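---
# Workflow syntax for GitHub Actions: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions
# SonarCloud: https://sonarcloud.io/
# CI analysis while Automatic Analysis must be disabled for successful execution of this workflow https://docs.sonarcloud.io/advanced-setup/automatic-analysis/#conflict-with-ci-based-analysis
name: Scan Code with SonarCloud
# Events: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows
on:
  # Run workflow on push except for ignored paths.
  # `!` exclusions are supported in `paths` (not in `paths-ignore`) and are applied in order: match everything,
  # drop documentation and other workflow files, then re-include this workflow so that changes to the scan itself
  # are still scanned. The previous `.github/**(!code-scan-sonarcloud.yml)` entry was not valid filter syntax,
  # so other workflow changes were never actually ignored.
  push:
    paths:
      - '**'
      - '!**.md' # Ignore documentation changes
      - '!.github/**' # Ignore other workflow changes
      - '.github/workflows/code-scan-sonarcloud.yml' # ...but keep scanning changes to this workflow
  # Run workflow on pull request
  # Note: with the exception of GITHUB_TOKEN, secrets (e.g. SONAR_TOKEN) are not passed to pull_request runs
  # triggered from a forked repository, so the pull_request scan step cannot authenticate to SonarCloud for fork PRs.
  pull_request: # By default, a workflow only runs when a pull_request event's activity type is opened, synchronize, or reopened
# Run a single job at a time: https://docs.github.com/en/actions/using-jobs/using-concurrency
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
# Set Workflow-level permissions: https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
permissions:
  contents: read
jobs:
  sonarcloud:
    # Run job when not triggered by a merge
    if: (github.event_name == 'push' && contains(toJSON(github.event.head_commit.message), 'Merge pull request ') == false) || (github.event_name != 'push')
    runs-on: ubuntu-latest # GitHub-hosted runners: https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners#supported-runners-and-hardware-resources
    # Set Job-level permissions: https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
    # A job-level `permissions` block replaces the workflow-level one rather than merging with it, so every
    # scope not listed here becomes `none`. `contents: read` is re-granted so that actions/checkout keeps working.
    permissions:
      contents: read # Allow actions/checkout to read the repository
      pull-requests: read # Allow SonarCloud to get pull request details
    environment: sonarcloud # Use `sonarcloud` repository environment
    steps:
      # Supply-chain note: every action below is pinned to a mutable tag. Pinning each `uses:` to a full commit SHA
      # (with the tag kept in a trailing comment) protects the pipeline against a compromised or force-moved tag.
      # Workaround for the absence of github.branch_name, use github-env-vars-action to define useful environment variables not available by default
      - uses: FranzDiebold/github-env-vars-action@v2 # https://github.com/marketplace/actions/github-environment-variables-action
      - name: Checkout repository
        uses: actions/checkout@v4 # https://github.com/marketplace/actions/checkout
        with:
          # Disabling shallow clone is recommended for improving relevancy of reporting
          fetch-depth: 0
      # Setup Java
      - uses: actions/setup-java@v3 # https://github.com/actions/setup-java
        with:
          distribution: microsoft # Microsoft was selected to match Visual Studio Code Dev Container Java distribution, see .devcontainer/devcontainer.json. Supported distributions: https://github.com/actions/setup-java#supported-distributions
          java-version: '17' # Java version must match `project.properties['java.version']` in pom.xml
      - name: Cache Maven dependencies
        uses: actions/cache@v3 # https://github.com/marketplace/actions/cache#using-a-combination-of-restore-and-save-actions
        with:
          path: |
            ~/.m2
          key: maven-${{ hashFiles('**/pom.xml') }}
      - name: Cache SonarCloud dependencies
        uses: actions/cache@v3 # https://github.com/marketplace/actions/cache#using-a-combination-of-restore-and-save-actions
        with:
          path: |
            ~/.sonar/cache
          key: sonarcloud-${{ github.repository_id }}
      # - name: SonarCloud Scan via Github Action
      #   uses: sonarsource/sonarcloud-github-action@v2.0.2 # https://github.com/marketplace/actions/sonarcloud-scan
      #   env:
      #     GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # GITHUB_TOKEN is a special secret automatically generated by GitHub: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#about-the-github_token-secret
      #     SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # SONAR_TOKEN must be defined in `sonarcloud` repository environment. SonarCloud access token should be generated from https://sonarcloud.io/account/security/
      # In case you need to override default settings
      # - name: Analyze with SonarCloud
      #   uses: sonarsource/sonarcloud-github-action@v2.0.2
      #   with:
      #     projectBaseDir: my-custom-directory
      #     args: >
      #       -Dsonar.organization=my-organization
      #       -Dsonar.projectKey=my-projectkey
      #       -Dsonar.python.coverage.reportPaths=coverage.xml
      #       -Dsonar.sources=lib/
      #       -Dsonar.test.exclusions=tests/**
      #       -Dsonar.tests=tests/
      #       -Dsonar.verbose=true
      # SonarCloud GitHub Action fails when a Maven project is detected and recommends usage of Maven Sonar plugin
      - name: SonarCloud Scan via Maven (${{ github.event_name }})
        if: github.event_name != 'pull_request'
        # Get SONAR_ORGANIZATION and SONAR_PROJECT_KEY from https://sonarcloud.io/project/information?id=paul-gilber_demoapp-backend
        # SONAR_ORGANIZATION must be defined in `sonarcloud` repository environment
        # SONAR_PROJECT_KEY must be defined in `sonarcloud` repository environment
        # Ref and repository names are read from the shell environment (exported by github-env-vars-action) and
        # double-quoted instead of being `${{ }}`-interpolated into the script: a ref name is attacker-influenceable
        # input, and inline interpolation would allow shell injection (see GitHub's script-injection guidance).
        run: |
          mvn -B verify \
            org.sonarsource.scanner.maven:sonar-maven-plugin:sonar \
            -Drevision="$CI_ACTION_REF_NAME" \
            -Dsonar.organization="$CI_REPOSITORY_OWNER" \
            -Dsonar.projectKey="${CI_REPOSITORY_OWNER}_${CI_REPOSITORY_NAME}" \
            -Dmaven.test.skip=true \
            -Ddockerfile.skip=true
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # GITHUB_TOKEN is a special secret automatically generated by GitHub: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#about-the-github_token-secret
          SONAR_HOST_URL: ${{ vars.SONAR_HOST_URL }} # SONAR_HOST_URL must be defined in `sonarcloud` repository environment
          # SONAR_ORGANIZATION: ${{ vars.SONAR_ORGANIZATION }} # SONAR_ORGANIZATION must be defined in `sonarcloud` repository environment
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # SONAR_TOKEN must be defined in `sonarcloud` repository environment. SonarCloud access token should be generated from https://sonarcloud.io/account/security/
      # SonarCloud GitHub Action fails when a Maven project is detected and recommends usage of Maven Sonar plugin
      - name: SonarCloud Scan via Maven (pull_request)
        if: github.event_name == 'pull_request'
        # Get SONAR_ORGANIZATION and SONAR_PROJECT_KEY from https://sonarcloud.io/project/information?id=paul-gilber_demoapp-backend
        # SONAR_ORGANIZATION must be defined in `sonarcloud` repository environment
        # SONAR_PROJECT_KEY must be defined in `sonarcloud` repository environment
        # Head/base branch names come from the PR and are attacker-influenceable, so they are consumed through the
        # default GITHUB_HEAD_REF / GITHUB_BASE_REF / GITHUB_REPOSITORY environment variables and double-quoted
        # rather than `${{ }}`-interpolated into the script (see GitHub's script-injection guidance).
        run: |
          mvn -B verify \
            org.sonarsource.scanner.maven:sonar-maven-plugin:sonar \
            -Drevision="$CI_ACTION_REF_NAME" \
            -Dsonar.organization="$CI_REPOSITORY_OWNER" \
            -Dsonar.projectKey="${CI_REPOSITORY_OWNER}_${CI_REPOSITORY_NAME}" \
            -Dsonar.pullrequest.provider=GitHub \
            -Dsonar.pullrequest.github.repository="$GITHUB_REPOSITORY" \
            -Dsonar.pullrequest.key="$PR_NUMBER" \
            -Dsonar.pullrequest.branch="$GITHUB_HEAD_REF" \
            -Dsonar.pullrequest.base="$GITHUB_BASE_REF" \
            -Dmaven.test.skip=true \
            -Ddockerfile.skip=true
        env:
          PR_NUMBER: ${{ github.event.pull_request.number }} # Numeric, but passed through env like the other request-derived values
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # GITHUB_TOKEN is a special secret automatically generated by GitHub: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#about-the-github_token-secret
          SONAR_HOST_URL: ${{ vars.SONAR_HOST_URL }} # SONAR_HOST_URL must be defined in `sonarcloud` repository environment
          # SONAR_ORGANIZATION: ${{ vars.SONAR_ORGANIZATION }} # SONAR_ORGANIZATION must be defined in `sonarcloud` repository environment
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # SONAR_TOKEN must be defined in `sonarcloud` repository environment. SonarCloud access token should be generated from https://sonarcloud.io/account/security/
      # In case you need to override default settings
      # - name: SonarCloud Scan via Maven
      #   run: |
      #     mvn -B verify \
      #       org.sonarsource.scanner.maven:sonar-maven-plugin:sonar \
      #       -Dmaven.test.skip=true \
      #       -Ddockerfile.skip=true \
      #       -Dsonar.organization=my-organization \
      #       -Dsonar.projectKey=my-projectkey \
      #       -Dsonar.python.coverage.reportPaths=coverage.xml \
      #       -Dsonar.sources=lib/ \
      #       -Dsonar.test.exclusions=tests/** \
      #       -Dsonar.tests=tests/ \
      #       -Dsonar.verbose=true
      #   env:
      #     GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # GITHUB_TOKEN is a special secret automatically generated by GitHub: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#about-the-github_token-secret
      #     SONAR_ORGANIZATION: ${{ vars.SONAR_ORGANIZATION }} # SONAR_ORGANIZATION must be defined in `sonarcloud` repository environment
      #     SONAR_HOST_URL: ${{ vars.SONAR_HOST_URL }} # SONAR_HOST_URL must be defined in `sonarcloud` repository environment
      #     SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # SONAR_TOKEN must be defined in `sonarcloud` repository environment. SonarCloud access token should be generated from https://sonarcloud.io/account/security/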