diff --git a/.cirrus.star b/.cirrus.star
deleted file mode 100644
index 9f91e15..0000000
--- a/.cirrus.star
+++ /dev/null
@@ -1,4 +0,0 @@
-load("github.com/SonarSource/cirrus-modules@v3", "load_features")
-
-def main(ctx):
- return load_features(ctx)
diff --git a/.cirrus.yml b/.cirrus.yml
deleted file mode 100644
index e2c861c..0000000
--- a/.cirrus.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-env:
- CIRRUS_VAULT_URL: https://vault.sonar.build:8200
- CIRRUS_VAULT_AUTH_PATH: jwt-cirrusci
- CIRRUS_VAULT_ROLE: cirrusci-${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}
-
- # Staging image configuration
- STAGING_IMAGE_NAME: sonarsource/sonarcloud-github-action
- CURRENT_TAG: master
-
-vm_instance_template: &VM_TEMPLATE
- experimental: true # see https://github.com/cirruslabs/cirrus-ci-docs/issues/1051
- image: docker-builder-v*
- type: t2.small
- region: eu-central-1
- subnet_id: ${CIRRUS_AWS_SUBNET}
- disk: 10
- cpu: 4
- memory: 16G
-
-mend_task:
- ec2_instance:
- <<: *VM_TEMPLATE
- # run only on master and long-term branches
- only_if: $CIRRUS_USER_COLLABORATOR == 'true' && $CIRRUS_TAG == "" && ($CIRRUS_BRANCH == "master" || $CIRRUS_BRANCH =~ "branch-.*")
- env:
- MEND_API_KEY: VAULT[development/kv/data/mend data.apikey]
- setup_script:
- - docker build --tag "${STAGING_IMAGE_NAME}:${CURRENT_TAG}" .
- - apt-get remove -y unattended-upgrades
- - apt-get update && apt-get install -y --no-install-recommends openjdk-17-jre
- - curl -sSL https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar -o wss-unified-agent.jar
- - echo "docker.includes=${CURRENT_TAG}" >> .cirrus/wss-unified-agent.config
- scan_script:
- - echo "Scan the ${STAGING_IMAGE_NAME}:${CURRENT_TAG} image"
- - java -jar wss-unified-agent.jar -c .cirrus/wss-unified-agent.config -apiKey $MEND_API_KEY
diff --git a/.cirrus/wss-unified-agent.config b/.cirrus/wss-unified-agent.config
deleted file mode 100644
index d23b6de..0000000
--- a/.cirrus/wss-unified-agent.config
+++ /dev/null
@@ -1,4 +0,0 @@ -docker.projectNameFormat=repositoryNameAndTag -docker.scanImages=true -wss.url=https://saas-eu.whitesourcesoftware.com/agent -productName=GitHubAction/SonarCloudGitHubAction diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 3f43f0d..e182dab 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -1 +1 @@ -.github/CODEOWNERS @sonarsource/analysis-experience-squad +.github/CODEOWNERS @sonarsource/orchestration-processing-squad diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md new file mode 100644 index 0000000..4ae3727 --- /dev/null +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -0,0 +1,7 @@ +Part of + diff --git a/.github/workflows/PullRequestClosed.yml b/.github/workflows/PullRequestClosed.yml new file mode 100644 index 0000000..1bf2140 --- /dev/null +++ b/.github/workflows/PullRequestClosed.yml @@ -0,0 +1,28 @@ +name: Pull Request Closed + +on: + pull_request: + types: [closed] + +jobs: + PullRequestClosed_job: + name: Pull Request Closed + runs-on: github-ubuntu-latest-s + permissions: + id-token: write + pull-requests: read + # For external PR, ticket should be moved manually + if: | + github.event.pull_request.head.repo.full_name == github.repository + steps: + - id: secrets + uses: SonarSource/vault-action-wrapper@v3 + with: + secrets: | + development/kv/data/jira user | JIRA_USER; + development/kv/data/jira token | JIRA_TOKEN; + - uses: sonarsource/gh-action-lt-backlog/PullRequestClosed@v2 + with: + github-token: ${{secrets.GITHUB_TOKEN}} + jira-user: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_USER }} + jira-token: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_TOKEN }} diff --git a/.github/workflows/PullRequestCreated.yml b/.github/workflows/PullRequestCreated.yml new file mode 100644 index 0000000..1e00ed0 --- /dev/null +++ b/.github/workflows/PullRequestCreated.yml 
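Review bot: The two third-party steps in this workflow, `uses: SonarSource/vault-action-wrapper@v3` and `uses: sonarsource/gh-action-lt-backlog/PullRequestClosed@v2`, are pinned to floating major tags, so the code that receives the Vault-issued Jira credentials and the `secrets.GITHUB_TOKEN` can change without any commit to this repository. Pinning each to a full commit SHA with the version kept in a trailing comment, e.g. `uses: SonarSource/vault-action-wrapper@<commit-sha> # v3`, keeps the supply chain auditable and lets Dependabot track the tag. Both actions live under the SonarSource organisation, which lowers but does not remove that risk. The same pattern is repeated in the PullRequestCreated, RequestReview and SubmitReview workflows added in this commit.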
@@ -0,0 +1,29 @@
+name: Pull Request Created
+
+on:
+ pull_request:
+ types: ["opened"]
+
+jobs:
+ PullRequestCreated_job:
+ name: Pull Request Created
+ runs-on: github-ubuntu-latest-s
+ permissions:
+ id-token: write
+ # For external PR, ticket should be created manually
+ if: |
+ github.event.pull_request.head.repo.full_name == github.repository
+ steps:
+ - id: secrets
+ uses: SonarSource/vault-action-wrapper@v3
+ with:
+ secrets: |
+ development/github/token/{REPO_OWNER_NAME_DASH}-jira token | GITHUB_TOKEN;
+ development/kv/data/jira user | JIRA_USER;
+ development/kv/data/jira token | JIRA_TOKEN;
+ - uses: sonarsource/gh-action-lt-backlog/PullRequestCreated@v2
+ with:
+ github-token: ${{ fromJSON(steps.secrets.outputs.vault).GITHUB_TOKEN }}
+ jira-user: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_USER }}
+ jira-token: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_TOKEN }}
+ jira-project: SCSCANGHA
diff --git a/.github/workflows/RequestReview.yml b/.github/workflows/RequestReview.yml
new file mode 100644
index 0000000..eb1425d
--- /dev/null
+++ b/.github/workflows/RequestReview.yml
@@ -0,0 +1,28 @@
+name: Request review
+
+on:
+ pull_request:
+ types: ["review_requested"]
+
+jobs:
+ RequestReview_job:
+ name: Request review
+ runs-on: github-ubuntu-latest-s
+ permissions:
+ id-token: write
+ # For external PR, ticket should be moved manually
+ if: |
+ github.event.pull_request.head.repo.full_name == github.repository
+ steps:
+ - id: secrets
+ uses: SonarSource/vault-action-wrapper@v3
+ with:
+ secrets: |
+ development/github/token/{REPO_OWNER_NAME_DASH}-jira token | GITHUB_TOKEN;
+ development/kv/data/jira user | JIRA_USER;
+ development/kv/data/jira token | JIRA_TOKEN;
+ - uses: sonarsource/gh-action-lt-backlog/RequestReview@v2
+ with:
+ github-token: ${{ fromJSON(steps.secrets.outputs.vault).GITHUB_TOKEN }}
+ jira-user: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_USER }}
+ jira-token: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_TOKEN }}
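Review bot: The `github-token` passed to `gh-action-lt-backlog/PullRequestCreated@v2` is a Vault-issued token (`development/github/token/{REPO_OWNER_NAME_DASH}-jira token | GITHUB_TOKEN;`) rather than the workflow's own `secrets.GITHUB_TOKEN` that PullRequestClosed and SubmitReview pass, and nothing in the file records why the built-in token is insufficient or what scope the Vault token carries; RequestReview.yml does the same. A comment above the secrets block, `# Uses a Vault-issued GitHub token; presumably the built-in GITHUB_TOKEN lacks the permissions this action needs - confirm and document the required scope`, would make the privilege decision reviewable. The `{REPO_OWNER_NAME_DASH}` placeholder looks like it is expanded by the vault wrapper, which is worth confirming in the same comment.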
diff --git a/.github/workflows/SubmitReview.yml b/.github/workflows/SubmitReview.yml new file mode 100644 index 0000000..d5b18a7 --- /dev/null +++ b/.github/workflows/SubmitReview.yml @@ -0,0 +1,30 @@ +name: Submit Review + +on: + pull_request_review: + types: [submitted] + +jobs: + SubmitReview_job: + name: Submit Review + runs-on: github-ubuntu-latest-s + permissions: + id-token: write + pull-requests: read + # For external PR, ticket should be moved manually + if: | + github.event.pull_request.head.repo.full_name == github.repository + && (github.event.review.state == 'changes_requested' + || github.event.review.state == 'approved') + steps: + - id: secrets + uses: SonarSource/vault-action-wrapper@v3 + with: + secrets: | + development/kv/data/jira user | JIRA_USER; + development/kv/data/jira token | JIRA_TOKEN; + - uses: sonarsource/gh-action-lt-backlog/SubmitReview@v2 + with: + github-token: ${{secrets.GITHUB_TOKEN}} + jira-user: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_USER }} + jira-token: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_TOKEN }} diff --git a/.github/workflows/qa.yml b/.github/workflows/qa.yml index dcf9500..499388d 100644 --- a/.github/workflows/qa.yml +++ b/.github/workflows/qa.yml @@ -11,7 +11,10 @@ jobs: argsInputTest: name: > 'args' input - runs-on: ubuntu-latest + strategy: + matrix: + os: [ ubuntu-latest, windows-latest, macos-latest ] + runs-on: ${{ matrix.os }} steps: - uses: actions/checkout@v4 with: @@ -28,7 +31,10 @@ jobs: projectBaseDirInputTest: name: > 'projectBaseDir' input - runs-on: ubuntu-latest + strategy: + matrix: + os: [ ubuntu-latest, windows-latest, macos-latest ] + runs-on: ${{ matrix.os }} steps: - uses: actions/checkout@v4 with: 
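Review bot: Both matrix hunks in qa.yml add `windows-latest` to `argsInputTest` and `projectBaseDirInputTest`, but the jobs' Assert steps invoke `./test/assertFileContains` through a plain `run:` (visible as context at the start of the following hunk for projectBaseDirInputTest; the argsInputTest assert lies outside this hunk), and on Windows runners `run:` defaults to PowerShell, so the bash scripts will not execute there unless the step sets `shell: bash` somewhere not shown. The `.*/baseDir` pattern asserted in projectBaseDirInputTest may also not match a backslash-separated Windows path. Adding `shell: bash` to each Assert step, or a job-level `defaults: { run: { shell: bash } }`, addresses the first point; both job definitions continue past the end of their hunks.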
@@ -45,118 +51,51 @@ jobs: - name: Assert run: | ./test/assertFileContains ./output.properties "sonar.projectBaseDir=.*/baseDir" - sonarTokenRequiredTest: + scannerVersionTest: name: > - 'SONAR_TOKEN' env var required - runs-on: ubuntu-latest + 'scannerVersion' input + runs-on: github-ubuntu-latest-s # assumes default RUNNER_ARCH for linux is X64 steps: - uses: actions/checkout@v4 with: token: ${{ secrets.GITHUB_TOKEN }} - - name: Run action without SONAR_TOKEN + - name: Run action with scannerVersion uses: ./ with: + scannerVersion: 6.1.0.4477 args: -Dsonar.scanner.internal.dumpToFile=./output.properties - continue-on-error: true - - name: Previous should have failed - if: ${{ steps.runTest.outcome == 'success'}} + env: + NO_CACHE: true # force install-sonar-scanner-cli.sh execution + SONAR_HOST_URL: http://not_actually_used + SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}' + - name: Assert run: | - echo "Expected previous step to fail" - exit 1 - dontFailGradleTest: + ./test/assertFileExists "$RUNNER_TEMP/sonarscanner/sonar-scanner-cli-6.1.0.4477-linux-x64.zip" + scannerBinariesUrlTest: name: > - Don't fail on Gradle project - runs-on: ubuntu-latest + 'scannerBinariesUrl' input with invalid URL + runs-on: github-ubuntu-latest-s # assumes default RUNNER_ARCH for linux is X64 steps: - uses: actions/checkout@v4 with: token: ${{ secrets.GITHUB_TOKEN }} - - name: Run action on Gradle project + - name: Run action with scannerBinariesUrl id: runTest uses: ./ continue-on-error: true + with: + scannerVersion: 6.2.1.4610 + scannerBinariesUrl: https://invalid_uri/Distribution/sonar-scanner-cli env: - SONAR_TOKEN: FAKE_TOKEN - with: - projectBaseDir: ./test/gradle-project - args: -Dsonar.scanner.internal.dumpToFile=./output.properties - - name: Assert + NO_CACHE: true # force install-sonar-scanner-cli.sh execution + SONAR_HOST_URL: http://not_actually_used + SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": 
"./output.properties"}' + - name: Fail if action succeeded + if: steps.runTest.outcome == 'success' + run: exit 1 + - name: Assert Sonar Scanner CLI was not downloaded run: | - ./test/assertFileExists ./output.properties - dontFailGradleKotlinTest: - name: > - Don't fail on Kotlin Gradle project - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - token: ${{ secrets.GITHUB_TOKEN }} - - name: Run action on Kotlin Gradle project - id: runTest - uses: ./ - continue-on-error: true - env: - SONAR_TOKEN: FAKE_TOKEN - with: - projectBaseDir: ./test/gradle-project-kotlin - args: -Dsonar.scanner.internal.dumpToFile=./output.properties - - name: Assert + ./test/assertFileDoesntExist "$RUNNER_TEMP/sonarscanner/sonar-scanner-cli-6.2.1.4610-linux-x64.zip" + - name: Assert Sonar Scanner CLI was not executed run: | - ./test/assertFileExists ./output.properties - dontFailMavenTest: - name: > - Don't fail on Maven project - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - token: ${{ secrets.GITHUB_TOKEN }} - - name: Run action on Maven project - id: runTest - uses: ./ - continue-on-error: true - env: - SONAR_TOKEN: FAKE_TOKEN - with: - projectBaseDir: ./test/maven-project - args: -Dsonar.scanner.internal.dumpToFile=./output.properties - - name: Assert - run: | - ./test/assertFileExists ./output.properties - runnerDebugUsedTest: - name: > - 'RUNNER_DEBUG' is used - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - token: ${{ secrets.GITHUB_TOKEN }} - - name: Run action with debug mode - uses: ./ - with: - args: -Dsonar.scanner.internal.dumpToFile=./output.properties - env: - RUNNER_DEBUG: 1 - SONAR_TOKEN: FAKE_TOKEN - - name: Assert - run: | - ./test/assertFileContains ./output.properties "sonar.verbose=true" - overrideSonarcloudUrlTest: - name: > - 'SONARCLOUD_URL' is used - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - token: ${{ secrets.GITHUB_TOKEN }} - - name: Run action with 
SONARCLOUD_URL - uses: ./ - with: - args: -Dsonar.scanner.internal.dumpToFile=./output.properties - env: - SONARCLOUD_URL: mirror.sonarcloud.io - SONAR_TOKEN: FAKE_TOKEN - - name: Assert - run: | - ./test/assertFileContains ./output.properties "sonar.host.url=mirror.sonarcloud.io" - ./test/assertFileContains ./output.properties "sonar.scanner.sonarcloudUrl=mirror.sonarcloud.io" + ./test/assertFileDoesntExist ./output.properties diff --git a/.github/workflows/update-tags.yml b/.github/workflows/update-tags.yml index a07d193..be85366 100644 --- a/.github/workflows/update-tags.yml +++ b/.github/workflows/update-tags.yml @@ -7,7 +7,7 @@ on: jobs: generate: - runs-on: ubuntu-latest + runs-on: github-ubuntu-latest-s permissions: contents: write diff --git a/Dockerfile b/Dockerfile deleted file mode 100644 index 3cc91c6..0000000 --- a/Dockerfile +++ /dev/null 
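Review bot: `scannerVersionTest` asserts a path inside the delegated action's cache, `./test/assertFileExists "$RUNNER_TEMP/sonarscanner/sonar-scanner-cli-6.1.0.4477-linux-x64.zip"`, so the QA now depends on an implementation detail of `sonarqube-scan-action` rather than on this action's own contract, and a change to that install layout breaks this workflow without any change to `action.yml`; `scannerBinariesUrlTest` has the same dependency through `assertFileDoesntExist`. A comment on each Assert step, `# Path is the cache layout of sonarqube-scan-action's install script; update when it changes`, would make the coupling explicit. With `sonarTokenRequiredTest` removed, nothing here covers the missing-`SONAR_TOKEN` failure any more, and whether the delegate still enforces it is not visible in this diff.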
@@ -1,32 +0,0 @@ -FROM sonarsource/sonar-scanner-cli:11.1 - -LABEL version="3.1.0" \ - repository="https://github.com/sonarsource/sonarcloud-github-action" \ - homepage="https://github.com/sonarsource/sonarcloud-github-action" \ - maintainer="SonarSource" \ - com.github.actions.name="SonarCloud Scan" \ - com.github.actions.description="Scan your code with SonarCloud to detect bugs, vulnerabilities and code smells in more than 25 programming languages." \ - com.github.actions.icon="check" \ - com.github.actions.color="green" - -ARG SONAR_SCANNER_HOME=/opt/sonar-scanner -ARG NODEJS_HOME=/opt/nodejs - -ENV PATH=${PATH}:${SONAR_SCANNER_HOME}/bin:${NODEJS_HOME}/bin - -# set up local envs in order to allow for special chars (non-asci) in filenames -ENV LC_ALL="C.UTF-8" - -WORKDIR /opt - -# GitHub actions should be run under ROOT -# https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners#docker-container-filesystem -USER 0 - -# Prepare entrypoint -COPY entrypoint.sh /entrypoint.sh -RUN chmod +x /entrypoint.sh -COPY cleanup.sh /cleanup.sh -RUN chmod +x /cleanup.sh - -ENTRYPOINT ["/entrypoint.sh"] diff --git a/README.md b/README.md index fe15a1e..07af29f 100644 --- a/README.md +++ b/README.md 
@@ -1,126 +1,151 @@ -# Analyze your code for free with SonarCloud +# Scan your code with SonarQube Cloud [![QA](https://github.com/SonarSource/sonarcloud-github-action/actions/workflows/qa.yml/badge.svg)](https://github.com/SonarSource/sonarcloud-github-action/actions/workflows/qa.yml) -This SonarSource project, available as a GitHub Action, scans your projects with SonarCloud, and helps developers produce -[Clean Code](https://www.sonarsource.com/solutions/clean-code/?utm_medium=referral&utm_source=github&utm_campaign=clean-code&utm_content=sonarqube-scan-action). +> [!WARNING] +> This action is deprecated and will be removed in a future release. +> Please use the `sonarqube-scan-action` action instead. +> The `sonarqube-scan-action` is a drop-in replacement for this action, you can find it [here](https://github.com/marketplace/actions/official-sonarqube-scan). - +This SonarSource project, available as a GitHub Action, scans your projects with SonarQube [Cloud](https://www.sonarsource.com/products/sonarcloud/). -[SonarCloud](https://www.sonarsource.com/products/sonarcloud/) is a widely used static analysis solution for continuous code quality and security inspection. -It helps developers identify and fix issues in their code that could lead to bugs, vulnerabilities, or decreased development velocity. -SonarCloud supports the most popular programming languages, including Java, JavaScript, TypeScript, C#, Python, C, C++, and [many more](https://www.sonarsource.com/knowledge/languages/). +![Logo](./images/SQ_Logo_Cloud_Dark_Backgrounds.png#gh-dark-mode-only) +![Logo](./images/SQ_Logo_Cloud_Light_Backgrounds.png#gh-light-mode-only) + +SonarQube [Cloud](https://www.sonarsource.com/products/sonarcloud/) (formerly SonarCloud) is a widely used static analysis solution for continuous code quality and security inspection. 
+ +It helps developers detect coding issues in 30+ languages, frameworks, and IaC platforms, including Java, JavaScript, TypeScript, C#, Python, C, C++, and [many more](https://www.sonarsource.com/knowledge/languages/). + +The solution also provides fix recommendations leveraging AI with Sonar's AI CodeFix capability. ## Requirements -* Create your account on SonarCloud. Sign up for free now if it's not already the case! [SonarCloud Sign up](https://www.sonarsource.com/products/sonarcloud/signup/?utm_medium=referral&utm_source=github&utm_campaign=sc-signup&utm_content=signup-sonarcloud-listing-x-x&utm_term=ww-psp-x) -* The repository to analyze is set up on SonarCloud. [Set it up](https://sonarcloud.io/projects/create) in just one click. +* Create your account on SonarQube Cloud. [Sign up for free](https://www.sonarsource.com/products/sonarcloud/signup/?utm_medium=referral&utm_source=github&utm_campaign=sc-signup&utm_content=signup-sonarcloud-listing-x-x&utm_term=ww-psp-x) now if it's not already the case! +* The repository to analyze is set up on SonarQube Cloud. [Set it up](https://sonarcloud.io/projects/create) in just one click. ## Usage Project metadata, including the location of the sources to be analyzed, must be declared in the file `sonar-project.properties` in the base directory: ```properties -sonar.organization= -sonar.projectKey= +sonar.organization= +sonar.projectKey= # relative paths to source directories. More details and properties are described -# in https://sonarcloud.io/documentation/project-administration/narrowing-the-focus/ +# at https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/analysis-scope/ sonar.sources=. ``` -The workflow, usually declared in `.github/workflows/build.yml`, looks like: +The workflow, usually declared under `.github/workflows`, looks like: ```yaml on: - # Trigger analysis when pushing in master or pull requests, and when creating - # a pull request. 
+ # Trigger analysis when pushing to your main branches, and when creating a pull request. push: branches: + - main - master + - develop + - 'releases/**' pull_request: types: [opened, synchronize, reopened] + name: Main Workflow jobs: - sonarcloud: + sonarqube: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 with: - # Disabling shallow clone is recommended for improving relevancy of reporting + # Disabling shallow clones is recommended for improving the relevancy of reporting fetch-depth: 0 - - name: SonarCloud Scan - uses: sonarsource/sonarcloud-github-action@ # Ex: v2.1.0, See the latest version at https://github.com/marketplace/actions/sonarcloud-scan + - name: SonarQube Scan + uses: sonarsource/sonarcloud-github-action@ # Ex: v4.0.0, See the latest version at https://github.com/marketplace/actions/sonarcloud-scan env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} ``` +## Action parameters + You can change the analysis base directory by using the optional input `projectBaseDir` like this: ```yaml -uses: sonarsource/sonarcloud-github-action@ # Ex: v2.1.0, See the latest version at https://github.com/marketplace/actions/sonarcloud-scan -with: - projectBaseDir: my-custom-directory +- uses: sonarsource/sonarcloud-github-action@ + with: + projectBaseDir: app/src ``` -In case you need to add additional analysis parameters, you can use the `args` option: +In case you need to specify the version of the Sonar Scanner, you can use the `scannerVersion` option: ```yaml -- name: Analyze with SonarCloud - uses: sonarsource/sonarcloud-github-action@ # Ex: v2.1.0, See the latest version at https://github.com/marketplace/actions/sonarcloud-scan +- uses: sonarsource/sonarcloud-github-action@ with: - projectBaseDir: my-custom-directory + scannerVersion: 6.2.0.4584 +``` + +In case you need to add additional analysis parameters, and you do not wish to set them in the `sonar-project.properties` file, you can use the `args` option: + +```yaml +- uses: 
sonarsource/sonarcloud-github-action@ + with: + projectBaseDir: app/src args: > -Dsonar.organization=my-organization -Dsonar.projectKey=my-projectkey -Dsonar.python.coverage.reportPaths=coverage.xml -Dsonar.sources=lib/ - -Dsonar.test.exclusions=tests/** -Dsonar.tests=tests/ + -Dsonar.test.exclusions=tests/** -Dsonar.verbose=true ``` -More information about possible analysis parameters is found in the documentation at: -https://docs.sonarcloud.io/advanced-setup/analysis-parameters +You can also specify the URL where to retrieve the SonarScanner CLI from. +The specified URL overrides the default address: `https://binaries.sonarsource.com/Distribution/sonar-scanner-cli`. +This can be useful when the runner executing the action is self-hosted and has regulated or no access to the Internet: -See also example configurations at: -https://github.com/sonarsource/sonarcloud-github-action-samples/ - -### Secrets - -- `SONAR_TOKEN` – **Required** this is the token used to authenticate access to SonarCloud. You can generate a token on your [Security page in SonarCloud](https://sonarcloud.io/account/security/). You can set the `SONAR_TOKEN` environment variable in the "Secrets" settings page of your repository. -- *`GITHUB_TOKEN` – Provided by Github (see [Authenticating with the GITHUB_TOKEN](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/authenticating-with-the-github_token)).* - -## Error cleaning up workspace - -In some cases, the checkout action may fail to clean up the workspace. This is a known problem for GitHub actions implemented as a docker container (such as `sonarcloud-github-actions`) when self-hosted runners are used. -Example of the error message: `File was unable to be removed Error: EACCES: permission denied, unlink '/actions-runner/_work//project/.scannerwork/.sonar_lock'` -To work around the problem, `sonarcloud-github-action` attempts to fix the permission of the temporary files that it creates. 
If that doesn't work, you can manually clean up the workspace by running the following action: -``` -- name: Clean the workspace - uses: docker://alpine +```yaml +- uses: sonarsource/sonarcloud-github-action@ with: - args: /bin/sh -c "find \"${GITHUB_WORKSPACE}\" -mindepth 1 ! -name . -prune -exec rm -rf {} +" + scannerBinariesUrl: https://my.custom.binaries.url.com/Distribution/sonar-scanner-cli/ ``` -You can find more info [here](https://github.com/actions/runner/issues/434). -## Example of pull request analysis +More information about possible analysis parameters can be found in the [Analysis parameters page](https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/analysis-parameters/) of the SonarQube Cloud documentation. - +### Environment variables -Want to see more examples of SonarCloud in action? You can [explore current Open Source projects in SonarCloud](https://sonarcloud.io/explore/projects?sort=-analysis_date?utm_medium=referral&utm_source=github&utm_campaign=sc-signup&utm_content=signup-sonarcloud-listing-x-x&utm_term=ww-psp-x) that are using the Clean as You Code methodology. +- `SONAR_TOKEN` – **Required** this is the token used to authenticate access to SonarQube. You can read more about security tokens in the [documentation](https://docs.sonarsource.com/sonarqube-cloud/managing-your-account/managing-tokens/). You can set the `SONAR_TOKEN` environment variable in the "Secrets" settings page of your repository, or you can add them at the level of your GitHub organization (recommended). +- *`GITHUB_TOKEN` – Provided by Github (see [Authenticating with the GITHUB_TOKEN](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/authenticating-with-the-github_token)).* +- `SONAR_ROOT_CERT` – Holds an additional certificate (in PEM format) that is used to validate the certificate of a secured proxy to SonarQube Cloud. 
You can set the `SONAR_ROOT_CERT` environment variable in the "Secrets" settings page of your repository, or you can add them at the level of your GitHub organization (recommended). -## Do not use this GitHub action if you are in the following situations +Here is an example of how you can pass a certificate (in PEM format) to the Scanner truststore: -* Your code is built with Maven: run 'org.sonarsource.scanner.maven:sonar' during the build -* Your code is built with Gradle: use the SonarQube plugin for Gradle during the build -* You want to analyze a .NET solution: Follow our interactive tutorial for GitHub Actions after importing your project directly into SonarCloud -* You want to analyze C and C++ code: rely on our [SonarCloud Scan for C and C++](https://github.com/marketplace/actions/sonarcloud-scan-for-c-and-c) and look at [our sample C and C++ project](https://github.com/sonarsource-cfamily-examples?q=gh-actions-sc&type=all&language=&sort=) +```yaml +- uses: sonarsource/sonarcloud-github-action@ + env: + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + SONAR_ROOT_CERT: ${{ secrets.SONAR_ROOT_CERT }} +``` + +If your source code file names contain special characters that are not covered by the locale range of `en_US.UTF-8`, you can configure your desired locale like this: + +```yaml +- uses: sonarsource/sonarcloud-github-action@ + env: + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + LC_ALL: "ru_RU.UTF-8" +``` + +## Alternatives for Java, .NET, and C/C++ projects + +This GitHub Action will not work for all technologies. If you are in one of the following situations, you should use the following alternatives: + +* Your code is built with Maven. Read the documentation about our [SonarScanner for Maven](https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/ci-based-analysis/sonarscanner-for-maven/). +* Your code is built with Gradle. 
Read the documentation about our [SonarScanner for Gradle](https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/ci-based-analysis/sonarscanner-for-gradle/). +* You want to analyze a .NET solution. Read the documentation about our [SonarScanner for .NET](https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/ci-based-analysis/sonarscanner-for-dotnet/introduction/). +* You want to analyze C or C++ code. Starting from SonarQube 10.6, this GitHub Action will scan C and C++ out of the box. If you want to have better control over the scan configuration/setup, you can switch to the [SonarQube Cloud Scan for C and C++](https://github.com/marketplace/actions/sonarcloud-scan-for-c-and-c) GitHub Action - look at [our sample C and C++ project](https://github.com/sonarsource-cfamily-examples?q=gh-actions-sc&type=all&language=&sort=). ## Have questions or feedback? -To provide feedback (requesting a feature or reporting a bug) please post on the [SonarSource Community Forum](https://community.sonarsource.com/) with the tag `sonarcloud`. +To provide feedback (requesting a feature or reporting a bug) please post on the [SonarSource Community Forum](https://community.sonarsource.com/tags/c/help/sc/9/github-actions). ## License -The Dockerfile and associated scripts and documentation in this project are released under the LGPLv3 License. - Container images built with this project include third-party materials. diff --git a/action.yml b/action.yml index de11390..eefd987 100644 --- a/action.yml +++ b/action.yml 
@@ -1,20 +1,37 @@ -name: SonarCloud Scan +name: SonarQube Cloud Scan description: > - Scan your code with SonarCloud to detect bugs, vulnerabilities and code smells - in 26+ programming languages. + Scan your code with SonarQube Cloud to detect coding issues in 30+ + languages. (Formerly SonarCloud) branding: icon: check color: green -runs: - using: docker - image: Dockerfile - entrypoint: "/entrypoint.sh" - post-entrypoint: "/cleanup.sh" inputs: args: - description: Additional arguments to the sonarcloud scanner + description: Additional arguments to the Sonar Scanner CLI required: false projectBaseDir: description: Set the sonar.projectBaseDir analysis property required: false - default: . + scannerVersion: + description: Version of the Sonar Scanner CLI to use + required: false + # to be kept in sync with the default version in the sonarqube-scan-action + default: 7.0.2.4839 + scannerBinariesUrl: + description: URL to download the Sonar Scanner CLI binaries from + required: false + default: https://binaries.sonarsource.com/Distribution/sonar-scanner-cli +runs: + using: "composite" + steps: + - name: Deprecation warning + shell: bash + run: | + echo "::warning title=SonarScanner::This action is deprecated and will be removed in a future release. Please use the sonarqube-scan-action action instead. The sonarqube-scan-action is a drop-in replacement for this action." + - name: SonarQube Cloud Scan + uses: SonarSource/sonarqube-scan-action@v5.0.0 + with: + args: ${{ inputs.args }} + projectBaseDir: ${{ inputs.projectBaseDir }} + scannerVersion: ${{ inputs.scannerVersion }} + scannerBinariesUrl: ${{ inputs.scannerBinariesUrl }} diff --git a/cleanup.sh b/cleanup.sh deleted file mode 100644 index 8a5e4c9..0000000 --- a/cleanup.sh +++ /dev/null 
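Review bot: `projectBaseDir` loses its `default: .` in this hunk, so when a caller omits the input, `projectBaseDir: ${{ inputs.projectBaseDir }}` now forwards an empty string to the delegate instead of `.`; whether `sonarqube-scan-action` treats an empty value as its own default is not visible here and should be confirmed, otherwise restoring `default: .` keeps the previous behaviour for existing callers. The delegate is pinned to the mutable tag in `uses: SonarSource/sonarqube-scan-action@v5.0.0`; since this wrapper forwards the caller's `args` and `scannerBinariesUrl` to it, pinning to the commit SHA, `uses: SonarSource/sonarqube-scan-action@<commit-sha> # v5.0.0`, keeps the wrapper's behaviour fixed between releases. The `# to be kept in sync with the default version in the sonarqube-scan-action` comment could also say why parity matters, given the value is always forwarded and the delegate's default is never used.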
@@ -1,14 +0,0 @@ -#!/bin/bash - -set -e - -if [ ! -d "${INPUT_PROJECTBASEDIR}/.scannerwork" ]; then - echo ".scannerwork directory not found; nothing to clean up." - exit -fi - -_tmp_file=$(ls "${INPUT_PROJECTBASEDIR}/" | head -1) -PERM=$(stat -c "%u:%g" "${INPUT_PROJECTBASEDIR}/$_tmp_file") - -chown -R "$PERM" "${INPUT_PROJECTBASEDIR}/.scannerwork/" - diff --git a/entrypoint.sh b/entrypoint.sh deleted file mode 100755 index d8e59e0..0000000 --- a/entrypoint.sh +++ /dev/null @@ -1,34 +0,0 @@ -#!/bin/bash - -set -eo pipefail - -declare -a args=() - -if [[ -z "${SONAR_TOKEN}" ]]; then - echo "Set the SONAR_TOKEN env variable." - exit 1 -fi - -if [[ -f "${INPUT_PROJECTBASEDIR%/}/pom.xml" ]]; then - echo "WARNING! Maven project detected. Sonar recommends running the 'org.sonarsource.scanner.maven:sonar-maven-plugin:sonar' goal during the build process instead of using this GitHub Action - to get more accurate results." -fi - -if [[ -f "${INPUT_PROJECTBASEDIR%/}/build.gradle" || -f "${INPUT_PROJECTBASEDIR%/}/build.gradle.kts" ]]; then - echo "WARNING! Gradle project detected. Sonar recommends using the SonarQube plugin for Gradle during the build process instead of using this GitHub Action - to get more accurate results." -fi - -if [[ ${SONARCLOUD_URL} ]]; then - args+=("-Dsonar.scanner.sonarcloudUrl=${SONARCLOUD_URL}") -fi - -if [[ "$RUNNER_DEBUG" == '1' ]]; then - args+=("--debug") -fi - -unset JAVA_HOME - -args+=("-Dsonar.projectBaseDir=${INPUT_PROJECTBASEDIR}") - -sonar-scanner "${args[@]}" ${INPUT_ARGS} diff --git a/images/SQ_Logo_Cloud_Dark_Backgrounds.png b/images/SQ_Logo_Cloud_Dark_Backgrounds.png new file mode 100644 index 0000000..9e9a1f4 Binary files /dev/null and b/images/SQ_Logo_Cloud_Dark_Backgrounds.png differ diff --git a/images/SQ_Logo_Cloud_Light_Backgrounds.png b/images/SQ_Logo_Cloud_Light_Backgrounds.png new file mode 100644 index 0000000..4a7f25e Binary files /dev/null and b/images/SQ_Logo_Cloud_Light_Backgrounds.png differ 
diff --git a/images/SonarCloud-72px.png b/images/SonarCloud-72px.png deleted file mode 100644 index 98ce8c1..0000000 Binary files a/images/SonarCloud-72px.png and /dev/null differ diff --git a/images/SonarCloud-analysis-in-Checks.png b/images/SonarCloud-analysis-in-Checks.png deleted file mode 100644 index 2f025a4..0000000 Binary files a/images/SonarCloud-analysis-in-Checks.png and /dev/null differ diff --git a/test/assertFileDoesntExist b/test/assertFileDoesntExist new file mode 100755 index 0000000..032a07c --- /dev/null +++ b/test/assertFileDoesntExist @@ -0,0 +1,8 @@ +#!/bin/bash + +error() { echo -e "\\e[31m✗ $*\\e[0m"; } + +if [ -f $1 ]; then + error "File '$1' found" + exit 1 +fi \ No newline at end of file diff --git a/test/gradle-project-kotlin/build.gradle.kts b/test/gradle-project-kotlin/build.gradle.kts deleted file mode 100644 index e69de29..0000000 diff --git a/test/gradle-project/build.gradle b/test/gradle-project/build.gradle deleted file mode 100644 index 8b13789..0000000 --- a/test/gradle-project/build.gradle +++ /dev/null @@ -1 +0,0 @@ - diff --git a/test/maven-project/pom.xml b/test/maven-project/pom.xml deleted file mode 100644 index 8b13789..0000000 --- a/test/maven-project/pom.xml +++ /dev/null @@ -1 +0,0 @@ -
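Review bot: `if [ -f $1 ]; then` leaves `$1` unquoted, so a path containing spaces splits into several words and a missing argument collapses the test to `[ -f ]`, which is true and makes the script report `File '' found` and exit 1 for the wrong reason; the fix is `if [ -f "$1" ]; then`, optionally preceded by `[ $# -eq 1 ] || { error "usage: $0 <file>"; exit 2; }`. The file also ends without a trailing newline, as the `\ No newline at end of file` marker shows.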