Skip to content

chore: add openssf scorecard workflow (#359) #546

chore: add openssf scorecard workflow (#359)

chore: add openssf scorecard workflow (#359) #546

Workflow file for this run

---
name: Code Coverage Check
on:
push:
branches:
- main
pull_request:
paths:
- '**.py'
jobs:
test:
runs-on: ubuntu-latest
steps:
- name: Check out
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
- name: Set up poetry and install
uses: ./.github/actions/setup-poetry
with:
python-version: "3.9"
- name: Run tests
run: make test-code-cov
- name: Upload artifact
uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # pin@v4
with:
name: coverage
path: coverage.xml
sonarcloud:
if: ${{ github.event.pull_request.base.repo.url == github.event.pull_request.head.repo.url }}
name: SonarCloud
runs-on: ubuntu-latest
needs: test
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
- name: Get coverage
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # pin@v4
with:
name: coverage
- name: SonarCloud Scan
uses: SonarSource/sonarcloud-github-action@49e6cd3b187936a73b8280d59ffd9da69df63ec9 # pin@49e6cd3b187936a73b8280d59ffd9da69df63ec9
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
with:
args: >
-Dsonar.python.coverage.reportPaths=coverage.xml -Dsonar.tests=tests/ -Dsonar.sources=trestlebot/ -Dsonar.python.version=3.10 -Dsonar.projectKey=rh-psce_trestle-bot -Dsonar.organization=rh-psce
- name: SonarQube Quality Gate check
uses: sonarsource/sonarqube-quality-gate-action@f9fe214a5be5769c40619de2fff2726c36d2d5eb # pin@f9fe214a5be5769c40619de2fff2726c36d2d5eb
# Force to fail step after specific time
timeout-minutes: 5
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}