Skip to content

ci(FS-7019): Update sonarqube-scan.yml #1

ci(FS-7019): Update sonarqube-scan.yml

ci(FS-7019): Update sonarqube-scan.yml #1

###
# Foundation-security SonarQube workflow
# version: 2.1
###
name: Foundation-Security/SonarQube Scan
on:
push:
tags:
- "**"
branches:
- "*main*"
- "*master*"
- "*STABLE*"
pull_request:
types: [opened, synchronize, reopened]
branches:
- "**"
workflow_dispatch:
inputs:
ref:
description: "Branch to scan"
required: true
default: "main"
jobs:
SonarQube-Scan:
name: SonarQube Scan Job
if: ${{ github.actor != 'dependabot[bot]' }}
permissions:
id-token: write
contents: read
runs-on: ubuntu-22.04
steps:
- name: Checkout source repository for dispatch runs
id: checkout-source-dispatch
if: github.event_name == 'workflow_dispatch'
uses: actions/checkout@v4
with:
repository: ${{ github.repository }}
ref: ${{ inputs.ref }}
path: source
token: ${{ secrets.GH_SLONIK }}
- name: Checkout source repository for non-dispatch runs
id: checkout-source
if: github.event_name != 'workflow_dispatch'
uses: actions/checkout@v4
with:
repository: ${{ github.repository }}
ref: ${{ github.ref }}
path: source
token: ${{ secrets.GH_SLONIK }}
- name: Checkout foundation-security repository
id: checkout-foundation-security
uses: actions/checkout@v4
with:
repository: EnterpriseDB/foundation-security
ref: v2
path: foundation-security
token: ${{ secrets.GH_SLONIK }}
- name: SonarQube Scan
id: call-sq-composite
uses: ./foundation-security/actions/sonarqube
with:
github-token: ${{ secrets.GH_SLONIK }}
github-ref: ${{ github.ref_name }}
sonarqube-url: ${{ vars.SQ_URL }}
sonarqube-token: ${{ secrets.SONARQUBE_TOKEN }}
project-name: ${{ github.event.repository.name }}
pull-request-key: ${{ github.event.number }}
pull-request-branch: ${{ github.head_ref }}
pull-request-base-branch: ${{ github.base_ref }}
foundation-security-sonarqube-token: ${{ secrets.FOUNDATION_SECURITY_SONARQUBE_TOKEN }}
cloudsmith-token: ${{ secrets.CLOUDSMITH_READ_ALL }}