Actions for running sonarqube
When running PR analysis it is important to checkout the PR commit. By default
github.sha
will contain the SHA of the merge commit when the action event
type is pull_request
. In order to checkout the PR commit, we need to specify
ref: ${{ github.event.pull_request.head.sha }}
when using the
actions/checkout@v2
action.
on: [pull_request]
jobs:
sonarqube:
runs-on: self-hosted
steps:
- uses: actions/checkout@v2
with:
ref: ${{ github.event.pull_request.head.sha }}
- uses: tradeshift/actions-sonarqube@v2
with:
token: ${{ secrets.SONAR_TOKEN }}
host: https://mysonar.com
When running branch analysis eg. on master branch, it is important to
checkout with history. This can be done using fetch-depth: 0
when using
the actions/checkout@v2
action.
on:
push:
branches: master
jobs:
sonarqube:
runs-on: self-hosted
steps:
- uses: actions/checkout@v2
with:
fetch-depth: 0
- uses: tradeshift/actions-sonarqube@v2
with:
token: ${{ secrets.SONAR_TOKEN }}
host: https://mysonar.com
To have extra security on the access to sonarqube we are guarding it with mTLS. To run the action with mTLS pass ca-cert
, client-cert
and client-key
on:
push:
branches: master
jobs:
sonarqube:
runs-on: self-hosted
steps:
- uses: actions/checkout@v2
with:
fetch-depth: 0
- uses: tradeshift/actions-sonarqube@v2
with:
ca-cert: ${{ secrets.SONAR_CACERT }}
client-cert: ${{ secrets.SONAR_CLIENTCERT }}
client-key: ${{ secrets.SONAR_CLIENTKEY }}
token: ${{ secrets.SONAR_TOKEN }}
host: https://mysonar.com
Usage:
name: Sonarqube scanner
on:
pull_request:
jobs:
build:
runs-on: self-hosted
steps:
- uses: actions/checkout@v2
- uses: actions/cache@v1
id: cache
with:
path: ~/.m2/repository
key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
restore-keys: |
${{ runner.os }}-maven-
- name: Set up JDK 10
uses: actions/setup-java@v1
with:
java-version: 10
- name: Setup Maven certs
uses: tradeshift/actions-maven@master
with:
maven-settings: ${{ secrets.MAVEN_SETTINGS }}
maven-security-settings: ${{ secrets.MAVEN_SECURITY }}
maven-p12-keystore: ${{ secrets.MAVEN_P12 }}
maven-p12-keystore-password: ${{ secrets.MAVEN_P12_PASSWORD }}
company-rootca: ${{ secrets.MTLS_CACERT }}
- name: SonarQube options
id: sonar-opts
uses: tradeshift/actions-sonarqube/script-proxy-opts@master
with:
ca-cert: ${{ secrets.MTLS_CACERT }}
cert: ${{ secrets.MTLS_CERT }}
key: ${{ secrets.MTLS_KEY }}
sonar-token: ${{ secrets.SONAR_TOKEN }}
sonar-host: "https://sonar.host"
- name SonarQube maven scan
run: |
mvn -B sonar:sonar ${{ steps.sonar-opts.output.opts }}