initial version

.gitignore

@@ -0,0 +1 @@
+.idea

.travis.yml

@@ -0,0 +1,8 @@
+# any language
+language: ruby
+
+services:
+  - docker
+
+script:
+  - docker build -t sonarsource/sonarcloud-github-action .

Dockerfile

@@ -0,0 +1,40 @@
+FROM openjdk:11-jre-slim
+
+LABEL version="0.0.1"
+LABEL repository="https://github.com/sonarsource/sonarcloud-github-action"
+LABEL homepage="https://github.com/sonarsource/sonarcloud-github-action"
+LABEL maintainer="SonarSource"
+LABEL "com.github.actions.name"="SonarCloud Scan"
+LABEL "com.github.actions.description"="Scan your code with SonarCloud to detect bugs, vulnerabilities and code smells in more than 25 programming languages."
+LABEL "com.github.actions.icon"="check"
+LABEL "com.github.actions.color"="green"
+
+ARG SONAR_SCANNER_HOME=/opt/sonar-scanner
+ARG NODEJS_HOME=/opt/nodejs
+
+ENV SONAR_SCANNER_HOME=${SONAR_SCANNER_HOME} \
+    SONAR_SCANNER_VERSION=3.3.0.1492 \
+    NODEJS_HOME=${NODEJS_HOME} \
+    NODEJS_VERSION=v8.12.0
+
+ENV PATH=${PATH}:${SONAR_SCANNER_HOME}/bin:${NODEJS_HOME}/bin
+
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends wget \
+    && apt-get install -y --no-install-recommends git \
+    && apt-get install -y --no-install-recommends jq
+
+RUN wget -U "sonarcloud-github-action" -q -O sonar-scanner-cli.zip https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-${SONAR_SCANNER_VERSION}.zip \
+    && unzip sonar-scanner-cli.zip \
+    && rm sonar-scanner-cli.zip \
+    && mv sonar-scanner-${SONAR_SCANNER_VERSION} ${SONAR_SCANNER_HOME}
+
+RUN wget -q -O nodejs.tar.xz https://nodejs.org/dist/${NODEJS_VERSION}/node-${NODEJS_VERSION}-linux-x64.tar.xz \
+    && tar Jxf nodejs.tar.xz \
+    && mv node-${NODEJS_VERSION}-linux-x64 ${NODEJS_HOME}
+
+RUN npm install -g typescript
+
+COPY entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
+ENTRYPOINT ["/entrypoint.sh"]

