diff --git a/.github/workflows/ci-sonar-scan.yml b/.github/workflows/ci-sonar-scan.yml index 575b8dd9b..134178793 100644 --- a/.github/workflows/ci-sonar-scan.yml +++ b/.github/workflows/ci-sonar-scan.yml @@ -20,8 +20,8 @@ on: - 'CMakeLists.txt' - 'CMakePresets.json' - # Pull request event runs in context of the target repository branch, but remote repos do not have access to secrets, - # so it is used only for internal PRs from origin repository branches according to job condition below. + # "Pull request" event runs in context of the target repository branch, but remote repos do not have access to secrets, + # it is used only for internal PRs from origin repository branches according to job condition below. pull_request: branches: [ master ] types: [opened, synchronize, reopened] @@ -69,9 +69,13 @@ jobs: # - Trigger on either "push" or "pull request" event for the origin repository owned branches # - Or trigger on "pull request target" event for external repositories to have access to secrets from origin repo context # see https://github.com/orgs/community/discussions/26829 - if: ${{ github.repository == 'MethanePowered/MethaneKit' && - (github.event_name != 'pull_request_target' || - github.event.pull_request.head.repo.full_name != github.repository) }} + if: ${{ github.repository == 'MethanePowered/MethaneKit' && ( + github.event_name == 'push' || + (github.event_name == 'pull_request' && + github.event.pull_request.head.repo.full_name == github.repository) || + (github.event_name == 'pull_request_target' && + github.event.pull_request.head.repo.full_name != github.repository) + ) }} strategy: fail-fast: false 
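Review bot: The `pull_request_target` arm of the new job `if:` admits any fork PR into a job that holds `secrets.SONAR_TOKEN`, with no approval gate visible in this hunk. The later hunks make this matter: the "Checkout fork repository branch" step replaces the workspace with the fork's tree, and the steps that run `./Build/Unix/CI/InstallLinuxPrerequisites.sh` and `./Build/Unix/CI/RunSonarScanner.sh` then execute the fork's copies of those scripts in the privileged context. Consider gating the fork arm on a maintainer action, for example `contains(github.event.pull_request.labels.*.name, '<APPROVAL_LABEL>')` (label name is a placeholder) or a protected `environment:` with required reviewers. A stronger option is to split the work: an unprivileged `pull_request` build that uploads its results as artifacts, plus a `workflow_run` job that only performs the Sonar upload. The job definition continues outside the hunk, so a restrictive `permissions:` block may already exist there; if not, it is worth adding.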
@@ -115,16 +119,35 @@ jobs: COMPILE_COMMANDS_FILE: Build/Output/${{ matrix.config_preset }}/Build/compile_commands.json steps: - - name: Checkout repository + - name: Checkout origin repository branch + if: ${{ github.event_name != 'pull_request_target' }} uses: actions/checkout@v3 with: fetch-depth: 0 + - name: Checkout fork repository branch + if: ${{ github.event_name == 'pull_request_target' }} + uses: actions/checkout@v3 + with: + repository: ${{ github.event.pull_request.head.repo.full_name }} + ref: ${{ github.event.pull_request.head.ref }} + fetch-depth: 0 + + - name: Checkout base branch + if: ${{ github.event_name == 'pull_request_target' }} + run: | + git remote add upstream ${{ github.event.pull_request.base.repo.full_name }} + git fetch upstream + git checkout -B ${{ github.event.pull_request.base.ref }} upstream/${{ github.event.pull_request.base.ref }} + git checkout ${{ github.event.pull_request.head.ref }} + git clean -ffdx && git reset --hard HEAD + - name: Install Linux prerequisites if: ${{ matrix.os_name == 'linux' }} run: ./Build/Unix/CI/InstallLinuxPrerequisites.sh lcov - - name: Install Testspace + - name: Install TestSpace + if: ${{ github.event_name == 'push' }} uses: testspace-com/setup-testspace@v1 with: domain: ${{ github.repository_owner }} @@ -219,8 +242,8 @@ jobs: name: MethaneKit_${{ matrix.name }}_CoverageResults path: Build/Output/${{ matrix.config_preset }}/Install/Tests/Coverage/Report/Cobertura.xml - - name: Upload Build Log and Code Coverage to Testspace server - if: ${{ success() || failure() }} + - name: Upload Build Log and Code Coverage to TestSpace server + if: ${{ github.event_name == 'push' && (success() || failure()) }} shell: bash run: | testspace \ 
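Review bot: The new "Checkout base branch" step expands `${{ github.event.pull_request.head.ref }}` and the base ref directly inside `run:`, so a fork-chosen branch name is pasted into the script text before bash parses it. Pass these values through `env:` and reference them as quoted shell variables instead. `git remote add upstream` is also given `base.repo.full_name`, which is an `owner/name` string rather than a URL, so the following `git fetch upstream` looks likely to fail; `base.repo.clone_url` is the usual value. On the fork checkout step, adding `persist-credentials: false` under `with:` keeps the job token out of the `.git/config` that the fork's build scripts can read. The `steps:` list begins and continues outside this hunk.

```yaml
      - name: Checkout base branch
        if: ${{ github.event_name == 'pull_request_target' }}
        env:
          BASE_REPO_URL: ${{ github.event.pull_request.base.repo.clone_url }}
          BASE_REF: ${{ github.event.pull_request.base.ref }}
          HEAD_REF: ${{ github.event.pull_request.head.ref }}
        run: |
          git remote add upstream "$BASE_REPO_URL"
          git fetch upstream
          git checkout -B "$BASE_REF" "upstream/$BASE_REF"
          git checkout "$HEAD_REF"
          git clean -ffdx && git reset --hard HEAD
      # … unchanged: Install Linux prerequisites, Install TestSpace …
```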
@@ -243,10 +266,10 @@ jobs: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} SONAR_ORGANIZATION: methane-powered GITHUB_EVENT_NAME: ${{ github.event_name }} - GITHUB_COMMIT_SHA: ${{ github.sha }} - GITHUB_PR_NUMBER: ${{ github.event.pull_request.number }}" - GITHUB_PR_BRANCH: ${{ github.event.pull_request.head.ref }}" - GITHUB_PR_BASE: ${{ github.event.pull_request.base.ref }}" + GITHUB_COMMIT_SHA: ${{ github.event_name == 'push' && github.sha || github.event.pull_request.head.sha }} + GITHUB_PR_NUMBER: ${{ github.event.pull_request.number }} + GITHUB_PR_BRANCH: ${{ github.event.pull_request.head.ref }} + GITHUB_PR_BASE: ${{ github.event.pull_request.base.ref }} run: | ./Build/Unix/CI/RunSonarScanner.sh \ "${{ matrix.sonar_project_key }}" \ diff --git a/Build/Unix/CI/RunSonarScanner.sh b/Build/Unix/CI/RunSonarScanner.sh index e5a809597..57e225d9f 100755 --- a/Build/Unix/CI/RunSonarScanner.sh +++ b/Build/Unix/CI/RunSonarScanner.sh @@ -3,12 +3,15 @@ sonar_project_key="${1}" build_dir="${2}" tests_dir="${3}" +if [ "${SONAR_TOKEN}" == "" ]; then + echo "Sonar Token is not available!" + exit 1 +fi case "$OSTYPE" in msys*|cygwin*) sonar_scanner_exe="sonar-scanner.bat" ;; *) sonar_scanner_exe="sonar-scanner" ;; esac -# Uncomment to enable debug output: -# sonar_scanner_exe="${sonar_scanner_exe} -X" +# Add -X flag to enable debug output: SONAR_SCAN_CMD="${sonar_scanner_exe} --define sonar.host.url=https://sonarcloud.io" SONAR_SCAN_CMD="$SONAR_SCAN_CMD --define sonar.organization=${SONAR_ORGANIZATION}" SONAR_SCAN_CMD="$SONAR_SCAN_CMD --define sonar.projectKey=${sonar_project_key}" 
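Review bot: The added token guard in `RunSonarScanner.sh` uses `==` inside single-bracket `[ ]`, which is a bash extension and not portable `test` syntax; the interpreter line is outside the hunk, so whether the script is guaranteed to run under bash cannot be confirmed from here. `if [ -z "${SONAR_TOKEN:-}" ]; then` is the portable form and also survives `set -u`. The message should go to stderr so it is not lost among the build output: `echo "Sonar Token is not available!" >&2`. Since an empty token is the expected state for `pull_request` runs from forks, naming the event in the message would make the failure easier to triage.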
@@ -17,7 +20,7 @@ SONAR_SCAN_CMD="$SONAR_SCAN_CMD --define sonar.cfamily.compile-commands=${build_ SONAR_SCAN_CMD="$SONAR_SCAN_CMD --define sonar.testExecutionReportPaths=${test_results}" SONAR_SCAN_CMD="$SONAR_SCAN_CMD --define sonar.coverageReportPaths=${tests_dir}/Coverage/Report/SonarQube.xml" SONAR_SCAN_CMD="$SONAR_SCAN_CMD --define sonar.scm.revision=${GITHUB_COMMIT_SHA}" -if [ "${GITHUB_EVENT_NAME}" == "pull_request" ]; then +if [[ ${GITHUB_EVENT_NAME} == pull_request* ]]; then SONAR_SCAN_CMD="$SONAR_SCAN_CMD --define sonar.pullrequest.provider=GitHub" SONAR_SCAN_CMD="$SONAR_SCAN_CMD --define sonar.pullrequest.github.repository=MethanePowered/MethaneKit" SONAR_SCAN_CMD="$SONAR_SCAN_CMD --define sonar.pullrequest.key=${GITHUB_PR_NUMBER}"
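Review bot: The glob `pull_request*` in the new `[[ ... ]]` test matches more than the two events the workflow uses; `pull_request_review` and `pull_request_review_comment` would also take the PR branch. An explicit match states the intent, e.g. `case "${GITHUB_EVENT_NAME}" in pull_request|pull_request_target) is_pr=1 ;; esac`. Separately, `GITHUB_PR_BRANCH` now comes from a fork's head ref and is presumably appended to `SONAR_SCAN_CMD` below this hunk. If that string is later expanded unquoted or through `eval` (not visible here), whitespace or shell metacharacters in a branch name would alter the command, so collecting the arguments in a bash array and running `"${sonar_args[@]}"` is the safer shape. The `if` body continues past the end of the hunk.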