From 6f339d8ba4165650dafff335a33beedb2023bff1 Mon Sep 17 00:00:00 2001 From: deacon-mp <61169193+deacon-mp@users.noreply.github.com> Date: Mon, 6 Oct 2025 17:36:47 -0400 Subject: [PATCH 1/4] Enhance quality.yml for SonarQube integration Updated GitHub Actions workflow to enable SonarQube scans for forked pull requests and adjusted job conditions. --- .github/workflows/quality.yml | 87 +++++++++++++++++++++++++++++++---- 1 file changed, 79 insertions(+), 8 deletions(-) diff --git a/.github/workflows/quality.yml b/.github/workflows/quality.yml index 6d4860fa2..3a09f68bb 100644 --- a/.github/workflows/quality.yml +++ b/.github/workflows/quality.yml @@ -2,18 +2,25 @@ name: Code Quality on: push: - branches: - - master + branches: [ master ] pull_request: types: [opened, synchronize, reopened, ready_for_review] + pull_request_target: + types: [opened, synchronize, reopened, ready_for_review] # enables Sonar on fork PRs workflow_dispatch: permissions: contents: read jobs: + # ------------------------- + # Build & tests (no secrets) + # Runs on pushes and pull_request (both same-repo and forks). + # ------------------------- build: runs-on: ubuntu-latest + # Don't run this job for pull_request_target (we have a dedicated Sonar job there). + if: ${{ github.event_name != 'pull_request_target' }} permissions: contents: read pull-requests: read @@ -21,8 +28,6 @@ jobs: fail-fast: false matrix: include: - # - python-version: 3.9 - # toxenv: py39,style,coverage-ci - python-version: 3.10.9 toxenv: py310,style,coverage-ci - python-version: 3.11 @@ -34,29 +39,95 @@ jobs: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: submodules: recursive - fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis + fetch-depth: 0 + - name: Setup python uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c with: python-version: ${{ matrix.python-version }} + - name: Setup Node.js uses: actions/setup-node@v3 with: node-version: '20' + - name: Install dependencies run: | pip install --upgrade virtualenv pip install tox npm --prefix plugins/magma install npm --prefix plugins/magma run build + - name: Run tests env: TOXENV: ${{ matrix.toxenv }} run: tox + - name: Override Coverage Source Path for Sonar - run: sed -i "s/\/home\/runner\/work\/caldera\/caldera/\/github\/workspace/g" /home/runner/work/caldera/caldera/coverage.xml - - name: SonarQube Scan + run: sed -i "s#/home/runner/work/caldera/caldera#/github/workspace#g" /home/runner/work/caldera/caldera/coverage.xml + + # Sonar for same-repo pushes/PRs only (secrets available). + - name: SonarQube Scan (same-repo) + if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false }} + uses: SonarSource/sonarqube-scan-action@v6.0.0 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + # If your sonar-project.properties is not at repo root, add: + # with: + # args: -Dsonar.projectBaseDir=caldera + + # ------------------------- + # Sonar for fork PRs (secrets allowed via pull_request_target). + # Checks out fork HEAD into ./pr and scans that path; does NOT run fork code with secrets. + # ------------------------- + sonar_fork_pr: + runs-on: ubuntu-latest + needs: [] # independent from build + if: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.fork }} + permissions: + contents: read + pull-requests: write # needed only if you want PR decorations; otherwise remove + steps: + # Base repo checkout (for workflow context) + - name: Checkout base repo @ base SHA + uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.base.sha }} + fetch-depth: 0 + + # Checkout the PR head from the fork into ./pr + - name: Checkout PR HEAD (read-only to analyze) + uses: actions/checkout@v4 + with: + repository: ${{ github.event.pull_request.head.repo.full_name }} + ref: ${{ github.event.pull_request.head.sha }} + path: pr + fetch-depth: 0 + submodules: recursive + + # Optional: quick debug + - name: Debug + run: | + echo "PR #${{ github.event.pull_request.number }}" + echo "Head: ${{ github.event.pull_request.head.ref }} @ ${{ github.event.pull_request.head.sha }}" + echo "Base: ${{ github.event.pull_request.base.ref }} @ ${{ github.event.pull_request.base.sha }}" + ls -la pr || true + git -C pr rev-parse --short HEAD + + - name: SonarQube Scan (fork PR) uses: SonarSource/sonarqube-scan-action@v6.0.0 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # If using self-hosted SonarQube, also set: + # SONAR_HOST_URL: https://sonar.example.com + with: + args: > + -Dsonar.projectBaseDir=pr + -Dsonar.pullrequest.key=${{ github.event.pull_request.number }} + -Dsonar.pullrequest.branch=${{ github.event.pull_request.head.ref }} + -Dsonar.pullrequest.base=${{ github.event.pull_request.base.ref }} + # If your project key/organization aren't in pr/sonar-project.properties, add: + # -Dsonar.projectKey= + # -Dsonar.organization= # SonarCloud only From fd1de55cf6fc3a824440872b3c55412eb06446f0 Mon Sep 17 00:00:00 2001 From: deacon-mp <61169193+deacon-mp@users.noreply.github.com> Date: Mon, 6 Oct 2025 17:41:07 -0400 Subject: [PATCH 2/4] Refactor GitHub Actions workflow for code quality --- .github/workflows/quality.yml | 51 +++++++++++++---------------------- 1 file changed, 19 insertions(+), 32 deletions(-) diff --git a/.github/workflows/quality.yml b/.github/workflows/quality.yml index 3a09f68bb..c01edebcc 100644 --- a/.github/workflows/quality.yml +++ b/.github/workflows/quality.yml @@ -2,25 +2,20 @@ name: Code Quality on: push: - branches: [ master ] + branches: + - master pull_request: types: [opened, synchronize, reopened, ready_for_review] pull_request_target: - types: [opened, synchronize, reopened, ready_for_review] # enables Sonar on fork PRs + types: [opened, synchronize, reopened, ready_for_review] # added for fork PRs workflow_dispatch: permissions: contents: read jobs: - # ------------------------- - # Build & tests (no secrets) - # Runs on pushes and pull_request (both same-repo and forks). - # ------------------------- build: runs-on: ubuntu-latest - # Don't run this job for pull_request_target (we have a dedicated Sonar job there). - if: ${{ github.event_name != 'pull_request_target' }} permissions: contents: read pull-requests: read @@ -39,7 +34,7 @@ jobs: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: submodules: recursive - fetch-depth: 0 + fetch-depth: 0 # shallow clones should be disabled for analysis - name: Setup python uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c @@ -66,38 +61,31 @@ jobs: - name: Override Coverage Source Path for Sonar run: sed -i "s#/home/runner/work/caldera/caldera#/github/workspace#g" /home/runner/work/caldera/caldera/coverage.xml - # Sonar for same-repo pushes/PRs only (secrets available). - - name: SonarQube Scan (same-repo) + # --- Sonar scan for pushes and same-repo PRs only --- + - name: SonarQube Scan if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false }} uses: SonarSource/sonarqube-scan-action@v6.0.0 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # needed for PR info SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - # If your sonar-project.properties is not at repo root, add: - # with: - # args: -Dsonar.projectBaseDir=caldera - # ------------------------- - # Sonar for fork PRs (secrets allowed via pull_request_target). - # Checks out fork HEAD into ./pr and scans that path; does NOT run fork code with secrets. - # ------------------------- + # --- Sonar scan for forked PRs (runs safely with pull_request_target) --- sonar_fork_pr: runs-on: ubuntu-latest - needs: [] # independent from build if: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.fork }} permissions: contents: read - pull-requests: write # needed only if you want PR decorations; otherwise remove + pull-requests: write # needed only for PR comments/decorations steps: - # Base repo checkout (for workflow context) - - name: Checkout base repo @ base SHA + # Checkout the base repo at the base SHA for context (not fork code) + - name: Checkout base repo uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.base.sha }} fetch-depth: 0 - # Checkout the PR head from the fork into ./pr - - name: Checkout