This is an automated email from the ASF dual-hosted git repository.
gnodet pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel.git
The following commit(s) were added to refs/heads/main by this push:
new 2b07e28e9bf7 CAMEL-23274: Disable SonarCloud temporarily and fix
script injection (#22477)
2b07e28e9bf7 is described below
commit 2b07e28e9bf73885c7f3559dfbbacc196dcc1660
Author: Guillaume Nodet <[email protected]>
AuthorDate: Wed Apr 8 07:03:26 2026 +0200
CAMEL-23274: Disable SonarCloud temporarily and fix script injection
(#22477)
Temporarily disable sonar-build and sonar-scan workflows until the
SonarCloud quality gate is adjusted (INFRA-27808). The quality gate
requires ≥80% coverage on new code, but only core modules produce
coverage currently, causing failures on all PRs and main builds.
Also fix a BLOCKER vulnerability (githubactions:S7630) in
sonar-build.yml: user-controlled GitHub Actions expressions
(github.event.pull_request.head.ref) were used directly in run
blocks, enabling script injection. Moved to env variables.
Co-authored-by: Claude Opus 4.6 <[email protected]>
---
.github/workflows/sonar-build.yml | 19 +++++++++++++------
.github/workflows/sonar-scan.yml | 2 ++
2 files changed, 15 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/sonar-build.yml
b/.github/workflows/sonar-build.yml
index 882bc2d58adf..9b1e990af721 100644
--- a/.github/workflows/sonar-build.yml
+++ b/.github/workflows/sonar-build.yml
@@ -37,7 +37,8 @@ concurrency:
jobs:
build:
- if: github.repository == 'apache/camel'
+ # Temporarily disabled until SonarCloud quality gate is adjusted
(INFRA-27808)
+ if: false && github.repository == 'apache/camel'
name: Build for Sonar Analysis
runs-on: ubuntu-latest
steps:
@@ -85,12 +86,18 @@ jobs:
- name: Prepare pull request metadata
shell: bash
+ env:
+ PR_NUMBER: ${{ github.event.pull_request.number }}
+ PR_HEAD_REF: ${{ github.event.pull_request.head.ref }}
+ PR_BASE_REF: ${{ github.event.pull_request.base.ref }}
+ PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+ TARGET_ARTIFACT_ID: ${{ steps.target-upload.outputs.artifact-id }}
run: |
- echo "${{ github.event.pull_request.number }}" > pr-event.txt
- echo "${{ github.event.pull_request.head.ref }}" >> pr-event.txt
- echo "${{ github.event.pull_request.base.ref }}" >> pr-event.txt
- echo "${{ github.event.pull_request.head.sha }}" >> pr-event.txt
- echo "${{ steps.target-upload.outputs.artifact-id }}" >> pr-event.txt
+ echo "$PR_NUMBER" > pr-event.txt
+ echo "$PR_HEAD_REF" >> pr-event.txt
+ echo "$PR_BASE_REF" >> pr-event.txt
+ echo "$PR_HEAD_SHA" >> pr-event.txt
+ echo "$TARGET_ARTIFACT_ID" >> pr-event.txt
- name: Upload pull request metadata
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
# v7.0.0
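Review bot: Moving the expressions into `env:` closes the shell-injection path in this run block, but `PR_HEAD_REF` (and the other PR fields) remain attacker-chosen data that the step now writes into `pr-event.txt`, which the following step uploads as an artifact; the commit does not address the read side. The sonar-scan workflow is `workflow_run`-triggered (its `if:` condition in this commit checks `github.event.workflow_run.conclusion`) and so presumably consumes this artifact with repository-level permissions, which means each line must be validated there — `PR_NUMBER` as digits only, `PR_HEAD_SHA` as hex, the refs against a strict allowed-character pattern — before being interpolated into any command or scanner parameter. I would make that contract explicit on the step with a comment such as `# Untrusted PR metadata: any consumer of pr-event.txt must validate each line before use.`. The steps list continues outside the hunk, so the upload step's `with:` block is not visible here.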
diff --git a/.github/workflows/sonar-scan.yml b/.github/workflows/sonar-scan.yml
index acfd4da7e1ed..fc02a1127fc8 100644
--- a/.github/workflows/sonar-scan.yml
+++ b/.github/workflows/sonar-scan.yml
@@ -28,7 +28,9 @@ concurrency:
jobs:
sonar:
+ # Temporarily disabled until SonarCloud quality gate is adjusted
(INFRA-27808)
if: >
+ false &&
github.event.workflow_run.conclusion == 'success' &&
github.repository == 'apache/camel'
name: Sonar Analysis