Skip to content

Commit 5d272c8

Browse files
committed
ci: run SonarCloud on fork pull requests
Outside-contributor PRs cannot run SonarCloud directly because fork PRs have no access to SONAR_TOKEN. Add a workflow_run-triggered SonarCloud (fork PRs) workflow that calls the new reusable workflow in actions-common, and have the build workflow upload the PR number/base so the fork scan decorates the correct pull request.
1 parent cc24382 commit 5d272c8

2 files changed

Lines changed: 63 additions & 0 deletions

File tree

.github/workflows/ci-build.yml

Lines changed: 24 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -19,3 +19,27 @@ jobs:
1919
minverMinimumMajorMinor: '10.2'
2020
secrets:
2121
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
22+
23+
# Fork PRs cannot run SonarCloud directly (no access to SONAR_TOKEN). Record
24+
# the PR number + base branch so the trusted, workflow_run-triggered
25+
# SonarCloud (fork PRs) workflow can decorate the correct pull request.
26+
save-pr-metadata:
27+
if: github.event_name == 'pull_request'
28+
runs-on: ubuntu-latest
29+
permissions:
30+
contents: read
31+
steps:
32+
- name: Write PR metadata
33+
env:
34+
PR_NUMBER: ${{ github.event.pull_request.number }}
35+
PR_BASE: ${{ github.event.pull_request.base.ref }}
36+
run: |
37+
mkdir -p pr-meta
38+
printf '%s' "$PR_NUMBER" > pr-meta/number
39+
printf '%s' "$PR_BASE" > pr-meta/base
40+
- name: Upload PR metadata
41+
uses: actions/upload-artifact@v7
42+
with:
43+
name: pr-number
44+
path: pr-meta/
45+
retention-days: 1
Lines changed: 39 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,39 @@
1+
name: SonarCloud (fork PRs)
2+
3+
# Runs SonarCloud analysis for pull requests opened from forks, which cannot run
4+
# the standard SonarCloud workflow because fork PRs have no access to
5+
# SONAR_TOKEN. Triggered by `workflow_run` once the untrusted "Build" workflow
6+
# finishes, so this runs in the base repo's trusted context (token available).
7+
# See the SECURITY note in workflow-common-sonarcloud-fork.yml.
8+
9+
on:
10+
workflow_run:
11+
workflows: [ "Build" ]
12+
types: [ completed ]
13+
14+
permissions:
15+
contents: read
16+
actions: read
17+
18+
jobs:
19+
sonarcloud-fork:
20+
# Only for fork PR builds that succeeded. Same-repo PRs are already
21+
# analysed by sonarcloud.yml, so they are excluded here.
22+
if: >-
23+
github.event.workflow_run.event == 'pull_request' &&
24+
github.event.workflow_run.conclusion == 'success' &&
25+
github.event.workflow_run.head_repository.full_name != github.repository
26+
uses: reactiveui/actions-common/.github/workflows/workflow-common-sonarcloud-fork.yml@main
27+
with:
28+
srcFolder: src
29+
solutionFile: Refit.slnx
30+
minverMinimumMajorMinor: '10.2'
31+
sonarProjectKey: reactiveui_refit
32+
sonarOrganization: reactiveui
33+
sonarExclusions: '**/tests/**,**/benchmarks/**,**/examples/**,**/TestResults/**'
34+
sonarCoverageExclusions: '**/tests/**,**/benchmarks/**,**/examples/**,**/*Tests/**,**/*Tests.cs,**/Generated/**,**/*.g.cs'
35+
sonarCpdExclusions: '**/tests/**,**/benchmarks/**,**/examples/**'
36+
sonarTestExclusions: '**/tests/**,**/benchmarks/**,**/examples/**'
37+
testTimeout: '15m'
38+
secrets:
39+
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

0 commit comments

Comments
 (0)