This change ensures we run SonarCloud analysis in the context of the PR, while having access to repo secrets. However, we must protect against outside PRs 'stealing' our secrets. This problem is solved by requiring external contribs/PRs to be manually approved before this workflow can run, by adding a minimum of 1 reviewer to the environment protection rules on the 'external' env.
This mechanism is described in this blog: https://iterative.ai/blog/testing-external-contributions-using-github-actions-secrets
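The gating mechanism the PR describes, as an added example workflow (not the PR's own file): the environment names 'internal' and 'external', the SONAR_TOKEN secret name and the SonarCloud action step are assumptions.

```yaml
# Added example, not the repository's own workflow.
# Assumed names: environments 'internal' and 'external', secret SONAR_TOKEN.
name: sonarcloud
on:
  pull_request_target:        # runs in the base repo's context, so repo secrets are available
    types: [opened, synchronize, reopened]

permissions:
  contents: read
  pull-requests: read

jobs:
  analyze:
    runs-on: ubuntu-latest
    # Same-repo PRs use 'internal' (no protection rules). PRs from forks use
    # 'external', whose protection rules require at least 1 reviewer to approve
    # the deployment before the job, and its access to secrets, can start.
    environment: ${{ github.event.pull_request.head.repo.full_name == github.repository && 'internal' || 'external' }}
    steps:
      - uses: actions/checkout@v4
        with:
          # pull_request_target checks out the base branch by default; analyze the
          # contributed commit instead. For a fork this is untrusted code, which is
          # exactly why the 'external' environment gate above is required.
          ref: ${{ github.event.pull_request.head.sha }}
          fetch-depth: 0      # full history for SonarCloud new-code detection
      - uses: SonarSource/sonarcloud-github-action@master
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}   # assumed secret name
```

The "Required reviewers" rule itself is configured on the 'external' environment under the repository's Settings > Environments; without it the job would run unattended with secrets for any fork PR.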