fix: split CI to run Sonar analysis via workflow_run #324
Conversation
No actionable comments were generated in the recent review.
📝 Walkthrough
Extracts SonarQube analysis and coverage PR-commenting out of the build workflow into a new
Changes
Sequence Diagram

```mermaid
sequenceDiagram
    participant Build as "Build & Test\nWorkflow"
    participant Artifacts as "Artifact\nStorage"
    participant Trigger as "Workflow\nRun Trigger"
    participant Analysis as "Analysis\nWorkflow"
    participant Sonar as "SonarQube"
    participant GHAPI as "GitHub\nPR API"
    Build->>Artifacts: upload coverage-report & junit-test-results
    Build->>Trigger: workflow_run (completed)
    Trigger->>Analysis: start on workflow_run
    rect rgba(100,150,200,0.5)
    Note over Analysis,Sonar: SonarQube Analysis Job
    Analysis->>Artifacts: download artifacts
    Analysis->>Sonar: run ./gradlew sonar (with PR props if resolved)
    Sonar-->>Analysis: analysis results
    end
    rect rgba(150,200,100,0.5)
    Note over Analysis,GHAPI: Coverage PR Comment Job
    Analysis->>Artifacts: download coverage-report
    Analysis->>Analysis: parse Kover XML -> compute LINE/BRANCH/INSTRUCTION
    Analysis->>GHAPI: PATCH existing comment or POST new comment with table
    GHAPI-->>Analysis: comment updated/created
    end
```
Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~20 minutes
🚥 Pre-merge checks: ✅ 3 passed
Actionable comments posted: 1
🧹 Nitpick comments (1)
.github/workflows/analysis.yml (1)
111-125: PR resolution logic is duplicated across jobs. The PR number resolution logic (lines 111-125) is nearly identical to the one in the `sonar` job (lines 64-78). While acceptable for now, consider extracting this into a reusable composite action or a shared script if maintenance becomes burdensome.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/analysis.yml around lines 111 - 125, The "Resolve PR number" step duplicates PR resolution logic used in the sonar job; extract that shell block into a reusable unit (either a composite GitHub Action or a shared script) and replace both occurrences with a single call. Locate the step named "Resolve PR number" and the similar block in the sonar job, move the logic into a composite action (or a script checked into the repo) that accepts GH_TOKEN and returns number via outputs, then update both jobs to call that action (or execute the script) and consume its output.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/analysis.yml:
- Line 77: The hardcoded fallback to 'main' when github.event.workflow_run.pull_requests[0].base.ref is empty can pick the wrong base branch; change the step that sets "base=..." to detect an empty base ref and query the GitHub API (via gh pr view) for the real baseRefName using the PR number, then write that value to GITHUB_OUTPUT (e.g., obtain PR_NUMBER from github.event.workflow_run.pull_requests[0].number or the workflow context, call gh pr view "$PR_NUMBER" --json baseRefName and use its baseRefName if present, otherwise fallback to main). Ensure the step references the same output variable name (base) and that gh is available/authenticated in the job.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: be5b70fa-d153-424a-815a-45e46677c286
📒 Files selected for processing (2)
.github/workflows/analysis.yml
.github/workflows/build-and-test.yml
Fork PRs cannot access repository secrets, causing the SonarQube analysis step to fail. Split the build workflow so that secret-dependent steps (Sonar, coverage PR comment) run in a separate workflow_run-triggered workflow that executes in the base repo context.
62c6809 to cbfc316
Unit Tests: 61 files ±0, 61 suites ±0, 2m 56s ⏱️ -4s
Results for commit cbfc316. ± Comparison against base commit 452b33d.
This pull request removes 39 and adds 39 tests. Note that renamed tests count towards both.
Summary
- `build-and-test.yml` so it no longer depends on `SONAR_TOKEN` — fork PRs can now build and test without failing
- `analysis.yml` triggered by `workflow_run` which runs in the base repo context with access to secrets
- `workflow_run.pull_requests` is empty

Context
PR #323 (from a fork) fails because the `:sonar` Gradle task cannot access the `SONAR_TOKEN` secret. This is a known GitHub Actions limitation — fork PRs don't receive repository secrets.

Changes
`build-and-test.yml`:
- `sonar` from `./gradlew check sonar` → `./gradlew check`
- `SONAR_TOKEN` env var
- `mi-kas/kover-report` PR comment step
- `pull-requests: write` permission

`analysis.yml` (new):
- `workflow_run` trigger on "Build and Test" completion
- `sonar` job: checks out PR head SHA, downloads coverage/test artifacts, runs Sonar with PR-specific parameters
- `coverage-comment` job: parses Kover XML report and posts/updates a coverage comment on the PR

Test plan
- `Build and Test` workflow passes without Sonar (this PR)
- `Code Analysis` workflow triggers after build completes

Summary by CodeRabbit
- Chores
- New Features
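Both the review comment on line 77 of `analysis.yml` (the hardcoded `main` fallback when `workflow_run.pull_requests[0].base.ref` is empty) and the `sonar` job described above (resolve the PR, then run Sonar with PR-specific parameters) turn on the same piece of logic: working out which PR and which base branch a `workflow_run` event belongs to when the payload's `pull_requests` array is empty, which is common for fork PRs. The following is an added example written for this page, not the project's workflow code. It assumes the `workflow_run` event payload shape (`workflow_run.head_sha`, `workflow_run.head_branch`, `workflow_run.pull_requests`, top-level `repository.full_name`) and injects the two GitHub lookups as callables so the logic runs offline: `list_prs_for_sha` stands in for `gh api "repos/$REPO/commits/$SHA/pulls"` and `get_base_ref` for `gh pr view "$N" --json baseRefName -q .baseRefName`, both of which need `GH_TOKEN` in the job. It goes one step beyond the review suggestion by only accepting a looked-up PR whose `head.sha` equals the run's `head_sha`, so a stale or unrelated PR cannot become the target of the Sonar decoration or the coverage comment, and by returning the Sonar properties as an argv list rather than a shell string, so an untrusted fork branch name is never interpolated into a command line.

```python
"""Resolve PR number and base branch for a workflow_run-triggered job and
build the PR-specific Sonar arguments.

Added example, not the project's analysis.yml. The GitHub lookups are
injected callables; see the lead-in for the gh commands they replace.
"""

DEFAULT_BASE = "main"  # last-resort fallback only, as the review comment allows

# Constructed workflow_run payload for a fork PR (not from the project):
# pull_requests is empty, which is the case the fallback has to handle.
SAMPLE_FORK_EVENT = {
    "repository": {"full_name": "acme/app"},
    "workflow_run": {
        "head_sha": "deadbeef0000000000000000000000000000abcd",
        "head_branch": "feature/split-ci",
        "pull_requests": [],
    },
}


def resolve_pr(event, list_prs_for_sha, get_base_ref, default_base=DEFAULT_BASE):
    """Return (pr_number, base_ref) for the run described by `event`.

    list_prs_for_sha(repo, sha) -> list of PR dicts from
        GET /repos/{repo}/commits/{sha}/pulls (keys: number, state, head.sha, base.ref)
    get_base_ref(number)       -> base branch name or None
    Raises LookupError when no open PR matches the run's head SHA.
    """
    run = event["workflow_run"]
    head_sha = run["head_sha"]
    base_repo = event["repository"]["full_name"]
    prs = run.get("pull_requests") or []

    if prs:
        # Fast path: GitHub populated the array (same-repo PRs).
        number = prs[0]["number"]
        base = (prs[0].get("base") or {}).get("ref")
    else:
        # Fork PRs: look the PR up by head SHA in the base repo and keep only
        # candidates whose head really is the commit that triggered this run.
        candidates = [
            p for p in list_prs_for_sha(base_repo, head_sha)
            if p.get("state") == "open" and p["head"]["sha"] == head_sha
        ]
        if not candidates:
            raise LookupError(f"no open PR in {base_repo} with head {head_sha}")
        number = candidates[0]["number"]
        base = (candidates[0].get("base") or {}).get("ref")

    if not base:
        # Ask the API for the real base instead of assuming main (review finding).
        base = get_base_ref(number) or default_base
    return number, base


def sonar_pr_args(number, base, head_branch):
    """Sonar PR-analysis properties as separate argv entries for ./gradlew sonar."""
    return [
        f"-Dsonar.pullrequest.key={number}",
        f"-Dsonar.pullrequest.branch={head_branch}",
        f"-Dsonar.pullrequest.base={base}",
    ]


if __name__ == "__main__":
    # Offline demo with a fake lookup returning one matching open PR.
    fake_list = lambda repo, sha: [
        {"number": 323, "state": "open", "head": {"sha": sha}, "base": {"ref": "develop"}}
    ]
    n, b = resolve_pr(SAMPLE_FORK_EVENT, fake_list, lambda num: None)
    print(n, b, sonar_pr_args(n, b, SAMPLE_FORK_EVENT["workflow_run"]["head_branch"]))
```

Passing the result to `subprocess.run(["./gradlew", "sonar", *sonar_pr_args(...)])` keeps branch names out of shell parsing; in a YAML step the equivalent is writing `number` and `base` to `GITHUB_OUTPUT` and quoting them when they are consumed, which is what the review comment's "same output variable name" remark is about.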