From 9d82221b3c47a53248149b62bc84bfdc8ba6e57d Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Tue, 25 Oct 2022 16:23:39 +0200 Subject: [PATCH 01/13] Create sonarqube.yaml --- code-scanning/sonarqube.yaml | 65 ++++++++++++++++++++++++++++++++++++ 1 file changed, 65 insertions(+) create mode 100644 code-scanning/sonarqube.yaml diff --git a/code-scanning/sonarqube.yaml b/code-scanning/sonarqube.yaml new file mode 100644 index 0000000..c6fbfce --- /dev/null +++ b/code-scanning/sonarqube.yaml @@ -0,0 +1,65 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow helps you trigger a SonarQube analysis of your code and populates +# GitHub Code Scanning alerts with the vulnerabilities found. +# (this feature is available starting from Developer Edition) + +# 1. Make sure you add a valid GitHub configuration to your SonarQube (Administration > DevOps platforms > GitHub) + +# 2. Import your project on SonarQube +# * Add your repository as a new project by clicking "Create project" from your homepage. +# +# 3. Select GitHub Actions as your CI and follow the tutorial +# * a. Copy/paste the Project Key and the Organization Key into the args parameter below +# (You'll find this information in SonarQube. Click on "Information" at the bottom left) +# +# * b. Generate a new token and add it to your Github repository's secrets using the name SONAR_TOKEN +# (On SonarQube, click on your avatar on top-right > My account > Security +# or go directly to https://sonarcloud.io/account/security/) + +# Feel free to take a look at our documentation (https://docs.sonarcloud.io/getting-started/github/) +# or reach out to our community forum if you need some help (https://community.sonarsource.com/c/help/sc/9) + +name: SonarQube analysis + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + workflow_dispatch: + +permissions: + pull-requests: read # allows SonarQube to decorate PRs with analysis results + +jobs: + Analysis: + runs-on: ubuntu-latest + + steps: + - name: Analyze with SonarQube + + # You can pin the exact commit or the version. + # uses: SonarSource/sonarqube-scan-action@v1.1.0 + uses: SonarSource/sonarqube-scan-action@v1.1.0 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on SonarQube, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret) + SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} # add the URL of your instance to the secrets of this repo with the name SONAR_HOST_URL (Settings > Secrets > Actions > add new repository secret) + with: + # Additional arguments for the sonarcloud scanner + args: + # Unique key of your project. You can find it in SonarQube > [my project] > Project Information (top-right menu) + # mandatory + -Dsonar.projectKey= + # Comma-separated paths to directories containing main source files. + #-Dsonar.sources= # optional, default is project base directory + # When you need the analysis to take place in a directory other than the one from which it was launched + #-Dsonar.projectBaseDir= # optional, default is . + # Comma-separated paths to directories containing test source files. + #-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/ + # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing. + #-Dsonar.verbose= # optional, default is false From f44ecbf0e28eae370cbcbece24deff8737158257 Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Tue, 25 Oct 2022 16:29:30 +0200 Subject: [PATCH 02/13] Added comments --- code-scanning/sonarqube.yaml | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/code-scanning/sonarqube.yaml b/code-scanning/sonarqube.yaml index c6fbfce..e9b8d98 100644 --- a/code-scanning/sonarqube.yaml +++ b/code-scanning/sonarqube.yaml @@ -13,15 +13,16 @@ # * Add your repository as a new project by clicking "Create project" from your homepage. # # 3. Select GitHub Actions as your CI and follow the tutorial -# * a. Copy/paste the Project Key and the Organization Key into the args parameter below -# (You'll find this information in SonarQube. Click on "Information" at the bottom left) +# * a. Generate a new token and add it to your Github repository's secrets using the name SONAR_TOKEN +# (On SonarQube, click on your avatar on top-right > My account > Security or ask your administrator) # -# * b. Generate a new token and add it to your Github repository's secrets using the name SONAR_TOKEN -# (On SonarQube, click on your avatar on top-right > My account > Security -# or go directly to https://sonarcloud.io/account/security/) +# * b. Copy/paste your SonarQube host URL to your Github repository's secrets using the name SONAR_HOST_URL +# +# * c. Copy/paste the project Key into the args parameter below +# (You'll find this information in SonarQube by following the tutorial or by clicking on Project Information at the top-right of your project's homepage) -# Feel free to take a look at our documentation (https://docs.sonarcloud.io/getting-started/github/) -# or reach out to our community forum if you need some help (https://community.sonarsource.com/c/help/sc/9) +# Feel free to take a look at our documentation (https://docs.sonarqube.org/latest/analysis/github-integration/) +# or reach out to our community forum if you need some help (https://community.sonarsource.com/c/sq/10) name: SonarQube analysis From 4a1cad76c04ded3d2d1e1f20778ea3855c9e5d1d Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Tue, 25 Oct 2022 16:57:24 +0200 Subject: [PATCH 03/13] Added reference to documentation --- code-scanning/sonarqube.