Sage-Bionetworks / sage-monorepo

Where OpenChallenges, Schematic, and other Sage open source apps are built
https://sage-bionetworks.github.io/sage-monorepo/
Apache License 2.0

[Story] Review integration of Sonar with PRs #2439

Closed. tschaffter closed this 8 months ago

tschaffter commented 8 months ago

What product(s) is this story for?

Sage Monorepo

As a user, I want

No response

Description

Review the current integration of Sage Monorepo with Sonar. Especially in the context of reviewing PRs.

Acceptance criteria

No response

Tasks

No response

Anything else?

No response

Have you linked this story to a GitHub Project?

tschaffter commented 8 months ago

I configured the main branch so that the following check is required:

image

All PRs would now include a check that would only pass if the project schematic-api was to push a report to Sonar and if the report satisfies the code quality gateway configured for this project.

image

In the example above, the project schematic-api is not modified, so no report will be pushed to Sonar and the check will never pass. So we can't make this specific check required.

tschaffter commented 8 months ago

How to enable feedback from Sonar in PR thread?

See this example from Schematic:

image

Is it when the check shown in the above post is executed and completed?

tschaffter commented 8 months ago

Who can trigger Sonar scans and push reports to SonarCloud.io?

Currently only pushing to the main branch triggers the scan with sonar. The last commit pushed to main that modified schematic-api created the check "[schematic-api] SonarCloud Code Analysis" (see screenshot).

image

Was this check triggered by the sonar scan executed in the CI/CD workflow?

image

Here is another commit to main that triggered the execution of the sonar scan for openchallenges-app and schematic-api.

tschaffter commented 8 months ago

Permission of the app SonarCloud

The app has the permission to write to the PR threads and GitHub checks.

image

tschaffter commented 8 months ago

Experiment: remove sonar scan from CI workflow

I removed the sonar scan from the CI workflow, then opened and merged a PR that modifies openchallenges-app. As a result, the checks did not include a Sonar check as reported in a post above.

image

As the execution of the CI workflow progresses, here is what seems to happen:

image

[!NOTE]
I'm not sure why the runtimes of the completed checks are different between the two screenshots. I'm almost sure that I tracked the same workflow.

tschaffter commented 8 months ago

What is triggering Sonar scan on Schematic repo?

Is the SonarCloud app triggering the scan?

~~Is the reason why it doesn't do it on Sage Monorepo because the projects registered on SonarCloud are specified as belonging to a monorepo?~~

Never mind, this setting is marked as disabled for openchallenges-app and only works with Azure repositories.

image

Another difference between Sage Monorepo and the Schematic repo is that Sage Monorepo uses the forking workflow and that PRs don't have access to the official repo secrets.

See also:

tschaffter commented 8 months ago

Sage Monorepo uses https://github.com/apps/sonarcloud

A GitHub Action is available in the marketplace to make it easy for you (for projects where automatic analysis isn't available). SonarCloud also integrates smoothly with Jenkins, CircleCI, TravisCI, CirrusCI, and many other tools.

There is also a GitHub action: https://github.com/marketplace/actions/sonarcloud-scan. But the schematic repo does not seem to make use of it.

tschaffter commented 8 months ago

Experiment 2: Does the SonarCloud app scan PRs created from the official repo?

Try with branches that do not involve main to avoid coupling with the existing CI workflow.

See the closed PR below and the closing comments. The SonarCloud app can't trigger scans or post scan reports to PRs in a monorepo.

tschaffter commented 8 months ago

Update

We will continue to run Sonar scans for commits added to trusted branches. The results of the scan are available in the "Details" section of the corresponding Sonar scan (see below).

[!NOTE]
The forking workflow prevents us from running the Sonar scan for branches created from forks. However, we should be able to block PRs from being merged if the code quality does not meet the requirements of the Sonar Code Quality gateway.

image

image

For non-monorepo projects, see this Sage Confluence page to set up Sonar.
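The two constraints discussed in this thread (fork PRs cannot read the official repository's secrets, and scans therefore only run for commits on trusted branches) can be encoded directly in a GitHub Actions workflow. The workflow below is an added illustration, not the Sage Monorepo's own CI configuration: the job name, the `if:` guard, the `SONAR_TOKEN` secret name, and the `<your-org>`, `<your-project-key>` and `<path/to/project>` placeholders are assumptions you would replace with your own values.

```yaml
# Added example: run the SonarCloud scan only where the Sonar token is actually
# available, i.e. on pushes to main and on PRs opened from branches of the
# official repository. PRs from forks never see repository secrets, so the job
# is skipped for them instead of failing with an unauthenticated scan.
name: Sonar scan (trusted branches only)

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  sonar:
    # Assumption: a PR is "trusted" when its head repository is this repository.
    # `github.event.pull_request` is empty on push events, so the first clause
    # keeps the job running for commits landing on main.
    if: >-
      github.event_name == 'push' ||
      github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-latest
    permissions:
      contents: read          # least privilege: the scan only needs to read code
      pull-requests: write    # lets SonarCloud post its summary on the PR thread
      checks: write           # lets SonarCloud publish the quality-gate check
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0      # full history so Sonar can tell new code from old

      - name: SonarCloud scan
        # Pin to a release tag or commit SHA in real use rather than a branch.
        uses: SonarSource/sonarcloud-github-action@master
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}   # assumed secret name
        with:
          # In a monorepo, point the scanner at one project at a time;
          # <path/to/project> is a placeholder for that project's directory.
          projectBaseDir: <path/to/project>
          args: >
            -Dsonar.organization=<your-org>
            -Dsonar.projectKey=<your-project-key>
```

With this shape, the SonarCloud quality-gate check is created only for trusted branches, which is consistent with the thread's conclusion that the check cannot be made a required status on every PR. Avoid the tempting workaround of switching the trigger to `pull_request_target` to expose secrets to fork PRs: that event runs with the base repository's secrets, and checking out the fork's head commit under it lets untrusted code read `SONAR_TOKEN` and `GITHUB_TOKEN`.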