internet/kubernetes.core
3
0
Fork 0
mirror of https://github.com/ansible-collections/kubernetes.core.git synced 2026-06-09 18:16:09 +00:00
Code Issues Projects Releases Wiki Activity

[ACA-5027] Add SonarQube Cloud Test Coverage Info (#1124)

Browse Source 
* Adding SonarQube coverage-related info

* README updates

* Fix all_green_check workflow

* Quality Gate fix

* Update sonarcloud workflow, update docs

* Add sonarcloud job to all_green_check and update docs accordingly
This commit is contained in:
Bianca Henderson
2026-05-21 13:46:18 -04:00
committed by GitHub
parent 248e0d7db9
commit cb7a932951
9 changed files with 305 additions and 131 deletions
Download Patch File Download Diff File Expand all files Collapse all files

141
.github/workflows/all_green_check.yaml vendored Normal file
View File

@@ -0,0 +1,141 @@
---
name: all_green
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
cancel-in-progress: true
on: # yamllint disable-line rule:truthy
pull_request:
types:
- opened
- reopened
- synchronize
branches:
- main
- stable-*
push:
branches:
- main
- stable-*
jobs:
linters:
if: github.event_name == 'pull_request'
uses: ./.github/workflows/linters.yaml
sanity:
uses: ./.github/workflows/sanity-tests.yaml
units:
uses: ./.github/workflows/unit-tests.yaml
coverage:
name: Unit test coverage
runs-on: ubuntu-latest
needs:
- sanity
- units
env:
ANSIBLE_CORE_VERSION: "2.19.5"
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: "3.12"
- name: Install Ansible (ansible-test)
run: |
python -m pip install --upgrade pip
python -m pip install "ansible-core==${ANSIBLE_CORE_VERSION}"
- name: Run unit tests with coverage
run: ansible-test units --venv --coverage --python 3.12 --requirements
- name: Combine and emit coverage XML
run: |
ansible-test coverage combine --venv --python 3.12 --requirements
ansible-test coverage xml --venv --python 3.12 --requirements
- name: Prepare coverage.xml for SonarCloud
run: |
set -euo pipefail
mkdir -p "${GITHUB_WORKSPACE}"
xml=$(find tests/output/reports -maxdepth 1 -name '*.xml' ! -name '*powershell*' | head -1)
test -n "${xml}"
cp "${xml}" "${GITHUB_WORKSPACE}/coverage.xml"
# Strip workspace prefix so Sonar sees repo-relative paths (same idea as amazon.aws path rewrite)
sed -i "s#${GITHUB_WORKSPACE}/##g" "${GITHUB_WORKSPACE}/coverage.xml"
- name: Upload coverage artifact
uses: actions/upload-artifact@v4
with:
name: coverage
path: ${{ github.workspace }}/coverage.xml
all_green:
if: ${{ always() }}
needs:
- linters
- sanity
- units
- coverage
runs-on: ubuntu-latest
steps:
- run: |
python -c "
import sys
required = ['sanity', 'units', 'coverage']
if '${{ github.event_name }}' == 'pull_request':
required = ['linters', 'sanity', 'units', 'coverage']
results = {
'linters': '${{ needs.linters.result }}',
'sanity': '${{ needs.sanity.result }}',
'units': '${{ needs.units.result }}',
'coverage': '${{ needs.coverage.result }}',
}
for name in required:
if results[name] == 'failure':
print(f'all_green: required job failed: {name} results={results}', file=sys.stderr)
sys.exit(1)
# cancel-in-progress superseded this run; do not fail (newer run is authoritative)
if any(v == 'cancelled' for v in results.values()):
print(
'all_green: one or more jobs cancelled (usually concurrency); skipping strict gate.',
results,
)
sys.exit(0)
not_ok = [j for j in required if results[j] != 'success']
if not_ok:
print(f'all_green: required jobs not success: {not_ok} results={results}', file=sys.stderr)
sys.exit(1)
for job, status in results.items():
if job not in required and status not in ('success', 'skipped'):
print(f'all_green: unexpected {job}={status} results={results}', file=sys.stderr)
sys.exit(1)
print('all_green OK', results)
"
sonarcloud:
name: SonarCloud scan
needs:
- all_green
- coverage
if: >-
${{ needs.all_green.result == 'success'
&& secrets.ANSIBLE_COLLECTIONS_ORG_SONAR_TOKEN_CICD_BOT != ''
&& (github.event_name == 'push'
|| (github.event_name == 'pull_request'
&& github.event.pull_request.head.repo.full_name == github.repository)) }}
uses: ./.github/workflows/sonarcloud.yml
secrets:
ANSIBLE_COLLECTIONS_ORG_SONAR_TOKEN_CICD_BOT: ${{ secrets.ANSIBLE_COLLECTIONS_ORG_SONAR_TOKEN_CICD_BOT }}