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/sonarqube.yaml b/code-scanning/sonarqube.yaml index e9b8d98..f34d48e 100644 --- a/code-scanning/sonarqube.yaml +++ b/code-scanning/sonarqube.yaml @@ -5,7 +5,7 @@ # This workflow helps you trigger a SonarQube analysis of your code and populates # GitHub Code Scanning alerts with the vulnerabilities found. -# (this feature is available starting from Developer Edition) +# (this feature is available starting from SonarQube 9.7, Developer Edition and above) # 1. Make sure you add a valid GitHub configuration to your SonarQube (Administration > DevOps platforms > GitHub) From c7e73d7edc4e376bfdb148a7ee0a1d732c8443f9 Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Thu, 3 Nov 2022 11:23:48 +0100 Subject: [PATCH 04/13] Update sonarqube.yaml --- code-scanning/sonarqube.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/sonarqube.yaml b/code-scanning/sonarqube.yaml index f34d48e..23f79da 100644 --- a/code-scanning/sonarqube.yaml +++ b/code-scanning/sonarqube.yaml @@ -13,10 +13,10 @@ # * Add your repository as a new project by clicking "Create project" from your homepage. # # 3. Select GitHub Actions as your CI and follow the tutorial -# * a. Generate a new token and add it to your Github repository's secrets using the name SONAR_TOKEN +# * a. Generate a new token and add it to your GitHub repository's secrets using the name SONAR_TOKEN # (On SonarQube, click on your avatar on top-right > My account > Security or ask your administrator) # -# * b. Copy/paste your SonarQube host URL to your Github repository's secrets using the name SONAR_HOST_URL +# * b. Copy/paste your SonarQube host URL to your GitHub repository's secrets using the name SONAR_HOST_URL # # * c. Copy/paste the project Key into the args parameter below # (You'll find this information in SonarQube by following the tutorial or by clicking on Project Information at the top-right of your project's homepage) From ca67faa01ca580695b67779e7cc67cf4b6586ddd Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Thu, 3 Nov 2022 11:25:29 +0100 Subject: [PATCH 05/13] Rename sonarqube.yaml to sonarqube.yml --- code-scanning/{sonarqube.yaml => sonarqube.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename code-scanning/{sonarqube.yaml => sonarqube.yml} (100%) diff --git a/code-scanning/sonarqube.yaml b/code-scanning/sonarqube.yml similarity index 100% rename from code-scanning/sonarqube.yaml rename to code-scanning/sonarqube.yml From a5ee5608b9f19e8c4949b365711030820ead5d69 Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Thu, 3 Nov 2022 11:27:23 +0100 Subject: [PATCH 06/13] Create sonarqube.properties.json --- code-scanning/properties/sonarqube.properties.json | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 code-scanning/properties/sonarqube.properties.json diff --git a/code-scanning/properties/sonarqube.properties.json b/code-scanning/properties/sonarqube.properties.json new file mode 100644 index 0000000..9912c51 --- /dev/null +++ b/code-scanning/properties/sonarqube.properties.json @@ -0,0 +1,7 @@ +{ + "name": "SonarQube", + "creator": "Sonar", + "description": "Static analysis of code for vulnerability detection, covering 26+ languages. Start cleaning your code in minutes!", + "iconName": "sonarqube", + "categories": ["Code Scanning","abap","apex","c","cobol","cpp","cloudformation","csharp","css","flex","go","java","javascript","kotlin","objectivec","php","plsql","ruby","scala","swift","terraform","tsql","typescript","vb","vba","xml"] +} From 4c8f3a77aa64cc3b5da5b5b244d75e07285e77d3 Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Thu, 3 Nov 2022 11:28:50 +0100 Subject: [PATCH 07/13] Add files via upload --- icons/SonarQube icon.svg | 1 + 1 file changed, 1 insertion(+) create mode 100644 icons/SonarQube icon.svg diff --git a/icons/SonarQube icon.svg b/icons/SonarQube icon.svg new file mode 100644 index 0000000..b5c23d8 --- /dev/null +++ b/icons/SonarQube icon.svg @@ -0,0 +1 @@ +SonarQube icon \ No newline at end of file From 5081d1525082e71f7be1c3eb381c7e5443e28f95 Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Thu, 3 Nov 2022 11:29:30 +0100 Subject: [PATCH 08/13] Rename SonarQube icon.svg to sonarqube.svg --- icons/{SonarQube icon.svg => sonarqube.svg} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename icons/{SonarQube icon.svg => sonarqube.svg} (94%) diff --git a/icons/SonarQube icon.svg b/icons/sonarqube.svg similarity index 94% rename from icons/SonarQube icon.svg rename to icons/sonarqube.svg index b5c23d8..a4bba35 100644 --- a/icons/SonarQube icon.svg +++ b/icons/sonarqube.svg @@ -1 +1 @@ -SonarQube icon \ No newline at end of file +SonarQube icon From 4f469603129f59fefca0072e32a2eed15002fe4c Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Thu, 1 Dec 2022 06:55:46 +0000 Subject: [PATCH 09/13] Add instructions to test templates --- README.