From b93c249c2e9df15a2d8616c4c877a4ae4e107a0c Mon Sep 17 00:00:00 2001
From: Rain Ramm
Date: Mon, 6 Oct 2025 10:33:00 +0300
Subject: [PATCH] Update Sonar actions to be able to run on Dependabot PR's

---
 .github/workflows/build.yml | 39 +++++++++++++++++++++++++++++++++++--
 1 file changed, 37 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 256623d..e2acb56 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -2,6 +2,8 @@ name: Build Java Core Library
 
 on:
   pull_request:
+  pull_request_target: # Use pull_request_target so Dependabot PRs can run with repo context (secrets available)
+    branches: [ "master" ]
   push:
     branches: [ "master" ]
   workflow_dispatch:
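Review bot: Adding `pull_request_target` at workflow level makes every job in this file run a second time for each PR to master, not only the new Dependabot job, because the `test` and `build` jobs (outside this hunk) carry no event filter. In that second run the checkout defaults to the base branch, as the patch's own comment in the later hunk notes, so the existing `Run Sonar analysis` step — whose condition still admits non-Dependabot actors on this event — would presumably analyse master while reporting against the PR. Either gate the other jobs with `if: github.event_name != 'pull_request_target'` or move the Dependabot job into its own workflow file that has only this trigger. The `on:` block is complete here but the jobs it governs are outside the hunk.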
@@ -81,15 +83,48 @@ jobs:
           retention-days: 5
 
       - name: Run Sonar analysis
-        if: matrix.java == '17'
+        # Skip Sonar on Dependabot in pull_request runs (no secrets there); handled by a separate job below
+        if: matrix.java == '17' && github.actor != 'dependabot[bot]'
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
         run: ./gradlew sonar -x test --no-watch-fs
 
+  # Separate job to safely run Sonar on Dependabot PRs using pull_request_target context
+  sonar-dependabot:
+    name: Sonar (Dependabot PRs)
+    # Only run when the event is pull_request_target and the actor is Dependabot
+    if: github.event_name == 'pull_request_target' && github.actor == 'dependabot[bot]'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+      checks: write
+    steps:
+      # IMPORTANT: pull_request_target defaults to checking out the base branch; explicitly use the PR HEAD SHA
+      - name: Checkout PR HEAD
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: Setup Java
+        uses: actions/setup-java@v4
+        with:
+          distribution: temurin
+          java-version: '17'
+
+      - name: Build (no tests)
+        run: ./gradlew assemble -x test
+
+      - name: Sonar analysis (Dependabot)
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Secrets are available in PR_TARGET context
+        run: ./gradlew sonar -x test --no-watch-fs
+
   build:
     runs-on: ubuntu-latest
-    needs: [test]
+    needs: [ test ]
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
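Review bot: The `sonar-dependabot` job checks out `github.event.pull_request.head.sha` and then runs `./gradlew assemble` and `./gradlew sonar` from that checkout under `pull_request_target`, so the Gradle wrapper, build scripts and plugins on the PR branch execute with `SONAR_TOKEN` and a `GITHUB_TOKEN` granted `pull-requests: write` and `checks: write` — the privileged-context-plus-untrusted-code pattern this event is documented to warn against, narrowed here only by an actor check. A smaller change reaches the same goal without this job: keep the original `if: matrix.java == '17'` on the existing step and register `SONAR_TOKEN` as a Dependabot secret under the same name, which `pull_request` runs triggered by Dependabot can read through the unchanged `${{ secrets.SONAR_TOKEN }}`; whether Sonar's PR decoration then needs a write-scoped `GITHUB_TOKEN` in those runs should be confirmed, since it is read-only unless `permissions:` raises it. If the separate job is kept, gate on the PR author rather than the run trigger (`github.event.pull_request.user.login == 'dependabot[bot]'`), drop the write permissions the analysis does not need, and pin the two actions by commit SHA instead of `@v4`. The comment `# Secrets are available in PR_TARGET context` is attached to the token value line; move it above the `env:` key so it is not read as qualifying just that secret.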