
chore: update sonarlint documentation #5

chore: update sonarlint documentation



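# ═══════════════════════════════════════════════════════════════════════════
# SONARCLOUD CODE QUALITY ANALYSIS WORKFLOW
# ═══════════════════════════════════════════════════════════════════════════
#
# Purpose: Performs deep code quality and security analysis using SonarCloud
# to identify bugs, vulnerabilities, code smells, and coverage gaps.
#
# Triggers:
# - Push to develop branch
# - Pull requests targeting develop branch
#
# Key Features:
# - Comprehensive code quality analysis with SonarCloud
# - Security vulnerability detection
# - Code coverage integration
# - Technical debt tracking
# - Quality gate enforcement
# - PR decoration with inline feedback
#
# DX Benefits:
# - Early detection of security vulnerabilities
# - Consistent code quality standards across the monorepo
# - Detailed code smell and bug detection
# - Automated PR feedback with actionable insights
# - Tracks quality metrics over time
#
# Hardening notes (this revision):
# - The lockfile is enforced on install (--frozen-lockfile) so CI cannot
#   silently resolve dependency versions that differ from the committed lock.
# - No GitHub-event-controlled strings (e.g. a PR head branch name) are
#   interpolated into command lines or inline scripts; values needed by
#   scripts are passed through `env` and read from process.env instead.
# - Third-party actions referenced by a moving branch (@master) are marked
#   for pinning; the commit SHA to pin is not recorded in this file.
# ═══════════════════════════════════════════════════════════════════════════
name: SonarCloud Analysis

# `on` is a YAML 1.1 boolean-looking key; GitHub's loader handles it.
on:  # yamllint disable-line rule:truthy
  push:
    branches: [develop]
  pull_request:
    types: [opened, synchronize, reopened]
    branches: [develop]

# Least privilege for the default GITHUB_TOKEN: read the checkout and post the
# PR comment created in the last step. Nothing here needs write access to
# contents, packages, or id-token.
permissions:
  contents: read
  pull-requests: write  # For PR comments

jobs:
  # Main SonarCloud analysis job that scans the entire monorepo
  # This job complements existing linting tools (Biome/Ultracite) with
  # advanced security and quality analysis
  sonarcloud:
    name: SonarCloud Scan
    runs-on: ubuntu-latest
    # Skip analysis for bots and when explicitly requested.
    # NOTE: head_commit is part of the push payload only; on pull_request runs
    # contains(null, ...) is false, so the 'skip sonar' opt-out affects pushes only.
    # NOTE(review): pull requests opened from forks do not receive repository
    # secrets, so SONAR_TOKEN will be empty there — confirm the desired behaviour.
    if: "!contains(github.event.head_commit.message, 'skip sonar') && github.actor != 'dependabot[bot]'"
    steps:
      # Step 1: Check out the repository with full history
      # Full history is required for accurate blame information and new code detection
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0  # Shallow clones should be disabled for better analysis

      # Step 2: Set up Node.js environment
      # Required for running tests and generating coverage reports
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: "20"  # quoted so the version is never retyped as a number

      # Step 3: Install pnpm package manager
      - name: Install pnpm
        uses: pnpm/action-setup@v4
        with:
          run_install: false

      # Step 4: Get pnpm store directory for caching
      - name: Get pnpm store directory
        id: pnpm-store
        shell: bash
        run: |
          # Quote the output file path so a path with spaces cannot split the redirect.
          echo "STORE_PATH=$(pnpm store path --silent)" >> "$GITHUB_OUTPUT"

      # Step 5: Set up pnpm cache to speed up dependency installation
      - name: Setup pnpm cache
        uses: actions/cache@v4
        with:
          path: ${{ steps.pnpm-store.outputs.STORE_PATH }}
          key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
          restore-keys: |
            ${{ runner.os }}-pnpm-store-

      # Step 6: Install project dependencies
      # --frozen-lockfile fails the job when package.json and pnpm-lock.yaml
      # disagree instead of resolving (and caching) new versions on the runner,
      # which keeps the analysed dependency tree identical to what is committed.
      - name: Install dependencies
        run: pnpm install --frozen-lockfile

      # Step 7: Run tests with coverage for SonarCloud
      # This generates coverage reports that SonarCloud will use
      - name: Run tests with coverage
        run: pnpm test -- --coverage --run

      # Step 8: Run SonarCloud analysis (push and pull_request)
      # Analyzes code quality, security vulnerabilities, and test coverage.
      # The sonar.pullrequest.* parameters are no longer passed via `args`:
      # the scanner detects them from the Actions event context on
      # pull_request runs, and interpolating github.event.pull_request.head.ref
      # into a command line would feed a branch name chosen by the PR author
      # into a shell-evaluated argument. If explicit values are ever required,
      # pass them through `env`, never through expression interpolation.
      # TODO(supply-chain): pin to a release tag or a full commit SHA
      # (e.g. @<PINNED_COMMIT_SHA>) instead of the moving `master` branch.
      - name: SonarCloud Scan
        uses: SonarSource/sonarcloud-github-action@master
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

      # Step 9: Wait for the quality gate result of the scan above
      # This provides immediate feedback to developers on PRs
      # TODO(supply-chain): pin to a release tag or a full commit SHA as well.
      - name: SonarCloud Quality Gate check
        id: sonarcloud-quality-gate-check
        uses: sonarsource/sonarqube-quality-gate-action@master
        # Force to fail step after specific time
        timeout-minutes: 5
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

      # Step 10: Add comment to PR with analysis results
      # The gate status is handed to the script via `env` and read from
      # process.env rather than being spliced into the JavaScript source with
      # ${{ }}; the PR number comes from the github-script `context` object.
      - name: Comment PR
        if: github.event_name == 'pull_request' && steps.sonarcloud-quality-gate-check.outputs.quality-gate-status
        uses: actions/github-script@v7
        env:
          QUALITY_GATE_STATUS: ${{ steps.sonarcloud-quality-gate-check.outputs.quality-gate-status }}
        with:
          script: |
            const status = process.env.QUALITY_GATE_STATUS;
            const prNumber = context.issue.number;
            const emoji = status === 'PASSED' ? '✅' : '❌';
            const statusText = status === 'PASSED' ? 'Passed' : 'Failed';
            const projectId = 'zopiolabs_zopio_test_fork';
            // Fetch additional metrics
            const coverageInfo = `
            📊 **Code Quality Metrics:**
            - Quality Gate: ${emoji} ${statusText}
            - Coverage: Check the [detailed report](https://sonarcloud.io/summary/new_code?id=${projectId}&pullRequest=${prNumber})
            💡 **Next Steps:**
            ${status === 'PASSED'
              ? '- Your code meets quality standards! ✨'
              : '- Please address the issues found in the SonarCloud report\n- Focus on new code coverage and security issues'}
            🔗 [View Full Analysis on SonarCloud](https://sonarcloud.io/dashboard?id=${projectId}&pullRequest=${prNumber})
            `;
            await github.rest.issues.createComment({
              issue_number: prNumber,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: coverageInfo
            });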