matrix-js-sdk/.github/workflows/sonarcloud.yml

# Must only be called from a workflow_run in the context of the upstream repo
name: SonarCloud
on:
    workflow_call:
        secrets:
            SONAR_TOKEN:
                required: true
            # No longer used
            ELEMENT_BOT_TOKEN:
                required: false
        inputs:
            sharded:
                type: boolean
                required: false
                description: "Whether to combine multiple LCOV and sonar-report files in coverage artifact"
            version-pkg-json-dir:
                type: string
                default: "."
                description: "Relative path of the directory containing package.json with the `version` to use."
permissions: {}
jobs:
    sonarqube:
        runs-on: ubuntu-24.04
        if: |
            github.event.workflow_run.conclusion == 'success' &&
            github.event.workflow_run.event != 'merge_group'
        permissions:
            actions: read
            statuses: write
            id-token: write # sonar
        steps:
            # We create the status here and then update it to success/failure in the `report` stage
            # This provides an easy link to this workflow_run from the PR before Sonarcloud is done.
            - uses: guibranco/github-status-action-v2@9bfa8773cdbdc6c185747fd43cd7faa9d7c32f09
              with:
                  authToken: ${{ secrets.GITHUB_TOKEN }}
                  state: pending
                  context: ${{ github.workflow }} / SonarCloud (${{ github.event.workflow_run.event }} => ${{ github.event_name }})
                  sha: ${{ github.event.workflow_run.head_sha }}
                  target_url: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}

            - name: "🧮 Checkout code"
              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
              with:
                  repository: ${{ github.event.workflow_run.head_repository.full_name }}
                  ref: ${{ github.event.workflow_run.head_branch }} # checkout commit that triggered this workflow
                  fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
                  persist-credentials: false

            - name: 📥 Download artifact
              uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
              if: ${{ !inputs.sharded }}
              with:
                  github-token: ${{ secrets.GITHUB_TOKEN }}
                  run-id: ${{ github.event.workflow_run.id }}
                  name: coverage
                  path: coverage
            - name: 📥 Download sharded artifacts
              uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
              if: inputs.sharded
              with:
                  github-token: ${{ secrets.GITHUB_TOKEN }}
                  run-id: ${{ github.event.workflow_run.id }}
                  pattern: coverage-*
                  path: coverage
            - name: Check coverage artifact
              run: |
                  if [ ! -d coverage ]; then
                      echo "Coverage not found. Exiting with failure."
                      exit 1
                  fi

            - id: extra_args
              run: |
                  coverage=$(find coverage -type f -name '*lcov.info' -printf '%h/%f,' | tr -d '\r\n' | sed 's/,$//g')
                  echo "sonar.javascript.lcov.reportPaths=$coverage" >> sonar-project.properties
                  reports=$(find coverage -type f -name '*sonar-report*.xml' -printf '%h/%f,' | tr -d '\r\n' | sed 's/,$//g')
                  echo "sonar.testExecutionReportPaths=$reports" >> sonar-project.properties

            - name: "🩻 SonarCloud Scan"
              id: sonarcloud
              uses: matrix-org/sonarcloud-workflow-action@13968a27c924fa19b1dacbce6ca3ff217daa775b
              # workflow_run fails report against the develop commit always, we don't want that for PRs
              continue-on-error: ${{ github.event.workflow_run.head_branch != 'develop' }}
              with:
                  skip_checkout: true
                  repository: ${{ github.event.workflow_run.head_repository.full_name }}
                  is_pr: ${{ github.event.workflow_run.event == 'pull_request' }}
                  skip_coverage_label: Z-Skip-Coverage
                  version_cmd: "cat ${{ inputs.version-pkg-json-dir }}/package.json | jq -r .version"
                  branch: ${{ github.event.workflow_run.head_branch }}
                  revision: ${{ github.event.workflow_run.head_sha }}
                  token: ${{ secrets.SONAR_TOKEN }}

            - uses: guibranco/github-status-action-v2@9bfa8773cdbdc6c185747fd43cd7faa9d7c32f09
              if: always()
              with:
                  authToken: ${{ secrets.GITHUB_TOKEN }}
                  state: ${{ steps.sonarcloud.outcome == 'success' && 'success' || 'failure' }}
                  context: ${{ github.workflow }} / SonarCloud (${{ github.event.workflow_run.event }} => ${{ github.event_name }})
                  sha: ${{ github.event.workflow_run.head_sha }}
                  target_url: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}