ci : fix failing sonar pipeline by moving sonar publish step to workflow_run

rohanKanojia · rohanKanojia · commit 3f17d24530cc · 2025-07-16T23:26:52.000+05:30
Sonar analysis is no longer working on pull requests as sonar login token is not
propagated to pull requests.

In order to perform analysis, split the github action into two actions:
- `Sonar PR Report Request` : Will run on PR, but would only verify build is ok
- `Sonar PR Report Publish` : Will run after completion of previous workflow, but on main repository that would have required secrets.

Signed-off-by: Rohan Kumar &lt;rohaan@redhat.com&gt;
diff --git a/.github/workflows/sonar-pr-report-publish.yml b/.github/workflows/sonar-pr-report-publish.yml
@@ -0,0 +1,66 @@
+#
+# Copyright (C) 2015 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+name: Sonar PR Report Publish
+
+on:
+  workflow_run:
+    workflows: [Sonar PR Report Request]
+    types:
+      - completed
+
+concurrency:
+  # Only run once for latest commit per ref and cancel other (previous) runs.
+  group: ci-sonar-kubernetes-client-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  sonar:
+    name: Sonar
+    runs-on: ubuntu-latest
+    env:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      BASE_BRANCH: main
+      PR_BRANCH: ${{ github.event.workflow_run.head_branch }}
+      PR_AUTHOR: ${{ github.event.sender.login }}
+      GITHUB_REPO: ${{ github.repository }}
+      SONAR_LOGIN_TOKEN: ${{ secrets.SONAR_LOGIN_TOKEN }}
+    steps:
+      - name: Setup Java 17
+        uses: actions/setup-java@v4
+        with:
+          java-version: '17'
+          distribution: 'temurin'
+      - name: Get PR number
+        run: |
+          PR_QUERY_RESULT=$(curl -s -H "Authorization: token $GITHUB_TOKEN" \
+            "https://api.github.com/repos/$GITHUB_REPO/pulls?head=$PR_AUTHOR:$PR_BRANCH&state=open" | jq '.[0].number')
+          if [ "$PR_QUERY_RESULT" = "null" ] || [ -z "$PR_QUERY_RESULT" ]; then
+            echo "Could not find PR number for $PR_AUTHOR:$PR_BRANCH"
+            exit 1
+          fi
+          echo "PR_NUMBER=$PR_QUERY_RESULT" >> $GITHUB_ENV
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: refs/pull/${{ env.PR_NUMBER }}/head
+          # Shallow clones should be disabled for a better relevancy of analysis
+          fetch-depth: 0
+      - name: Sonar
+        run: make sonar-pr-report
diff --git a/.github/workflows/sonar-pr-report-request.yml b/.github/workflows/sonar-pr-report-request.yml
@@ -0,0 +1,47 @@
+#
+# Copyright (C) 2015 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+name: Sonar PR Report Request
+
+on:
+  pull_request:
+    paths-ignore:
+      - 'doc/**'
+      - 'ide-config/**'
+      - '**.md'
+
+concurrency:
+  # Only run once for latest commit per ref and cancel other (previous) runs.
+  group: ci-sonar-kubernetes-client-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  sonar:
+    name: Sonar
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Setup Java 17
+        uses: actions/setup-java@v4
+        with:
+          java-version: '17'
+          distribution: 'temurin'
+      - name: Build Project before requesting for Sonar Analysis
+        run: mvn ${MAVEN_ARGS} install
diff --git a/.github/workflows/sonar.yml b/.github/workflows/sonar.yml
@@ -20,11 +20,6 @@ on:
   push:
     branches:
       - main
-#  pull_request:
-#    paths-ignore:
-#      - 'doc/**'
-#      - 'ide-config/**'
-#      - '**.md'
 
 concurrency:
   # Only run once for latest commit per ref and cancel other (previous) runs.
diff --git a/Makefile b/Makefile
@@ -65,6 +65,15 @@ sonar: clean
 	# $(MAVEN_ARGS) ---> -T 1C won't work with sonar analysis (yet)
 	mvn -Psonar install sonar:sonar
 
+.PHONY: sonar-pr-report
+sonar-pr-report: clean
+	mvn -Psonar install sonar:sonar \
+		-Dsonar.login=${SONAR_LOGIN_TOKEN} \
+		-Dsonar.pullrequest.key=${PR_NUMBER} \
+		-Dsonar.pullrequest.branch=${PR_BRANCH} \
+		-Dsonar.pullrequest.base=${BASE_BRANCH} \
+		-Dsonar.pullrequest.provider=GitHub
+
 .PHONY: javadoc
 javadoc: clean
 	mvn $(MAVEN_ARGS) install javadoc:jar -DskipTests -Pjavadoc-test