1
.github/workflows/linters.yaml vendored
View File

@@ -5,6 +5,7 @@ concurrency:
cancel-in-progress: true
on:
workflow_call:
pull_request:
branches:
- main

1
.github/workflows/sanity-tests.yaml vendored
View File

@@ -5,6 +5,7 @@ concurrency:
cancel-in-progress: true
on:
workflow_call:
pull_request:
branches:
- main

86
.github/workflows/sonarcloud.yml vendored
View File

@@ -1,70 +1,68 @@
---
# SonarCloud analysis for kubernetes.core
## SonarCloud scan (reusable)
#
# Uses the same-repo + default-branch push model: GitHub does not expose org secrets to workflows
# from fork PRs (see https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions).
# This job is gated so the Sonar token is never available in untrusted fork contexts. A follow-up
# workflow triggered by workflow_run + artifacts is an alternative if the org later requires Sonar
# with coverage on fork PRs (see https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflow_run).
# Invoked from **all_green** after the aggregate gate and **coverage** succeed. Uses the **caller's**
# **pull_request** / **push** event so **actions/checkout** can use **github.event.pull_request.head.sha**
# on PRs (Sonar-compliant). Not triggered by **workflow_run** + **workflow_run.head_sha** checkout.
---
name: SonarCloud
on:
push:
branches:
- main
- stable-*
pull_request:
branches:
- main
- stable-*
workflow_dispatch:
workflow_call:
secrets:
ANSIBLE_COLLECTIONS_ORG_SONAR_TOKEN_CICD_BOT:
required: true
permissions:
contents: read
pull-requests: read
jobs:
sonarqube:
name: SonarCloud Scan
scan:
name: SonarCloud scan
runs-on: ubuntu-latest
if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
env:
# Pin ansible-test behavior; bump when raising supported ansible-core (see meta/runtime.yml).
ANSIBLE_CORE_VERSION: "2.19.5"
steps:
- name: Checkout
- name: Checkout repository
uses: actions/checkout@v4
with:
ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
fetch-depth: 0
show-progress: false
- name: Set up Python
uses: actions/setup-python@v5
- name: Download coverage artifact
uses: actions/download-artifact@v4
with:
python-version: "3.12"
name: coverage
path: .
- name: Install Ansible (ansible-test)
- name: Set coverage report paths
run: |
pip install --upgrade pip
pip install "ansible-core==${ANSIBLE_CORE_VERSION}"
coverage_files=$(find . -name "coverage*.xml" -type f 2>/dev/null | tr '\n' ',' | sed 's/,$//')
echo "Found coverage files: ${coverage_files:-none}"
echo "COVERAGE_PATHS=${coverage_files}" >> "$GITHUB_ENV"
- name: Unit tests with coverage
run: ansible-test units --venv --coverage --python 3.12 --requirements
- name: Coverage combine and XML for Sonar
- name: Prepare SonarCloud args
env:
COMMIT_SHA: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
EVENT_NAME: ${{ github.event_name }}
PR_NUMBER: ${{ github.event_name == 'pull_request' && github.event.pull_request.number || '' }}
PR_HEAD_REF: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.ref || '' }}
PR_BASE_REF: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.ref || '' }}
run: |
ansible-test coverage combine --venv --python 3.12 --requirements
ansible-test coverage xml --venv --python 3.12 --requirements
- name: Copy coverage report to repo root
run: |
set -euo pipefail
ls -la tests/output/reports/
xml=$(find tests/output/reports -maxdepth 1 -name '*.xml' ! -name '*powershell*' | head -1)
test -n "$xml"
cp "$xml" coverage.xml
SONAR_ARGS="-Dsonar.scm.revision=\"${COMMIT_SHA}\""
if [[ "${EVENT_NAME}" == "pull_request" ]]; then
SONAR_ARGS="${SONAR_ARGS} -Dsonar.pullrequest.key=${PR_NUMBER}"
SONAR_ARGS="${SONAR_ARGS} -Dsonar.pullrequest.branch=${PR_HEAD_REF}"
SONAR_ARGS="${SONAR_ARGS} -Dsonar.pullrequest.base=${PR_BASE_REF}"
fi
if [[ -n "${COVERAGE_PATHS:-}" ]]; then
SONAR_ARGS="${SONAR_ARGS} -Dsonar.python.coverage.reportPaths=${COVERAGE_PATHS}"
fi
echo "SONAR_ARGS=${SONAR_ARGS}" >> "$GITHUB_ENV"
- name: SonarCloud Scan
# Same pinned version as ansible-collections/amazon.aws sonarcloud.yml
uses: SonarSource/sonarqube-scan-action@a31c9398be7ace6bbfaf30c0bd5d415f843d45e9
env:
SONAR_TOKEN: ${{ secrets.ANSIBLE_COLLECTIONS_ORG_SONAR_TOKEN_CICD_BOT }}
with:
args: ${{ env.SONAR_ARGS }}

