@@ -14,96 +14,91 @@ jobs:
1414 runs-on : ubuntu-latest
1515 if : github.event.workflow_run.conclusion == 'success'
1616 timeout-minutes : 15
17+ permissions :
18+ contents : read
19+ actions : read
20+ pull-requests : read
1721 steps :
18- - name : echo event
19- run : cat $GITHUB_EVENT_PATH
20- - name : Download PR number artifact
21- if : github.event.workflow_run.event == 'pull_request'
22- uses : dawidd6/action-download-artifact@v3
23- with :
24- workflow : SonarCloud Build
25- run_id : ${{ github.event.workflow_run.id }}
26- name : PR_NUMBER
27- - name : Read PR_NUMBER.txt
28- if : github.event.workflow_run.event == 'pull_request'
29- id : pr_number
30- uses : juliangruber/read-file-action@v1
31- with :
32- path : ./PR_NUMBER.txt
33- - name : Request GitHub API for PR data
34- if : github.event.workflow_run.event == 'pull_request'
35- uses : octokit/request-action@v2.x
36- id : get_pr_data
37- with :
38- route : GET /repos/{full_name}/pulls/{number}
39- number : ${{ steps.pr_number.outputs.content }}
40- full_name : ${{ github.event.repository.full_name }}
41- env :
42- GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
43- - uses : actions/checkout@v4
44- with :
45- repository : ${{ github.event.workflow_run.head_repository.full_name }}
46- ref : ${{ github.event.workflow_run.head_branch }}
47- fetch-depth : 0
48- - name : Checkout base branch
49- if : github.event.workflow_run.event == 'pull_request'
50- run : |
51- git remote add upstream ${{ github.event.repository.clone_url }}
52- git fetch upstream
53- git checkout -B ${{ fromJson(steps.get_pr_data.outputs.data).base.ref }} upstream/${{ fromJson(steps.get_pr_data.outputs.data).base.ref }}
54- git checkout ${{ github.event.workflow_run.head_branch }}
55- git clean -ffdx && git reset --hard HEAD
56- - name : Cache SonarCloud packages
57- uses : actions/cache@v4
58- with :
59- path : ~/.sonar/cache
60- key : ${{ runner.os }}-sonar
61- restore-keys : ${{ runner.os }}-sonar
62- - name : Cache Maven packages
63- uses : actions/cache@v4
64- with :
65- path : ~/.m2
66- key : ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
67- restore-keys : ${{ runner.os }}-m2
22+ - name : echo event
23+ run : cat $GITHUB_EVENT_PATH
24+ - name : Download PR number artifact
25+ if : github.event.workflow_run.event == 'pull_request'
26+ uses : dawidd6/action-download-artifact@b6e2e70617bc3265edd6dab6c906732b2f1ae151 # v21
27+ with :
28+ workflow : SonarCloud Build
29+ run_id : ${{ github.event.workflow_run.id }}
30+ name : PR_NUMBER
31+ - name : Read PR_NUMBER.txt
32+ if : github.event.workflow_run.event == 'pull_request'
33+ id : pr_number
34+ uses : juliangruber/read-file-action@271ff311a4947af354c6abcd696a306553b9ec18 # v1
35+ with :
36+ path : ./PR_NUMBER.txt
37+ - name : Request GitHub API for PR data
38+ if : github.event.workflow_run.event == 'pull_request'
39+ uses : octokit/request-action@b91aabaa861c777dcdb14e2387e30eddf04619ae # v3.0.0
40+ id : get_pr_data
41+ with :
42+ route : GET /repos/{full_name}/pulls/{number}
43+ number : ${{ steps.pr_number.outputs.content }}
44+ full_name : ${{ github.event.repository.full_name }}
45+ env :
46+ GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
47+ - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
48+ with :
49+ fetch-depth : 0
50+ - name : Download build artifacts
51+ uses : dawidd6/action-download-artifact@b6e2e70617bc3265edd6dab6c906732b2f1ae151 # v21
52+ with :
53+ workflow : SonarCloud Build
54+ run_id : ${{ github.event.workflow_run.id }}
55+ name : build-artifacts
56+ - name : Cache SonarCloud packages
57+ uses : actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
58+ with :
59+ path : ~/.sonar/cache
60+ key : ${{ runner.os }}-sonar
61+ restore-keys : ${{ runner.os }}-sonar
6862
69- - name : Set up JDK 17
70- uses : actions/setup-java@v4
71- with :
72- distribution : ' zulu'
73- java-version : ' 17'
