Merge pull request #7 from digitalservicebund/enable-sonar

Enable sonarqube scan for frontend code
digitalservicebund · Dec 16, 2024 · ce7bb5f · ce7bb5f
2 parents 1f0cfa4 + da0789d
commit ce7bb5f
Show file tree

Hide file tree

Showing 6 changed files with 277 additions and 57 deletions.
diff --git a/.github/workflows/frontend-jobs.yml b/.github/workflows/frontend-jobs.yml
@@ -106,57 +106,102 @@ jobs:
           SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
       #
       #
-# Disabled as these got stuck somehow
-#
-# e2e-tests-frontend:
-#   runs-on: ubuntu-latest
-#   steps:
-#     - uses: actions/checkout@v4
-#     - name: Setup Node
-#       uses: actions/setup-node@v4
-#       with:
-#         node-version-file: ./frontend/package.json
-#         cache: npm
-#         cache-dependency-path: ./frontend/package-lock.json
-#     - name: Cache node_modules
-#       uses: actions/cache@v4
-#       id: node-modules-cache
-#       with:
-#         path: |
-#           ./frontend/node_modules
-#         key: modules-${{ hashFiles('./frontend/package-lock.json') }}
-#     - name: Install dependencies
-#       if: steps.node-modules-cache.outputs.cache-hit != 'true'
-#       run: |
-#         npm ci
-#       working-directory: ./frontend
-#     - name: Get Playwright version
-#       working-directory: ./frontend
-#       run: echo "PLAYWRIGHT_VERSION=$(jq -r '.packages["node_modules/@playwright/test"].version' package-lock.json)" >> $GITHUB_ENV
-#     - name: Cache browser binaries
-#       id: cache-browser-binaries
-#       uses: actions/cache@v4
-#       with:
-#         path: ~/.cache/ms-playwright
-#         key: ${{ runner.os }}-playwright-${{ env.PLAYWRIGHT_VERSION }}
-#     - name: Install playwright browsers
-#       if: steps.cache-browser-binaries.outputs.cache-hit != 'true'
-#       run: |
-#         npx --yes playwright install --with-deps
-#     - name: e2e tests
-#       run: |
-#         npm run test:e2e
-#       working-directory: ./frontend
-#     # TODO: enable later
-#     #
-#     # - name: Send status to Slack
-#     #   # Third-party action, pin to commit SHA!
-#     #   # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
-#     #   uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0
-#     #   if: ${{ failure() && github.ref == 'refs/heads/main' }}
-#     #   with:
-#     #     SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-#
-#
+  # Disabled as these got stuck somehow
+  #
+  # e2e-tests-frontend:
+  #   runs-on: ubuntu-latest
+  #   steps:
+  #     - uses: actions/checkout@v4
+  #     - name: Setup Node
+  #       uses: actions/setup-node@v4
+  #       with:
+  #         node-version-file: ./frontend/package.json
+  #         cache: npm
+  #         cache-dependency-path: ./frontend/package-lock.json
+  #     - name: Cache node_modules
+  #       uses: actions/cache@v4
+  #       id: node-modules-cache
+  #       with:
+  #         path: |
+  #           ./frontend/node_modules
+  #         key: modules-${{ hashFiles('./frontend/package-lock.json') }}
+  #     - name: Install dependencies
+  #       if: steps.node-modules-cache.outputs.cache-hit != 'true'
+  #       run: |
+  #         npm ci
+  #       working-directory: ./frontend
+  #     - name: Get Playwright version
+  #       working-directory: ./frontend
+  #       run: echo "PLAYWRIGHT_VERSION=$(jq -r '.packages["node_modules/@playwright/test"].version' package-lock.json)" >> $GITHUB_ENV
+  #     - name: Cache browser binaries
+  #       id: cache-browser-binaries
+  #       uses: actions/cache@v4
+  #       with:
+  #         path: ~/.cache/ms-playwright
+  #         key: ${{ runner.os }}-playwright-${{ env.PLAYWRIGHT_VERSION }}
+  #     - name: Install playwright browsers
+  #       if: steps.cache-browser-binaries.outputs.cache-hit != 'true'
+  #       run: |
+  #         npx --yes playwright install --with-deps
+  #     - name: e2e tests
+  #       run: |
+  #         npm run test:e2e
+  #       working-directory: ./frontend
+  #     # TODO: enable later
+  #     #
+  #     # - name: Send status to Slack
+  #     #   # Third-party action, pin to commit SHA!
+  #     #   # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
+  #     #   uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0
+  #     #   if: ${{ failure() && github.ref == 'refs/heads/main' }}
+  #     #   with:
+  #     #     SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+  #
+  #
 