1
.github/workflows/unit-tests.yaml vendored
View File

@@ -4,6 +4,7 @@ concurrency:
cancel-in-progress: true
on:
workflow_call:
pull_request:
branches:
- main

5
CI.md
View File

@@ -15,6 +15,7 @@ The following tests run on every pull request:
| [Sanity](.github/workflows/sanity-tests.yaml) | Runs ansible sanity checks | See compatibility table below | devel, stable-2.18, stable-2.19, stable-2.20 |
| [Unit tests](.github/workflows/unit-tests.yaml) | Executes unit test cases | See compatibility table below | devel, stable-2.16, stable-2.17, stable-2.18, stable-2.19, stable-2.20 |
| [Integration](.github/workflows/integration-tests.yaml) | Executes integration test suites using KinD cluster (split across 8 jobs, tests with Turbo mode enabled/disabled) | 3.12 | milestone |
| [all_green](.github/workflows/all_green_check.yaml) | Linters (PR only), sanity, units, coverage XML, aggregate gate, and SonarCloud scan (same-repo PR / push when org secret is set) | (see jobs) | (see jobs) |
**Note:** Integration tests require a KinD (Kubernetes in Docker) cluster and test both with Turbo mode enabled and disabled.
@@ -30,3 +31,7 @@ These are outlined in the collection's [tox.ini](tox.ini) file (`envlist`) and G
| stable-2.18 | 3.11, 3.12, 3.13 | 3.11, 3.12, 3.13 |
| stable-2.17 | 3.10, 3.11, 3.12 | 3.10, 3.11, 3.12 |
| stable-2.16 | 3.10, 3.11 | 3.10, 3.11 |
## SonarCloud
SonarCloud analysis runs from **[`all_green_check.yaml`](.github/workflows/all_green_check.yaml)** via the **`sonarcloud`** job, which calls **[`sonarcloud.yml`](.github/workflows/sonarcloud.yml)** (**`workflow_call`**) after the **`all_green`** gate and **coverage** succeed. The reusable workflow checks out the PR head or push SHA, downloads the **`coverage`** artifact, and runs the pinned **SonarSource** scan action. Same-repo **`pull_request`** and **`push`** only (fork PRs skip Sonar when the org secret is unavailable). Details: [SONARCLOUD.md](SONARCLOUD.md).