LICENSE.txt

@@ -0,0 +1,165 @@
+                   GNU LESSER GENERAL PUBLIC LICENSE
+                       Version 3, 29 June 2007
+
+ Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+
+  This version of the GNU Lesser General Public License incorporates
+the terms and conditions of version 3 of the GNU General Public
+License, supplemented by the additional permissions listed below.
+
+  0. Additional Definitions.
+
+  As used herein, "this License" refers to version 3 of the GNU Lesser
+General Public License, and the "GNU GPL" refers to version 3 of the GNU
+General Public License.
+
+  "The Library" refers to a covered work governed by this License,
+other than an Application or a Combined Work as defined below.
+
+  An "Application" is any work that makes use of an interface provided
+by the Library, but which is not otherwise based on the Library.
+Defining a subclass of a class defined by the Library is deemed a mode
+of using an interface provided by the Library.
+
+  A "Combined Work" is a work produced by combining or linking an
+Application with the Library.  The particular version of the Library
+with which the Combined Work was made is also called the "Linked
+Version".
+
+  The "Minimal Corresponding Source" for a Combined Work means the
+Corresponding Source for the Combined Work, excluding any source code
+for portions of the Combined Work that, considered in isolation, are
+based on the Application, and not on the Linked Version.
+
+  The "Corresponding Application Code" for a Combined Work means the
+object code and/or source code for the Application, including any data
+and utility programs needed for reproducing the Combined Work from the
+Application, but excluding the System Libraries of the Combined Work.
+
+  1. Exception to Section 3 of the GNU GPL.
+
+  You may convey a covered work under sections 3 and 4 of this License
+without being bound by section 3 of the GNU GPL.
+
+  2. Conveying Modified Versions.
+
+  If you modify a copy of the Library, and, in your modifications, a
+facility refers to a function or data to be supplied by an Application
+that uses the facility (other than as an argument passed when the
+facility is invoked), then you may convey a copy of the modified
+version:
+
+   a) under this License, provided that you make a good faith effort to
+   ensure that, in the event an Application does not supply the
+   function or data, the facility still operates, and performs
+   whatever part of its purpose remains meaningful, or
+
+   b) under the GNU GPL, with none of the additional permissions of
+   this License applicable to that copy.
+
+  3. Object Code Incorporating Material from Library Header Files.
+
+  The object code form of an Application may incorporate material from
+a header file that is part of the Library.  You may convey such object
+code under terms of your choice, provided that, if the incorporated
+material is not limited to numerical parameters, data structure
+layouts and accessors, or small macros, inline functions and templates
+(ten or fewer lines in length), you do both of the following:
+
+   a) Give prominent notice with each copy of the object code that the
+   Library is used in it and that the Library and its use are
+   covered by this License.
+
+   b) Accompany the object code with a copy of the GNU GPL and this license
+   document.
+
+  4. Combined Works.
+
+  You may convey a Combined Work under terms of your choice that,
+taken together, effectively do not restrict modification of the
+portions of the Library contained in the Combined Work and reverse
+engineering for debugging such modifications, if you also do each of
+the following:
+
+   a) Give prominent notice with each copy of the Combined Work that
+   the Library is used in it and that the Library and its use are
+   covered by this License.
+
+   b) Accompany the Combined Work with a copy of the GNU GPL and this license
+   document.
+
+   c) For a Combined Work that displays copyright notices during
+   execution, include the copyright notice for the Library among
+   these notices, as well as a reference directing the user to the
+   copies of the GNU GPL and this license document.
+
+   d) Do one of the following:
+
+       0) Convey the Minimal Corresponding Source under the terms of this
+       License, and the Corresponding Application Code in a form
+       suitable for, and under terms that permit, the user to
+       recombine or relink the Application with a modified version of
+       the Linked Version to produce a modified Combined Work, in the
+       manner specified by section 6 of the GNU GPL for conveying
+       Corresponding Source.
+
+       1) Use a suitable shared library mechanism for linking with the
+       Library.  A suitable mechanism is one that (a) uses at run time
+       a copy of the Library already present on the user's computer
+       system, and (b) will operate properly with a modified version
+       of the Library that is interface-compatible with the Linked
+       Version.
+
+   e) Provide Installation Information, but only if you would otherwise
+   be required to provide such information under section 6 of the
+   GNU GPL, and only to the extent that such information is
+   necessary to install and execute a modified version of the
+   Combined Work produced by recombining or relinking the
+   Application with a modified version of the Linked Version. (If
+   you use option 4d0, the Installation Information must accompany
+   the Minimal Corresponding Source and Corresponding Application
+   Code. If you use option 4d1, you must provide the Installation
+   Information in the manner specified by section 6 of the GNU GPL
+   for conveying Corresponding Source.)
+
+  5. Combined Libraries.
+
+  You may place library facilities that are a work based on the
+Library side by side in a single library together with other library
+facilities that are not Applications and are not covered by this
+License, and convey such a combined library under terms of your
+choice, if you do both of the following:
+
+   a) Accompany the combined library with a copy of the same work based
+   on the Library, uncombined with any other library facilities,
+   conveyed under the terms of this License.
+
+   b) Give prominent notice with the combined library that part of it
+   is a work based on the Library, and explaining where to find the
+   accompanying uncombined form of the same work.
+
+  6. Revised Versions of the GNU Lesser General Public License.
+
+  The Free Software Foundation may publish revised and/or new versions
+of the GNU Lesser General Public License from time to time. Such new
+versions will be similar in spirit to the present version, but may
+differ in detail to address new problems or concerns.
+
+  Each version is given a distinguishing version number. If the
+Library as you received it specifies that a certain numbered version
+of the GNU Lesser General Public License "or any later version"
+applies to it, you have the option of following the terms and
+conditions either of that published version or of any later version
+published by the Free Software Foundation. If the Library as you
+received it does not specify a version number of the GNU Lesser
+General Public License, you may choose any version of the GNU Lesser
+General Public License ever published by the Free Software Foundation.
+
+  If the Library as you received it specifies that a proxy can decide
+whether future versions of the GNU Lesser General Public License shall
+apply, that proxy's public statement of acceptance of any version is
+permanent authorization for you to choose that version for the
+Library.

