From 3f17d24530cce9334b2758fc6ab1a991bfcdb5d9 Mon Sep 17 00:00:00 2001 From: Rohan Kumar Date: Sun, 6 Jul 2025 21:43:25 +0530 Subject: [PATCH] ci : fix failing sonar pipeline by moving sonar publish step to `workflow_run` Sonar analysis is no longer working on pull requests as sonar login token is not propagated to pull requests. In order to perform analysis, split the github action into two actions: - `Sonar PR Report Request` : Will run on PR, but would only verify build is ok - `Sonar PR Report Publish` : Will run after completion of previous workflow, but on main repository that would have required secrets. Signed-off-by: Rohan Kumar --- .github/workflows/sonar-pr-report-publish.yml | 66 +++++++++++++++++++ .github/workflows/sonar-pr-report-request.yml | 47 +++++++++++++ .github/workflows/sonar.yml | 5 -- Makefile | 9 +++ 4 files changed, 122 insertions(+), 5 deletions(-) create mode 100644 .github/workflows/sonar-pr-report-publish.yml create mode 100644 .github/workflows/sonar-pr-report-request.yml diff --git a/.github/workflows/sonar-pr-report-publish.yml b/.github/workflows/sonar-pr-report-publish.yml new file mode 100644 index 00000000000..b4abcdde8cc --- /dev/null +++ b/.github/workflows/sonar-pr-report-publish.yml 
@@ -0,0 +1,66 @@
+#
+# Copyright (C) 2015 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+name: Sonar PR Report Publish
+
+on:
+ workflow_run:
+ workflows: [Sonar PR Report Request]
+ types:
+ - completed
+
+concurrency:
+ # Only run once for latest commit per ref and cancel other (previous) runs.
+ group: ci-sonar-kubernetes-client-${{ github.ref }}
+ cancel-in-progress: true
+
+permissions:
+ contents: read
+
+jobs:
+ sonar:
+ name: Sonar
+ runs-on: ubuntu-latest
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ BASE_BRANCH: main
+ PR_BRANCH: ${{ github.event.workflow_run.head_branch }}
+ PR_AUTHOR: ${{ github.event.sender.login }}
+ GITHUB_REPO: ${{ github.repository }}
+ SONAR_LOGIN_TOKEN: ${{ secrets.SONAR_LOGIN_TOKEN }}
+ steps:
+ - name: Setup Java 17
+ uses: actions/setup-java@v4
+ with:
+ java-version: '17'
+ distribution: 'temurin'
+ - name: Get PR number
+ run: |
+ PR_QUERY_RESULT=$(curl -s -H "Authorization: token $GITHUB_TOKEN" \
+ "https://api.github.com/repos/$GITHUB_REPO/pulls?head=$PR_AUTHOR:$PR_BRANCH&state=open" | jq '.[0].number')
+ if [ "$PR_QUERY_RESULT" = "null" ] || [ -z "$PR_QUERY_RESULT" ]; then
+ echo "Could not find PR number for $PR_AUTHOR:$PR_BRANCH"
+ exit 1
+ fi
+ echo "PR_NUMBER=$PR_QUERY_RESULT" >> $GITHUB_ENV
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ ref: refs/pull/${{ env.PR_NUMBER }}/head
+ # Shallow clones should be disabled for a better relevancy of analysis
+ fetch-depth: 0
+ - name: Sonar
+ 
run: make sonar-pr-report diff --git a/.github/workflows/sonar-pr-report-request.yml b/.github/workflows/sonar-pr-report-request.yml new file mode 100644 index 00000000000..f4f5b1e0086 --- /dev/null +++ b/.github/workflows/sonar-pr-report-request.yml @@ -0,0 +1,47 @@ +# +# Copyright (C) 2015 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +name: Sonar PR Report Request + +on: + pull_request: + paths-ignore: + - 'doc/**' + - 'ide-config/**' + - '**.md' + +concurrency: + # Only run once for latest commit per ref and cancel other (previous) runs. + group: ci-sonar-kubernetes-client-${{ github.ref }} + cancel-in-progress: true + +permissions: + contents: read + +jobs: + sonar: + name: Sonar + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + - name: Setup Java 17 + uses: actions/setup-java@v4 + with: + java-version: '17' + distribution: 'temurin' + - name: Build Project before requesting for Sonar Analysis + run: mvn ${MAVEN_ARGS} install diff --git a/.github/workflows/sonar.yml b/.github/workflows/sonar.yml index 5d7a3282010..5036e56d105 100644 --- a/.github/workflows/sonar.yml +++ b/.github/workflows/sonar.yml @@ -20,11 +20,6 @@ on: push: branches: - main -# pull_request: -# paths-ignore: -# - 'doc/**' -# - 'ide-config/**' -# - '**.md' concurrency: # Only run once for latest commit per ref and cancel other (previous) runs. diff --git a/Makefile b/Makefile index ce23d5c8d4b..b9a130ee3d3 100644 --- a/Makefile +++ b/Makefile 
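Review bot: The `Checkout` step fetches `refs/pull/<n>/head` and `make sonar-pr-report` then runs that pull request's own Makefile and Maven build inside a `workflow_run` job whose job-level `env` holds `SONAR_LOGIN_TOKEN` and `GITHUB_TOKEN`, so code from a fork executes with both secrets readable. Scoping the secrets per step, adding `persist-credentials: false` and gating on `conclusion == 'success'` and `event == 'pull_request'` (`types: completed` also fires for failed runs) narrow this but do not remove it, so the Sonar token should be analysis-only and the job is best placed behind an `environment` that requires approval for fork PRs. Two correctness points in the same hunk: `github.ref` in a `workflow_run` run is the default branch, so every PR shares one concurrency group and reports cancel each other. `github.event.sender.login` is whoever triggered the run, not necessarily the fork owner that the `head=owner:branch` filter expects. The fence keeps `GITHUB_TOKEN` on the lookup step only, which assumes the scanner does not need it.

```yaml
concurrency:
  # github.ref is the default branch under workflow_run; key on the PR head instead
  group: ci-sonar-kubernetes-client-${{ github.event.workflow_run.head_repository.full_name }}-${{ github.event.workflow_run.head_branch }}
  cancel-in-progress: true

jobs:
  sonar:
    # types: completed also fires for failed or cancelled request runs
    if: >-
      github.event.workflow_run.event == 'pull_request' &&
      github.event.workflow_run.conclusion == 'success'
    env:
      BASE_BRANCH: main
      PR_BRANCH: ${{ github.event.workflow_run.head_branch }}
      PR_AUTHOR: ${{ github.event.workflow_run.head_repository.owner.login }}
      GITHUB_REPO: ${{ github.repository }}
    steps:
      # … unchanged: Setup Java 17 …
      - name: Get PR number
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          # … unchanged: PR lookup …
      - name: Checkout
        uses: actions/checkout@v4
        with:
          ref: refs/pull/${{ env.PR_NUMBER }}/head
          fetch-depth: 0
          # keep the workflow token out of .git/config, where the PR build could read it
          persist-credentials: false
      - name: Sonar
        env:
          SONAR_LOGIN_TOKEN: ${{ secrets.SONAR_LOGIN_TOKEN }}
        run: make sonar-pr-report
```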
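Review bot: `mvn ${MAVEN_ARGS} install` in the last step of the request workflow references `MAVEN_ARGS`, but this new file has no `env:` block defining it. Unless the variable is set at repository or organisation level, the shell expands it to nothing and the build runs without whatever flags were presumably intended; either define it here or drop it. A comment above `name: Sonar PR Report Request` would also help, for example `# Referenced by name from sonar-pr-report-publish.yml (on.workflow_run.workflows); rename both together`, because a rename here silently stops the publish workflow from triggering.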
@@ -65,6 +65,15 @@ sonar: clean # $(MAVEN_ARGS) ---> -T 1C won't work with sonar analysis (yet) mvn -Psonar install sonar:sonar +.PHONY: sonar-pr-report +sonar-pr-report: clean + mvn -Psonar install sonar:sonar \ + -Dsonar.login=${SONAR_LOGIN_TOKEN} \ + -Dsonar.pullrequest.key=${PR_NUMBER} \ + -Dsonar.pullrequest.branch=${PR_BRANCH} \ + -Dsonar.pullrequest.base=${BASE_BRANCH} \ + -Dsonar.pullrequest.provider=GitHub + .PHONY: javadoc javadoc: clean mvn $(MAVEN_ARGS) install javadoc:jar -DskipTests -Pjavadoc-test
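Review bot: In the new `sonar-pr-report` recipe, `${PR_BRANCH}`, `${PR_NUMBER}` and `${BASE_BRANCH}` are expanded by make and pasted unquoted into the command line, and `PR_BRANCH` comes from `workflow_run.head_branch`, a name chosen by the pull request author. Git ref names can contain shell metacharacters, so the shell would parse the value as command text in a job that holds the Sonar token. Let the shell expand the variables and quote them: `-Dsonar.pullrequest.branch="$$PR_BRANCH"`, and likewise `-Dsonar.pullrequest.key="$$PR_NUMBER"` and `-Dsonar.pullrequest.base="$$BASE_BRANCH"`. `-Dsonar.login=${SONAR_LOGIN_TOKEN}` also puts the token in the mvn process arguments; the scanner can read it from the `SONAR_TOKEN` environment variable instead, which is worth confirming against the plugin version in use.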