168
README.md
View File

@@ -1,3 +1,11 @@
[![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=ansible-collections_kubernetes.core&metric=alert_status)](https://sonarcloud.io/summary/new_code?id=ansible-collections_kubernetes.core)
[![Coverage](https://sonarcloud.io/api/project_badges/measure?project=ansible-collections_kubernetes.core&metric=coverage)](https://sonarcloud.io/summary/new_code?id=ansible-collections_kubernetes.core)
[![Vulnerabilities](https://sonarcloud.io/api/project_badges/measure?project=ansible-collections_kubernetes.core&metric=vulnerabilities)](https://sonarcloud.io/summary/new_code?id=ansible-collections_kubernetes.core)
[![Security Rating](https://sonarcloud.io/api/project_badges/measure?project=ansible-collections_kubernetes.core&metric=security_rating)](https://sonarcloud.io/summary/new_code?id=ansible-collections_kubernetes.core)
[![Bugs](https://sonarcloud.io/api/project_badges/measure?project=ansible-collections_kubernetes.core&metric=bugs)](https://sonarcloud.io/summary/new_code?id=ansible-collections_kubernetes.core)
[![Code Smells](https://sonarcloud.io/api/project_badges/measure?project=ansible-collections_kubernetes.core&metric=code_smells)](https://sonarcloud.io/summary/new_code?id=ansible-collections_kubernetes.core)
[![Maintainability Rating](https://sonarcloud.io/api/project_badges/measure?project=ansible-collections_kubernetes.core&metric=sqale_rating)](https://sonarcloud.io/summary/new_code?id=ansible-collections_kubernetes.core)
# Kubernetes Collection for Ansible
This repository hosts the `kubernetes.core` (formerly known as `community.kubernetes`) Ansible Collection.
@@ -6,62 +14,6 @@ This repository hosts the `kubernetes.core` (formerly known as `community.kubern
The collection includes a variety of Ansible content to help automate the management of applications in Kubernetes and OpenShift clusters, as well as the provisioning and maintenance of clusters themselves.
## SonarCloud (code quality)
Static analysis runs on [SonarCloud](https://sonarcloud.io) using `sonar-project.properties` and
`.github/workflows/sonarcloud.yml`. Coverage shown in Sonar comes from unit-test coverage exported as
`coverage.xml` at the repository root during CI.
The SonarCloud project key must match `sonar.projectKey` (`ansible-collections_kubernetes.core`). Adding
or renaming the project is coordinated via Ansible Collections maintainers.
GitHub does not expose organization secrets to workflows for pull requests opened from forks. The
Sonar job therefore only runs on pushes to this repository's branches and on pull requests where the
head branch is on `ansible-collections/kubernetes.core` (not from forks). That matches GitHub's
documented behavior for [secrets in Actions](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions).
If the project later needs Sonar with coverage on **fork** PRs, maintainers typically add a separate
trusted job after a workflow that uploads coverage artifacts, using GitHub's `workflow_run` event.
See [workflow_run (GitHub Docs)](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflow_run).
## Communication
* Join the Ansible forum:
* [Get Help](https://forum.ansible.com/c/help/6): get help or help others.
* [Posts tagged with 'kubernetes'](https://forum.ansible.com/tag/kubernetes): subscribe to participate in collection-related conversations.
* [Social Spaces](https://forum.ansible.com/c/chat/4): gather and interact with fellow enthusiasts.
* [News & Announcements](https://forum.ansible.com/c/news/5): track project-wide announcements including social events.
* The Ansible [Bullhorn newsletter](https://docs.ansible.com/ansible/devel/community/communication.html#the-bullhorn): used to announce releases and important changes.
For more information about communication, see the [Ansible communication guide](https://docs.ansible.com/ansible/devel/community/communication.html).
## Requirements
<!--start requires_ansible-->
## Ansible version compatibility
This collection has been tested against the following Ansible versions: **>=2.16.0**.
Plugins and modules within a collection may be tested with only specific Ansible versions.
A collection may contain metadata that identifies these versions.
PEP440 is the schema used to describe the versions of Ansible.
<!--end requires_ansible-->
### Helm Version Compatibility
This collection supports Helm v3.x and newer. Please note that specific modules or certain parameters may have additional version requirements.
### Python Support
* Collection supports 3.9+
Note: Python2 is deprecated from [1st January 2020](https://www.python.org/doc/sunset-python-2/). Please switch to Python3.
