Merge pull request #2578 from cta-observatory/sonar_on_forks

Run sonar in separate step to enable PRs from forks again

.github/workflows/ci.yml

@@ -146,11 +146,12 @@ jobs:
 
           ctapipe-info --version
 
-      # check code quality and coverage with SonarScanner
-      - uses: SonarSource/sonarqube-scan-action@v2
+      # upload coverage report for sonar workflow
+      - uses: actions/upload-artifact@v4
         if: contains(matrix.extra-args, 'codecov') && contains(github.event.pull_request.labels.*.name, 'documentation-only') == false
-        env:
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+        with:
+          name: ctapipe-coverage-report
+          path: coverage.xml
 
   docs:
     runs-on: ubuntu-latest

.github/workflows/sonar.yml

@@ -0,0 +1,74 @@
+# This workflow is triggered by the completion of our CI workflow
+# It then checks out the pull request repository / branch, runs the
+# sonar scanner, downloads the coverage report and uploads the report
+# to the sonarqube server. This is necessary as forks don't have access
+# to secrets and SONAR_TOKEN is required to upload reports.
+#
+# Adapted from https://github.com/medplum/medplum/
+
+name: Sonar
+
+on:
+  workflow_run:
+    workflows: [CI]
+    types: [completed]
+
+jobs:
+  sonar:
+    name: Sonar
+    runs-on: ubuntu-latest
+    if: github.event.workflow_run.conclusion == 'success'
+    steps:
+      - name: Info
+        run: |
+          echo "Running Sonarqube action for PR ${PR_NUMBER} of ${REPOSITORY}:${PR_BRANCH} to ${PR_TARGET}"
+        env:
+          REPOSITORY: ${{ github.event.workflow_run.head_repository.full_name }}
+          PR_NUMBER: ${{ github.event.workflow_run.pull_requests[0].number }}
+          PR_BRANCH: ${{ github.event.workflow_run.pull_requests[0].head.ref }}
+          PR_TARGET: ${{ github.event.workflow_run.pull_requests[0].base.ref }}
+
+      - uses: actions/checkout@v4
+        with:
+          repository: ${{ github.event.workflow_run.head_repository.full_name }}
+          ref: ${{ github.event.workflow_run.head_branch }}
+          fetch-depth: 0
+
+      - name: 'Download code coverage'
+        uses: actions/github-script@v7
+        with:
+          script: |
+            let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               run_id: context.payload.workflow_run.id,
+            });
+            let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => {
+              return artifact.name == "ctapipe-coverage-report"
+            })[0];
+            let download = await github.rest.actions.downloadArtifact({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               artifact_id: matchArtifact.id,
+               archive_format: 'zip',
+            });
+            let fs = require('fs');
+            fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/medplum-code-coverage.zip`, Buffer.from(download.data));
+
+      - name: 'Unzip code coverage'
+        run: unzip ctapipe-coverage-report.zip -d coverage
+
+      - name: Check artifact
+        run: ls -l coverage
+
+      - name: SonarCloud Scan
+        uses: sonarsource/sonarcloud-github-action@master
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+        with:
+          args: >
+            -Dsonar.scm.revision=${{ github.event.workflow_run.head_sha }}
+            -Dsonar.pullrequest.key=${{ github.event.workflow_run.pull_requests[0].number }}
+            -Dsonar.pullrequest.branch=${{ github.event.workflow_run.pull_requests[0].head.ref }}
+            -Dsonar.pullrequest.base=${{ github.event.workflow_run.pull_requests[0].base.ref }}

sonar-project.properties

@@ -1,6 +1,6 @@
 sonar.projectKey=cta-observatory_ctapipe_AY52EYhuvuGcMFidNyUs
 sonar.language=python
-sonar.python.coverage.reportPaths=coverage.xml
+sonar.python.coverage.reportPaths=coverage/coverage.xml
 sonar.python.version=3.10
 
 # ignore examples for coverage and issues, these are sphinx-gallery notebook scripts