ci: rework sonar scan workflow (#927)

--- By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
zxkane · May 5, 2024 · d9604d1 · d9604d1
1 parent 325e47a
commit d9604d1
Show file tree

Hide file tree

Showing 14 changed files with 83 additions and 74 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
diff --git a/.github/workflows/lint-pr.yml b/.github/workflows/lint-pr.yml
diff --git a/.github/workflows/pull-request-lint.yml b/.github/workflows/pull-request-lint.yml
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
diff --git a/.github/workflows/sonar-check.yml b/.github/workflows/sonar-check.yml
@@ -14,6 +14,14 @@ jobs:
           - 9000:9000
     steps:
       - uses: actions/checkout@v4
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20.x
+      - name: Install dependencies
+        run: yarn install --check-files && yarn --cwd example/ install --check-files
+      - name: Run unit tests
+        run: npx projen test
       - name: Configure sonarqube
         env:
           SONARQUBE_URL: http://localhost:9000
@@ -24,31 +32,24 @@ jobs:
         uses: sonarsource/sonarqube-scan-action@master
         env:
           SONAR_HOST_URL: http://sonarqube:9000
+          SONAR_TOKEN: ${{ env.SONARQUBE_TOKEN }}
         with:
           args: >
-            -Dsonar.login=admin
-            -Dsonar.password=${{ secrets.SONARQUBE_ADMIN_PASSWORD }}
             -Dsonar.projectKey=pr-${{ github.event.pull_request.number }}
       # Check the Quality Gate status.
-      # - name: SonarQube Quality Gate check
-      #   id: sonarqube-quality-gate-check
-      #   uses: sonarsource/sonarqube-quality-gate-action@master
-      #   # Force to fail step after specific time.
-      #   timeout-minutes: 10
-      #   env:
-      #     DEBUG: "true"
-      #     SONAR_TOKEN: ${{ env.SONARQUBE_TOKEN }}
-      #     SONAR_HOST_URL: http://localhost:9000
-
+      - name: SonarQube Quality Gate check
+        id: sonarqube-quality-gate-check
+        uses: sonarsource/sonarqube-quality-gate-action@master
+        # Force to fail step after specific time.
+        timeout-minutes: 5
+        env:
+          SONAR_TOKEN: ${{ env.SONARQUBE_TOKEN }}
+          SONAR_HOST_URL: http://localhost:9000
       - uses: phwt/sonarqube-quality-gate-action@v1
         id: quality-gate-check
+        if: always()
         with:
           sonar-project-key: pr-${{ github.event.pull_request.number }}
           sonar-host-url: http://sonarqube:9000
           sonar-token: ${{ env.SONARQUBE_TOKEN }}
           github-token: ${{ secrets.PROJEN_GITHUB_TOKEN }}
-
-      - name: Output result
-        run: |
-          echo "${{ steps.quality-gate-check.outputs.project-status }}"
-          echo "${{ steps.quality-gate-check.outputs.quality-gate-result }}"  
diff --git a/.github/workflows/sonarqube/sonar-configure.sh b/.github/workflows/sonarqube/sonar-configure.sh
@@ -184,7 +184,7 @@ else
         status_code=$(echo "$token_gen_resp" | sed 's/^.*HTTPSTATUS://')
         if [ "$status_code" -eq 200 ]; then
             token=$(echo "$response_body" | jq -r '.token')
-            echo "SONARQUBE_TOKEN=${token}:" >> $GITHUB_ENV
+            echo "SONARQUBE_TOKEN=${token}" >> $GITHUB_ENV
             info  "admin-ci-token generated."
         else
             error "admin-ci-token generation failed."

diff --git a/.github/workflows/upgrade-main.yml b/.github/workflows/upgrade-main.yml
diff --git a/.projen/deps.json b/.projen/deps.json
diff --git a/.projenrc.js b/.projenrc.js
@@ -78,7 +78,7 @@ const project = new awscdk.AwsCdkConstructLibrary({
   license: 'Apache-2.0', /* License's SPDX identifier. */
   licensed: true, /* Indicates if a license should be added. */
   // maxNodeVersion: undefined,                                                /* Minimum node.js version to require via `engines` (inclusive). */
-  minNodeVersion: '16.20.0',
+  minNodeVersion: '20.12.2',
   // npmAccess: undefined,                                                     /* Access level of the npm package. */
   // npmDistTag: 'latest',                                                     /* Tags can be used to provide an alias instead of version numbers. */
   // npmRegistryUrl: 'https://registry.npmjs.org',                             /* The base URL of the npm package registry. */
@@ -127,6 +127,20 @@ const project = new awscdk.AwsCdkConstructLibrary({
     '---',
     'By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.',
   ],
+  githubOptions: {
+    pullRequestLintOptions: {
+      semanticTitleOptions: {
+        types: [
+          'feat',
+          'fix',
+          'chore',
+          'docs',
+          'ci',
+          'tests',
+        ],
+      },
+    },
+  },
   // releaseBranches: [ 'main' ],                                              /* Branches which trigger a release. */
   // releaseEveryCommit: true,                                                 /* Automatically release new versions every commit to one of branches in `releaseBranches`. */
   // releaseSchedule: undefined,                                               /* CRON schedule to trigger new releases. */

diff --git a/example/src/main.ts b/example/src/main.ts
@@ -139,7 +139,7 @@ const env = vpcId ? {
   region: process.env.CDK_DEFAULT_REGION,
 } : undefined;
 
-new SimpleNATStack(app, 'simple-nat-stack', {
+new SimpleNATStack(app, 'simple-nat-stack', { //NOSONAR
   env: env,
 });
 

diff --git a/package.json b/package.json
diff --git a/sonar-project.properties b/sonar-project.properties
@@ -0,0 +1,29 @@
+# Customize sonar.sources, sonar.exclusions, sonar.coverage.exclusions, sonar.tests and sonar
+# unit test coverage reports based on your solutions
+
+# Refer to https://docs.sonarqube.org/latest/project-administration/narrowing-the-focus/
+# for details on sources and exclusions. Note also .gitignore
+#
+sonar.sources=src/
+sonar.tests=test/
+
+# Focusing sonarqube analysis on non test code first and reducing noise from analysis of test code. Projects
+# can customize the exclusions to include analyzing of test code if desired
+sonar.exclusions=example/
+
+sonar.issue.ignore.multicriteria=e1,e2
+# exclude False Positive findings for instantiating CDK objects only
+sonar.issue.ignore.multicriteria.e1.ruleKey=typescript:S1848
+sonar.issue.ignore.multicriteria.e1.resourceKey=src/**/*.ts
+sonar.issue.ignore.multicriteria.e2.ruleKey=typescript:S3776
+sonar.issue.ignore.multicriteria.e2.resourceKey=src/index.ts
+
+# Code coverage Specific Properties
+sonar.coverage.exclusions=examples/**
+sonar.javascript.lcov.reportPaths=coverage/lcov.info
+
+sonar.junit.reportPaths=test-reports/
+sonar.junit.reportFormat=xml
+
+# Encoding of the source files
+sonar.sourceEncoding=UTF-8
diff --git a/src/index.ts b/src/index.ts
@@ -109,7 +109,7 @@ export class SimpleNAT extends Resource {
   constructor(scope: Construct, id: string, props: SimpleNATProps) {
     super(scope, id);
 
-    var subnets;
+    let subnets;
     try {
       subnets = props.vpc.selectSubnets(props.natSubnetsSelection ?? {
         subnetType: SubnetType.PUBLIC,

diff --git a/yarn.lock b/yarn.lock