36 changes: 36 additions & 0 deletions .github/workflows/sonarqube.yml
@@ -0,0 +1,36 @@
name: SonarQube
on:
push:
branches:
- main
pull_request:
types: [opened, synchronize, reopened]
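Review bot: there is no `permissions:` block anywhere between `on:` and the job definition, so the job runs with the repository's default GITHUB_TOKEN permissions, which can include write access it never needs; add `permissions: contents: read` at the workflow level, since the steps only check out, build and upload analysis results with a separate token. Two smaller points on the trigger: `types: [opened, synchronize, reopened]` is GitHub's default activity set for `pull_request`, so the line is harmless but redundant, and on `pull_request` runs from forks GitHub withholds repository secrets, so `secrets.SONAR_TOKEN` will be empty for exactly the runs most likely to contain untrusted changes; the workflow should treat that as the expected case rather than a misconfiguration.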
Comment on lines +5 to +11
Missing SPDX headers. Other workflows in this repo include SPDX copyright and license headers (e.g., codeql.yml, reuse.yml). Add:

Suggested change
name: SonarQube
on:
push:
branches:
- main
pull_request:
types: [opened, synchronize, reopened]
# SPDX-FileCopyrightText: 2026 Bernard Ladenthin <bernard.ladenthin@gmail.com>
# SPDX-FileCopyrightText: 2023-2025 Konstantin Herud
#
# SPDX-License-Identifier: MIT
name: SonarQube
on:
push:
branches:
- main
pull_request:
types: [opened, synchronize, reopened]

jobs:
build:
name: Build and analyze
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
- name: Set up JDK 21
uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0
with:
java-version: 21
distribution: 'zulu'
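Review bot: keep the full commit-SHA pins on `actions/checkout` and `actions/setup-java` rather than loosening them to `@v4` tags; a tag can be re-pointed at different code after the fact, a commit SHA cannot, and the trailing `# v4.3.1` / `# v4.8.0` comments already record the human-readable version for update tooling. If consistency across the repository is the concern, the better direction is to bring `codeql.yml`, `reuse.yml` and `publish.yml` up to the same SHA pinning, not to bring this file down. `fetch-depth: 0` is justified by the inline comment, but note it clones the full history, so checkout time grows with the repository.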
Comment on lines +17 to +24
Inconsistent action version pinning: This workflow uses full commit SHAs for some actions while other workflows in the repo use semantic versioning (@v6, @v5, etc.). For consistency and maintainability, consider using the same pattern as established workflows in this repo. Either:

  1. Update to use @v4 semver tags (simpler, follows other workflows), or
  2. Document why this workflow requires stricter pinning via commit SHA

Examples from other workflows:

  • codeql.yml: uses @v4, @v6, @v5
  • reuse.yml: uses @v6
  • publish.yml: uses @v7, @v8, etc.

- name: Cache SonarQube packages
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
with:
path: ~/.sonar/cache
key: ${{ runner.os }}-sonar
restore-keys: ${{ runner.os }}-sonar
- name: Cache Maven packages
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
with:
path: ~/.m2
key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
restore-keys: ${{ runner.os }}-m2
- name: Build and analyze
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
run: mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=bernardladenthin_java-llama.cpp
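Review bot: the `Cache SonarQube packages` step uses the constant key `${{ runner.os }}-sonar`, and actions/cache never overwrites an entry whose key already exists, so once that cache is saved it will not pick up newer scanner downloads until it is evicted; give the key a version-bearing component, as the Maven cache step below already does with `hashFiles('**/pom.xml')`. The `restore-keys` value equal to the primary key is also redundant, since a prefix match against the same string adds nothing. On the last step, passing `SONAR_TOKEN` through `env:` rather than as a `-D` argument on the `mvn` line is the right choice, because it keeps the token out of the process listing and the echoed command; preserve that if the step is reworked to add a presence check.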
Comment on lines +37 to +40
Missing error handling: The workflow runs mvn verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar but doesn't check if SONAR_TOKEN is actually set. If the secret is not configured, the Maven command will fail silently or with unclear errors. Consider adding a check or documenting this dependency:

Suggested change
- name: Build and analyze
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
run: mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=bernardladenthin_java-llama.cpp
- name: Build and analyze
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
run: |
if [ -z "$SONAR_TOKEN" ]; then
echo "Warning: SONAR_TOKEN not set, skipping SonarQube analysis"
mvn -B verify
else
mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=bernardladenthin_java-llama.cpp
fi

Alternatively, document in the PR body or README that this workflow requires the SONAR_TOKEN secret to be configured for the repository.
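As an added example, not code from this PR or from the project, the token check suggested in the comment above written as a small POSIX shell function that a workflow step could source, so the branching can be exercised outside CI. It treats an empty `SONAR_TOKEN` as the normal outcome for a `pull_request` run from a fork, where GitHub does not expose repository secrets, and it refuses a project key containing characters outside the set SonarQube accepts before the key is spliced into the Maven command line. The function name `sonar_goals`, its two-argument interface and the assumed key character set are choices of this example, not of the workflow.

```shell
#!/bin/sh
# Added example, not part of the PR: decide which Maven goals to run depending
# on whether a SonarQube token is available. Mirrors the check proposed in the
# review comment, with an extra guard on the project key.
#
# sonar_goals TOKEN PROJECT_KEY
#   Prints the goal list for `mvn -B` on stdout and always returns 0, so it is
#   safe to call under `set -e`. An empty TOKEN (the expected case for pull
#   requests from forks, where GitHub withholds repository secrets) yields a
#   plain "verify" so the build still runs without analysis.
sonar_goals() {
  token="$1"
  project_key="$2"

  if [ -z "$token" ]; then
    echo "SONAR_TOKEN not set, skipping SonarQube analysis" >&2
    echo "verify"
    return 0
  fi

  # Assumed allowed character set for a SonarQube project key: letters, digits,
  # '-', '_', '.' and ':'. Anything else (spaces, ';', '$', quotes) is rejected
  # rather than being handed to mvn on the command line.
  case "$project_key" in
    ''|*[!A-Za-z0-9._:-]*)
      echo "invalid sonar.projectKey, running verify only" >&2
      echo "verify"
      return 0 ;;
  esac

  echo "verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=$project_key"
}

# How a workflow step would use it (values constructed for illustration):
#   goals=$(sonar_goals "$SONAR_TOKEN" "bernardladenthin_java-llama.cpp")
#   mvn -B $goals
```

Because the function always exits 0 and reports the skip on stderr, a step that runs it under `set -e` will not fail merely because the secret is absent; a missing token becomes a visible log line rather than an opaque Maven error.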

1 change: 1 addition & 0 deletions pom.xml
@@ -49,6 +49,7 @@ SPDX-License-Identifier: MIT
</distributionManagement>

<properties>
<sonar.organization>bernardladenthin</sonar.organization>
<jna.version>5.19.0</jna.version>
<jspecify.version>1.0.0</jspecify.version>
<lombok.version>1.18.46</lombok.version>
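Review bot: `sonar.organization` is set here, but no `sonar.host.url` appears in this hunk or in the workflow's `mvn` invocation, which only passes `sonar.projectKey`; unless the sonar-maven-plugin version in use defaults to the SonarCloud endpoint, the scanner will target its built-in default server, so confirm the target or add the property next to this one. It is also worth keeping the organization and the project key in the same place, either both as POM properties or both on the command line, so a reader of either file sees the full analysis target.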