-
Notifications
You must be signed in to change notification settings - Fork 0
ci: add sonarcloud workflow and configure sonar-project.properties #108
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from all commits
70a16ce
8316053
facf0b3
431432f
0737e2c
854a6fa
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,35 @@ | ||
| name: SonarCloud Analysis | ||
|
|
||
| on: | ||
| push: | ||
| branches: | ||
| - main | ||
| pull_request: | ||
| types: [opened, synchronize, reopened] | ||
|
|
||
| jobs: | ||
| sonarcloud: | ||
| name: SonarCloud | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis | ||
|
|
||
| - name: Setup Node.js | ||
| uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: '22' | ||
| cache: 'npm' | ||
|
Comment on lines
+15
to
+23
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🧩 Analysis chain🏁 Script executed: #!/bin/bash
set -euo pipefail
FILE=".github/workflows/sonarcloud.yml"
# Ensure file exists and print the relevant sections with line numbers
if [ ! -f "$FILE" ]; then
echo "Missing file: $FILE" >&2
exit 1
fi
echo "=== File: $FILE (lines 1-220) ==="
nl -ba "$FILE" | sed -n '1,220p'
echo
echo "=== Grep uses: statements ==="
rg -n "^\s*-\s*uses:|uses:" "$FILE" || true
echo
echo "=== Grep for persist-credentials / permissions ==="
rg -n "persist-credentials|permissions:" "$FILE" || true
echo
echo "=== Grep for SonarSource/sonarcloud-github-action ==="
rg -n "SonarSource/sonarcloud-github-action" "$FILE" || trueRepository: EmiyaKiritsugu3/PWeb_Project Length of output: 195 🏁 Script executed: #!/bin/bash
set -euo pipefail
FILE=".github/workflows/sonarcloud.yml"
if [ ! -f "$FILE" ]; then
echo "Missing file: $FILE" >&2
exit 1
fi
echo "=== File: $FILE (lines 1-220) ==="
cat -n "$FILE" | sed -n '1,220p'
echo
echo "=== Grep uses: statements ==="
rg -n "^\s*-\s*uses:" "$FILE" || true
echo
echo "=== Grep persist-credentials / permissions ==="
rg -n "persist-credentials|permissions:" "$FILE" || true
echo
echo "=== Grep SonarSource/sonarcloud-github-action ==="
rg -n "SonarSource/sonarcloud-github-action" "$FILE" || trueRepository: EmiyaKiritsugu3/PWeb_Project Length of output: 1412 🌐 Web query:
💡 Result: For actions/checkout@v4, the input persist-credentials has default value true.[1][2] This means that unless you explicitly set persist-credentials: false, the action configures (persists) the provided auth token/SSH key in the local git config during checkout.[3][1] Citations:
🌐 Web query:
💡 Result: The SonarSource Citations:
Pin
Suggested patch jobs:
sonarcloud:
name: SonarCloud
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@<checkout-commit-sha>
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
+ persist-credentials: false
- name: Setup Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@<setup-node-commit-sha>
with:
node-version: '22'
cache: 'npm'🧰 Tools🪛 zizmor (1.25.2)[warning] 15-17: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false (artipacked) [error] 15-15: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy) (unpinned-uses) [error] 20-20: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy) (unpinned-uses) 🤖 Prompt for AI Agents |
||
|
|
||
| - name: Install dependencies | ||
| run: npm ci --legacy-peer-deps | ||
|
|
||
| - name: Run tests with coverage | ||
| run: npm run test:coverage | ||
|
|
||
| - name: SonarCloud Scan | ||
| uses: SonarSource/sonarqube-scan-action@689fb39b34b9aa95ebc5f8f119343ddd51542402 | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any | ||
| SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | ||
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
| Original file line number | Diff line number | Diff line change | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|
|
|
@@ -10,3 +10,9 @@ sonar.organization=emiyakiritsugu3 | |||||||||
|
|
||||||||||
| # Encoding of the source code. Default is default system encoding | ||||||||||
| #sonar.sourceEncoding=UTF-8 | ||||||||||
|
|
||||||||||
| # Test coverage reporting | ||||||||||
| sonar.javascript.lcov.reportPaths=coverage/lcov.info | ||||||||||
| sonar.exclusions=src/**/*.test.ts,src/**/*.test.tsx,src/**/*.spec.ts,src/**/*.spec.tsx,src/test/**,coverage/**,node_modules/** | ||||||||||
| sonar.tests=src | ||||||||||
| sonar.test.inclusions=src/**/*.test.ts,src/**/*.test.tsx,src/**/*.spec.ts,src/**/*.spec.tsx | ||||||||||
|
Comment on lines
+17
to
+18
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. P2: Prompt for AI agents
Suggested change
|
||||||||||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
P2:
actions/checkout@v4defaultspersist-credentialstotrue, which persists the auth token in.git/configand exposes it to all subsequent steps. Addpersist-credentials: falseto thewith:block. Additionally, consider pinning bothactions/checkoutandactions/setup-nodeto full commit SHAs instead of mutablev4tags to mitigate supply-chain risk.Prompt for AI agents