Run SonarCloud on PRs and pushes

Relates:
stolostron/backlog#25949

Signed-off-by: mprahl <[email protected]>

Author: mprahl

.github/workflows/sonarcloud.yml

@@ -0,0 +1,14 @@
+name: Sonarcloud scan
+
+on:
+  workflow_run:
+    workflows:
+      - Unit Tests
+    types:
+      - completed
+
+jobs:
+  sonarcloud:
+    uses: stolostron/governance-policy-framework/.github/workflows/sonarcloud.yml@main
+    secrets:
+      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

.github/workflows/unit-tests.yml

@@ -23,6 +23,27 @@ jobs:
       with:
         go-version-file: go.mod
 
-    - name: Unit Tests
+    - name: Test Coverage and Report Generation
       run: |
-        make test
+        make test-coverage | tee report_unit.json
+        make gosec-scan
+        cat gosec.json
+
+    - name: Store the GitHub triggering event for the sonarcloud workflow
+      if: |
+        github.repository_owner == 'stolostron'
+      run: |
+        cat <<EOF > event.json
+        ${{ toJSON(github.event) }}
+        EOF
+
+    - name: Upload artifacts for the sonarcloud workflow
+      if: |
+        github.repository_owner == 'stolostron'
+      uses: actions/upload-artifact@v3
+      with:
+        name: artifacts
+        path: |
+          coverage*.out
+          event.json
+          gosec.json

.gitignore

@@ -24,3 +24,6 @@ vendor/
 .idea
 
 bin/
+
+gosec.json
+coverage.out

Makefile

@@ -80,6 +80,19 @@ lint: lint-dependencies lint-all
 ############################################################
 # test section
 ############################################################
+GOSEC = $(LOCAL_BIN)/gosec
 
 test:
 	@go test $(TESTARGS) ./...
+
+.PHONY: test-coverage
+test-coverage: TESTARGS = -json -cover -covermode=atomic -coverprofile=coverage.out
+test-coverage: test
+
+.PHONY: gosec
+gosec:
+	$(call go-get-tool,github.com/securego/gosec/v2/cmd/[email protected])
+
+.PHONY: gosec-scan
+gosec-scan: gosec
+	$(GOSEC) -fmt sonarqube -out gosec.json -no-fail -exclude-dir=.go ./...