-
Notifications
You must be signed in to change notification settings - Fork 12
46 lines (40 loc) · 1.74 KB
/
sonar-scan-pull-request.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
name: Sonar Scan
on:
# Warning: using the pull_request_target event without the cautionary measures may allow
# unauthorized GitHub users to open a “pwn request” and exfiltrate secrets.
pull_request_target:
types: [opened, synchronize, reopened, labeled]
jobs:
authorize:
environment:
${{ github.event_name == 'pull_request_target' &&
github.event.pull_request.head.repo.full_name != github.repository &&
'sonar' || 'internal' }}
runs-on: ubuntu-latest
steps:
- run: true
sonar:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
# We need to fetch all branches and commits so that Nx affected has a base to compare
# against.
fetch-depth: 0
# By default, actions/checkout@v4 will checkout the main branch instead of the merge
# commit when when using pull_request_target. It is currently difficult to checkout the
# merge commit in this context. The current solution is to checkout the PR HEAD insteand
# and enable the branch protection rule "Require branches to be up to date before
# merging".
ref: ${{ github.event.pull_request.head.sha }}
- name: Derive appropriate SHAs for base and head for `nx affected` commands
uses: nrwl/nx-set-shas@v4
- name: Set up the dev container
env:
SONAR_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }}
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
uses: ./.github/actions/setup-dev-container
- name: Scan the affected projects with Sonar
run: |
devcontainer exec --workspace-folder ../sage-monorepo bash -c ". ./dev-env.sh \
&& nx affected --target=sonar"