@@ -2,6 +2,8 @@ name: Build Java Core Library
22
33on :
44 pull_request :
5+ pull_request_target : # Use pull_request_target so Dependabot PRs can run with repo context (secrets available)
6+ branches : [ "master" ]
57 push :
68 branches : [ "master" ]
79 workflow_dispatch :
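Review bot: Adding `pull_request_target` next to `pull_request` means every PR, forks included, now fires the whole workflow twice, once per event; only the new `sonar-dependabot` job filters on `github.event_name`, and the existing jobs (the `test` matrix and `build`, whose definitions are outside this hunk) get a second, `pull_request_target`-triggered run with base-branch permissions and secrets in scope. The Sonar step in that second run is gated only on `github.actor != 'dependabot[bot]'`, so for an ordinary contributor it executes under the privileged event; whether that is harmful depends on which ref the `test` job checks out, which is not visible here. Consider gating the pre-existing jobs with `if: github.event_name != 'pull_request_target'` (or, equivalently, gating the privileged path on `github.event_name == 'pull_request_target'` only), so the privileged event reaches nothing but the Dependabot job. A short comment at the `on:` stanza saying that `pull_request_target` exists solely for the `sonar-dependabot` job would make that intent explicit.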
@@ -81,15 +83,48 @@ jobs:
8183 retention-days : 5
8284
8385 - name : Run Sonar analysis
84- if : matrix.java == '17'
86+ # Skip Sonar on Dependabot in pull_request runs (no secrets there); handled by a separate job below
87+ if : matrix.java == '17' && github.actor != 'dependabot[bot]'
8588 env :
8689 GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
8790 SONAR_TOKEN : ${{ secrets.SONAR_TOKEN }}
8891 run : ./gradlew sonar -x test --no-watch-fs
8992
93+ # Separate job to safely run Sonar on Dependabot PRs using pull_request_target context
94+ sonar-dependabot :
95+ name : Sonar (Dependabot PRs)
96+ # Only run when the event is pull_request_target and the actor is Dependabot
97+ if : github.event_name == 'pull_request_target' && github.actor == 'dependabot[bot]'
98+ runs-on : ubuntu-latest
99+ permissions :
100+ contents : read
101+ pull-requests : write
102+ checks : write
103+ steps :
104+ # IMPORTANT: pull_request_target defaults to checking out the base branch; explicitly use the PR HEAD SHA
105+ - name : Checkout PR HEAD
106+ uses : actions/checkout@v4
107+ with :
108+ ref : ${{ github.event.pull_request.head.sha }}
109+
110+ - name : Setup Java
111+ uses : actions/setup-java@v4
112+ with :
113+ distribution : temurin
114+ java-version : ' 17'
115+
116+ - name : Build (no tests)
117+ run : ./gradlew assemble -x test
118+
119+ - name : Sonar analysis (Dependabot)
120+ env :
121+ GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
122+ SONAR_TOKEN : ${{ secrets.SONAR_TOKEN }} # Secrets are available in PR_TARGET context
123+ run : ./gradlew sonar -x test --no-watch-fs
124+
90125 build :
91126 runs-on : ubuntu-latest
92- needs : [test]
127+ needs : [ test ]
93128 steps :
94129 - name : Checkout code
95130 uses : actions/checkout@v4
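Review bot: The `sonar-dependabot` job checks out the PR head (`ref: ${{ github.event.pull_request.head.sha }}`) under `pull_request_target` and then runs `./gradlew assemble -x test` and `./gradlew sonar` from that tree, so the Gradle wrapper and build scripts executed with `SONAR_TOKEN` and a `GITHUB_TOKEN` carrying `pull-requests: write` and `checks: write` are whatever the head commit contains; this is the well-known privileged-event-plus-untrusted-checkout pattern, and the `github.actor == 'dependabot[bot]'` condition narrows the trigger but does not change what code runs. At minimum add `persist-credentials: false` under the checkout `with:` so the token is not written into the working copy's git config, validate the wrapper jar before invoking it (e.g. the `gradle/wrapper-validation-action` step, or the equivalent your Gradle tooling provides), and reduce `permissions` to what Sonar's PR decoration actually needs — I would hedge that `checks: write` may be unnecessary; confirm against the Sonar Gradle plugin's requirements. The inline comment on the `SONAR_TOKEN` line would be clearer as `# secrets are available because this job runs on pull_request_target; the checked-out build scripts come from the PR head`. Separately, `java-version: ' 17'` carries a leading space inside the quotes; `setup-java` appears to tolerate it, but `java-version: '17'` matches the matrix condition `matrix.java == '17'` used above and avoids relying on input trimming.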