### Kubernetes Version Support
This collection supports Kubernetes versions >= 1.24.
### Included Content
Click on the name of a plugin or module to view that content's documentation:
@@ -109,6 +61,32 @@ Name | Description
<!--end collection content-->
## Requirements
<!--start requires_ansible-->
### Ansible version compatibility
This collection has been tested against the following Ansible versions: **>=2.16.0**.
Plugins and modules within a collection may be tested with only specific Ansible versions.
A collection may contain metadata that identifies these versions.
PEP440 is the schema used to describe the versions of Ansible.
<!--end requires_ansible-->
### Helm Version Compatibility
This collection supports Helm v3.x and newer. Please note that specific modules or certain parameters may have additional version requirements.
### Python Support
* Collection supports 3.9+
Note: Python2 is deprecated from [1st January 2020](https://www.python.org/doc/sunset-python-2/). Please switch to Python3.
### Kubernetes Version Support
This collection supports Kubernetes versions >= 1.24.
## Installation
Before using the Kubernetes collection, you need to install it with the Ansible Galaxy CLI:
@@ -128,7 +106,9 @@ collections:
Content in this collection requires the [Kubernetes Python client](https://pypi.org/project/kubernetes/) to interact with Kubernetes' APIs. You can install it with:
pip3 install kubernetes
```bash
pip3 install kubernetes
```
## Use Cases
@@ -218,12 +198,6 @@ defined in the playbook using `environment` keyword as above, you must set it us
Please read more about Ansible Turbo mode - [here](https://github.com/ansible-collections/kubernetes.core/blob/main/docs/ansible_turbo_mode.rst).
## Contributing to this Collection
If you want to develop new content for this collection or improve what's already here, the easiest way to work on the collection is to clone it into one of the configured [`COLLECTIONS_PATHS`](https://docs.ansible.com/ansible/latest/reference_appendices/config.html#collections-paths), and work on it there.
See [Contributing to kubernetes.core](CONTRIBUTING.md).
## Testing
[![Linters](https://img.shields.io/github/actions/workflow/status/ansible-collections/kubernetes.core/linters.yaml?label=linters)](https://github.com/ansible-collections/kubernetes.core/actions/workflows/linters.yaml) [![Integration tests](https://img.shields.io/github/actions/workflow/status/ansible-collections/kubernetes.core/integration-tests.yaml?label=integration%20tests)](https://github.com/ansible-collections/kubernetes.core/actions/workflows/integration-tests.yaml) [![Sanity tests](https://img.shields.io/github/actions/workflow/status/ansible-collections/kubernetes.core/sanity-tests.yaml?label=sanity%20tests)](https://github.com/ansible-collections/kubernetes.core/actions/workflows/sanity-tests.yaml) [![Unit tests](https://img.shields.io/github/actions/workflow/status/ansible-collections/kubernetes.core/unit-tests.yaml?label=unit%20tests)](https://github.com/ansible-collections/kubernetes.core/actions/workflows/unit-tests.yaml) [![Codecov](https://img.shields.io/codecov/c/github/ansible-collections/kubernetes.core)](https://app.codecov.io/gh/ansible-collections/kubernetes.core)
@@ -245,7 +219,40 @@ There are also integration tests in the `molecule` directory which are meant to
kind create cluster
make test-molecule
## Publishing New Versions
## Contributing to this Collection
If you want to develop new content for this collection or improve what is already here, clone the Git repository into one of the configured [`COLLECTIONS_PATHS`](https://docs.ansible.com/ansible/latest/reference_appendices/config.html#collections-paths) and work on it there.
See [Contributing to kubernetes.core](https://github.com/ansible-collections/kubernetes.core/blob/main/CONTRIBUTING.md).
Join the Ansible community:
* [Get Help](https://forum.ansible.com/c/help/6)
* [Posts tagged with 'kubernetes'](https://forum.ansible.com/tag/kubernetes)
* [Social Spaces](https://forum.ansible.com/c/chat/4)
* [News & Announcements](https://forum.ansible.com/c/news/5)
The Ansible [Bullhorn newsletter](https://docs.ansible.com/ansible/devel/community/communication.html#the-bullhorn) announces releases and important changes. For more information, see the [Ansible communication guide](https://docs.ansible.com/ansible/devel/community/communication.html).
### Code of Conduct
This project follows the [Ansible Code of Conduct](https://docs.ansible.com/ansible/devel/community/code_of_conduct.html). If you encounter abusive behavior, see the [policy violations](https://docs.ansible.com/ansible/devel/community/code_of_conduct.html#policy-violations) section for how to raise a complaint.
