1- name : SonarQube
1+ name : SonarCloud
22
33on :
44 push :
5- branches : [ main ]
6-
5+ branches :
6+ - main
77 pull_request :
8- branches : [ main ]
9-
10- pull_request_target :
11- types : [ labeled, opened, synchronize, reopened ]
12- branches : [ main ]
8+ branches :
9+ - main
1310
1411permissions :
1512 contents : read
1916 SONAR_PROJECT_KEY : skodjob_test-frame
2017
2118jobs :
22- sonar-push :
23- if : github.event_name == 'push'
19+ analyze :
2420 runs-on : ubuntu-latest
2521
2622 steps :
27- - uses : actions/checkout@v4
23+ - name : Checkout code
24+ uses : actions/checkout@v4
2825 with :
2926 fetch-depth : 0
3027
31- - uses : actions/setup-java@v4
28+ - name : Set up JDK 17
29+ uses : actions/setup-java@v4
3230 with :
3331 distribution : temurin
3432 java-version : 17
3533
36- - uses : actions/cache@v4
34+ - name : Cache Maven packages
35+ uses : actions/cache@v4
3736 with :
38- path : ~/.m2
37+ path : ~/.m2/repository
3938 key : ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
4039 restore-keys : ${{ runner.os }}-m2
4140
42- - name : Build & Sonar scan (push)
41+ - name : SonarCloud scan on PR
42+ if : github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == false
4343 env :
4444 SONAR_TOKEN : ${{ secrets.SONAR_TOKEN }}
4545 run : |
4646 ./mvnw verify \
47- org.sonarsource.scanner.maven:sonar-maven-plugin:sonar \
48- -Dsonar.projectKey=$SONAR_PROJECT_KEY \
49- -Dsonar.coverage.exclusions="**/*"
50-
51- sonar-pr-internal :
52- if : github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == false
53- runs-on : ubuntu-latest
54-
55- steps :
56- - uses : actions/checkout@v4
57- with :
58- ref : ${{ github.event.pull_request.head.sha }}
59- fetch-depth : 0
60-
61- - uses : actions/setup-java@v4
62- with :
63- distribution : temurin
64- java-version : 17
65-
66- - uses : actions/cache@v4
67- with :
68- path : ~/.m2
69- key : ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
70- restore-keys : ${{ runner.os }}-m2
47+ org.sonarsource.scanner.maven:sonar-maven-plugin:sonar \
48+ -Dsonar.projectKey=$SONAR_PROJECT_KEY
7149
72- - name : Build & Sonar scan (internal PR)
50+ - name : SonarCloud scan on Push
51+ if : github.event_name == 'push'
7352 env :
7453 SONAR_TOKEN : ${{ secrets.SONAR_TOKEN }}
7554 run : |
7655 ./mvnw verify \
77- org.sonarsource.scanner.maven:sonar-maven-plugin:sonar \
78- -Dsonar.projectKey=$SONAR_PROJECT_KEY
56+ org.sonarsource.scanner.maven:sonar-maven-plugin:sonar \
57+ -Dsonar.projectKey=$SONAR_PROJECT_KEY \
58+ -Dsonar.coverage.exclusions="**/*"
7959
80- sonar-pr-fork :
81- if : |
82- github.event_name == 'pull_request_target' &&
83- github.event.pull_request.head.repo.fork == true &&
84- contains(github.event.pull_request.labels.*.name, 'safe-to-scan')
85- runs-on : ubuntu-latest
86-
87- steps :
88- - uses : actions/checkout@v4
89- with :
90- ref : ${{ github.event.pull_request.head.sha }}
91- fetch-depth : 0
92- persist-credentials : false
93-
94- - uses : actions/setup-java@v4
95- with : { distribution: temurin, java-version: 17 }
96-
97- - name : Sonar scan (fork PR)
98- env :
99- SONAR_TOKEN : ${{ secrets.SONAR_TOKEN }}
60+ - name : Comment on fork PRs
61+ if : github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true
10062 run : |
101- ./mvnw verify \
102- org.sonarsource.scanner.maven:sonar-maven-plugin:sonar \
103- -Dsonar.projectKey=$SONAR_PROJECT_KEY
63+ echo "Skipping SonarCloud analysis for forked PRs for security reasons."
0 commit comments