From c2cfa51655fd8c0f17b196940da81a54921c8467 Mon Sep 17 00:00:00 2001
From: Bianca Henderson
Date: Tue, 5 May 2026 13:09:24 -0400
Subject: [PATCH] [ACA-5027] Configure SonarQube Cloud (#1116)
* Configure SonarQube Cloud
* Update workflow file and add info to README
* Resolve sanity errors
* Add pinned version details to sonarcloud.yml
---
 .github/workflows/sonarcloud.yml | 70 ++++++++++++++++++++++++++++++++
 .gitignore | 3 ++
 README.md | 18 ++++++++
 sonar-project.properties | 14 +++++++
 4 files changed, 105 insertions(+)
 create mode 100644 .github/workflows/sonarcloud.yml
 create mode 100644 sonar-project.properties
diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml
new file mode 100644
index 00000000..fda9ad17
--- /dev/null
+++ b/.github/workflows/sonarcloud.yml
@@ -0,0 +1,70 @@
+---
+# SonarCloud analysis for kubernetes.core
+#
+# Uses the same-repo + default-branch push model: GitHub does not expose org secrets to workflows
+# from fork PRs (see https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions).
+# This job is gated so the Sonar token is never available in untrusted fork contexts. A follow-up
+# workflow triggered by workflow_run + artifacts is an alternative if the org later requires Sonar
+# with coverage on fork PRs (see https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflow_run).
+name: SonarCloud
+
+on:
+ push:
+ branches:
+ - main
+ - stable-*
+ pull_request:
+ branches:
+ - main
+ - stable-*
+ workflow_dispatch:
+
+permissions:
+ contents: read
+ pull-requests: read
+
+jobs:
+ sonarqube:
+ name: SonarCloud Scan
+ runs-on: ubuntu-latest
+ if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
+ env:
+ # Pin ansible-test behavior; bump when raising supported ansible-core (see meta/runtime.yml).
+ ANSIBLE_CORE_VERSION: "2.19.5"
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Set up Python
+ uses: actions/setup-python@v5
+ with:
+ python-version: "3.12"
+
+ - name: Install Ansible (ansible-test)
+ run: |
+ pip install --upgrade pip
+ pip install "ansible-core==${ANSIBLE_CORE_VERSION}"
+
+ - name: Unit tests with coverage
+ run: ansible-test units --venv --coverage --python 3.12 --requirements
+
+ - name: Coverage combine and XML for Sonar
+ run: |
+ ansible-test coverage combine --venv --python 3.12 --requirements
+ ansible-test coverage xml --venv --python 3.12 --requirements
+
+ - name: Copy coverage report to repo root
+ run: |
+ set -euo pipefail
+ ls -la tests/output/reports/
+ xml=$(find tests/output/reports -maxdepth 1 -name '*.xml' ! -name '*powershell*' | head -1)
+ test -n "$xml"
+ cp "$xml" coverage.xml
+
+ - name: SonarCloud Scan
+ # Same pinned version as ansible-collections/amazon.aws sonarcloud.yml
+ uses: SonarSource/sonarqube-scan-action@a31c9398be7ace6bbfaf30c0bd5d415f843d45e9
+ env:
+ SONAR_TOKEN: ${{ secrets.ANSIBLE_COLLECTIONS_ORG_SONAR_TOKEN_CICD_BOT }}
diff --git a/.gitignore b/.gitignore
index 6210f3b4..84baa731 100644
--- a/.gitignore
+++ b/.gitignore
@@ -25,3 +25,6 @@ tests/integration/*-*.yml
 # VS Code settings
 .vscode/
+
+# Root coverage report for SonarCloud (generated locally or in CI)
+/coverage.xml
diff --git a/README.md b/README.md
index beab16b4..d62e5ec2 100644
--- a/README.md
+++ b/README.md
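Review bot: In the steps block, `actions/checkout@v4` and `actions/setup-python@v5` are pinned to mutable major tags while the SonarCloud step is pinned to a full commit SHA, so the pinning this commit adds is only partial and a moved tag would change what runs without any diff here. Pin both to a commit with the version kept in a trailing comment, `uses: actions/checkout@<commit-sha>  # v4` and `uses: actions/setup-python@<commit-sha>  # v5`, and let Dependabot or a similar updater bump them. Those two steps run before the scan step in the same job and can write to the workspace the scanner later reads, so they deserve the same pin as the step that receives the token. The `if:` gate on the head repository and the read-only `permissions` block look sound as written.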
@@ -6,6 +6,24 @@ This repository hosts the `kubernetes.core` (formerly known as `community.kubern
 The collection includes a variety of Ansible content to help automate the management of applications in Kubernetes and OpenShift clusters, as well as the provisioning and maintenance of clusters themselves.
+## SonarCloud (code quality)
+
+Static analysis runs on [SonarCloud](https://sonarcloud.io) using `sonar-project.properties` and
+`.github/workflows/sonarcloud.yml`. Coverage shown in Sonar comes from unit-test coverage exported as
+`coverage.xml` at the repository root during CI.
+
+The SonarCloud project key must match `sonar.projectKey` (`ansible-collections_kubernetes.core`). Adding
+or renaming the project is coordinated via Ansible Collections maintainers.
+
+GitHub does not expose organization secrets to workflows for pull requests opened from forks. The
+Sonar job therefore only runs on pushes to this repository's branches and on pull requests where the
+head branch is on `ansible-collections/kubernetes.core` (not from forks). That matches GitHub's
+documented behavior for [secrets in Actions](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions).
+
+If the project later needs Sonar with coverage on **fork** PRs, maintainers typically add a separate
+trusted job after a workflow that uploads coverage artifacts, using GitHub's `workflow_run` event.
+See [workflow_run (GitHub Docs)](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflow_run). + ## Communication + * Join the Ansible forum:
diff --git a/sonar-project.properties b/sonar-project.properties
new file mode 100644
index 00000000..923aea25
--- /dev/null
+++ b/sonar-project.properties
@@ -0,0 +1,14 @@
+# SonarCloud project configuration for kubernetes.core
+# Parameters: https://docs.sonarqube.org/latest/analysis/analysis-parameters/
+
+sonar.projectKey=ansible-collections_kubernetes.core
+sonar.organization=ansible-collections
+sonar.sources=.
+sonar.projectName=kubernetes.core
+sonar.python.coverage.reportPaths=coverage.xml
+
+sonar.tests=tests/unit,tests/integration
+sonar.python.version=3.12
+sonar.newCode.referenceBranch=main
+
+sonar.exclusions=tests/**,.tox/**
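Review bot: `sonar.sources=.` with only `tests/**,.tox/**` excluded indexes everything else under the repository root, including the `coverage.xml` the workflow copies there right before the scan and, on a local run, any virtualenv, build or cache directories that happen to be present, which can inflate or skew the analysis. Consider tightening the exclusions, for example `sonar.exclusions=tests/**,.tox/**,coverage.xml,**/__pycache__/**`, or pointing `sonar.sources` at the collection's code directories rather than `.`. `sonar.exclusions` does not apply to `sonar.tests`, so the `tests/**` entry only removes the test tree from source analysis, which appears to be the intent here.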