[ https://issues.apache.org/jira/browse/RAT-293?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18056071#comment-18056071 ]
ASF subversion and git services commented on RAT-293:
-----------------------------------------------------
Commit 2da9c897a2c13457e255f362807cd148f9c8ba88 in creadur-rat's branch
refs/heads/dependabot/maven/com.gradle-develocity-maven-extension-2.3.3 from
Philipp Ottlinger
[ https://gitbox.apache.org/repos/asf?p=creadur-rat.git;h=2da9c897 ]
RAT-293: Do not run SonarCloud scan if triggered by dependabot
> Configure SonarCloud integration for RAT
> ----------------------------------------
>
> Key: RAT-293
> URL: https://issues.apache.org/jira/browse/RAT-293
> Project: Apache RAT
> Issue Type: Task
> Reporter: Philipp Ottlinger
> Assignee: Philipp Ottlinger
> Priority: Major
> Fix For: 0.18
>
>
> Configure repo to be included in
> [https://sonarcloud.io/organizations/apache/projects]
> Requested access via INFRA-22683.
> [https://cwiki.apache.org/confluence/display/INFRA/SonarQube+Analysis]
> h2. DevHint
> This task cannot be accomplished as the sonarcloud integration is >JDK8 and
> fails the animal-sniffer-plugin configured to only allow JDK8 contents in RAT!
> h2. What happened here
> * Configuration done via PR#33
> * INFRA created the projects and made me ([~pottlinger]) admin
> * Authorization happened by logging in via GitHub at
> [https://sonarcloud.io/summary/overall?id=apache_creadur-rat&branch=master]
> ** Set SONAR_TOKEN as repo secret (generated by SonarCloud)
> ** Add new build script sonarcloud.yml
> * Set maven-sonar-plugin-version in pom.xml
> * Add SONAR_TOKEN to mvn call during analysis to fix authentication failures
> on GHA; an explicit parameter is necessary, but sonar.login is deprecated, so
> use sonar.token instead
> * Add badge to project readme
> * https://www.jacoco.org/jacoco/trunk/doc/maven.html - to see test coverage
> metrics via https://github.com/apache/creadur-rat/pull/603 (required multiple
> action runs)
> * https://community.sonarsource.com/t/sonarcloud-analysis-on-master-branch-results-in-broken-builds-on-all-other-prs-on-github/172249
> - all PR builds are broken due to a problem within the SonarCloud build on
> non-master branches
> h2. Open problem:
> * via INFRA-27608: removed manually configured SONAR_TOKEN and replaced it
> with the ASF documented solution from
> https://cwiki.apache.org/confluence/pages/viewpage.action?spaceKey=INFRA&title=Github+Secrets+and+Tokens
> (i.e. SONARCLOUD_TOKEN instead of secrets.SONAR_TOKEN) => same problem as
> before, master works, while dependabot branches fail the sonar build.
> * Dependabot branches do not have access to global secrets for security
> reasons - disabled via
> https://docs.github.com/en/code-security/how-tos/secure-your-supply-chain/troubleshoot-dependency-security/troubleshooting-dependabot-on-github-actions#troubleshooting-failures-when-dependabot-triggers-existing-workflows
> * regular branches can be built as they access the secrets set at
> organisation level
>
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
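The failure mode the issue describes, and the fix the commit above names, fit in one GitHub Actions workflow: runs triggered by Dependabot receive only Dependabot secrets, so an organisation-level SONARCLOUD_TOKEN is empty in those runs and the scanner's authentication fails, while pushes by humans to master see the secret and pass. The workflow below is an added illustration written for this page, not the project's sonarcloud.yml; the workflow and job names, the Java version, the action versions and the `-Dsonar.projectKey`/`-Dsonar.organization` values (taken from the SonarCloud URL quoted in the issue) are assumptions, and the maven-sonar-plugin version is assumed to be pinned in the pom as the issue states.

```yaml
# Added illustration, not the project's own workflow file. Assumed: names,
# Java version, action versions and the Sonar project/organisation values.
name: SonarCloud

on:
  push:
    branches: [master]
  pull_request:

jobs:
  sonar:
    # Dependabot-triggered runs only get Dependabot secrets, so
    # secrets.SONARCLOUD_TOKEN resolves to an empty string there and the
    # scanner cannot authenticate. Skip the job for that actor instead of
    # letting every dependabot branch fail the build.
    if: github.actor != 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history, so SonarCloud can attribute new code
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: 17   # assumed; see the JDK8 / animal-sniffer hint above
      - name: Build and analyse
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}       # PR decoration
          SONAR_TOKEN: ${{ secrets.SONARCLOUD_TOKEN }}    # ASF-managed org secret
        run: >
          mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
          -Dsonar.token=${SONAR_TOKEN}
          -Dsonar.projectKey=apache_creadur-rat
          -Dsonar.organization=apache
          -Dsonar.host.url=https://sonarcloud.io
```

The `if:` guard on the job is the approach GitHub's own troubleshooting page (linked in the issue) recommends for workflows that need secrets Dependabot cannot see; the token is passed as `-Dsonar.token` rather than the deprecated `sonar.login`, matching the issue's note. The alternative, registering the token as a Dependabot secret so those runs can authenticate too, would widen the token's exposure to dependency-update runs, which is usually not worth it for a scan that master will perform once the update is merged.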