which could occur which I don't understand how to deal with appropriately.
We have a stable mainline/trunk branch and create branches for features. Each developer will keep their own feature branches up to date by merging from trunk into their branch on a regular basis. However it is entirely possible that two or more feature branches could be created and worked on over a period of several weeks or months. In this time many releases of the software could be deployed. This where my confusion arises.
It is very likely that changes for one feature branch will cause merge conflicts with other feature branches. CI suggests you should merge into trunk at least daily which would resolve the conflicts quickly. However, you may not want to merge the feature code into trunk because it may not be finished or you may not want that feature available in the next release. So, how do you deal with this scenario and still follow CI principles of daily code integration?
There are no feature branches in proper CI. Use feature toggles instead.
The idea explained more fully in this article is to merge from the trunk/release branch to feature branches daily, but only merge back in the other direction once a feature meets your definition of 'done'.
Code written by one feature team will be pushed into the trunk once it's complete, and will be 'distributed' to the other teams, where conflicts can be dealt with, as part of the daily merge process.
This doesn't go as far as satisfying Nick's desire for a version control system that can be used a backup tool, unless the changes being made are small enough that they can be committed to the feature branch within a timeframe where the the risk of losing your work is acceptable.
I personally don't try to reintegrate code into the release branch before it's done, and although I've never really tried, I'm sure building feature toggles in for unfinished work has its own issues.
I think they mean merging mainline into the feature branch, not the other way 'round. This way, the feature branch will not deviate from mainline too much, and be kept in an easily mergeable state.
The git folks do the same thing by rebasing feature branches on top of the master branch before submitting a feature.
In my experience with CI, the way that you should keep your feature branches up to date with the main line changes as others have suggested. This has been working me for several releases. If you are using subversion make sure you to merge with the merge history enable. This way when you are trying to merge your changes back to line it will only like you are merging the feature changes to line, not trying resolve conflicts which your feature might have with the main line. If you are using more advance VCS like git the first merge will be a rebase where the second will be a merge.
There are tools that can support you to get thins done more smoothly like this Feature branches with Bamboo
Feature branches committing back into the mainline, and OFTEN is an essential feature of Continuous Integration. For a thorough breakdown, see This Article
There's now some good resources showing how to combine both CI and feature branches. Bamboo or Feature Branch Notifier are some ways to look.
And this is another quite long article showing pros of so called distributed CI. Hereunder, one excerpt explaining the benefits:
Distributed CI has the advantage for Continuous Deployment because it keeps a clean and stable Mainline branch that can always be deployed to Production. During a Centralized CI process, an unstable Mainline will exist if code does not integrate properly (broken build) or if there is unfinished work integrated. This works quite well with iteration release planning, but creates a bottleneck for Continuous Deployment. The direct line from developer branch to Production must be kept clean in CD, Distributed CI does this by only allowing Production ready code to be put into the Mainline.
One thing that still can be challenging is keeping the branch build isolated so that it doesn't pollute your repository of binaries by pushing its branch builds to it. Bamboo seems to address that, but not sure it's as easy with Jenkins.

Resources