exasol · ArBridgeman · Jun 12, 2025 · May 28, 2025 · Jun 3, 2025 · Jun 3, 2025
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -1,26 +1,21 @@
 name: CI
 
 on:
-  push:
-    branches-ignore:
-      - "github-pages/*"
-      - "gh-pages/*"
-      - "main"
-      - "master"
+  pull_request:
+      types: [opened, synchronize, reopened]
   schedule:
-    # “At 00:00 on every 7th day-of-month from 1 through 31.” (https://crontab.guru)
+    # At 00:00 on every 7th day-of-month from 1 through 31. (https://crontab.guru)
     - cron: "0 0 1/7 * *"
 
 jobs:
-
   CI:
     uses: ./.github/workflows/merge-gate.yml
     secrets: inherit
     permissions:
       contents: read
-
   Metrics:
     needs: [ CI ]
     uses: ./.github/workflows/report.yml
+    secrets: inherit
     permissions:
       contents: read
diff --git a/.github/workflows/pr-merge.yml b/.github/workflows/pr-merge.yml
@@ -25,5 +25,6 @@ jobs:
   metrics:
     needs: [ ci-job ]
     uses: ./.github/workflows/report.yml
+    secrets: inherit
     permissions:
       contents: read
diff --git a/.github/workflows/report.yml b/.github/workflows/report.yml
@@ -35,6 +35,9 @@ jobs:
       - name: Generate Report
         run: poetry run -- nox -s project:report -- --format json | tee metrics.json
 
+      - name: Upload to sonar
+        run: poetry run -- nox -s sonar:check -- ${{ secrets.SONAR_TOKEN }}
+
       - name: Upload Artifacts
         uses: actions/upload-artifact@v4.6.2
         with:

diff --git a/.gitignore b/.gitignore
@@ -7,6 +7,7 @@ odbcconfig/odbcinst.ini
 .html-documentation
 
 .coverage
+.sonar
 
 _build/
 

diff --git a/doc/changes/unreleased.md b/doc/changes/unreleased.md
@@ -1 +1,29 @@
 # Unreleased
+
+## Summary
+This version of the PTB adds nox task `sonar:check`, see #451. This allows us to
+use SonarQube Cloud to analyze, visualize, & track linting, security, & coverage. In
+order to properly set it up, you'll need to do the following instruction for each **public** project.
+At this time, PTB currently does not support setting up SonarQube for a **private** project.
+
+1. Specify in the `noxconfig.py` the relative path to the project's source code in `Config.source`
+    ```python
+        source: Path = Path("exasol/toolbox")
+    ```
+2. Add the 'SONAR_TOKEN' to the 'Organization secrets' in GitHub (this requires a person being a GitHub organization owner).
+3. Activate the SonarQubeCloud App
+4. Create a project on SonarCloud
+5. Add the following information to the project's file `pyproject.toml`
+    ```toml
+        [tool.sonar]
+        projectKey = "com.exasol:<project-key>"
+        hostUrl = "https://sonarcloud.io"
+        organization = "exasol"
+    ```
+6. Post-merge, update the branch protections to include SonarQube analysis
+
+## ✨ Features
+* #451: Added nox task to execute pysonar & added Sonar to the CI
+
+## ⚒️ Refactorings
+* #451: Reduced scope of nox tasks `lint:code` (pylint) and `lint:security` (bandit) to analyze only the package code
diff --git a/doc/user_guide/getting_started.rst b/doc/user_guide/getting_started.rst
@@ -179,8 +179,8 @@ forward, and you just can use the example *noxfile.py* below.
 
 .. _toolbox tasks:
 
-7. Setup for deploying documentation (optional)
-+++++++++++++++++++++++++++++++++++++++++++++++
+7. Set up for deploying documentation (optional)
+++++++++++++++++++++++++++++++++++++++++++++++++
 Within the `gh-pages.yml`, we use the GitHub `upload-pages-artifact` and `deploy-pages`
 actions. In order to properly deploy your pages, you'll need to reconfigure the GitHub
 Pages settings for the repo:
@@ -199,8 +199,32 @@ We also need to configure settings for github-pages environment:
 5. In the 'Deployment branches and tags', click 'Add deployment branch or tag rule'
 6. Select 'Ref type' to be 'Tag' and set the 'Name pattern' to `[0-9]*.[0-9]*.[0-9]*` (or whatever matches that repo's tags)
 
+8. Set up for Sonar
++++++++++++++++++++
+PTB supports using SonarQube Cloud to analyze, visualize, & track linting, security, &
+coverage. In order to properly set it up, you'll need to do the following instructions
+for each **public** project. At this time, PTB currently does not support setting up
+SonarQube for a **private** project.
 
-8. Go 🥜
+1. Specify in the `noxconfig.py` the relative path to the project's source code in `Config.source`
+    .. code-block:: python
+
+        source: Path = Path("exasol/toolbox")
+2. Add the 'SONAR_TOKEN' to the 'Organization secrets' in GitHub (this requires a person being a GitHub organization owner).
+3. Activate the SonarQubeCloud App
+4. Create a project on SonarCloud
+5. Add the following information to the project's file `pyproject.toml`
+    .. code-block:: toml
+
+        [tool.sonar]
+        projectKey = "com.exasol:<project-key>"
+        hostUrl = "https://sonarcloud.io"
+        organization = "exasol"
+6. Post-merge, update the branch protections to include SonarQube analysis
+
+
+
+9. Go 🥜
 +++++++++++++
 You are ready to use the toolbox. With *nox -l* you can list all available tasks.
-Original file line number
+Diff line change
@@ Expand Up / @@ -7,6 +7,7 @@ odbcconfig/odbcinst.ini @@
     .html-documentation
     .coverage
+    .sonar
     _build/
@@ Expand Down @@