sonarcloud.yml

name: SonarCloud

on:
  push:
    branches: [ dev ]
  pull_request:
    branches: [ dev ]

env:
   REGION: eu-west-1

jobs:
  aws_creds:
    name: Get ECR Access
    runs-on: [ self-hosted, corefront, sandbox ]
    outputs:
      token: ${{ steps.ecr_token.outputs.token }}
    steps:
      - id: ecr_token
        name: Get ECR Token
        run: |
          echo token=$(aws ecr get-login-password --region $REGION) >> $GITHUB_OUTPUT
  static_analysis:
    runs-on: [self-hosted, corefront, sandbox]
    needs: aws_creds
    container:
        image: 162230498103.dkr.ecr.eu-west-1.amazonaws.com/mutable-debian11_dev:latest
        credentials:
          username: AWS
          password: ${{ needs.aws_creds.outputs.token }}

    steps:
    - name: Install sonar dependencies
      run: apt update -y && apt install -y unzip
    - name: force chown to avoid errors
      run: chown -R $(whoami):$(whoami) .
    - name: Display remaining space
      run: df -h
    - name: Generate github private access token
      id: ci-core-app-token
      uses: getsentry/action-github-app-token@v2.0.0
      with:
        app_id: ${{ secrets.CI_CORE_APP_ID }}
        private_key: ${{ secrets.CI_CORE_APP_PEM }}
    - uses: actions/checkout@v3
      with:
        submodules: recursive
        token: ${{ steps.ci-core-app-token.outputs.token }}
    - name: Configure
      run: |
        mkdir build
        cmake -DCMAKE_BUILD_TYPE=Profile -DSTRIP_SYMBOLS=ON -S source -B build
    - name: SonarQube Scan
      uses: SonarSource/sonarqube-scan-action@v5.3.1
      env:
        SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      with:
          args: >
            --define sonar.cfamily.compile-commands=build/compile_commands.json
    - name: clean up workspace
      if: ${{ always() }}
      run: |
        rm -rf ./*
        rm -rf ./.??*