From 89f1936004c16cd45c9cfba3bae7cfaf278434ce Mon Sep 17 00:00:00 2001 From: John Sapienza <98348171+jwsapienza@users.noreply.github.com> Date: Tue, 30 Jan 2024 11:23:07 -0500 Subject: [PATCH] ci(FS-7045): Update sonarqube-scan.yml --- .github/workflows/sonarqube-scan.yml | 77 ++++++++++++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 .github/workflows/sonarqube-scan.yml diff --git a/.github/workflows/sonarqube-scan.yml b/.github/workflows/sonarqube-scan.yml new file mode 100644 index 00000000..e6b8b071 --- /dev/null +++ b/.github/workflows/sonarqube-scan.yml @@ -0,0 +1,77 @@ +### +# Foundation-security SonarQube workflow +# version: 2.1 +### +name: Foundation-Security/SonarQube Scan + +on: + push: + tags: + - "**" + branches: + - "*main*" + - "*master*" + - "*STABLE*" + pull_request: + types: [opened, synchronize, reopened] + branches: + - "**" + workflow_dispatch: + inputs: + ref: + description: "Branch to scan" + required: true + default: "main" + +jobs: + SonarQube-Scan: + name: SonarQube Scan Job + if: ${{ github.actor != 'dependabot[bot]' }} + permissions: + id-token: write + contents: read + runs-on: ubuntu-22.04 + steps: + - name: Checkout source repository for dispatch runs + id: checkout-source-dispatch + if: github.event_name == 'workflow_dispatch' + uses: actions/checkout@v4 + with: + repository: ${{ github.repository }} + ref: ${{ inputs.ref }} + path: source + token: ${{ secrets.GH_SLONIK }} + + - name: Checkout source repository for non-dispatch runs + id: checkout-source + if: github.event_name != 'workflow_dispatch' + uses: actions/checkout@v4 + with: + repository: ${{ github.repository }} + ref: ${{ github.ref }} + path: source + token: ${{ secrets.GH_SLONIK }} + + - name: Checkout foundation-security repository + id: checkout-foundation-security + uses: actions/checkout@v4 + with: + repository: EnterpriseDB/foundation-security + ref: v2 + path: foundation-security + token: ${{ secrets.GH_SLONIK }} + + - name: SonarQube Scan + id: call-sq-composite + uses: ./foundation-security/actions/sonarqube + with: + github-token: ${{ secrets.GH_SLONIK }} + github-ref: ${{ github.ref_name }} + sonarqube-url: ${{ vars.SQ_URL }} + sonarqube-token: ${{ secrets.SONARQUBE_TOKEN }} + project-name: ${{ github.event.repository.name }} + pull-request-key: ${{ github.event.number }} + pull-request-branch: ${{ github.head_ref }} + pull-request-base-branch: ${{ github.base_ref }} + foundation-security-sonarqube-token: ${{ secrets.FOUNDATION_SECURITY_SONARQUBE_TOKEN }} + cloudsmith-token: ${{ secrets.CLOUDSMITH_READ_ALL }}