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/README.md b/README.md index 7ff406f..1048694 100644 --- a/README.md +++ b/README.md @@ -50,3 +50,23 @@ These variables can be placed in the starter workflow and will be substituted as * `$default-branch`: will substitute the branch from the repository, for example `main` and `master` * `$protected-branches`: will substitute any protected branches from the repository * `$cron-daily`: will substitute a valid but random time within the day + +## How to test templates before publishing + +### Disable template for public +The author should add a `labels` array in the `properties.json` file with a label `preview`. This would hide the template from GitHub UX. +Example `properties.json` file: +```json +{ + "name": "Node.js", + "description": "Build and test a Node.js project with npm.", + "iconName": "nodejs", + "categories": ["Continuous integration", "JavaScript", "npm", "React", "Angular", "Vue"], + "labels": ["preview"] +} +``` + +Then to view the template in the `actions/new` page add a URL query parameter `preview=true` and it should be visible. + +### Enable template for public +Remove the `labels` array from `properties.json` file to publish the template to public From bd3d623e07d9ec600ba22e97a047b9afb91075f9 Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Thu, 1 Dec 2022 13:06:55 +0530 Subject: [PATCH 10/13] Apply suggestions from code review Co-authored-by: Anurag Chauhan <44864882+anuragc617@users.noreply.github.com> --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 1048694..e455e13 100644 --- a/README.md +++ b/README.md @@ -54,7 +54,7 @@ These variables can be placed in the starter workflow and will be substituted as ## How to test templates before publishing ### Disable template for public -The author should add a `labels` array in the `properties.json` file with a label `preview`. This would hide the template from GitHub UX. +The template author adds a `labels` array in the template's `properties.json` file with a label `preview`. This will hide the template from users, unless user uses query parameter `preview=true` in the URL. Example `properties.json` file: ```json { @@ -66,7 +66,7 @@ Example `properties.json` file: } ``` -Then to view the template in the `actions/new` page add a URL query parameter `preview=true` and it should be visible. +For viewing the templates with `preview` label, provide query parameter `preview=true` to the `new workflow` page URL. Eg. `https://github.com///actions/new?preview=true`. ### Enable template for public Remove the `labels` array from `properties.json` file to publish the template to public From db5c5c4b5e88807a37600118dc80be71301ba48b Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Thu, 1 Dec 2022 17:08:17 +0100 Subject: [PATCH 11/13] Apply suggestions from code review Co-authored-by: Sampark Sharma --- code-scanning/sonarqube.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/code-scanning/sonarqube.yml b/code-scanning/sonarqube.yml index 23f79da..68585a9 100644 --- a/code-scanning/sonarqube.yml +++ b/code-scanning/sonarqube.yml @@ -41,7 +41,7 @@ jobs: runs-on: ubuntu-latest steps: - - name: Analyze with SonarQube + - name: Analyze with SonarQube # You can pin the exact commit or the version. # uses: SonarSource/sonarqube-scan-action@v1.1.0 @@ -52,7 +52,7 @@ jobs: SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} # add the URL of your instance to the secrets of this repo with the name SONAR_HOST_URL (Settings > Secrets > Actions > add new repository secret) with: # Additional arguments for the sonarcloud scanner - args: + args: # Unique key of your project. You can find it in SonarQube > [my project] > Project Information (top-right menu) # mandatory -Dsonar.projectKey= @@ -63,4 +63,4 @@ jobs: # Comma-separated paths to directories containing test source files. #-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/ # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing. - #-Dsonar.verbose= # optional, default is false + #-Dsonar.verbose= # optional, default is false From 0cd0541922d9efdce53b33f9c49b01d6cd6ca54b Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Thu, 1 Dec 2022 17:13:18 +0100 Subject: [PATCH 12/13] added SHA to action definition --- code-scanning/sonarqube.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/sonarqube.yml b/code-scanning/sonarqube.yml index 68585a9..f01b9dc 100644 --- a/code-scanning/sonarqube.yml +++ b/code-scanning/sonarqube.yml @@ -45,7 +45,7 @@ jobs: # You can pin the exact commit or the version. # uses: SonarSource/sonarqube-scan-action@v1.1.0 - uses: SonarSource/sonarqube-scan-action@v1.1.0 + uses: SonarSource/sonarqube-scan-action@7295e71c9583053f5bf40e9d4068a0c974603ec8 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on SonarQube, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret) From 3408b65a7132d3f0ffa75a4e7a42aa2849f04a1d Mon Sep 17 00:00:00 2001 From: "Y. Meyer-Norwood" <106889957+norwd@users.noreply.github.com> Date: Thu, 8 Dec 2022 14:38:34 +1300 Subject: [PATCH 13/13] Update Go version to 1.19 Go 1.18 will be at end of life sometime within the coming months (Q1 2023). Go 1.19 will be around until Q3 2023, by which point 1.20 will have been released. --- ci/go.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/go.yml b/ci/go.yml index 4d95674..e89f6c9 100644 --- a/ci/go.yml +++ b/ci/go.yml @@ -19,7 +19,7 @@ jobs: - name: Set up Go uses: actions/setup-go@v3 with: - go-version: 1.18 + go-version: 1.19 - name: Build run: go build -v ./...