Per #521, add hooks for a SonarQube GHA workflow.

dtcenter · Apr 4, 2024 · 74cd758 · 74cd758
1 parent 72e62d7
commit 74cd758
Show file tree

Hide file tree

Showing 4 changed files with 155 additions and 0 deletions.
diff --git a/.github/jobs/configure_sonarqube.sh b/.github/jobs/configure_sonarqube.sh
@@ -0,0 +1,65 @@
+#!/bin/bash
+
+# Constants
+SONAR_PROPERTIES_DIR=internal/scripts/sonarqube
+SONAR_PROPERTIES=sonar-project.properties
+
+# Check that this is being run from the top-level METdataio directory
+if [ ! -e $SONAR_PROPERTIES_DIR/$SONAR_PROPERTIES ]; then
+  echo "ERROR: ${0} -> must be run from the top-level METdataio directory"
+  exit 1
+fi
+
+# Check required environment variables
+if [ -z ${SOURCE_BRANCH+x} ]; then
+  echo "ERROR: ${0} -> \$SOURCE_BRANCH not defined!"
+  exit 1
+fi
+if [ -z ${WD_REFERENCE_BRANCH+x} ]; then
+  echo "ERROR: ${0} -> \$WD_REFERENCE_BRANCH not defined!"
+  exit 1
+fi
+if [ -z ${SONAR_HOST_URL+x} ]; then
+  echo "ERROR: ${0} -> \$SONAR_HOST_URL not defined!"
+  exit 1
+fi
+if [ -z ${SONAR_TOKEN+x} ]; then
+  echo "ERROR: ${0} -> \$SONAR_TOKEN not defined!"
+  exit 1
+fi
+
+# Define the version string
+SONAR_PROJECT_VERSION=$(cat docs/version | cut -d'=' -f2 | tr -d '" ')
+
+#
+# Define the $SONAR_REFERENCE_BRANCH as the
+#   - Target of any requests
+#   - Manual setting for workflow dispatch
+#   - Source branch for any pushes (e.g. develop)
+#
+if [ "$GITHUB_EVENT_NAME" == "pull_request" ]; then
+  export SONAR_REFERENCE_BRANCH=$GITHUB_BASE_REF
+elif [ "$GITHUB_EVENT_NAME" == "workflow_dispatch" ]; then
+  export SONAR_REFERENCE_BRANCH=$WD_REFERENCE_BRANCH
+else
+  export SONAR_REFERENCE_BRANCH=$SOURCE_BRANCH
+fi
+
+# Configure the sonar-project.properties
+[ -e $SONAR_PROPERTIES ] && rm $SONAR_PROPERTIES
+sed -e "s|SONAR_PROJECT_KEY|METdataio-GHA|" \
+    -e "s|SONAR_PROJECT_NAME|METdataio GHA|" \
+    -e "s|SONAR_PROJECT_VERSION|$SONAR_PROJECT_VERSION|" \
+    -e "s|SONAR_HOST_URL|$SONAR_HOST_URL|" \
+    -e "s|SONAR_TOKEN|$SONAR_TOKEN|" \
+    -e "s|SONAR_BRANCH_NAME|$SOURCE_BRANCH|" \
+    $SONAR_PROPERTIES_DIR/$SONAR_PROPERTIES > $SONAR_PROPERTIES
+
+# Define new code when the source and reference branches differ
+if [ "$SOURCE_BRANCH" != "$SONAR_REFERENCE_BRANCH" ]; then
+  echo "sonar.newCode.referenceBranch=${SONAR_REFERENCE_BRANCH}" >> $SONAR_PROPERTIES
+fi
+
+echo "Contents of the $SONAR_PROPERTIES file:"
+cat $SONAR_PROPERTIES
+
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
@@ -11,6 +11,9 @@
 - [ ] Will this PR result in changes to the test suite? **[Yes or No]**</br>
 If **yes**, describe the new output and/or changes to the existing output:</br>
 
+- [ ] Do these changes introduce new SonarQube findings? **[Yes or No]**</br>
+If **yes**, please describe:
+
 - [ ] Please complete this pull request review by **[Fill in date]**.</br>
 
 ## Pull Request Checklist ##

diff --git a/.github/workflows/sonarqube.yml b/.github/workflows/sonarqube.yml
@@ -0,0 +1,76 @@
+name: SonarQube Scan
+
+# Run SonarQube for Pull Requests and changes to the develop and main_vX.Y branches
+
+on:
+
+  # Trigger analysis for pushes to develop and main_vX.Y branches
+  push:
+    branches:
+      - develop
+      - 'main_v**'
+    paths-ignore:
+      - 'docs/**'
+      - '.github/pull_request_template.md'
+      - '.github/ISSUE_TEMPLATE/**'
+      - '**/README.md'
+      - '**/LICENSE.md'
+
+  # Trigger analysis for pull requests to develop and main_vX.Y branches
+  pull_request:
+    types: [opened, synchronize, reopened]
+    branches:
+      - develop
+      - 'main_v**'
+    paths-ignore:
+      - 'docs/**'
+      - '.github/pull_request_template.md'
+      - '.github/ISSUE_TEMPLATE/**'
+      - '**/README.md'
+      - '**/LICENSE.md'
+
+  workflow_dispatch:
+    inputs:
+      reference_branch:
+        description: 'Reference Branch'
+        default: develop
+        type: string
+
+jobs:
+  sonarqube:
+    name: SonarQube Scan
+    runs-on: ubuntu-latest
+
+    steps:
+
+    - uses: actions/checkout@v4
+      with:
+        # Disable shallow clones for better analysis
+        fetch-depth: 0
+
+    - name: Get branch name
+      id: get_branch_name
+      run: echo branch_name=${GITHUB_REF#refs/heads/} >> $GITHUB_OUTPUT
+
+    - name: Configure SonarQube
+      run: .github/jobs/configure_sonarqube.sh
+      env:
+        SOURCE_BRANCH: ${{ steps.get_branch_name.outputs.branch_name }}
+        WD_REFERENCE_BRANCH: ${{ github.event.inputs.reference_branch }}
+        SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
+        SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+
+    - name: SonarQube Scan
+      uses: sonarsource/sonarqube-scan-action@master
+      env:
+        SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
+        SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+
+    - name: SonarQube Quality Gate check
+      id: sonarqube-quality-gate-check
+      uses: sonarsource/sonarqube-quality-gate-action@master
+      # Force to fail step after specific time.
+      timeout-minutes: 5
+      env:
+       SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
+       SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
diff --git a/internal/scripts/sonarqube/sonar-project.properties b/internal/scripts/sonarqube/sonar-project.properties
@@ -0,0 +1,11 @@
+# Project and source code settings
+sonar.projectKey=SONAR_PROJECT_KEY
+sonar.projectName=SONAR_PROJECT_NAME
+sonar.projectVersion=SONAR_PROJECT_VERSION
+sonar.branch.name=SONAR_BRANCH_NAME
+sonar.sources=.
+sonar.sourceEncoding=UTF-8
+
+# SonarQube server
+sonar.host.url=SONAR_HOST_URL
+sonar.token=SONAR_TOKEN