63+ - name : Set up JDK 17
64+ uses : actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
65+ with :
66+ distribution : ' zulu'
67+ java-version : ' 17'
68+ cache : ' maven'
7469
75- - name : Set Common Sonar Variables
76- id : sonar_env
77- run : |
78- echo "##[set-output name= sonar_opts;]$(echo -Dsonar.host.url=https://sonarcloud.io \
79- -Dsonar.projectKey=com-pas_compas-core \
80- -Dsonar.organization=com-pas )"
81- - name : Create custom Maven Settings.xml
82- uses : whelk-io/maven-settings-xml-action@v22
83- with :
84- output_file : custom_maven_settings.xml
85- servers : ' [{ "id": "github-packages-compas", "username": "OWNER", "password": "${{ secrets.GITHUB_TOKEN }}" }]'
86- - name : Build and analyze (Pull Request)
87- if : ${{ github.event.workflow_run.event == 'pull_request' || (github.event.workflow_run.actor == 'dependabot[bot]' && github.event.workflow_run.event == 'pull_request_target') }}
88- env :
89- GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
90- SONAR_TOKEN : ${{ secrets.SONAR_TOKEN }}
91- run : |
92- ./mvnw -B -s custom_maven_settings.xml -Psonar \
93- ${{ steps.sonar_env.outputs.sonar_opts }} \
94- -Dsonar.pullrequest.branch=${{ fromJson(steps.get_pr_data.outputs.data).head.ref }} \
95- -Dsonar.pullrequest.key=${{ fromJson(steps.get_pr_data.outputs.data).number }} \
96- -Dsonar.pullrequest.base=${{ fromJson(steps.get_pr_data.outputs.data).base.ref }} \
97- -Dsonar.scm.revision=${{ github.event.workflow_run.head_sha }} \
98- clean verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
99- - name : Build and analyze (Push)
100- if : ${{ github.event.workflow_run.event == 'push' }}
101- env :
102- GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
103- SONAR_TOKEN : ${{ secrets.SONAR_TOKEN }}
104- run : |
105- ./mvnw -B -s custom_maven_settings.xml -Psonar \
106- ${{ steps.sonar_env.outputs.sonar_opts }} \
107- -Dsonar.scm.revision=${{ github.event.workflow_run.head_sha }} \
108- -Dsonar.branch.name=${{ github.event.workflow_run.head_branch }} \
109- clean verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
70+ - name : Set Common Sonar Variables
71+ id : sonar_env
72+ run : |
73+ echo "sonar_opts= -Dsonar.host.url=https://sonarcloud.io \
74+ -Dsonar.projectKey=com-pas_compas-core \
75+ -Dsonar.organization=com-pas" >> $GITHUB_OUTPUT
76+ - name : Create custom Maven Settings.xml
77+ uses : whelk-io/maven-settings-xml-action@9dc09b23833fa9aa7f27b63db287951856f3433d # v22
78+ with :
79+ output_file : custom_maven_settings.xml
80+ servers : ' [{ "id": "github-packages-compas", "username": "OWNER", "password": "${{ secrets.GITHUB_TOKEN }}" }]'
81+ - name : Build and analyze (Pull Request)
82+ if : ${{ github.event.workflow_run.event == 'pull_request' }}
83+ env :
84+ GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
85+ SONAR_TOKEN : ${{ secrets.SONAR_TOKEN }}
86+ run : |
87+ mvn -B -s custom_maven_settings.xml -Psonar \
88+ ${{ steps.sonar_env.outputs.sonar_opts }} \
89+ -Dsonar.pullrequest.branch=${{ fromJson(steps.get_pr_data.outputs.data).head.ref }} \
90+ -Dsonar.pullrequest.key=${{ fromJson(steps.get_pr_data.outputs.data).number }} \
91+ -Dsonar.pullrequest.base=${{ fromJson(steps.get_pr_data.outputs.data).base.ref }} \
92+ -Dsonar.scm.revision=${{ github.event.workflow_run.head_sha }} \
93+ org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
94+ - name : Build and analyze (Push)
95+ if : ${{ github.event.workflow_run.event == 'push' }}
96+ env :
97+ GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
98+ SONAR_TOKEN : ${{ secrets.SONAR_TOKEN }}
99+ run : |
100+ mvn -B -s custom_maven_settings.xml -Psonar \
101+ ${{ steps.sonar_env.outputs.sonar_opts }} \
102+ -Dsonar.scm.revision=${{ github.event.workflow_run.head_sha }} \
103+ -Dsonar.branch.name=${{ github.event.workflow_run.head_branch }} \
104+ org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
0 commit comments