trebol-ecommerce / trebol-backend-monolith

Monolithic eCommerce backend web application that exposes a RESTful API.
MIT License

Close issue #118 #123

Closed mepox closed 2 years ago

mepox commented 1 year ago

Hi @bglamadrid ! I have a technical question if you don't mind 😅 So how did you fix the SonarCloud check (workflow)? After this PR you somehow fixed it. I am really curious how...

I have exactly the same issue in my project: when someone opens a PR from a fork, the Sonar check fails... I spent days on it but I couldn't figure it out.

I mean, I know what the source of the problem is, but what puzzles me is that you fixed it / use your workflow in a way which would be impossible 😅 Let me briefly explain...

The main issue is that secrets (like SONAR_TOKEN) won't get passed to the workflow that runs on a PR which came from a fork if you use the workflow on the pull_request event. The only solution would be to use the pull_request_target event, but that comes with some security issues, so it's not recommended. After spending days on it, I found solutions that use tricks to get around this, but those are a bit cumbersome for me. And these tricky solutions are also visible in the workflow file.

Meanwhile, you use your workflow on the pull_request event and everything works (without any tricks) 😱

This PR workflow log: in the Build and analyze section, Line 9 reads SONAR_TOKEN: (so the TOKEN is empty), and then there is an error in Line 485... This is normal, as the pull_request event is used in the workflow file and this PR was from a fork.

Recent PR workflow log: in the Build and analyze section, Line 9 again reads SONAR_TOKEN: (so the TOKEN is empty here too!), which is normal as the pull_request event is used in the workflow file too, BUT it produces no error! 😕

I am completely clueless.
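
The two trigger events mepox contrasts above, as an added example that is not part of this thread or of the repository's own workflow file. Variant A is the ordinary pull_request workflow: on a PR from a fork, GitHub does not pass repository secrets (other than the read-only GITHUB_TOKEN), so SONAR_TOKEN expands to an empty string. Variant B shows why pull_request_target is the "not recommended" fix: it runs in the base repository's context with secrets available, so checking out and building the fork's head hands those secrets to untrusted code (a modified pom.xml or Maven plugin). Branch name, Java version and action versions are assumptions.

```yaml
# Added example, not the project's workflow. Two YAML documents, one per variant.

# --- Variant A: pull_request (the pattern described in the thread) -------------
# Safe: untrusted fork code runs WITHOUT repository secrets.
# Consequence: SONAR_TOKEN is empty on fork PRs, so the Sonar step fails unless
# the SonarCloud project permits analysis without a token.
name: sonar-on-pull-request
on:
  pull_request:
    branches: [main]          # assumption: default branch is "main"

permissions:
  contents: read              # GITHUB_TOKEN is read-only for fork PRs anyway

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0      # full history: SonarCloud needs it for new-code detection
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'  # assumption: the project builds on Java 17
      - name: Build and analyze
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}   # "" when the PR comes from a fork
        run: mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar

---
# --- Variant B: pull_request_target (why it is discouraged) --------------------
# Runs in the BASE repository's context: secrets are available even for fork PRs.
# The price: anything executed from the PR head runs with those secrets.
name: sonar-on-pull-request-target
on:
  pull_request_target:
    branches: [main]

permissions:
  contents: read

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      # DANGEROUS: by default this event checks out the base branch, which is safe.
      # Overriding "ref" to the fork's head and then running its build (Maven
      # resolves and executes whatever pom.xml declares) exposes SONAR_TOKEN and
      # every other secret to the PR author. Do not combine these two things.
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          fetch-depth: 0
      - name: Build and analyze
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}   # populated, and that is the problem
        run: mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
```

The usual "cumbersome trick" the thread alludes to keeps the untrusted build under pull_request (no secrets) and moves only the secret-bearing upload into a second workflow triggered by workflow_run, which never executes code from the fork. Variant A with a SonarCloud project that allows analysis without a token avoids both the token and the privilege problem, which is the direction the rest of the thread takes.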

bglamadrid commented 1 year ago

Hi @mepox

Back when I had the same problem, I fiddled with and searched every nook and cranny within the repo settings, the organization settings (because trebol-ecommerce is an organization I created to separate/organize the three pieces of the project as a whole) and the SonarCloud project settings.

Ultimately I did two things that I thought would fix the problem. The probable fix is that you go into the SonarCloud project settings, section Permissions (see picture below), make sure Anyone is allowed to Execute Analysis.

I also added you and Nyorja as verified collaborators of this GitHub repository, but I'm not sure if that was any help at all 😆

[image: SonarCloud project settings, Permissions section]

mepox commented 1 year ago

Hi @bglamadrid ! Thanks for your reply. I think you just solved the mystery of the year. 😄

> Ultimately I did two things that I thought would fix the problem. The probable fix is that you go into the SonarCloud project settings, section Permissions (see picture below), make sure Anyone is allowed to Execute Analysis.

Yup, (probably) this is it!! As you allowed Anyone to execute the analysis, the TOKEN isn't even needed anymore. 😄 I need to test it out, but looking at it I am sure that would solve the issue.

BUT you know that if Anyone can execute the analysis, then people could troll the analysis?? 😱 Anyone could run the maven command with any random project and add your projectKey (from SonarCloud), and then that random project's analysis would show on your SonarCloud 😄 At least that's what I think.

bglamadrid commented 1 year ago

@mepox

> BUT you know that if Anyone can execute the analysis, then people could troll the analysis?? 😱

At the very least, PRs made by first-time contributors will be blocked from analysis until a maintainer/project owner explicitly approves their execution on GitHub.

> Anyone could run the maven command with any random project and add your projectKey (from SonarCloud), and then that random project's analysis would show on your SonarCloud 😄 At least that's what I think.

Hmmm, I'm not sure. I never had a problem with that, nor tried to do it. I don't think it would be allowed by SonarCloud since the project was created through, and is tied to, a GitHub integration.

I could be wrong though.

mepox commented 1 year ago

@bglamadrid

> At the very least, PRs made by first-time contributors will be blocked from analysis until a maintainer/project owner explicitly approves their execution on GitHub.

I meant running the maven command outside of PRs, outside GitHub, for example on a PC command line, etc.

> Hmmm, I'm not sure. Never had a problem with, nor tried to do that. I don't think it would be allowed by SonarCloud since the project was created through, and is tied to, a GitHub integration.
>
> I could be wrong though.

Maybe you are right. I did a quick test with that permission setting. I tried to send an analysis from projectA to projectB (which is on SonarCloud) and it didn't let me. Got an error: "You are running manual analysis while Automatic Analysis is enabled." 😄

Of course this was just a quick test, but it shows there are other limits built in, so it's not that easy to send an analysis to a project from a random other project.

Case closed 😄 Thanks for your replies. 👍