PR HEAD (read-only to analyze) + # Checkout the fork’s PR head as data into ./pr + - name: Checkout PR HEAD (fork) uses: actions/checkout@v4 with: repository: ${{ github.event.pull_request.head.repo.full_name }} @@ -106,28 +94,27 @@ jobs: fetch-depth: 0 submodules: recursive - # Optional: quick debug - - name: Debug + # Optional debug info + - name: Debug checkout run: | echo "PR #${{ github.event.pull_request.number }}" echo "Head: ${{ github.event.pull_request.head.ref }} @ ${{ github.event.pull_request.head.sha }}" echo "Base: ${{ github.event.pull_request.base.ref }} @ ${{ github.event.pull_request.base.sha }}" ls -la pr || true - git -C pr rev-parse --short HEAD + # Run Sonar scan against fork code - name: SonarQube Scan (fork PR) uses: SonarSource/sonarqube-scan-action@v6.0.0 env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # If using self-hosted SonarQube, also set: - # SONAR_HOST_URL: https://sonar.example.com + with: args: > -Dsonar.projectBaseDir=pr -Dsonar.pullrequest.key=${{ github.event.pull_request.number }} -Dsonar.pullrequest.branch=${{ github.event.pull_request.head.ref }} -Dsonar.pullrequest.base=${{ github.event.pull_request.base.ref }} - # If your project key/organization aren't in pr/sonar-project.properties, add: + # Add project/organization explicitly if not in properties file # -Dsonar.projectKey= - # -Dsonar.organization= # SonarCloud only + # -Dsonar.organization= From e69784c43abcbc6bb5771c4080753a78a13b771c Mon Sep 17 00:00:00 2001 From: deacon-mp <61169193+deacon-mp@users.noreply.github.com> Date: Mon, 6 Oct 2025 17:45:45 -0400 Subject: [PATCH 3/4] Refactor SonarQube scan action arguments Updated SonarQube scan action configuration for better project structure. --- .github/workflows/quality.yml | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/.github/workflows/quality.yml b/.github/workflows/quality.yml index c01edebcc..d10f0131b 100644 --- a/.github/workflows/quality.yml +++ b/.github/workflows/quality.yml @@ -68,6 +68,10 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # needed for PR info SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + # Uncomment if your sonar-project.properties is in a subfolder: + # with: + # args: | + # -Dsonar.projectBaseDir=caldera # --- Sonar scan for forked PRs (runs safely with pull_request_target) --- sonar_fork_pr: @@ -108,13 +112,13 @@ jobs: env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - + # SONAR_HOST_URL: https://sonarcloud.io # uncomment for self-hosted or explicit with: - args: > - -Dsonar.projectBaseDir=pr + args: | + -Dsonar.projectBaseDir=pr/caldera -Dsonar.pullrequest.key=${{ github.event.pull_request.number }} -Dsonar.pullrequest.branch=${{ github.event.pull_request.head.ref }} -Dsonar.pullrequest.base=${{ github.event.pull_request.base.ref }} - # Add project/organization explicitly if not in properties file + # Uncomment and set if not defined in sonar-project.properties: # -Dsonar.projectKey= # -Dsonar.organization= From e99b42371586ace64db3dd9ef29ab0d52a2eda53 Mon Sep 17 00:00:00 2001 From: deacon-mp <61169193+deacon-mp@users.noreply.github.com> Date: Mon, 6 Oct 2025 17:48:43 -0400 Subject: [PATCH 4/4] Update quality.yml --- .github/workflows/quality.yml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/.github/workflows/quality.yml b/.github/workflows/quality.yml index d10f0131b..fc50d3417 100644 --- a/.github/workflows/quality.yml +++ b/.github/workflows/quality.yml @@ -112,13 +112,9 @@ jobs: env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # SONAR_HOST_URL: https://sonarcloud.io # uncomment for self-hosted or explicit with: + projectBaseDir: pr/caldera # <— override the action’s default "." args: | - -Dsonar.projectBaseDir=pr/caldera -Dsonar.pullrequest.key=${{ github.event.pull_request.number }} -Dsonar.pullrequest.branch=${{ github.event.pull_request.head.ref }} -Dsonar.pullrequest.base=${{ github.event.pull_request.base.ref }} - # Uncomment and set if not defined in sonar-project.properties: - # -Dsonar.projectKey= - # -Dsonar.organization=