Sage-Bionetworks / sage-monorepo

Where OpenChallenges, Schematic, and other Sage open source apps are built
https://sage-bionetworks.github.io/sage-monorepo/
Apache License 2.0

chore(sage-monorepo): test new Sonar PR workflow #2596

Closed. tschaffter closed this 6 months ago

tschaffter commented 6 months ago

Related to #2590

Preview

Environment reviewer-based solution

This new approach requires a user from an environment reviewer list to review and approve the workflow before it can run. A benefit is that we can have fine-grained control over this list compared to the list of users who can add labels to a PR (every user with Write permissions).

This approach requires the reviewer to approve ALL commits, compared to the label-based system that only needs the user to add the label once. Hence, a benefit of this approach is to save compute time.

Approving the workflows takes more clicks (4-5) than when using a label.

Step 1

The "Sonar Scan" task requires an approval because the workflow needs access to a secret SONAR_TOKEN that could potentially be extracted by an ill-intentioned user.


Step 2

Click on "Details" for the "Sonar Scan" task. Note the orange clock icon that indicates that the workflow is waiting on a manual review.

Step 3

Click on "Review pending deployments"


Step 4

Approve the Sonar deployment.


Requires branches to be up-to-date

At least one check must be marked as Required in the branch protection to enable this feature.


The Developer has two options to update their feature branch:
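Added example (not from this PR or the sage-monorepo repository): a workflow that gates the Sonar job behind a GitHub Actions environment with required reviewers, which is the mechanism behind the "Review pending deployments" prompt in the steps above. The workflow name, the environment name `sonar`, the `pull_request_target` trigger and the use of `SonarSource/sonarcloud-github-action` are assumptions made for the example; the repository's actual workflow may differ.

```yaml
# Added example: Sonar scan gated by an environment with required reviewers.
# Not the sage-monorepo workflow; the names below are assumed.
name: Sonar Scan

on:
  # pull_request_target runs in the context of the base repository, so the
  # SONAR_TOKEN secret is available even for PRs opened from forks. That is
  # exactly why this job must not run until a human has looked at the PR.
  pull_request_target:
    types: [opened, synchronize, reopened]

permissions:
  contents: read
  pull-requests: read

jobs:
  sonar-scan:
    name: Sonar Scan
    runs-on: ubuntu-latest
    # Assumed environment name. Its list of required reviewers is configured
    # under Settings > Environments > sonar, not in this file. Every run
    # (i.e. every pushed commit) pauses here until a listed reviewer approves.
    environment: sonar
    steps:
      - name: Check out the PR head (untrusted code)
        uses: actions/checkout@v4
        with:
          # The PR's own commit, not the base branch, so that Sonar analyses
          # the proposed change. This is untrusted code, hence the gate above.
          ref: ${{ github.event.pull_request.head.sha }}
          # Full history so Sonar can tell new code from existing code.
          fetch-depth: 0

      - name: Run SonarCloud analysis
        uses: SonarSource/sonarcloud-github-action@master
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Only reachable after the environment approval above.
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        with:
          args: >
            -Dsonar.pullrequest.key=${{ github.event.pull_request.number }}
            -Dsonar.pullrequest.branch=${{ github.event.pull_request.head.ref }}
            -Dsonar.pullrequest.base=${{ github.event.pull_request.base.ref }}
```

Two practical notes. First, because the checkout step fetches the PR head, the reviewer who clicks "Approve" is approving that commit's scanner configuration and any scripts the scanner invokes, not just the workflow file (which always comes from the base branch under `pull_request_target`); the reviewer should therefore read the diff of the commit being approved, since a commit that alters those files can exfiltrate SONAR_TOKEN once approved. Second, the "Requires branches to be up-to-date" setting described above corresponds to the `strict` flag of `required_status_checks` in GitHub's branch-protection REST API, which is why it can only be enabled once at least one check is marked as required.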

sonarcloud[bot] commented 6 months ago

Quality Gate passed for 'openchallenges-app'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarCloud