103 lines
3.4 KiB
YAML
103 lines
3.4 KiB
YAML
name: SonarQube Quality Gate
|
|
|
|
on:
|
|
workflow_call:
|
|
inputs:
|
|
project_key:
|
|
required: true
|
|
type: string
|
|
secrets:
|
|
SONAR_HOST_URL:
|
|
required: true
|
|
SONAR_TOKEN:
|
|
required: true
|
|
GITEA_TOKEN:
|
|
required: true
|
|
|
|
jobs:
|
|
sonarqube:
|
|
runs-on: ubuntu-latest
|
|
|
|
container:
|
|
image: sonarsource/sonar-scanner-cli:12.0.0.3214_8.0.1
|
|
options: --user root
|
|
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v3
|
|
|
|
# ✅ Install jq (required for parsing)
|
|
- name: Install jq
|
|
run: |
|
|
apt-get update
|
|
apt-get install -y jq
|
|
|
|
# ✅ Run scan
|
|
- name: Run SonarQube Scan
|
|
run: |
|
|
REPO_NAME=${{ inputs.project_key }}
|
|
|
|
sonar-scanner \
|
|
-Dsonar.projectKey=$REPO_NAME \
|
|
-Dsonar.projectName=$REPO_NAME \
|
|
-Dsonar.sources=. \
|
|
-Dsonar.host.url=${{ secrets.SONAR_HOST_URL }} \
|
|
-Dsonar.token=${{ secrets.SONAR_TOKEN }} \
|
|
-Dsonar.exclusions=node_modules/**,dist/**,coverage/** \
|
|
-Dsonar.qualitygate.wait=false
|
|
|
|
# ✅ Wait properly (poll instead of sleep)
|
|
- name: Wait for Sonar processing
|
|
if: gitea.event.pull_request != null
|
|
run: |
|
|
for i in {1..12}; do
|
|
RESPONSE=$(curl -s -u ${{ secrets.SONAR_TOKEN }}: \
|
|
"${{ secrets.SONAR_HOST_URL }}/api/qualitygates/project_status?projectKey=${{ inputs.project_key }}")
|
|
|
|
STATUS=$(echo "$RESPONSE" | jq -r '.projectStatus.status // empty')
|
|
|
|
if [ ! -z "$STATUS" ] && [ "$STATUS" != "null" ]; then
|
|
echo "Sonar ready: $STATUS"
|
|
echo "STATUS=$STATUS" >> $GITHUB_ENV
|
|
exit 0
|
|
fi
|
|
|
|
echo "Waiting for Sonar... ($i)"
|
|
sleep 5
|
|
done
|
|
|
|
echo "STATUS=ERROR" >> $GITHUB_ENV
|
|
|
|
# ✅ Get summary safely
|
|
- name: Get Sonar Summary
|
|
if: gitea.event.pull_request != null
|
|
run: |
|
|
RESPONSE=$(curl -s -u ${{ secrets.SONAR_TOKEN }}: \
|
|
"${{ secrets.SONAR_HOST_URL }}/api/measures/component?component=${{ inputs.project_key }}&metricKeys=bugs,vulnerabilities,code_smells")
|
|
|
|
echo "DEBUG SUMMARY RESPONSE:"
|
|
echo "$RESPONSE"
|
|
|
|
BUGS=$(echo "$RESPONSE" | jq -r '.component.measures[] | select(.metric=="bugs") | .value // "0"')
|
|
VULN=$(echo "$RESPONSE" | jq -r '.component.measures[] | select(.metric=="vulnerabilities") | .value // "0"')
|
|
SMELLS=$(echo "$RESPONSE" | jq -r '.component.measures[] | select(.metric=="code_smells") | .value // "0"')
|
|
|
|
echo "BUGS=$BUGS" >> $GITHUB_ENV
|
|
echo "VULN=$VULN" >> $GITHUB_ENV
|
|
echo "SMELLS=$SMELLS" >> $GITHUB_ENV
|
|
|
|
# ✅ Comment on PR
|
|
- name: Comment on PR
|
|
if: gitea.event.pull_request != null
|
|
run: |
|
|
if [ "$STATUS" = "OK" ]; then
|
|
MESSAGE="✅ SonarQube PASSED\n\n🐞 Bugs: $BUGS\n🔐 Vulnerabilities: $VULN\n🧹 Code Smells: $SMELLS"
|
|
else
|
|
MESSAGE="❌ SonarQube FAILED\n\n🐞 Bugs: $BUGS\n🔐 Vulnerabilities: $VULN\n🧹 Code Smells: $SMELLS"
|
|
fi
|
|
|
|
curl -X POST \
|
|
-H "Authorization: token ${{ secrets.GITEA_TOKEN }}" \
|
|
-H "Content-Type: application/json" \
|
|
-d "{\"body\": \"$MESSAGE\"}" \
|
|
${{ gitea.api_url }}/repos/${{ gitea.repository }}/issues/${{ gitea.event.pull_request.number }}/comments |