
Conversation

@ptiurin
Contributor

@ptiurin ptiurin commented Oct 5, 2022

Fossa is no longer supported in Firebolt. We're now relying on dependabot for dependency scanning and sonarcloud for code smells.

@ptiurin ptiurin marked this pull request as ready for review October 5, 2022 10:20
npm test test/unit
npm test -- --coverage test/unit
- name: "Security Scan"
Contributor

Do we want to make this a part of build? Do we have any other cases where we want to do security scan without build?
Maybe we should make it depend on build in case it's required for scan?

Contributor Author

SonarCloud unit test coverage requires build in order to be calculated, so it would always require build. Now, the opposite question is also valid: does build require SonarCloud to run all the time? Looking through the other GH workflows in the repo, build is not reused. The release workflow actually does a build step, which is different from this one. I'd argue this workflow should be named "PR checks", similar to what we have in the Python SDK, and left as is.

Contributor Author

Especially since it does type checking, test running and now SC, the name fits better.
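One way to wire up the dependency the reviewer asked about, as an added example that is not the workflow from this PR or the Firebolt repo: the job that builds and runs `npm test -- --coverage test/unit` publishes the coverage report as an artifact, and the "Security Scan" job declares `needs: build` so it only runs once that succeeded and can hand the report to SonarCloud. The Node version, the `npm run build` script, the action tags, the artifact name and the `coverage/lcov.info` path are assumptions for illustration, not values taken from the page.

```yaml
name: PR checks

on:
  pull_request:
    branches: [main]

# Least privilege for the default GITHUB_TOKEN: the jobs only read the repo
# and PR metadata; SonarCloud authenticates with its own SONAR_TOKEN secret.
permissions:
  contents: read
  pull-requests: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node-version: 16        # assumed; pick the version the SDK targets
          cache: npm
      - run: npm ci               # install from the lockfile only
      - run: npm run build        # assumed script name; type checking happens here
      - run: npm test -- --coverage test/unit
      # Coverage only exists after build + tests, so export it for the scan job.
      # Jest's default reporters write coverage/lcov.info (assumed location).
      - uses: actions/upload-artifact@v3
        with:
          name: coverage
          path: coverage/lcov.info
          if-no-files-found: error   # fail loudly instead of scanning without coverage

  security-scan:
    name: Security Scan
    needs: build                  # never runs unless build (and the tests) passed
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0          # full history lets SonarCloud attribute "new code" in the PR
      - uses: actions/download-artifact@v3
        with:
          name: coverage
          path: coverage
      - uses: SonarSource/sonarcloud-github-action@master
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        with:
          # Point the scanner at the report the build job produced; without this
          # the quality gate reports "No Coverage information".
          args: >
            -Dsonar.javascript.lcov.reportPaths=coverage/lcov.info
```

The split into two jobs is what makes "depend on build" explicit; the alternative the thread settles on, keeping the scan as a later step of the same job, needs no artifact hand-off because the `coverage/` directory is still on the runner. Either way, the `-Dsonar.javascript.lcov.reportPaths` setting (or the same key in `sonar-project.properties`) has to match where `--coverage` actually writes, otherwise the bot output looks like the one below on this PR, with no coverage figure. In a production workflow the third-party actions should also be pinned to full commit SHAs rather than the mutable tags and `@master` reference used here for readability.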

@sonarqubecloud

sonarqubecloud bot commented Oct 6, 2022

Kudos, SonarCloud Quality Gate passed!

Bugs: 0 (rating A)
Vulnerabilities: 0 (rating A)
Security Hotspots: 0 (rating A)
Code Smells: 0 (rating A)

No Coverage information
No Duplication information

@ptiurin ptiurin merged commit ce1e155 into main Oct 6, 2022
@ptiurin ptiurin deleted the ci-security-scan branch October 6, 2022 15:49