Fix Sonar Scan workflow for external pull requests

MethanePowered · Jan 9, 2024 · 353b7b0 · 353b7b0 · github-actions · Jan 9, 2024
1 parent 3a05cd7
commit 353b7b0
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 16 deletions.
diff --git a/.github/workflows/ci-sonar-scan.yml b/.github/workflows/ci-sonar-scan.yml
@@ -20,8 +20,8 @@ on:
       - 'CMakeLists.txt'
       - 'CMakePresets.json'
 
-  # Pull request event runs in context of the target repository branch, but remote repos do not have access to secrets,
-  # so it is used only for internal PRs from origin repository branches according to job condition below.
+  # "Pull request" event runs in context of the target repository branch, but remote repos do not have access to secrets,
+  # it is used only for internal PRs from origin repository branches according to job condition below.
   pull_request:
     branches: [ master ]
     types: [opened, synchronize, reopened]
@@ -69,9 +69,13 @@ jobs:
     # - Trigger on either "push" or "pull request" event for the origin repository owned branches
     # - Or trigger on "pull request target" event for external repositories to have access to secrets from origin repo context
     #   see https://github.com/orgs/community/discussions/26829
-    if: ${{ github.repository == 'MethanePowered/MethaneKit' && 
-            (github.event_name != 'pull_request_target' ||
-             github.event.pull_request.head.repo.full_name != github.repository) }}
+    if: ${{ github.repository == 'MethanePowered/MethaneKit' && (
+               github.event_name == 'push' ||
+              (github.event_name == 'pull_request' &&
+               github.event.pull_request.head.repo.full_name == github.repository) ||
+              (github.event_name == 'pull_request_target' &&
+               github.event.pull_request.head.repo.full_name != github.repository)
+            ) }}
 
     strategy:
       fail-fast: false
@@ -115,16 +119,35 @@ jobs:
       COMPILE_COMMANDS_FILE: Build/Output/${{ matrix.config_preset }}/Build/compile_commands.json
 
     steps:
-      - name: Checkout repository
+      - name: Checkout origin repository branch
+        if: ${{ github.event_name != 'pull_request_target' }}
         uses: actions/checkout@v3
         with:
           fetch-depth: 0
 
+      - name: Checkout fork repository branch
+        if: ${{ github.event_name == 'pull_request_target' }}
+        uses: actions/checkout@v3
+        with:
+          repository: ${{ github.event.pull_request.head.repo.full_name }}
+          ref: ${{ github.event.pull_request.head.ref }}
+          fetch-depth: 0
+
+      - name: Checkout base branch
+        if: ${{ github.event_name == 'pull_request_target' }}
+        run: |
+          git remote add upstream ${{ github.event.pull_request.base.repo.full_name }}
+          git fetch upstream
+          git checkout -B ${{ github.event.pull_request.base.ref }} upstream/${{ github.event.pull_request.base.ref }}
+          git checkout ${{ github.event.pull_request.head.ref }}
+          git clean -ffdx && git reset --hard HEAD
+
       - name: Install Linux prerequisites
         if: ${{ matrix.os_name == 'linux' }}
         run: ./Build/Unix/CI/InstallLinuxPrerequisites.sh lcov
 
-      - name: Install Testspace
+      - name: Install TestSpace
+        if: ${{ github.event_name == 'push' }}
         uses: testspace-com/setup-testspace@v1
         with:
           domain: ${{ github.repository_owner }}
@@ -219,8 +242,8 @@ jobs:
           name: MethaneKit_${{ matrix.name }}_CoverageResults
           path: Build/Output/${{ matrix.config_preset }}/Install/Tests/Coverage/Report/Cobertura.xml
 
-      - name: Upload Build Log and Code Coverage to Testspace server
-        if: ${{ success() || failure() }}
+      - name: Upload Build Log and Code Coverage to TestSpace server
+        if: ${{ github.event_name == 'push' && (success() || failure()) }}
         shell: bash
         run: |
           testspace \
@@ -243,10 +266,10 @@ jobs:
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
           SONAR_ORGANIZATION: methane-powered
           GITHUB_EVENT_NAME: ${{ github.event_name }}
-          GITHUB_COMMIT_SHA: ${{ github.sha }}
-          GITHUB_PR_NUMBER: ${{ github.event.pull_request.number }}"
-          GITHUB_PR_BRANCH: ${{ github.event.pull_request.head.ref }}"
-          GITHUB_PR_BASE: ${{ github.event.pull_request.base.ref }}"
+          GITHUB_COMMIT_SHA: ${{ github.event_name == 'push' && github.sha || github.event.pull_request.head.sha }}
+          GITHUB_PR_NUMBER: ${{ github.event.pull_request.number }}
+          GITHUB_PR_BRANCH: ${{ github.event.pull_request.head.ref }}
+          GITHUB_PR_BASE: ${{ github.event.pull_request.base.ref }}
         run: |
             ./Build/Unix/CI/RunSonarScanner.sh \
               "${{ matrix.sonar_project_key }}" \

