error-prone-support/.github/workflows/sonarcloud.yml

# Analyzes the code base using SonarCloud. See
# https://sonarcloud.io/project/overview?id=PicnicSupermarket_error-prone-support.
name: SonarCloud analysis
on:
  pull_request:
  push:
    branches: [ master ]
  schedule:
    - cron: '0 4 * * 1'
permissions:
  contents: read
jobs:
  analyze:
    # Analysis of code in forked repositories is skipped, as such workflow runs
    # do not have access to the requisite secrets.
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
    permissions:
      contents: read
    runs-on: ubuntu-22.04
    steps:
      - name: Install Harden-Runner
        uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            api.adoptium.net:443
            api.sonarcloud.io:443
            ea6ne4j2sb.execute-api.eu-central-1.amazonaws.com:443
            github.com:443
            objects.githubusercontent.com:443
            repo.maven.apache.org:443
            sc-cleancode-sensorcache-eu-central-1-prod.s3.amazonaws.com:443
            scanner.sonarcloud.io:443
            sonarcloud.io:443
      - name: Check out code and set up JDK and Maven
        uses: s4u/setup-maven-action@489441643219d2b93ee2a127b2402eb640a1b947 # v1.13.0
        with:
          checkout-fetch-depth: 0
          java-version: 17.0.10
          java-distribution: temurin
          maven-version: 3.9.6
      - name: Create missing `test` directory
        # XXX: Drop this step in favour of actually having a test.
        run: mkdir refaster-compiler/src/test
      - name: Perform SonarCloud analysis
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        run: mvn -T1C jacoco:prepare-agent verify jacoco:report sonar:sonar -Dverification.skip -Dsonar.projectKey=PicnicSupermarket_error-prone-support