TECH-9562: add code scanning and coverage with sonar for python (#46)

goes-funky · Sep 8, 2022 · 107e5c2 · 107e5c2
1 parent aa4c5e5
commit 107e5c2
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 12 deletions.
diff --git a/.github/workflows/build-python.yaml b/.github/workflows/build-python.yaml
@@ -43,12 +43,19 @@ name: Build Python
         type: boolean
         description: Whether to skip checking type hints with mypy
         default: true
+      skip-sonar:
+        type: boolean
+        description: Whether to skip sonarcloud scans
+        default: true
     secrets:
       ssh-private-key:
         description: SSH private key used to authenticate to GitHub with, in order to fetch private dependencies
         required: true
+      sonar_token:
+        description: Token for sonarcloud.io scans
+        required: false
       codecov-token:
-        description: Token to upload coverage reports to codecov
+        description: Keep around until all workflows are migrated
         required: false
 jobs:
   deps:
@@ -208,13 +215,17 @@ jobs:
         run: |-
           poetry run coverage run -m pytest
           poetry run coverage xml
-      - name: Upload Coverage to Codecov
+      - name: Sonarcloud check
         env:
-          CODECOV_TOKEN: ${{ secrets.codecov-token }}
-        if: env.CODECOV_TOKEN != null
-        uses: codecov/codecov-action@v2
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+        if: '!inputs.skip-sonar'
+        uses: SonarSource/sonarcloud-github-action@master
         with:
-          token: ${{ secrets.codecov-token }}
+          args: |-
+            -Dsonar.python.coverage.reportPaths=coverage.xml
+            -Dsonar.projectKey=${{github.repository_owner}}_${{github.event.repository.name}}
+            -Dsonar.organization=${{github.repository_owner}}
   mypy:
     name: Mypy
     if: '!inputs.skip-mypy'

diff --git a/pkg/workflows/build-python.cue b/pkg/workflows/build-python.cue
@@ -84,10 +84,19 @@ common.#build_workflow & {
 					description: "Whether to skip checking type hints with mypy"
 					default:     true
 				}
+				"skip-sonar": {
+					type:        "boolean"
+					description: "Whether to skip sonarcloud scans"
+					default:     true
+				}
 			}
 			secrets: {
+				"sonar_token": {
+					description: "Token for sonarcloud.io scans"
+					required:    false
+				}
 				"codecov-token": {
-					description: "Token to upload coverage reports to codecov"
+					description: "Keep around until all workflows are migrated"
 					required:    false
 				}
 			}
@@ -194,11 +203,20 @@ common.#build_workflow & {
 						"""
 				},
 				{
-					name: "Upload Coverage to Codecov"
-					env: CODECOV_TOKEN: "${{ secrets.codecov-token }}"
-					if:   "env.CODECOV_TOKEN != null"
-					uses: "codecov/codecov-action@v2"
-					with: token: "${{ secrets.codecov-token }}"
+					name: "Sonarcloud check"
+					env: {
+						GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+						SONAR_TOKEN: "${{ secrets.SONAR_TOKEN }}"
+					}
+					if: "!inputs.skip-sonar"
+					uses: "SonarSource/sonarcloud-github-action@master"
+					with: {
+						args: """
+							-Dsonar.python.coverage.reportPaths=coverage.xml
+							-Dsonar.projectKey=${{github.repository_owner}}_${{github.event.repository.name}}
+							-Dsonar.organization=${{github.repository_owner}}
+							"""
+					}
 				},
 			]
 		}