Requesting permission to access lift docker images

As per Running Lift via GitHub Actions
I would like to try Sonatype Lift as part of our PR process for GitHub - odpi/egeria: Open Metadata and Governance

The dockerhub userid we use in our ci/cd is ‘odpipocadmin’

However, I also note that the example makes use of Docker credentials in the pull request action. This will fail, since whilst we can define the secrets used for push etc. (i.e. after merge), a PR uses the fork owner's secrets and they won't have them set. It's too onerous to expect them to do so in an open source project using a PR model.

What was the intent or have I misunderstood?

Is this due to Docker Hub pull request images?
Are the images available elsewhere, perhaps Quay?

Many thanks
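The situation described above (a workflow step that needs registry credentials, but `pull_request` runs from forks receive no repository secrets) can be handled by gating the login step rather than requiring every contributor to hold credentials. The following GitHub Actions workflow is an added example, not the workflow from the post or from Sonatype's Lift documentation; the secret names `DOCKERHUB_USERNAME` and `DOCKERHUB_TOKEN`, the job name and the build command are placeholders.

```yaml
# Added example (not from the original post or from Sonatype): log in to
# Docker Hub only when secrets are actually available to this run.
# Assumptions: secret names DOCKERHUB_USERNAME / DOCKERHUB_TOKEN and the
# build command are placeholders for the project's own values.
name: ci
on:
  push:
    branches: [main]
  pull_request:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      # Secrets are not passed to pull_request runs that originate from a
      # fork, so an unconditional login would fail there. Run the login only
      # for push events, or for PRs whose head branch lives in this repository.
      - name: Log in to Docker Hub
        if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
        uses: docker/login-action@v2
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      # Pulling public images and building the project need no login, so the
      # remaining steps work identically for fork PRs and for pushes.
      - name: Build
        run: ./gradlew build
```

The `if:` condition uses only standard GitHub Actions context fields. Keeping the trigger as `pull_request` (rather than switching to `pull_request_target` to regain access to secrets) matters: `pull_request_target` runs with the base repository's secrets and write token against code submitted by the fork, which is exactly the exposure the gated step avoids.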

Hi Nigel! Thanks for your interest in Lift. The Egeria project is very cool (governance is near and dear to my heart) and I’d love to support getting you up and running with Lift. The GitHub action isn’t our suggested method (it’s still in beta and doesn’t offer the full Lift experience yet). Best is just to enable the Lift app on the repository (install “Lift Free” from the Marketplace). That will immediately result in new pull requests being analyzed and issues being reported in PRs. To get a sense for the results on the Egeria project, you can take a look at a scan I did here:


Thanks for the info. I’ll look at enabling that action next week & the info from that scan!

I set up Lift for Egeria. The scans are inserting some useful comments into PRs. I did note, though, that the scan is taking 149 minutes.

A normal build takes around 26 minutes with Maven, GitHub's CodeQL takes 25 minutes, and a Gradle build about 21 minutes.

As part of our Maven/Gradle builds we do run various UT & FVT tests, which extends build time a little; a more minimal build can come down to perhaps 50%-75% of this.

Looks like some tweaking of the config as per the Configuration Reference would be useful for us, so I will look at that.

Is there a way to easily download build logs? I'm intrigued as to where the time is going and want to get some hints to improve. The logs are so big they are impossible to sensibly work with in the web UI. Additionally, I don't see timestamps on the build logs; this would be useful (though I guess I can override MAVEN_OPTS to at least get timestamps there?).

Glad it's working for you and providing useful results! Tweaking which tools run can definitely take those times down (though the deeper analysis tools like Infer both take more time and tend to provide more useful results, so there's a tradeoff). We are always working on improving run-times, so you may notice this time coming down as we continue to update the service.

For the comments about the logs, providing info on how long each step takes is a great idea and I’ve made a ticket for that. For downloading the logs, would a “copy” button that copies the full log data to the clipboard work for you? Or would you prefer a download button?