@@ -14,54 +14,54 @@ jobs:
1414 runs-on : ubuntu-latest
1515 if : github.event.workflow_run.conclusion == 'success'
1616 timeout-minutes : 15
17+ permissions :
18+ contents : read
19+ actions : read
20+ pull-requests : read
1721 steps :
1822 - name : echo event
1923 run : cat $GITHUB_EVENT_PATH
2024 - name : Download PR number artifact
21- if : github.event.workflow_run.event == 'pull_request' || (github.event.workflow_run.actor == 'dependabot[bot]' && github.event.workflow_run.event == 'pull_request_target')
22- uses : dawidd6/action-download-artifact@v14
25+ if : github.event.workflow_run.event == 'pull_request'
26+ uses : dawidd6/action-download-artifact@5c98f0b039f36ef966fdb7dfa9779262785ecb05 # v14
2327 with :
2428 workflow : SonarCloud Build
2529 run_id : ${{ github.event.workflow_run.id }}
2630 name : PR_NUMBER
2731 - name : Read PR_NUMBER.txt
28- if : github.event.workflow_run.event == 'pull_request' || (github.event.workflow_run.actor == 'dependabot[bot]' && github.event.workflow_run.event == 'pull_request_target')
32+ if : github.event.workflow_run.event == 'pull_request'
2933 id : pr_number
30- uses : juliangruber/read-file-action@v1
34+ uses : juliangruber/read-file-action@b549046febe0fe86f8cb4f93c24e284433f9ab58 # v1
3135 with :
3236 path : ./PR_NUMBER.txt
3337 - name : Request GitHub API for PR data
34- if : github.event.workflow_run.event == 'pull_request' || (github.event.workflow_run.actor == 'dependabot[bot]' && github.event.workflow_run.event == 'pull_request_target')
35- uses : octokit/request-action@v2.x
38+ if : github.event.workflow_run.event == 'pull_request'
39+ uses : octokit/request-action@dad4362715b7fb2ddedf9772c8670824af564f0d # v2.4.0
3640 id : get_pr_data
3741 with :
3842 route : GET /repos/{full_name}/pulls/{number}
3943 number : ${{ steps.pr_number.outputs.content }}
4044 full_name : ${{ github.event.repository.full_name }}
4145 env :
4246 GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
43- - uses : actions/checkout@v6
47+ - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
4448 with :
45- repository : ${{ github.event.workflow_run.head_repository.full_name }}
46- ref : ${{ github.event.workflow_run.head_branch }}
4749 fetch-depth : 0
48- - name : Checkout base branch
49- if : github.event.workflow_run.event == 'pull_request' || (github.event.workflow_run.actor == 'dependabot[bot]' && github.event.workflow_run.event == 'pull_request_target')
50- run : |
51- git remote add upstream ${{ github.event.repository.clone_url }}
52- git fetch upstream
53- git checkout -B ${{ fromJson(steps.get_pr_data.outputs.data).base.ref }} upstream/${{ fromJson(steps.get_pr_data.outputs.data).base.ref }}
54- git checkout ${{ github.event.workflow_run.head_branch }}
55- git clean -ffdx && git reset --hard HEAD
50+ - name : Download build artifacts
51+ uses : dawidd6/action-download-artifact@5c98f0b039f36ef966fdb7dfa9779262785ecb05 # v14
52+ with :
53+ workflow : SonarCloud Build
54+ run_id : ${{ github.event.workflow_run.id }}
55+ name : build-artifacts
5656 - name : Cache SonarCloud packages
57- uses : actions/cache@v5
57+ uses : actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5
5858 with :
5959 path : ~/.sonar/cache
6060 key : ${{ runner.os }}-sonar
6161 restore-keys : ${{ runner.os }}-sonar
6262
6363 - name : Set up JDK 17
64- uses : actions/setup-java@v5
64+ uses : actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
6565 with :
6666 distribution : ' zulu'
6767 java-version : ' 17'
@@ -70,35 +70,35 @@ jobs:
7070 - name : Set Common Sonar Variables
7171 id : sonar_env
7272 run : |
73- echo "##[set-output name= sonar_opts;]$(echo -Dsonar.host.url=https://sonarcloud.io \
73+ echo "sonar_opts= -Dsonar.host.url=https://sonarcloud.io \
7474 -Dsonar.projectKey=com-pas_compas-cim-mapping \
75- -Dsonar.organization=com-pas )"
75+ -Dsonar.organization=com-pas" >> $GITHUB_OUTPUT
7676 - name : Create custom Maven Settings.xml
77- uses : whelk-io/maven-settings-xml-action@v21
77+ uses : whelk-io/maven-settings-xml-action@7c60eb95b2d5ec18f2e0e29f34c9ed69475e7a96 # v21
7878 with :
7979 output_file : custom_maven_settings.xml
8080 servers : ' [{ "id": "github-packages-compas", "username": "OWNER", "password": "${{ secrets.GITHUB_TOKEN }}" }]'
8181 - name : Build and analyze (Pull Request)
82- if : ${{ github.event.workflow_run.event == 'pull_request' || (github.event.workflow_run.actor == 'dependabot[bot]' && github.event.workflow_run.event == 'pull_request_target') }}
82+ if : ${{ github.event.workflow_run.event == 'pull_request' }}
8383 env :
8484 GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
8585 SONAR_TOKEN : ${{ secrets.SONAR_TOKEN }}
8686 run : |
87- ./mvnw -B -s custom_maven_settings.xml -Psonar \
87+ mvn -B -s custom_maven_settings.xml -Psonar \
8888 ${{ steps.sonar_env.outputs.sonar_opts }} \
8989 -Dsonar.pullrequest.branch=${{ fromJson(steps.get_pr_data.outputs.data).head.ref }} \
9090 -Dsonar.pullrequest.key=${{ fromJson(steps.get_pr_data.outputs.data).number }} \
9191 -Dsonar.pullrequest.base=${{ fromJson(steps.get_pr_data.outputs.data).base.ref }} \
9292 -Dsonar.scm.revision=${{ github.event.workflow_run.head_sha }} \
93- clean verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
93+ org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
9494 - name : Build and analyze (Push)
9595 if : ${{ github.event.workflow_run.event == 'push' }}
9696 env :
9797 GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
9898 SONAR_TOKEN : ${{ secrets.SONAR_TOKEN }}
9999 run : |
100- ./mvnw -B -s custom_maven_settings.xml -Psonar \
100+ mvn -B -s custom_maven_settings.xml -Psonar \
101101 ${{ steps.sonar_env.outputs.sonar_opts }} \
102102 -Dsonar.scm.revision=${{ github.event.workflow_run.head_sha }} \
103103 -Dsonar.branch.name=${{ github.event.workflow_run.head_branch }} \
104- clean verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
104+ org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
0 commit comments