-#TODO sonar analysis
+  check-code-quality-with-sonarqube:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: ./frontend/package.json
+          cache: npm
+          cache-dependency-path: ./frontend/package-lock.json
+      - name: Cache npm cache
+        uses: actions/cache@v4
+        id: cache-npm-cache
+        with:
+          # The docs discourage caching `node-modules`, cf. https://github.com/actions/cache/blob/main/examples.md#node---npm
+          path: /home/runner/.npm
+          key: npm-cache-${{ hashFiles('./frontend/package-lock.json') }}
+      - name: Install node modules
+        run: npm ci
+        working-directory: ./frontend
+      - name: Install SonarScanner
+        uses: digitalservicebund/setup-sonarscanner@3ade23691f865c02dce6b46452947a0e7944196e # v1.0.0
+      - name: Scan with SonarQube
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+        run: |
+          npm run coverage
+          sonar-scanner
+        working-directory: ./frontend
+      - name: Check SonarQube Quality Gate
+        uses: sonarsource/sonarqube-quality-gate-action@424137db1fae80e9eb279829995166f2f44bc8df
+        with:
+          scanMetadataReportFile: frontend/.scannerwork/report-task.txt
+        timeout-minutes: 3
+        env:
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+      # - name: Send status to Slack
+      #   # Third-party action, pin to commit SHA!
+      #   # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
+      #   uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0
+      #   if: ${{ failure() }}
+      #   with:
+      #     SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml
@@ -6,7 +6,8 @@ on:
     paths-ignore:
       - "**/*.md"
   pull_request:
-    branches: [main]
+    # TODO: restrict later
+    # branches: [main]
   # Allow to run this workflow manually
   workflow_dispatch:
 

diff --git a/.talismanrc b/.talismanrc
@@ -1,3 +1,6 @@
+scopeconfig:
+  - scope: node # ignore e.g. package-lock.json
+
 fileignoreconfig:
   - filename: lefthook.yml
     checksum: 921432fe344ffab3de5f502c7144f9d67b07ed2e34ed6b53cdca521cba30813c
@@ -6,12 +9,16 @@ allowed_patterns:
   # SHA-pinned versions of GitHub actions
   - "uses: aquasecurity/trivy-action@cf990b19d84bbbe1eb8833659989a7c1029132e3"
   - "uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf"
+  - "uses: digitalservicebund/setup-sonarscanner@3ade23691f865c02dce6b46452947a0e7944196e"
   - "uses: digitalservicebund/talisman-secrets-scan-action@9a4cb85589e29a62b4546eb566119753a5680aeb"
+  - "uses: sonarsource/sonarqube-quality-gate-action@424137db1fae80e9eb279829995166f2f44bc8df"
   # patterns with "secret"
   - secrets-scan-with-talisman
   - "secrets: inherit"
   - "SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}"
   - "# scan for secrets that were published by mistake"
   # patterns with "key"
   - "key: modules-"
-  - "key:.+runner.os"
+  - "key:.+runner.os"
+  - "key: npm-cache"
+  - "sonar.projectKey=digitalservicebund_ris-adm-vwv"