diff --git a/Build/Unix/CI/RunSonarScanner.sh b/Build/Unix/CI/RunSonarScanner.sh
@@ -3,12 +3,15 @@
 sonar_project_key="${1}"
 build_dir="${2}"
 tests_dir="${3}"
+if [ "${SONAR_TOKEN}" == "" ]; then
+    echo "Sonar Token is not available!"
+    exit 1
+fi
 case "$OSTYPE" in
   msys*|cygwin*) sonar_scanner_exe="sonar-scanner.bat" ;;
   *) sonar_scanner_exe="sonar-scanner" ;;
 esac
-# Uncomment to enable debug output:
-# sonar_scanner_exe="${sonar_scanner_exe} -X"
+# Add -X flag to enable debug output:
 SONAR_SCAN_CMD="${sonar_scanner_exe} --define sonar.host.url=https://sonarcloud.io"
 SONAR_SCAN_CMD="$SONAR_SCAN_CMD --define sonar.organization=${SONAR_ORGANIZATION}"
 SONAR_SCAN_CMD="$SONAR_SCAN_CMD --define sonar.projectKey=${sonar_project_key}"
@@ -17,7 +20,7 @@ SONAR_SCAN_CMD="$SONAR_SCAN_CMD --define sonar.cfamily.compile-commands=${build_
 SONAR_SCAN_CMD="$SONAR_SCAN_CMD --define sonar.testExecutionReportPaths=${test_results}"
 SONAR_SCAN_CMD="$SONAR_SCAN_CMD --define sonar.coverageReportPaths=${tests_dir}/Coverage/Report/SonarQube.xml"
 SONAR_SCAN_CMD="$SONAR_SCAN_CMD --define sonar.scm.revision=${GITHUB_COMMIT_SHA}"
-if [ "${GITHUB_EVENT_NAME}" == "pull_request" ]; then
+if [[ ${GITHUB_EVENT_NAME} == pull_request* ]]; then
   SONAR_SCAN_CMD="$SONAR_SCAN_CMD --define sonar.pullrequest.provider=GitHub"
   SONAR_SCAN_CMD="$SONAR_SCAN_CMD --define sonar.pullrequest.github.repository=MethanePowered/MethaneKit"
   SONAR_SCAN_CMD="$SONAR_SCAN_CMD --define sonar.pullrequest.key=${GITHUB_PR_NUMBER}"
Package	Line Rate	Branch Rate	Health
Default	38%	100%	➖
Summary	38% (7685 / 20305)	100% (0 / 0)	➖
Package	Line Rate	Branch Rate	Health
D:\a\MethaneKit\MethaneKit\Build\Output\Ninja-Win-DX-Scan\Install\Tests\MethaneDataEventsTest.exe	95%	100%	✔
D:\a\MethaneKit\MethaneKit\Build\Output\Ninja-Win-DX-Scan\Install\Tests\MethaneDataRangeSetTest.exe	91%	100%	✔
D:\a\MethaneKit\MethaneKit\Build\Output\Ninja-Win-DX-Scan\Install\Tests\MethaneDataTypesTest.exe	98%	100%	✔
D:\a\MethaneKit\MethaneKit\Build\Output\Ninja-Win-DX-Scan\Install\Tests\MethaneGraphicsCameraTest.exe	61%	100%	➖
D:\a\MethaneKit\MethaneKit\Build\Output\Ninja-Win-DX-Scan\Install\Tests\MethaneGraphicsRhiTest.exe	42%	100%	➖
D:\a\MethaneKit\MethaneKit\Build\Output\Ninja-Win-DX-Scan\Install\Tests\MethaneGraphicsTypesTest.exe	98%	100%	✔
D:\a\MethaneKit\MethaneKit\Build\Output\Ninja-Win-DX-Scan\Install\Tests\MethanePlatformInputTest.exe	43%	100%	➖
D:\a\MethaneKit\MethaneKit\Build\Output\Ninja-Win-DX-Scan\Install\Tests\MethaneUserInterfaceTypesTest.exe	9%	100%	❌
Summary	34% (4496 / 13379)	100% (0 / 0)	➖
Package	Line Rate	Branch Rate	Health
Default	49%	22%	➖
Summary	49% (12122 / 24799)	22% (3394 / 15604)	➖