ci: enable sonar scanning and report results to sonacloud.io

[arjun-rajappa]

No description provided.

[github-advanced-security]

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

[pvital]

Could you update the image of the final_job to use python:3.13, please?

[pvital]

You can remove those three steps and only install coverage by changing line 96 to something like:

            python -m venv venv
            . venv/bin/activate
            pip install --upgrade pip coverage

[github-actions]

❌ @arjun-rajappa the signed-off-by was not found in the following 1 commits:

• 2c81ec1: Merge branch 'main' into sonar-scan

📝 What should I do to fix it?

All proposed commits should include a sign-off in their messages, ideally at the end.

❔ Why it is required

The Developer Certificate of Origin (DCO) is a lightweight way for contributors to certify that they wrote or otherwise have the right to submit the code they are contributing to the project. Here is the full text of the DCO, reformatted for readability:

By making a contribution to this project, I certify that:

a. The contribution was created in whole or in part by me and I have the right to submit it under the open source license indicated in the file; or

b. The contribution is based upon previous work that, to the best of my knowledge, is covered under an appropriate open source license and I have the right under that license to submit that work with modifications, whether created in whole or in part by me, under the same open source license (unless I am permitted to submit under a different license), as indicated in the file; or

c. The contribution was provided directly to me by some other person who certified (a), (b) or (c) and I have not modified it.

d. I understand and agree that this project and the contribution are public and that a record of the contribution (including all personal information I submit with it, including my sign-off) is maintained indefinitely and may be redistributed consistent with this project or the open source license(s) involved.

Contributors sign-off that they adhere to these requirements by adding a Signed-off-by line to commit messages.

This is my commit message

Signed-off-by: Random Developer <[email protected]>

Git even has a -s command line option to append this automatically to your commit message:

$ git commit -s -m 'This is my commit message'

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[pvital]

A few questions and requests....

[pvital]

You are still executing the pip install commands that are not necessary here:

Suggested change

	- image: public.ecr.aws/docker/library/python:3.13
	working_directory: ~/repo
	steps:
	- checkout
	- check-if-tests-needed
	- pip-install-deps
	- pip-install-tests-deps
	- store-pytest-results
	# - run_sonarqube
	- run_sonarqube
	- image: public.ecr.aws/docker/library/python:3.13
	working_directory: ~/repo
	steps:
	- checkout
	- check-if-tests-needed
	- run_sonarqube

[pvital]

Are the files used by the coverage command you removed necessary for the sonar-scanner execution?

If not, you can then continue to remove those two lines, but nothing else is necessary to install, then:

Suggested change

	python -m venv venv
	. venv/bin/activate
	coverage combine ./coverage_results
	coverage xml -i
	wget -O /tmp/sonar-scanner-cli.zip https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-4.8.1.3023.zip
	unzip -d /tmp /tmp/sonar-scanner-cli.zip
	if [[ -n "${CIRCLE_PR_NUMBER}" ]]; then
	/tmp/sonar-scanner-4.8.1.3023/bin/sonar-scanner \
	-Dsonar.host.url=${SONARQUBE_URL} \
	-Dsonar.login="${SONARQUBE_LOGIN}" \
	-Dsonar.pullrequest.key="${CIRCLE_PR_NUMBER}" \
	pip install --upgrade pip coverage

If they are necessary, you should keep those lines and change the order of them:

Suggested change

	python -m venv venv
	. venv/bin/activate
	coverage combine ./coverage_results
	coverage xml -i
	wget -O /tmp/sonar-scanner-cli.zip https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-4.8.1.3023.zip
	unzip -d /tmp /tmp/sonar-scanner-cli.zip
	if [[ -n "${CIRCLE_PR_NUMBER}" ]]; then
	/tmp/sonar-scanner-4.8.1.3023/bin/sonar-scanner \
	-Dsonar.host.url=${SONARQUBE_URL} \
	-Dsonar.login="${SONARQUBE_LOGIN}" \
	-Dsonar.pullrequest.key="${CIRCLE_PR_NUMBER}" \
	pip install --upgrade pip coverage
	python -m venv venv
	. venv/bin/activate
	pip install --upgrade pip coverage
	coverage combine ./coverage_results
	coverage xml -i

[pvital]

Don't these lines overwrite the configuration of the sonar-project.properties file?

In addition, I guess it should be the following to only check the library code, not everything in the repository:

Suggested change

	-Dsonar.organization=instana \
	-Dsonar.projectKey=instana_python-sensor \
	-Dsonar.sources=. \
	-Dsonar.organization=instana \
	-Dsonar.projectKey=instana_python-sensor \
	-Dsonar.sources=.src/instana/ \

[pvital]

Same as the previous comment.

[pvital]

As the documentation mentions, if the sonar.tests "property is not defined, no code will be analyzed as test code as there is no default value."

I guess we can remove those two lines:

Suggested change

	sonar.tests=tests/
	sonar.test.inclusions=test/**/*

[pvital]

@arjun-rajappa, perhaps we can use the pysonar CLI command with the configuration in the pyproject.toml file to run the checking as described in the documentation.