39 changes: 37 additions & 2 deletions .github/workflows/build.yml
Expand Up @@ -2,6 +2,8 @@ name: Build Java Core Library

on:
pull_request:
pull_request_target: # Use pull_request_target so Dependabot PRs can run with repo context (secrets available)
branches: [ "master" ]
push:
branches: [ "master" ]
workflow_dispatch:
Expand Down Expand Up @@ -81,15 +83,48 @@ jobs:
retention-days: 5

- name: Run Sonar analysis
if: matrix.java == '17'
# Skip Sonar on Dependabot in pull_request runs (no secrets there); handled by a separate job below
if: matrix.java == '17' && github.actor != 'dependabot[bot]'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
run: ./gradlew sonar -x test --no-watch-fs

# Separate job to safely run Sonar on Dependabot PRs using pull_request_target context
sonar-dependabot:
name: Sonar (Dependabot PRs)
# Only run when the event is pull_request_target and the actor is Dependabot
if: github.event_name == 'pull_request_target' && github.actor == 'dependabot[bot]'
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write
checks: write
steps:
# IMPORTANT: pull_request_target defaults to checking out the base branch; explicitly use the PR HEAD SHA
- name: Checkout PR HEAD
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }}

- name: Setup Java
uses: actions/setup-java@v4
with:
distribution: temurin
java-version: '17'

- name: Build (no tests)
run: ./gradlew assemble -x test

- name: Sonar analysis (Dependabot)
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Secrets are available in PR_TARGET context
run: ./gradlew sonar -x test --no-watch-fs

build:
runs-on: ubuntu-latest
needs: [test]
needs: [ test ]
steps:
- name: Checkout code
uses: actions/checkout@v4
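Review bot: The new `sonar-dependabot` job runs under `pull_request_target` with `SONAR_TOKEN` and a `pull-requests: write` / `checks: write` `GITHUB_TOKEN` in scope, yet its "Checkout PR HEAD" step checks out `github.event.pull_request.head.sha` and the following steps execute `./gradlew assemble -x test` and `./gradlew sonar`, so the Gradle wrapper and build scripts taken from the PR head run with repository secrets available — the trust boundary `pull_request_target` exists to preserve is crossed at that checkout. The `github.actor == 'dependabot[bot]'` gate narrows who can trigger the job, but `github.actor` identifies the account behind the triggering event, not the author of the commit being built, so it should not be read as proof that the checked-out tree is Dependabot-generated; the `IMPORTANT:` comment above the checkout should say so, e.g. `# NOTE: this checks out and executes PR-head build scripts with secrets in scope; the actor gate does not vouch for the checked-out commit`. A safer shape keeps secret-bearing steps off PR-head code: build the PR under the plain `pull_request` trigger without secrets, then run Sonar from a job that starts from a base-branch checkout or a `workflow_run` trigger and consumes the uploaded build artifacts. Separately, with both `pull_request:` and `pull_request_target:` now listed under `on:` in the first hunk, every PR to master appears to run the remaining jobs twice unless they carry an event gate — `build` (its last steps are outside the hunk) has none, and `test` is not visible here.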