[PAN-1881] Sonar Analysis as an independant workflow (#6)

* feat: Add sonar cloud as an independant workflow
pantos-io · May 13, 2024 · f3f7211 · f3f7211
1 parent 76e26e3
commit f3f7211
Show file tree

Hide file tree

Showing 2 changed files with 65 additions and 24 deletions.
diff --git a/.github/workflows/python-ci.yml b/.github/workflows/python-ci.yml
@@ -132,27 +132,3 @@ jobs:
         with:
           name: code-coverage-postgres-report
           path: postgres-coverage.xml
-
-  SonarCloud:
-    runs-on: ubuntu-latest
-    needs: [StaticCodeAnalysis, Format, Lint, Sort, Bandit, UnitTest]
-    steps:
-      - uses: actions/checkout@v4
-        with:
-            submodules: recursive
-            token: ${{ secrets.GH_TOKEN || github.token }}
-
-      - uses: actions/download-artifact@v4
-        with:
-          name: code-coverage-report
-
-      - uses: actions/download-artifact@v4
-        if: ${{ inputs.test-database }}
-        with:
-          name: code-coverage-postgres-report
-
-      - name: SonarCloud Scan
-        uses: SonarSource/sonarcloud-github-action@master
-        env:
-            GITHUB_TOKEN:  ${{ secrets.GH_TOKEN || github.token }}  # Needed to get PR information, if any
-            SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
diff --git a/.github/workflows/sonar.yml b/.github/workflows/sonar.yml
@@ -0,0 +1,65 @@
+name: Sonar
+on:
+  workflow_call:
+    inputs:
+      test-database:
+        required: false
+        type: boolean
+        default: false
+  workflow_run:
+    workflows: [CI shared workflow]
+    types: [completed]
+permissions:
+  actions: read
+  checks: read
+  id-token: read
+  pull-requests: read
+  repository-projects: read
+  statuses: read
+jobs:
+  sonar:
+    name: Sonar
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    if: github.event.workflow_run.conclusion == 'success'
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          repository: ${{ github.event.workflow_run.head_repository.full_name }}
+          ref: ${{ github.event.workflow_run.head_branch }}
+          fetch-depth: 0
+      - name: Get run ID of parent CI workflow
+        id: get-run-id
+        run: |
+          OTHER_REPO="${{ github.repository }}"
+          WF_NAME="CI"
+          RUN_ID=`gh run --repo ${OTHER_REPO} list --workflow ${WF_NAME} --json databaseId --jq .[0].databaseId`
+          echo "Detected latest run id of ${RUN_ID} for workflow ${WF_NAME}"
+          echo "run-id=${RUN_ID}" >> "$GITHUB_OUTPUT"
+        env:
+          GH_TOKEN: ${{ github.token }}
+      - name: Download artifact from CI workflow
+        uses: actions/download-artifact@v4
+        with:
+          name: code-coverage-report
+          github-token: ${{ github.token }}
+          repository: ${{ github.repository }}
+          run-id: ${{ steps.get-run-id.outputs.run-id }}
+      - uses: actions/download-artifact@v4
+        if: ${{ inputs.test-database }}
+        with:
+          name: code-coverage-postgres-report
+          github-token: ${{ github.token }}
+          repository: ${{ github.repository }}
+          run-id: ${{ steps.get-run-id.outputs.run-id }}
+      - name: SonarCloud Scan
+        uses: sonarsource/sonarcloud-github-action@master
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+        with:
+          args: >
+            -Dsonar.scm.revision=${{ github.event.workflow_run.head_sha }}
+            -Dsonar.pullrequest.key=${{ github.event.workflow_run.pull_requests[0].number }}
+            -Dsonar.pullrequest.branch=${{ github.event.workflow_run.pull_requests[0].head.ref }}
+            -Dsonar.pullrequest.base=${{ github.event.workflow_run.pull_requests[0].base.ref }}