## Support
As Red Hat Ansible Certified Content, this collection is entitled to support through the Ansible Automation Platform (AAP) using the **Create issue** button on the top right corner. If a support case cannot be opened with Red Hat and the collection has been obtained either from Galaxy or GitHub, there may be community help available on the [Ansible Forum](https://forum.ansible.com/).
> **Note:** The `stable-4` branch (all `4.x.y` releases) is no longer supported. No backports or releases are performed on `stable-4`.
We announce releases and important changes through Ansible's [The Bullhorn newsletter](https://github.com/ansible/community/wiki/News#the-bullhorn). Subscribe via [this link](https://eepurl.com/gZmiEP).
We take part in the global quarterly [Ansible Contributor Summit](https://github.com/ansible/community/wiki/Contributor-Summit). Track The Bullhorn and join when announced.
For the latest supported versions, see [Release Notes and Roadmap](https://github.com/ansible-collections/kubernetes.core/blob/main/README.md#release-notes-and-roadmap).
Report bugs, request features, or ask questions by opening an issue in the [GitHub repository](https://github.com/ansible-collections/kubernetes.core/).
## Release Notes and Roadmap
Releases are automatically built and pushed to Ansible Galaxy for any new tag. Before tagging a release, make sure to do the following:
@@ -262,37 +269,24 @@ Releases are automatically built and pushed to Ansible Galaxy for any new tag. B
After the version is published, verify it exists on the [Kubernetes Collection Galaxy page](https://galaxy.ansible.com/kubernetes/core).
The process for uploading a supported release to Automation Hub is documented separately.
The process for [uploading a supported release to Automation Hub](https://docs.redhat.com/en/documentation/red_hat_ansible_automation_platform/2.1/html/uploading_content_to_red_hat_automation_hub/proc-upload-collection) is documented separately.
## Support
## Related Information
<!--List available communication channels. In addition to channels specific to your collection, we also recommend to use the following ones.-->
* [Using Ansible collections](https://docs.ansible.com/ansible/devel/user_guide/collections_using.html)
* [Ansible communication guide](https://docs.ansible.com/ansible/devel/community/communication.html)
* [Continuous integration (CI) overview](https://github.com/ansible-collections/kubernetes.core/blob/main/CI.md)
* [SonarCloud integration](https://github.com/ansible-collections/kubernetes.core/blob/main/SONARCLOUD.md)
* [Ansible Turbo mode (tech preview)](https://github.com/ansible-collections/kubernetes.core/blob/main/docs/ansible_turbo_mode.rst)
> **Note:** The `stable-4` branch, which handles all `4.x.y` releases of this collection, is no longer supported. This means that no backports nor releases will be performed on the `stable-4` branch.
We announce releases and important changes through Ansible's [The Bullhorn newsletter](https://github.com/ansible/community/wiki/News#the-bullhorn). Be sure you are [subscribed](https://eepurl.com/gZmiEP).
We take part in the global quarterly [Ansible Contributor Summit](https://github.com/ansible/community/wiki/Contributor-Summit) virtually or in-person. Track [The Bullhorn newsletter](https://eepurl.com/gZmiEP) and join us.
For more information about communication, refer to the [Ansible Communication guide](https://docs.ansible.com/ansible/devel/community/communication.html).
For the latest supported versions, refer to the release notes below.
If you encounter issues or have questions, you can submit a support request through the following channels:
- GitHub Issues: Report bugs, request features, or ask questions by opening an issue in the [GitHub repository](https://github.com/ansible-collections/kubernetes.core/).
## Release Notes
See the [raw generated changelog](https://github.com/ansible-collections/kubernetes.core/blob/main/CHANGELOG.rst).
## Code of Conduct
### Code of conduct
We follow the [Ansible Code of Conduct](https://docs.ansible.com/ansible/devel/community/code_of_conduct.html) in all our interactions within this project.
If you encounter abusive behavior, please refer to the [policy violations](https://docs.ansible.com/ansible/devel/community/code_of_conduct.html#policy-violations) section of the Code for information on how to raise a complaint.
## License
## License Information
GNU General Public License v3.0 or later
See LICENSE to see the full text.
See [LICENSE](https://github.com/ansible-collections/kubernetes.core/blob/main/LICENSE) to see the full text.