README.md

@@ -1,12 +1,60 @@
-# GitHub Action for SonarCloud
+# Scan your code with SonarCloud
 
-This GitHub Action analyzes source code to detect bugs, vulnerabilities and Quality flaws.
-Results are available in both [SonarCloud](https://sonarcloud.io/) and GitHub Checks.
+> Using this GitHub Action, scan your code with [SonarCloud](https://sonarcloud.io/) to detects bugs, vulnerabilities and code smells in more than 25 programming languages!
 
-Analysis of pull requests is supported, without any specific configuration.
+<img src="./images/SonarCloud-72px.png">
+
+## Requirements
+
+* Have an account on SonarCloud. [Sign up for free now](https://sonarcloud.io/sessions/init/github) if it's not already the case!
+* The repository to analyze is set up on SonarCloud. [Set it up](https://sonarcloud.io/projects/create) in just one click.
+
+## Usage
+
+Project metadata, including the location to the sources to be analyzed, must be declared in the file `sonar-project.properties` in the base directory:
+
+```
+sonar.organization=<replace with your SonarCloud organization key>
+sonar.projectKey=<replace with the key generated when setting up the project on SonarCloud>
+
+// relative paths to source directories. More details and properties are described
+// in https://sonarcloud.io/documentation/project-administration/narrowing-the-focus/ 
+sonar.sources=.
+```
+
+The workflow, usually declared in `.github/main.workflow`, looks like:
+
+```
+workflow "Main Worflow" {
+  on = "push"
+  resolves = "SonarCloud Trigger"
+}
+
+action "SonarCloud Trigger" {
+  uses = "sonarsource/sonarcloud-github-action@master"
+  secrets = ["GITHUB_TOKEN", "SONAR_TOKEN"]
+}
+```
+
+### Secrets
+
+- `SONAR_TOKEN` – **Required** this is the token used to authenticate access to SonarCloud. You can generate a token on your [Security page in SonarCloud](https://sonarcloud.io/account/security/). You can set the `SONAR_TOKEN` environment variable in the "Secrets" settings page of your repository.
+
+## Example of pull request analysis
+
+<img src="./images/SonarCloud-analysis-in-Checks.png">
+
+## Do not use this GitHub action if you are in the following situations
+
+* Your code is built with Maven: run 'org.sonarsource.scanner.maven:sonar' during the build
+* Your code is built with Gradle: use the SonarQube plugin for Gradle during the build
+* You want to analyze a .NET solution: use the [SonarCloud Azure DevOps Extension](https://marketplace.visualstudio.com/items?itemName=SonarSource.sonarcloud) to analyze your code on SonarCloud with Azure Pipelines
+* You want to analyze C/C++ code: rely on our [Travis-CI extension](https://docs.travis-ci.com/user/sonarcloud/) and look at [our sample C/C++ project](https://github.com/SonarSource/sq-com_example_c-sqscanner-travis)
 
 ## License
 
 The Dockerfile and associated scripts and documentation in this project are released under the LGPLv3 License.
 
 Container images built with this project include third party materials.
+
+[![Build Status](https://travis-ci.com/SonarSource/sonarcloud-github-action.svg?branch=master)](https://travis-ci.com/SonarSource/sonarcloud-github-action)

entrypoint.sh

@@ -0,0 +1,34 @@
+#!/bin/bash
+
+set -e
+
+if [[ -z "${SONAR_TOKEN}" ]]; then
+  echo "Set the SONAR_TOKEN env variable."
+  exit 1
+fi
+
+if [[ -f "pom.xml" ]]; then
+  echo "Maven project detected. You should run the goal 'org.sonarsource.scanner.maven:sonar' during build rather than using this GitHub Action."
+  exit 1
+fi
+
+if [[ -f "build.gradle" ]]; then
+  echo "Gradle project detected. You should use the SonarQube plugin for Gradle during build rather than using this GitHub Action."
+  exit 1
+fi
+
+if [[ "${GITHUB_EVENT_NAME}" == "pull_request" ]]; then
+  EVENT_ACTION=$(jq -r ".action" "${GITHUB_EVENT_PATH}")
+  if [[ "${EVENT_ACTION}" != "opened" ]] && [[ "${EVENT_ACTION}" != "synchronize" ]]; then
+	  echo "No need to run analysis"
+	  exit 78
+  fi
+fi
+
+if [[ -z "${SONARCLOUD_URL}" ]]; then
+  SONARCLOUD_URL="https://sonarcloud.io"
+fi
+
+sonar-scanner -Dsonar.host.url=${SONARCLOUD_URL}
+
+