matrix-js-sdk/.github/workflows/sonarcloud.yml

# Must only be called from a workflow_run in the context of the upstream repo
name: SonarCloud
on:
    workflow_call:
        secrets:
            SONAR_TOKEN:
                required: true
            # No longer used
            ELEMENT_BOT_TOKEN:
                required: false
        inputs:
            sharded:
                type: boolean
                required: false
                description: "Whether to combine multiple LCOV and jest-sonar-report files in coverage artifact"
permissions: {}
jobs:
    sonarqube:
        runs-on: ubuntu-24.04
        if: |
            github.event.workflow_run.conclusion == 'success' &&
            github.event.workflow_run.event != 'merge_group'
        permissions:
            actions: read
            statuses: write
            id-token: write # sonar
        steps:
            # We create the status here and then update it to success/failure in the `report` stage
            # This provides an easy link to this workflow_run from the PR before Sonarcloud is done.
            - uses: guibranco/github-status-action-v2@741ea90ba6c3ca76fe0d43ba11a90cda97d5e685
              with:
                  authToken: ${{ secrets.GITHUB_TOKEN }}
                  state: pending
                  context: ${{ github.workflow }} / SonarCloud (${{ github.event.workflow_run.event }} => ${{ github.event_name }})
                  sha: ${{ github.event.workflow_run.head_sha }}
                  target_url: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}

            - name: "🧮 Checkout code"
              uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
              with:
                  repository: ${{ github.event.workflow_run.head_repository.full_name }}
                  ref: ${{ github.event.workflow_run.head_branch }} # checkout commit that triggered this workflow
                  fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis

            - name: 📥 Download artifact
              uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
              if: ${{ !inputs.sharded }}
              with:
                  github-token: ${{ secrets.GITHUB_TOKEN }}
                  run-id: ${{ github.event.workflow_run.id }}
                  name: coverage
                  path: coverage
            - name: 📥 Download sharded artifacts
              uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
              if: inputs.sharded
              with:
                  github-token: ${{ secrets.GITHUB_TOKEN }}
                  run-id: ${{ github.event.workflow_run.id }}
                  pattern: coverage-*
                  path: coverage
                  merge-multiple: true
            - name: Check coverage artifact
              run: |
                  if [ ! -d coverage ]; then
                      echo "Coverage not found. Exiting with failure."
                      exit 1
                  fi

            - id: extra_args
              run: |
                  coverage=$(find coverage -type f -name '*lcov.info' -printf '%h/%f,' | tr -d '\r\n' | sed 's/,$//g')
                  echo "sonar.javascript.lcov.reportPaths=$coverage" >> sonar-project.properties
                  reports=$(find coverage -type f -name '*sonar-report*.xml' -printf '%h/%f,' | tr -d '\r\n' | sed 's/,$//g')
                  echo "sonar.testExecutionReportPaths=$reports" >> sonar-project.properties

            - name: "🩻 SonarCloud Scan"
              id: sonarcloud
              uses: matrix-org/sonarcloud-workflow-action@820f7c2e9e94ba9e35add0f739691e5c7e23fa25 # v4.0
              # workflow_run fails report against the develop commit always, we don't want that for PRs
              continue-on-error: ${{ github.event.workflow_run.head_branch != 'develop' }}
              with:
                  skip_checkout: true
                  repository: ${{ github.event.workflow_run.head_repository.full_name }}
                  is_pr: ${{ github.event.workflow_run.event == 'pull_request' }}
                  version_cmd: "cat package.json | jq -r .version"
                  branch: ${{ github.event.workflow_run.head_branch }}
                  revision: ${{ github.event.workflow_run.head_sha }}
                  token: ${{ secrets.SONAR_TOKEN }}

            - uses: guibranco/github-status-action-v2@741ea90ba6c3ca76fe0d43ba11a90cda97d5e685
              if: always()
              with:
                  authToken: ${{ secrets.GITHUB_TOKEN }}
                  state: ${{ steps.sonarcloud.outcome == 'success' && 'success' || 'failure' }}
                  context: ${{ github.workflow }} / SonarCloud (${{ github.event.workflow_run.event }} => ${{ github.event_name }})
                  sha: ${{ github.event.workflow_run.head_sha }}
                  target_url: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}