diff --git a/.cirrus.star b/.cirrus.star
new file mode 100644
index 0000000..9f91e15
--- /dev/null
+++ b/.cirrus.star
@@ -0,0 +1,4 @@
+load("github.com/SonarSource/cirrus-modules@v3", "load_features")
+
+def main(ctx):
+ return load_features(ctx)
diff --git a/.cirrus.yml b/.cirrus.yml
new file mode 100644
index 0000000..e2c861c
--- /dev/null
+++ b/.cirrus.yml
@@ -0,0 +1,35 @@
+env:
+ CIRRUS_VAULT_URL: https://vault.sonar.build:8200
+ CIRRUS_VAULT_AUTH_PATH: jwt-cirrusci
+ CIRRUS_VAULT_ROLE: cirrusci-${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}
+
+ # Staging image configuration
+ STAGING_IMAGE_NAME: sonarsource/sonarcloud-github-action
+ CURRENT_TAG: master
+
+vm_instance_template: &VM_TEMPLATE
+ experimental: true # see https://github.com/cirruslabs/cirrus-ci-docs/issues/1051
+ image: docker-builder-v*
+ type: t2.small
+ region: eu-central-1
+ subnet_id: ${CIRRUS_AWS_SUBNET}
+ disk: 10
+ cpu: 4
+ memory: 16G
+
+mend_task:
+ ec2_instance:
+ <<: *VM_TEMPLATE
+ # run only on master and long-term branches
+ only_if: $CIRRUS_USER_COLLABORATOR == 'true' && $CIRRUS_TAG == "" && ($CIRRUS_BRANCH == "master" || $CIRRUS_BRANCH =~ "branch-.*")
+ env:
+ MEND_API_KEY: VAULT[development/kv/data/mend data.apikey]
+ setup_script:
+ - docker build --tag "${STAGING_IMAGE_NAME}:${CURRENT_TAG}" .
+ - apt-get remove -y unattended-upgrades
+ - apt-get update && apt-get install -y --no-install-recommends openjdk-17-jre
+ - curl -sSL https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar -o wss-unified-agent.jar
+ - echo "docker.includes=${CURRENT_TAG}" >> .cirrus/wss-unified-agent.config
+ scan_script:
+ - echo "Scan the ${STAGING_IMAGE_NAME}:${CURRENT_TAG} image"
+ - java -jar wss-unified-agent.jar -c .cirrus/wss-unified-agent.config -apiKey $MEND_API_KEY
diff --git a/.cirrus/wss-unified-agent.config b/.cirrus/wss-unified-agent.config
new file mode 100644
index 0000000..d23b6de
--- /dev/null
+++ b/.cirrus/wss-unified-agent.config
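Review bot: The `curl ... wss-unified-agent.jar` line in `setup_script` fetches an unversioned jar and the following `java -jar` in `scan_script` executes it on a builder that holds `MEND_API_KEY`, with no checksum or signature check, so whatever the bucket serves at that moment runs with the secret in scope. Pin a released agent version and verify the download before running it, e.g. `- echo "<EXPECTED_SHA256>  wss-unified-agent.jar" | sha256sum -c -` right after the `curl` line (placeholder hash). Passing the key as `-apiKey $MEND_API_KEY` also places it on the process command line, where other processes on the builder can read it; if the agent accepts the key from its config file or the environment, prefer that route. `image: docker-builder-v*` floats across builder image versions, which may be intended but deserves a comment next to the existing `experimental` one.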
@@ -0,0 +1,4 @@ +docker.projectNameFormat=repositoryNameAndTag +docker.scanImages=true +wss.url=https://saas-eu.whitesourcesoftware.com/agent +productName=GitHubAction/SonarCloudGitHubAction diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index e182dab..3f43f0d 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -1 +1 @@ -.github/CODEOWNERS @sonarsource/orchestration-processing-squad +.github/CODEOWNERS @sonarsource/analysis-experience-squad diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md deleted file mode 100644 index 4ae3727..0000000 --- a/.github/PULL_REQUEST_TEMPLATE.md +++ /dev/null @@ -1,7 +0,0 @@ -Part of - diff --git a/.github/workflows/PullRequestClosed.yml b/.github/workflows/PullRequestClosed.yml deleted file mode 100644 index 1bf2140..0000000 --- a/.github/workflows/PullRequestClosed.yml +++ /dev/null @@ -1,28 +0,0 @@ -name: Pull Request Closed - -on: - pull_request: - types: [closed] - -jobs: - PullRequestClosed_job: - name: Pull Request Closed - runs-on: github-ubuntu-latest-s - permissions: - id-token: write - pull-requests: read - # For external PR, ticket should be moved manually - if: | - github.event.pull_request.head.repo.full_name == github.repository - steps: - - id: secrets - uses: SonarSource/vault-action-wrapper@v3 - with: - secrets: | - development/kv/data/jira user | JIRA_USER; - development/kv/data/jira token | JIRA_TOKEN; - - uses: sonarsource/gh-action-lt-backlog/PullRequestClosed@v2 - with: - github-token: ${{secrets.GITHUB_TOKEN}} - jira-user: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_USER }} - jira-token: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_TOKEN }} diff --git a/.github/workflows/PullRequestCreated.yml b/.github/workflows/PullRequestCreated.yml deleted file mode 100644 index 1e00ed0..0000000 --- a/.github/workflows/PullRequestCreated.yml +++ /dev/null 
@@ -1,29 +0,0 @@ -name: Pull Request Created - -on: - pull_request: - types: ["opened"] - -jobs: - PullRequestCreated_job: - name: Pull Request Created - runs-on: github-ubuntu-latest-s - permissions: - id-token: write - # For external PR, ticket should be created manually - if: | - github.event.pull_request.head.repo.full_name == github.repository - steps: - - id: secrets - uses: SonarSource/vault-action-wrapper@v3 - with: - secrets: | - development/github/token/{REPO_OWNER_NAME_DASH}-jira token | GITHUB_TOKEN; - development/kv/data/jira user | JIRA_USER; - development/kv/data/jira token | JIRA_TOKEN; - - uses: sonarsource/gh-action-lt-backlog/PullRequestCreated@v2 - with: - github-token: ${{ fromJSON(steps.secrets.outputs.vault).GITHUB_TOKEN }} - jira-user: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_USER }} - jira-token: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_TOKEN }} - jira-project: SCSCANGHA diff --git a/.github/workflows/RequestReview.yml b/.github/workflows/RequestReview.yml deleted file mode 100644 index eb1425d..0000000 --- a/.github/workflows/RequestReview.yml +++ /dev/null @@ -1,28 +0,0 @@ -name: Request review - -on: - pull_request: - types: ["review_requested"] - -jobs: - RequestReview_job: - name: Request review - runs-on: github-ubuntu-latest-s - permissions: - id-token: write - # For external PR, ticket should be moved manually - if: | - github.event.pull_request.head.repo.full_name == github.repository - steps: - - id: secrets - uses: SonarSource/vault-action-wrapper@v3 - with: - secrets: | - development/github/token/{REPO_OWNER_NAME_DASH}-jira token | GITHUB_TOKEN; - development/kv/data/jira user | JIRA_USER; - development/kv/data/jira token | JIRA_TOKEN; - - uses: sonarsource/gh-action-lt-backlog/RequestReview@v2 - with: - github-token: ${{ fromJSON(steps.secrets.outputs.vault).GITHUB_TOKEN }} - jira-user: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_USER }} - jira-token: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_TOKEN }} 
diff --git a/.github/workflows/SubmitReview.yml b/.github/workflows/SubmitReview.yml deleted file mode 100644 index d5b18a7..0000000 --- a/.github/workflows/SubmitReview.yml +++ /dev/null @@ -1,30 +0,0 @@ -name: Submit Review - -on: - pull_request_review: - types: [submitted] - -jobs: - SubmitReview_job: - name: Submit Review - runs-on: github-ubuntu-latest-s - permissions: - id-token: write - pull-requests: read - # For external PR, ticket should be moved manually - if: | - github.event.pull_request.head.repo.full_name == github.repository - && (github.event.review.state == 'changes_requested' - || github.event.review.state == 'approved') - steps: - - id: secrets - uses: SonarSource/vault-action-wrapper@v3 - with: - secrets: | - development/kv/data/jira user | JIRA_USER; - development/kv/data/jira token | JIRA_TOKEN; - - uses: sonarsource/gh-action-lt-backlog/SubmitReview@v2 - with: - github-token: ${{secrets.GITHUB_TOKEN}} - jira-user: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_USER }} - jira-token: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_TOKEN }} diff --git a/.github/workflows/qa.yml b/.github/workflows/qa.yml index 499388d..dcf9500 100644 --- a/.github/workflows/qa.yml +++ b/.github/workflows/qa.yml @@ -11,10 +11,7 @@ jobs: argsInputTest: name: > 'args' input - strategy: - matrix: - os: [ ubuntu-latest, windows-latest, macos-latest ] - runs-on: ${{ matrix.os }} + runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 with: @@ -31,10 +28,7 @@ jobs: projectBaseDirInputTest: name: > 'projectBaseDir' input - strategy: - matrix: - os: [ ubuntu-latest, windows-latest, macos-latest ] - runs-on: ${{ matrix.os }} + runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 with: 
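Review bot: Nothing in `argsInputTest` or `projectBaseDirInputTest` records why the Windows and macOS entries of the former `os` matrix were dropped, so a later reader may try to restore them. Since `action.yml` in this same commit switches to `using: docker`, and container actions only run on Linux runners, a short comment on the replacement line would save that cross-reference, e.g. `runs-on: ubuntu-latest  # Docker container action: Linux runners only`. Both jobs continue outside their hunks.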
@@ -51,51 +45,118 @@ jobs: - name: Assert run: | ./test/assertFileContains ./output.properties "sonar.projectBaseDir=.*/baseDir" - scannerVersionTest: + sonarTokenRequiredTest: name: > - 'scannerVersion' input - runs-on: github-ubuntu-latest-s # assumes default RUNNER_ARCH for linux is X64 + 'SONAR_TOKEN' env var required + runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 with: token: ${{ secrets.GITHUB_TOKEN }} - - name: Run action with scannerVersion + - name: Run action without SONAR_TOKEN uses: ./ with: - scannerVersion: 6.1.0.4477 args: -Dsonar.scanner.internal.dumpToFile=./output.properties - env: - NO_CACHE: true # force install-sonar-scanner-cli.sh execution - SONAR_HOST_URL: http://not_actually_used - SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}' - - name: Assert + continue-on-error: true + - name: Previous should have failed + if: ${{ steps.runTest.outcome == 'success'}} run: | - ./test/assertFileExists "$RUNNER_TEMP/sonarscanner/sonar-scanner-cli-6.1.0.4477-linux-x64.zip" - scannerBinariesUrlTest: + echo "Expected previous step to fail" + exit 1 + dontFailGradleTest: name: > - 'scannerBinariesUrl' input with invalid URL - runs-on: github-ubuntu-latest-s # assumes default RUNNER_ARCH for linux is X64 + Don't fail on Gradle project + runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 with: token: ${{ secrets.GITHUB_TOKEN }} - - name: Run action with scannerBinariesUrl + - name: Run action on Gradle project id: runTest uses: ./ continue-on-error: true - with: - scannerVersion: 6.2.1.4610 - scannerBinariesUrl: https://invalid_uri/Distribution/sonar-scanner-cli env: - NO_CACHE: true # force install-sonar-scanner-cli.sh execution - SONAR_HOST_URL: http://not_actually_used - SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}' - - name: Fail if action succeeded - if: steps.runTest.outcome == 'success' - run: exit 1 - - name: Assert Sonar Scanner CLI was not 
downloaded + SONAR_TOKEN: FAKE_TOKEN + with: + projectBaseDir: ./test/gradle-project + args: -Dsonar.scanner.internal.dumpToFile=./output.properties + - name: Assert run: | - ./test/assertFileDoesntExist "$RUNNER_TEMP/sonarscanner/sonar-scanner-cli-6.2.1.4610-linux-x64.zip" - - name: Assert Sonar Scanner CLI was not executed + ./test/assertFileExists ./output.properties + dontFailGradleKotlinTest: + name: > + Don't fail on Kotlin Gradle project + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + token: ${{ secrets.GITHUB_TOKEN }} + - name: Run action on Kotlin Gradle project + id: runTest + uses: ./ + continue-on-error: true + env: + SONAR_TOKEN: FAKE_TOKEN + with: + projectBaseDir: ./test/gradle-project-kotlin + args: -Dsonar.scanner.internal.dumpToFile=./output.properties + - name: Assert run: | - ./test/assertFileDoesntExist ./output.properties + ./test/assertFileExists ./output.properties + dontFailMavenTest: + name: > + Don't fail on Maven project + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + token: ${{ secrets.GITHUB_TOKEN }} + - name: Run action on Maven project + id: runTest + uses: ./ + continue-on-error: true + env: + SONAR_TOKEN: FAKE_TOKEN + with: + projectBaseDir: ./test/maven-project + args: -Dsonar.scanner.internal.dumpToFile=./output.properties + - name: Assert + run: | + ./test/assertFileExists ./output.properties + runnerDebugUsedTest: + name: > + 'RUNNER_DEBUG' is used + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + token: ${{ secrets.GITHUB_TOKEN }} + - name: Run action with debug mode + uses: ./ + with: + args: -Dsonar.scanner.internal.dumpToFile=./output.properties + env: + RUNNER_DEBUG: 1 + SONAR_TOKEN: FAKE_TOKEN + - name: Assert + run: | + ./test/assertFileContains ./output.properties "sonar.verbose=true" + overrideSonarcloudUrlTest: + name: > + 'SONARCLOUD_URL' is used + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + token: ${{ 
secrets.GITHUB_TOKEN }} + - name: Run action with SONARCLOUD_URL + uses: ./ + with: + args: -Dsonar.scanner.internal.dumpToFile=./output.properties + env: + SONARCLOUD_URL: mirror.sonarcloud.io + SONAR_TOKEN: FAKE_TOKEN + - name: Assert + run: | + ./test/assertFileContains ./output.properties "sonar.host.url=mirror.sonarcloud.io" + ./test/assertFileContains ./output.properties "sonar.scanner.sonarcloudUrl=mirror.sonarcloud.io" diff --git a/.github/workflows/update-tags.yml b/.github/workflows/update-tags.yml index be85366..a07d193 100644 --- a/.github/workflows/update-tags.yml +++ b/.github/workflows/update-tags.yml @@ -7,7 +7,7 @@ on: jobs: generate: - runs-on: github-ubuntu-latest-s + runs-on: ubuntu-latest permissions: contents: write diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..3cc91c6 --- /dev/null +++ b/Dockerfile 
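Review bot: In `sonarTokenRequiredTest` the step `Run action without SONAR_TOKEN` carries no `id: runTest`, so `steps.runTest.outcome` in the `Previous should have failed` step never equals `success` and that job passes even when the action runs without a token — the test cannot fail. Add `id: runTest` directly under that step's `name:` line, as the other new jobs (`dontFailGradleTest`, `dontFailGradleKotlinTest`, `dontFailMavenTest`) keep it as context. Wrapping the condition in `${{ }}` is also inconsistent with the bare `if:` expressions used elsewhere in this file, though that is cosmetic.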
@@ -0,0 +1,32 @@
+FROM sonarsource/sonar-scanner-cli:11.1
+
+LABEL version="3.1.0" \
+ repository="https://github.com/sonarsource/sonarcloud-github-action" \
+ homepage="https://github.com/sonarsource/sonarcloud-github-action" \
+ maintainer="SonarSource" \
+ com.github.actions.name="SonarCloud Scan" \
+ com.github.actions.description="Scan your code with SonarCloud to detect bugs, vulnerabilities and code smells in more than 25 programming languages." \
+ com.github.actions.icon="check" \
+ com.github.actions.color="green"
+
+ARG SONAR_SCANNER_HOME=/opt/sonar-scanner
+ARG NODEJS_HOME=/opt/nodejs
+
+ENV PATH=${PATH}:${SONAR_SCANNER_HOME}/bin:${NODEJS_HOME}/bin
+
+# set up local envs in order to allow for special chars (non-asci) in filenames
+ENV LC_ALL="C.UTF-8"
+
+WORKDIR /opt
+
+# GitHub actions should be run under ROOT
+# https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners#docker-container-filesystem
+USER 0
+
+# Prepare entrypoint
+COPY entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
+COPY cleanup.sh /cleanup.sh
+RUN chmod +x /cleanup.sh
+
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/README.md b/README.md
index 07af29f..fe15a1e 100644
--- a/README.md
+++ b/README.md
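Review bot: `FROM sonarsource/sonar-scanner-cli:11.1` is a mutable tag, so the scanner, JRE and Node.js shipped by a released version of this action can change underneath it with no change in this repository. Pin the base image by digest, `FROM sonarsource/sonar-scanner-cli:11.1@sha256:<BASE_IMAGE_DIGEST>` (placeholder digest), and bump it deliberately. The comment above `USER 0` explains why root is needed; it could also mention that `cleanup.sh`, copied a few lines below, exists to hand ownership of the files the root scan creates back afterwards. If BuildKit is available, each `COPY`/`RUN chmod +x` pair can collapse into `COPY --chmod=755 entrypoint.sh /entrypoint.sh`, saving a layer per script.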
@@ -1,151 +1,126 @@ -# Scan your code with SonarQube Cloud [![QA](https://github.com/SonarSource/sonarcloud-github-action/actions/workflows/qa.yml/badge.svg)](https://github.com/SonarSource/sonarcloud-github-action/actions/workflows/qa.yml) +# Analyze your code for free with SonarCloud -> [!WARNING] -> This action is deprecated and will be removed in a future release. -> Please use the `sonarqube-scan-action` action instead. -> The `sonarqube-scan-action` is a drop-in replacement for this action, you can find it [here](https://github.com/marketplace/actions/official-sonarqube-scan). +This SonarSource project, available as a GitHub Action, scans your projects with SonarCloud, and helps developers produce +[Clean Code](https://www.sonarsource.com/solutions/clean-code/?utm_medium=referral&utm_source=github&utm_campaign=clean-code&utm_content=sonarqube-scan-action). -This SonarSource project, available as a GitHub Action, scans your projects with SonarQube [Cloud](https://www.sonarsource.com/products/sonarcloud/). + -![Logo](./images/SQ_Logo_Cloud_Dark_Backgrounds.png#gh-dark-mode-only) -![Logo](./images/SQ_Logo_Cloud_Light_Backgrounds.png#gh-light-mode-only) - -SonarQube [Cloud](https://www.sonarsource.com/products/sonarcloud/) (formerly SonarCloud) is a widely used static analysis solution for continuous code quality and security inspection. - -It helps developers detect coding issues in 30+ languages, frameworks, and IaC platforms, including Java, JavaScript, TypeScript, C#, Python, C, C++, and [many more](https://www.sonarsource.com/knowledge/languages/). - -The solution also provides fix recommendations leveraging AI with Sonar's AI CodeFix capability. +[SonarCloud](https://www.sonarsource.com/products/sonarcloud/) is a widely used static analysis solution for continuous code quality and security inspection. +It helps developers identify and fix issues in their code that could lead to bugs, vulnerabilities, or decreased development velocity. 
+SonarCloud supports the most popular programming languages, including Java, JavaScript, TypeScript, C#, Python, C, C++, and [many more](https://www.sonarsource.com/knowledge/languages/). ## Requirements -* Create your account on SonarQube Cloud. [Sign up for free](https://www.sonarsource.com/products/sonarcloud/signup/?utm_medium=referral&utm_source=github&utm_campaign=sc-signup&utm_content=signup-sonarcloud-listing-x-x&utm_term=ww-psp-x) now if it's not already the case! -* The repository to analyze is set up on SonarQube Cloud. [Set it up](https://sonarcloud.io/projects/create) in just one click. +* Create your account on SonarCloud. Sign up for free now if it's not already the case! [SonarCloud Sign up](https://www.sonarsource.com/products/sonarcloud/signup/?utm_medium=referral&utm_source=github&utm_campaign=sc-signup&utm_content=signup-sonarcloud-listing-x-x&utm_term=ww-psp-x) +* The repository to analyze is set up on SonarCloud. [Set it up](https://sonarcloud.io/projects/create) in just one click. ## Usage Project metadata, including the location of the sources to be analyzed, must be declared in the file `sonar-project.properties` in the base directory: ```properties -sonar.organization= -sonar.projectKey= +sonar.organization= +sonar.projectKey= # relative paths to source directories. More details and properties are described -# at https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/analysis-scope/ +# in https://sonarcloud.io/documentation/project-administration/narrowing-the-focus/ sonar.sources=. ``` -The workflow, usually declared under `.github/workflows`, looks like: +The workflow, usually declared in `.github/workflows/build.yml`, looks like: ```yaml on: - # Trigger analysis when pushing to your main branches, and when creating a pull request. + # Trigger analysis when pushing in master or pull requests, and when creating + # a pull request. 
push: branches: - - main - master - - develop - - 'releases/**' pull_request: types: [opened, synchronize, reopened] - name: Main Workflow jobs: - sonarqube: + sonarcloud: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 with: - # Disabling shallow clones is recommended for improving the relevancy of reporting + # Disabling shallow clone is recommended for improving relevancy of reporting fetch-depth: 0 - - name: SonarQube Scan - uses: sonarsource/sonarcloud-github-action@ # Ex: v4.0.0, See the latest version at https://github.com/marketplace/actions/sonarcloud-scan + - name: SonarCloud Scan + uses: sonarsource/sonarcloud-github-action@ # Ex: v2.1.0, See the latest version at https://github.com/marketplace/actions/sonarcloud-scan env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} ``` -## Action parameters - You can change the analysis base directory by using the optional input `projectBaseDir` like this: ```yaml -- uses: sonarsource/sonarcloud-github-action@ - with: - projectBaseDir: app/src +uses: sonarsource/sonarcloud-github-action@ # Ex: v2.1.0, See the latest version at https://github.com/marketplace/actions/sonarcloud-scan +with: + projectBaseDir: my-custom-directory ``` -In case you need to specify the version of the Sonar Scanner, you can use the `scannerVersion` option: +In case you need to add additional analysis parameters, you can use the `args` option: ```yaml -- uses: sonarsource/sonarcloud-github-action@ +- name: Analyze with SonarCloud + uses: sonarsource/sonarcloud-github-action@ # Ex: v2.1.0, See the latest version at https://github.com/marketplace/actions/sonarcloud-scan with: - scannerVersion: 6.2.0.4584 -``` - -In case you need to add additional analysis parameters, and you do not wish to set them in the `sonar-project.properties` file, you can use the `args` option: - -```yaml -- uses: sonarsource/sonarcloud-github-action@ - with: - projectBaseDir: app/src + projectBaseDir: my-custom-directory args: > -Dsonar.organization=my-organization 
-Dsonar.projectKey=my-projectkey -Dsonar.python.coverage.reportPaths=coverage.xml -Dsonar.sources=lib/ - -Dsonar.tests=tests/ -Dsonar.test.exclusions=tests/** + -Dsonar.tests=tests/ -Dsonar.verbose=true ``` -You can also specify the URL where to retrieve the SonarScanner CLI from. -The specified URL overrides the default address: `https://binaries.sonarsource.com/Distribution/sonar-scanner-cli`. -This can be useful when the runner executing the action is self-hosted and has regulated or no access to the Internet: +More information about possible analysis parameters is found in the documentation at: +https://docs.sonarcloud.io/advanced-setup/analysis-parameters -```yaml -- uses: sonarsource/sonarcloud-github-action@ - with: - scannerBinariesUrl: https://my.custom.binaries.url.com/Distribution/sonar-scanner-cli/ -``` +See also example configurations at: +https://github.com/sonarsource/sonarcloud-github-action-samples/ -More information about possible analysis parameters can be found in the [Analysis parameters page](https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/analysis-parameters/) of the SonarQube Cloud documentation. +### Secrets -### Environment variables - -- `SONAR_TOKEN` – **Required** this is the token used to authenticate access to SonarQube. You can read more about security tokens in the [documentation](https://docs.sonarsource.com/sonarqube-cloud/managing-your-account/managing-tokens/). You can set the `SONAR_TOKEN` environment variable in the "Secrets" settings page of your repository, or you can add them at the level of your GitHub organization (recommended). +- `SONAR_TOKEN` – **Required** this is the token used to authenticate access to SonarCloud. You can generate a token on your [Security page in SonarCloud](https://sonarcloud.io/account/security/). You can set the `SONAR_TOKEN` environment variable in the "Secrets" settings page of your repository. 
- *`GITHUB_TOKEN` – Provided by Github (see [Authenticating with the GITHUB_TOKEN](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/authenticating-with-the-github_token)).* -- `SONAR_ROOT_CERT` – Holds an additional certificate (in PEM format) that is used to validate the certificate of a secured proxy to SonarQube Cloud. You can set the `SONAR_ROOT_CERT` environment variable in the "Secrets" settings page of your repository, or you can add them at the level of your GitHub organization (recommended). -Here is an example of how you can pass a certificate (in PEM format) to the Scanner truststore: +## Error cleaning up workspace -```yaml -- uses: sonarsource/sonarcloud-github-action@ - env: - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - SONAR_ROOT_CERT: ${{ secrets.SONAR_ROOT_CERT }} +In some cases, the checkout action may fail to clean up the workspace. This is a known problem for GitHub actions implemented as a docker container (such as `sonarcloud-github-actions`) when self-hosted runners are used. +Example of the error message: `File was unable to be removed Error: EACCES: permission denied, unlink '/actions-runner/_work//project/.scannerwork/.sonar_lock'` +To work around the problem, `sonarcloud-github-action` attempts to fix the permission of the temporary files that it creates. If that doesn't work, you can manually clean up the workspace by running the following action: ``` - -If your source code file names contain special characters that are not covered by the locale range of `en_US.UTF-8`, you can configure your desired locale like this: - -```yaml -- uses: sonarsource/sonarcloud-github-action@ - env: - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - LC_ALL: "ru_RU.UTF-8" +- name: Clean the workspace + uses: docker://alpine + with: + args: /bin/sh -c "find \"${GITHUB_WORKSPACE}\" -mindepth 1 ! -name . -prune -exec rm -rf {} +" ``` +You can find more info [here](https://github.com/actions/runner/issues/434). 
-## Alternatives for Java, .NET, and C/C++ projects +## Example of pull request analysis -This GitHub Action will not work for all technologies. If you are in one of the following situations, you should use the following alternatives: + -* Your code is built with Maven. Read the documentation about our [SonarScanner for Maven](https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/ci-based-analysis/sonarscanner-for-maven/). -* Your code is built with Gradle. Read the documentation about our [SonarScanner for Gradle](https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/ci-based-analysis/sonarscanner-for-gradle/). -* You want to analyze a .NET solution. Read the documentation about our [SonarScanner for .NET](https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/ci-based-analysis/sonarscanner-for-dotnet/introduction/). -* You want to analyze C or C++ code. Starting from SonarQube 10.6, this GitHub Action will scan C and C++ out of the box. If you want to have better control over the scan configuration/setup, you can switch to the [SonarQube Cloud Scan for C and C++](https://github.com/marketplace/actions/sonarcloud-scan-for-c-and-c) GitHub Action - look at [our sample C and C++ project](https://github.com/sonarsource-cfamily-examples?q=gh-actions-sc&type=all&language=&sort=). +Want to see more examples of SonarCloud in action? You can [explore current Open Source projects in SonarCloud](https://sonarcloud.io/explore/projects?sort=-analysis_date?utm_medium=referral&utm_source=github&utm_campaign=sc-signup&utm_content=signup-sonarcloud-listing-x-x&utm_term=ww-psp-x) that are using the Clean as You Code methodology. 
+ +## Do not use this GitHub action if you are in the following situations + +* Your code is built with Maven: run 'org.sonarsource.scanner.maven:sonar' during the build +* Your code is built with Gradle: use the SonarQube plugin for Gradle during the build +* You want to analyze a .NET solution: Follow our interactive tutorial for GitHub Actions after importing your project directly into SonarCloud +* You want to analyze C and C++ code: rely on our [SonarCloud Scan for C and C++](https://github.com/marketplace/actions/sonarcloud-scan-for-c-and-c) and look at [our sample C and C++ project](https://github.com/sonarsource-cfamily-examples?q=gh-actions-sc&type=all&language=&sort=) ## Have questions or feedback? -To provide feedback (requesting a feature or reporting a bug) please post on the [SonarSource Community Forum](https://community.sonarsource.com/tags/c/help/sc/9/github-actions). +To provide feedback (requesting a feature or reporting a bug) please post on the [SonarSource Community Forum](https://community.sonarsource.com/) with the tag `sonarcloud`. ## License +The Dockerfile and associated scripts and documentation in this project are released under the LGPLv3 License. + Container images built with this project include third-party materials. diff --git a/action.yml b/action.yml index eefd987..de11390 100644 --- a/action.yml +++ b/action.yml 
@@ -1,37 +1,20 @@ -name: SonarQube Cloud Scan +name: SonarCloud Scan description: > - Scan your code with SonarQube Cloud to detect coding issues in 30+ - languages. (Formerly SonarCloud) + Scan your code with SonarCloud to detect bugs, vulnerabilities and code smells + in 26+ programming languages. branding: icon: check color: green +runs: + using: docker + image: Dockerfile + entrypoint: "/entrypoint.sh" + post-entrypoint: "/cleanup.sh" inputs: args: - description: Additional arguments to the Sonar Scanner CLI + description: Additional arguments to the sonarcloud scanner required: false projectBaseDir: description: Set the sonar.projectBaseDir analysis property required: false - scannerVersion: - description: Version of the Sonar Scanner CLI to use - required: false - # to be kept in sync with the default version in the sonarqube-scan-action - default: 7.0.2.4839 - scannerBinariesUrl: - description: URL to download the Sonar Scanner CLI binaries from - required: false - default: https://binaries.sonarsource.com/Distribution/sonar-scanner-cli -runs: - using: "composite" - steps: - - name: Deprecation warning - shell: bash - run: | - echo "::warning title=SonarScanner::This action is deprecated and will be removed in a future release. Please use the sonarqube-scan-action action instead. The sonarqube-scan-action is a drop-in replacement for this action." - - name: SonarQube Cloud Scan - uses: SonarSource/sonarqube-scan-action@v5.0.0 - with: - args: ${{ inputs.args }} - projectBaseDir: ${{ inputs.projectBaseDir }} - scannerVersion: ${{ inputs.scannerVersion }} - scannerBinariesUrl: ${{ inputs.scannerBinariesUrl }} + default: . diff --git a/cleanup.sh b/cleanup.sh new file mode 100644 index 0000000..8a5e4c9 --- /dev/null +++ b/cleanup.sh 
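Review bot: The `args` description `Additional arguments to the sonarcloud scanner` does not say how the value is split: `entrypoint.sh` in this same commit expands it unquoted as `${INPUT_ARGS}`, so the shell whitespace-splits it and a single argument containing a space cannot be passed. Say so in the description, e.g. `description: Additional arguments to the sonarcloud scanner, split on whitespace (no quoting support)`. `post-entrypoint: "/cleanup.sh"` also deserves a one-line comment naming what it does (restores ownership of `.scannerwork` after the root-run scan), since nothing else in this file hints at it.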
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -e
+
+if [ ! -d "${INPUT_PROJECTBASEDIR}/.scannerwork" ]; then
+ echo ".scannerwork directory not found; nothing to clean up."
+ exit
+fi
+
+_tmp_file=$(ls "${INPUT_PROJECTBASEDIR}/" | head -1)
+PERM=$(stat -c "%u:%g" "${INPUT_PROJECTBASEDIR}/$_tmp_file")
+
+chown -R "$PERM" "${INPUT_PROJECTBASEDIR}/.scannerwork/"
+
diff --git a/entrypoint.sh b/entrypoint.sh
new file mode 100755
index 0000000..d8e59e0
--- /dev/null
+++ b/entrypoint.sh
@@ -0,0 +1,34 @@
+#!/bin/bash
+
+set -eo pipefail
+
+declare -a args=()
+
+if [[ -z "${SONAR_TOKEN}" ]]; then
+ echo "Set the SONAR_TOKEN env variable."
+ exit 1
+fi
+
+if [[ -f "${INPUT_PROJECTBASEDIR%/}/pom.xml" ]]; then
+ echo "WARNING! Maven project detected. Sonar recommends running the 'org.sonarsource.scanner.maven:sonar-maven-plugin:sonar' goal during the build process instead of using this GitHub Action
+ to get more accurate results."
+fi
+
+if [[ -f "${INPUT_PROJECTBASEDIR%/}/build.gradle" || -f "${INPUT_PROJECTBASEDIR%/}/build.gradle.kts" ]]; then
+ echo "WARNING! Gradle project detected. Sonar recommends using the SonarQube plugin for Gradle during the build process instead of using this GitHub Action
+ to get more accurate results."
+fi
+
+if [[ ${SONARCLOUD_URL} ]]; then
+ args+=("-Dsonar.scanner.sonarcloudUrl=${SONARCLOUD_URL}")
+fi
+
+if [[ "$RUNNER_DEBUG" == '1' ]]; then
+ args+=("--debug")
+fi
+
+unset JAVA_HOME
+
+args+=("-Dsonar.projectBaseDir=${INPUT_PROJECTBASEDIR}")
+
+sonar-scanner "${args[@]}" ${INPUT_ARGS}
diff --git a/images/SQ_Logo_Cloud_Dark_Backgrounds.png b/images/SQ_Logo_Cloud_Dark_Backgrounds.png
deleted file mode 100644
index 9e9a1f4..0000000
Binary files a/images/SQ_Logo_Cloud_Dark_Backgrounds.png and /dev/null differ
diff --git a/images/SQ_Logo_Cloud_Light_Backgrounds.png b/images/SQ_Logo_Cloud_Light_Backgrounds.png
deleted file mode 100644
index 4a7f25e..0000000
Binary files a/images/SQ_Logo_Cloud_Light_Backgrounds.png and /dev/null differ
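Review bot: Deriving the owner from `ls "${INPUT_PROJECTBASEDIR}/" | head -1` is fragile: `ls` omits dot-files, so a base directory holding only hidden entries leaves `_tmp_file` empty and `stat` silently falls back to the directory itself, while in other cases the first listed entry may be a symlink or a file that the root-run scan itself created, giving the wrong `uid:gid`. Take the owner from the base directory directly, `PERM=$(stat -c "%u:%g" "${INPUT_PROJECTBASEDIR}")`, and drop the `_tmp_file` line. A bare `exit` after the not-found message returns the status of `echo`, which is 0 here, but `exit 0` states the intent.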
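Review bot: `sonar-scanner "${args[@]}" ${INPUT_ARGS}` expands the user-supplied `args` input unquoted, so beyond the intended word splitting it is subject to pathname expansion: a value such as `-Dsonar.exclusions=**/*.js` is matched against the working directory and, when files match, is replaced by their names, silently changing the analysis scope. Disable globbing on the line before the call with `set -f`, or split the input once with `read -r -a extra_args <<< "${INPUT_ARGS}"` and pass `"${extra_args[@]}"`. Reading `SONAR_TOKEN` from the environment and never placing it on the command line is the right call; `[[ ${SONARCLOUD_URL} ]]` works unquoted inside `[[ ]]`, but `[[ -n "${SONARCLOUD_URL}" ]]` reads more clearly.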
diff --git a/images/SonarCloud-72px.png b/images/SonarCloud-72px.png new file mode 100644 index 0000000..98ce8c1 Binary files /dev/null and b/images/SonarCloud-72px.png differ diff --git a/images/SonarCloud-analysis-in-Checks.png b/images/SonarCloud-analysis-in-Checks.png new file mode 100644 index 0000000..2f025a4 Binary files /dev/null and b/images/SonarCloud-analysis-in-Checks.png differ diff --git a/test/assertFileDoesntExist b/test/assertFileDoesntExist deleted file mode 100755 index 032a07c..0000000 --- a/test/assertFileDoesntExist +++ /dev/null @@ -1,8 +0,0 @@ -#!/bin/bash - -error() { echo -e "\\e[31m✗ $*\\e[0m"; } - -if [ -f $1 ]; then - error "File '$1' found" - exit 1 -fi \ No newline at end of file diff --git a/test/gradle-project-kotlin/build.gradle.kts b/test/gradle-project-kotlin/build.gradle.kts new file mode 100644 index 0000000..e69de29 diff --git a/test/gradle-project/build.gradle b/test/gradle-project/build.gradle new file mode 100644 index 0000000..8b13789 --- /dev/null +++ b/test/gradle-project/build.gradle @@ -0,0 +1 @@ + diff --git a/test/maven-project/pom.xml b/test/maven-project/pom.xml new file mode 100644 index 0000000..8b13789 --- /dev/null +++ b/test/maven-project/pom.xml @@ -0,0 +1 @@ +