Skip to content
This repository was archived by the owner on Feb 13, 2026. It is now read-only.

Commit 092b483

Browse files
authored
Refactor sonarcloud workflow and remove security issue (#325)
1 parent c2cba19 commit 092b483

1 file changed

Lines changed: 25 additions & 65 deletions

File tree

.github/workflows/sonarcloud.yaml

Lines changed: 25 additions & 65 deletions
Original file line numberDiff line numberDiff line change
@@ -1,15 +1,12 @@
1-
name: SonarQube
1+
name: SonarCloud
22

33
on:
44
push:
5-
branches: [ main ]
6-
5+
branches:
6+
- main
77
pull_request:
8-
branches: [ main ]
9-
10-
pull_request_target:
11-
types: [ labeled, opened, synchronize, reopened ]
12-
branches: [ main ]
8+
branches:
9+
- main
1310

1411
permissions:
1512
contents: read
@@ -19,85 +16,48 @@ env:
1916
SONAR_PROJECT_KEY: skodjob_test-frame
2017

2118
jobs:
22-
sonar-push:
23-
if: github.event_name == 'push'
19+
analyze:
2420
runs-on: ubuntu-latest
2521

2622
steps:
27-
- uses: actions/checkout@v4
23+
- name: Checkout code
24+
uses: actions/checkout@v4
2825
with:
2926
fetch-depth: 0
3027

31-
- uses: actions/setup-java@v4
28+
- name: Set up JDK 17
29+
uses: actions/setup-java@v4
3230
with:
3331
distribution: temurin
3432
java-version: 17
3533

36-
- uses: actions/cache@v4
34+
- name: Cache Maven packages
35+
uses: actions/cache@v4
3736
with:
38-
path: ~/.m2
37+
path: ~/.m2/repository
3938
key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
4039
restore-keys: ${{ runner.os }}-m2
4140

42-
- name: Build & Sonar scan (push)
41+
- name: SonarCloud scan on PR
42+
if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == false
4343
env:
4444
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
4545
run: |
4646
./mvnw verify \
47-
org.sonarsource.scanner.maven:sonar-maven-plugin:sonar \
48-
-Dsonar.projectKey=$SONAR_PROJECT_KEY \
49-
-Dsonar.coverage.exclusions="**/*"
50-
51-
sonar-pr-internal:
52-
if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == false
53-
runs-on: ubuntu-latest
54-
55-
steps:
56-
- uses: actions/checkout@v4
57-
with:
58-
ref: ${{ github.event.pull_request.head.sha }}
59-
fetch-depth: 0
60-
61-
- uses: actions/setup-java@v4
62-
with:
63-
distribution: temurin
64-
java-version: 17
65-
66-
- uses: actions/cache@v4
67-
with:
68-
path: ~/.m2
69-
key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
70-
restore-keys: ${{ runner.os }}-m2
47+
org.sonarsource.scanner.maven:sonar-maven-plugin:sonar \
48+
-Dsonar.projectKey=$SONAR_PROJECT_KEY
7149
72-
- name: Build & Sonar scan (internal PR)
50+
- name: SonarCloud scan on Push
51+
if: github.event_name == 'push'
7352
env:
7453
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
7554
run: |
7655
./mvnw verify \
77-
org.sonarsource.scanner.maven:sonar-maven-plugin:sonar \
78-
-Dsonar.projectKey=$SONAR_PROJECT_KEY
56+
org.sonarsource.scanner.maven:sonar-maven-plugin:sonar \
57+
-Dsonar.projectKey=$SONAR_PROJECT_KEY \
58+
-Dsonar.coverage.exclusions="**/*"
7959
80-
sonar-pr-fork:
81-
if: |
82-
github.event_name == 'pull_request_target' &&
83-
github.event.pull_request.head.repo.fork == true &&
84-
contains(github.event.pull_request.labels.*.name, 'safe-to-scan')
85-
runs-on: ubuntu-latest
86-
87-
steps:
88-
- uses: actions/checkout@v4
89-
with:
90-
ref: ${{ github.event.pull_request.head.sha }}
91-
fetch-depth: 0
92-
persist-credentials: false
93-
94-
- uses: actions/setup-java@v4
95-
with: { distribution: temurin, java-version: 17 }
96-
97-
- name: Sonar scan (fork PR)
98-
env:
99-
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
60+
- name: Comment on fork PRs
61+
if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true
10062
run: |
101-
./mvnw verify \
102-
org.sonarsource.scanner.maven:sonar-maven-plugin:sonar \
103-
-Dsonar.projectKey=$SONAR_PROJECT_KEY
63+
echo "Skipping SonarCloud analysis for forked PRs for security reasons."

0 commit comments

Comments
 (0)