32
SONARCLOUD.md Normal file
View File

@@ -0,0 +1,32 @@
# SonarCloud
Dashboard:
[SonarCloud project overview](https://sonarcloud.io/project/overview?id=ansible-collections_kubernetes.core)
## CI integration
Sonar analysis is implemented in **[.github/workflows/sonarcloud.yml](.github/workflows/sonarcloud.yml)** as a **reusable workflow** (`on: workflow_call` only). It is **not** triggered by `workflow_run`.
**[.github/workflows/all_green_check.yaml](.github/workflows/all_green_check.yaml)** runs **linters** (on pull requests), **sanity**, **units**, and **coverage**, passes the aggregate **`all_green`** gate, then calls **`sonarcloud.yml`** via a **`sonarcloud`** job when the conditions below are met. The **coverage** job uploads a **`coverage`** artifact; the Sonar job downloads it in the **same** workflow run.
The caller runs on **`pull_request`** or **`push`**, so the reusable workflow inherits that **`github.event`**. **`actions/checkout`** uses **`github.event.pull_request.head.sha`** on pull requests and **`github.sha`** on push (Sonar-friendly checkout). PR parameters (**`sonar.pullrequest.*`**) are taken from **`github.event.pull_request`** (no `gh` API calls in **`sonarcloud.yml`**).
The scan step uses **`SonarSource/sonarqube-scan-action`** (pinned SHA in the workflow file) with **`sonar.python.coverage.reportPaths`** set from any **`coverage*.xml`** files found under the workspace after the artifact download. The overall flow (coverage in CI, then Sonar with XML) follows the same idea as [ansible-collections/amazon.aws#2871](https://github.com/ansible-collections/amazon.aws/pull/2871), using **`workflow_call`** from **`all_green`** instead of a separate **`workflow_run`** finalize workflow.
Workflow files:
- [.github/workflows/all_green_check.yaml](.github/workflows/all_green_check.yaml) -- **`all_green`** gate, **coverage** artifact upload, and **`sonarcloud`** job (**`uses: ./.github/workflows/sonarcloud.yml`**, passing only **`ANSIBLE_COLLECTIONS_ORG_SONAR_TOKEN_CICD_BOT`**) after **`all_green`** and **`coverage`** succeed, gated for **`push`** and same-repo **`pull_request`** when that secret is set.
- [.github/workflows/sonarcloud.yml](.github/workflows/sonarcloud.yml) -- **`scan`** job: checkout, download **`coverage`**, **`SONAR_ARGS`**, SonarCloud scan.
Scanner configuration lives in [sonar-project.properties](sonar-project.properties).
The **coverage** job (in **`all_green`**) uses **`ansible-test`** (`units --coverage`, then **`coverage combine`** / **`coverage xml`**), then writes **`coverage.xml`** with workspace paths normalized for Sonar. **`pytest-cov`** is listed in **`tests/unit/requirements.txt`** for parity and any direct pytest runs; **`ansible-test`** still owns the coverage data used in CI.
**`sonarcloud.yml`** declares a required secret **`ANSIBLE_COLLECTIONS_ORG_SONAR_TOKEN_CICD_BOT`** and **`permissions: contents: read`**, **`pull-requests: read`**.
Org secrets and fork PR behavior follow GitHub's [secrets in Actions](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions) documentation. The **`sonarcloud`** job is **`if:`**-gated so the org token is not used for fork-head checkouts; fork PRs still run **`all_green`** for CI without running Sonar.
## Branch protection (repository settings)
If **`SonarCloud scan`** or **`all_green`** should block merges, add them under **Settings** > **Branches** > **Required status checks** for the protected branch. That is not configured in YAML.

1
tests/unit/requirements.txt
View File

@@ -1,3 +1,4 @@
pytest
pytest-cov
PyYAML
kubernetes