-
Notifications
You must be signed in to change notification settings - Fork 2
73 lines (73 loc) · 2.54 KB
/
sonar.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
name: Sonar
on:
workflow_call:
inputs:
test-database:
required: false
type: boolean
default: false
workflow_run:
workflows: [CI shared workflow]
types: [completed]
permissions:
actions: read
checks: read
id-token: read
pull-requests: read
repository-projects: read
statuses: read
jobs:
strategy:
fail-fast: false
matrix:
python-version: ["3.10", "3.11", "3.12"]
os: [ubuntu-22.04]
sonar:
name: Sonar
runs-on: ubuntu-latest
timeout-minutes: 30
if: github.event.workflow_run.conclusion == 'success'
steps:
- uses: step-security/harden-runner@v2
with:
egress-policy: audit
- uses: actions/checkout@v4
with:
repository: ${{ github.event.workflow_run.head_repository.full_name }}
ref: ${{ github.event.workflow_run.head_branch }}
fetch-depth: 0
- name: Get run ID of parent CI workflow
id: get-run-id
run: |
OTHER_REPO="${{ github.repository }}"
WF_NAME="CI"
RUN_ID=`gh run --repo ${OTHER_REPO} list --workflow ${WF_NAME} --json databaseId --jq .[0].databaseId`
echo "Detected latest run id of ${RUN_ID} for workflow ${WF_NAME}"
echo "run-id=${RUN_ID}" >> "$GITHUB_OUTPUT"
env:
GH_TOKEN: ${{ github.token }}
- name: Download artifact from CI workflow
uses: actions/download-artifact@v4
with:
name: code-coverage-report-${{ matrix.python-version }}
github-token: ${{ github.token }}
repository: ${{ github.repository }}
run-id: ${{ steps.get-run-id.outputs.run-id }}
- uses: actions/download-artifact@v4
if: ${{ inputs.test-database }}
with:
name: code-coverage-postgres-report-${{ matrix.python-version }}
github-token: ${{ github.token }}
repository: ${{ github.repository }}
run-id: ${{ steps.get-run-id.outputs.run-id }}
- name: SonarCloud Scan
uses: sonarsource/sonarcloud-github-action@master
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
with:
args: >
-Dsonar.scm.revision=${{ github.event.workflow_run.head_sha }}
-Dsonar.pullrequest.key=${{ github.event.workflow_run.pull_requests[0].number }}
-Dsonar.pullrequest.branch=${{ github.event.workflow_run.pull_requests[0].head.ref }}
-Dsonar.pullrequest.base=${{ github.event.workflow_run.pull_requests[0].base.ref }}