Skip to content

SonarCloud Static Scans (PR) #1194

SonarCloud Static Scans (PR)

SonarCloud Static Scans (PR) #1194

Workflow file for this run

name: SonarCloud Static Scans (PR)
on:
workflow_run:
workflows:
- Pytest tests
types:
- completed
permissions:
contents: read
pull-requests: read
actions: read
jobs:
sonarcloud:
name: SonarCloud Static Scans (PR)
runs-on: ubuntu-latest
if: github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event == 'pull_request'
env:
HAS_SONAR_TOKEN: ${{ secrets.CICD_ORG_SONAR_TOKEN_CICD_BOT != '' }}
steps:
- name: Checkout Code
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
fetch-depth: 0
- name: Fetch Code Coverage Report
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
with:
name: coverage-report
path: coverage-artifact
github-token: ${{ secrets.GITHUB_TOKEN }}
run-id: ${{ github.event.workflow_run.id }}
- name: Fetch PR Number
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
with:
name: pr_number
path: pr-artifact
github-token: ${{ secrets.GITHUB_TOKEN }}
run-id: ${{ github.event.workflow_run.id }}
- name: Extract and validate PR Number
run: |
cat pr-artifact/pr_number.txt
VALID_PR=$(head -n1 pr-artifact/pr_number.txt | awk '{print $2}' | grep -E '^[0-9]+$') || true
if [ -z "$VALID_PR" ]; then
echo "Invalid PR number (must be a single integer)"
exit 1
fi
echo "PR_NUMBER=$VALID_PR" >> $GITHUB_ENV
- name: Check if PR is open and validate
id: pr_check
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
PR_NUMBER: ${{ env.PR_NUMBER }}
GITHUB_REPO: ${{ github.repository }}
WORKFLOW_BRANCH: ${{ github.event.workflow_run.head_branch }}
WORKFLOW_HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
WORKFLOW_HEAD_REPO: ${{ github.event.workflow_run.head_repository.full_name }}
run: |
HTTP_CODE=$(curl -s -w "%{http_code}" -o pr_response.json -H "Authorization: token $GITHUB_TOKEN" \
"https://api.github.com/repos/$GITHUB_REPO/pulls/$PR_NUMBER")
if [ "$HTTP_CODE" != "200" ]; then
echo "Error: GitHub API returned HTTP $HTTP_CODE when checking PR state"
cat pr_response.json
exit 1
fi
PR_STATE=$(jq -r '.state // "not_found"' pr_response.json)
echo "PR $PR_NUMBER state: $PR_STATE"
if [ "$PR_STATE" = "not_found" ]; then
echo "Cannot determine PR state from API response"
exit 1
fi
if [ "$PR_STATE" != "open" ]; then
echo "PR is not open (state: $PR_STATE) - skipping SonarCloud scan"
echo "should_scan=false" >> $GITHUB_OUTPUT
exit 0
fi
PR_HEAD_BRANCH=$(jq -r '.head.ref' pr_response.json)
PR_HEAD_SHA=$(jq -r '.head.sha' pr_response.json)
PR_HEAD_REPO=$(jq -r '.head.repo.full_name' pr_response.json)
PR_BASE_BRANCH=$(jq -r '.base.ref' pr_response.json)
echo "PR head branch: $PR_HEAD_BRANCH"
echo "PR head SHA: $PR_HEAD_SHA"
echo "PR head repo: $PR_HEAD_REPO"
echo "Workflow run branch: $WORKFLOW_BRANCH"
echo "Workflow run SHA: $WORKFLOW_HEAD_SHA"
echo "Workflow run repo: $WORKFLOW_HEAD_REPO"
if [ "$PR_HEAD_BRANCH" != "$WORKFLOW_BRANCH" ] || \
[ "$PR_HEAD_SHA" != "$WORKFLOW_HEAD_SHA" ] || \
[ "$PR_HEAD_REPO" != "$WORKFLOW_HEAD_REPO" ]; then
echo "Error: Workflow run no longer matches PR #$PR_NUMBER head (branch/SHA/repo mismatch)"
echo "should_scan=false" >> $GITHUB_OUTPUT
exit 0
fi
echo "Validation successful: PR $PR_NUMBER matches workflow run (branch, SHA, repo)"
echo "should_scan=true" >> $GITHUB_OUTPUT
delim=$(openssl rand -hex 16)
echo "PR_BASE<<${delim}" >> $GITHUB_ENV
printf '%s\n' "$PR_BASE_BRANCH" >> $GITHUB_ENV
echo "${delim}" >> $GITHUB_ENV
delim=$(openssl rand -hex 16)
echo "PR_HEAD<<${delim}" >> $GITHUB_ENV
printf '%s\n' "$PR_HEAD_BRANCH" >> $GITHUB_ENV
echo "${delim}" >> $GITHUB_ENV
- name: Checkout Code for PR
if: steps.pr_check.outputs.should_scan == 'true'
run: |
gh pr checkout "$PR_NUMBER"
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
PR_NUMBER: ${{ env.PR_NUMBER }}
- name: SonarCloud Scan
if: steps.pr_check.outputs.should_scan == 'true' && env.HAS_SONAR_TOKEN == 'true'
uses: SonarSource/sonarqube-scan-action@713881670b6b3676cda39549040e2d88c70d582e # v8.2.0
env:
SONAR_HOST_URL: https://sonarcloud.io
SONAR_ORGANIZATION: ansible
SONAR_PROJECT_KEY: ansible_metrics-service
SONAR_TOKEN: ${{ secrets.CICD_ORG_SONAR_TOKEN_CICD_BOT }}
with:
projectBaseDir: .
args: >
-Dsonar.python.coverage.reportPaths=coverage-artifact/coverage.xml
-Dsonar.scm.revision=${{ github.event.workflow_run.head_sha }}
-Dsonar.pullrequest.key=${{ env.PR_NUMBER }}
-Dsonar.pullrequest.branch=${{ env.PR_HEAD }}
-Dsonar.pullrequest.base=${{ env.PR_BASE }}
-Dsonar.pullrequest.provider=github