-
Notifications
You must be signed in to change notification settings - Fork 0
101 lines (95 loc) · 3.61 KB
/
Copy pathscan-sonarqube.yml
File metadata and controls
101 lines (95 loc) · 3.61 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
name: Sonarqube scan
on:
workflow_call:
inputs:
COVERAGE_IMPORT:
description: Whether or not to import coverage artifact
required: false
type: boolean
default: false
COVERAGE_ARTIFACT_NAME:
description: Artifact name of the coverage reports
required: false
type: string
default: unit-tests-coverage
COVERAGE_ARTIFACT_PATH:
description: Target path to download coverage artifact
required: false
type: string
default: ./coverage
SONAR_EXTRA_ARGS:
description: Extra arguments to use with Sonarqube
required: false
type: string
SOURCES_PATH:
description: Paths to the source code that should be analyzed (eg. 'apps,packages')
required: false
type: string
SONAR_URL:
description: Sonarqube server URL
required: true
type: string
FAIL_ON_ERROR:
description: Whether to fail the workflow on linting errors
type: boolean
required: false
default: true
RUNS_ON:
description: Runner labels as JSON array (e.g., '["ubuntu-24.04"]' or '["self-hosted", "linux"]')
required: false
type: string
default: '["ubuntu-24.04"]'
secrets:
SONAR_TOKEN:
description: Sonarqube token
required: true
SONAR_PROJECT_KEY:
description: Sonarqube project key
required: true
jobs:
code-scan:
name: Run code quality analysis
runs-on: ${{ fromJSON(inputs.RUNS_ON) }}
permissions:
contents: read
issues: write
pull-requests: write
steps:
- name: Checks-out repository
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
fetch-depth: 0
- name: Download artifact
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
if: ${{ inputs.COVERAGE_IMPORT }}
with:
name: ${{ inputs.COVERAGE_ARTIFACT_NAME }}
path: ${{ inputs.COVERAGE_ARTIFACT_PATH }}
- name: Set sonarqube args
id: sonar-args
run: |
echo "SONAR_ARGS_PR=-Dsonar.pullrequest.provider=github -Dsonar.pullrequest.key=${{ github.event.number }} -Dsonar.pullrequest.branch=${{ github.head_ref }} -Dsonar.pullrequest.base=${{ github.base_ref }} -Dsonar.pullrequest.github.repository=${{ github.repository }}" >> $GITHUB_OUTPUT
echo "SONAR_ARGS_BRANCH=-Dsonar.branch.name=${{ github.ref_name }}" >> $GITHUB_OUTPUT
- name: SonarQube Scan
uses: sonarsource/sonarqube-scan-action@713881670b6b3676cda39549040e2d88c70d582e # v8.2.0
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
SONAR_HOST_URL: ${{ inputs.SONAR_URL }}
GITHUB_TOKEN: ${{ github.token }}
with:
args: >
-Dsonar.projectKey=${{ secrets.SONAR_PROJECT_KEY }}
-Dsonar.scm.provider=git
-Dsonar.sources=${{ inputs.SOURCES_PATH}}
${{ github.event_name == 'pull_request' && steps.sonar-args.outputs.SONAR_ARGS_PR || steps.sonar-args.outputs.SONAR_ARGS_BRANCH }}
${{ inputs.SONAR_EXTRA_ARGS != '' && inputs.SONAR_EXTRA_ARGS }}
skipSignatureVerification: true
continue-on-error: ${{ inputs.FAIL_ON_ERROR == false }}
- name: SonarQube Quality Gate check
id: sonarqube-quality-gate-check
uses: sonarsource/sonarqube-quality-gate-action@cf038b0e0cdecfa9e56c198bbb7d21d751d62c3b # v1.2.0
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
SONAR_HOST_URL: ${{ inputs.SONAR_URL }}
timeout-minutes: 5
continue-on-error: ${{ inputs.FAIL_ON_ERROR == false }}