From 1d3452cdb052cd83685c49502aae7727ef442fe9 Mon Sep 17 00:00:00 2001
From: Lars Strojny <lars@strojny.net>
Date: Wed, 23 Nov 2022 14:43:12 +0100
Subject: [PATCH] Separate SonarCloud step to safely run it on PRs

---
 .github/workflows/build.yml | 36 ++++++++++++-------------
 .github/workflows/sonar.yml | 53 +++++++++++++++++++++++++++++++++++++
 2 files changed, 70 insertions(+), 19 deletions(-)
 create mode 100644 .github/workflows/sonar.yml

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 693b896..1926256 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -10,23 +10,21 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          - { node-version: 10.x, lint: false, static-analysis: false, tests: false }
-          - { node-version: 11.x, lint: false, static-analysis: false, tests: false }
-          - { node-version: 12.x, lint: false, static-analysis: false, tests: false }
-          - { node-version: 13.x, lint: false, static-analysis: false, tests: false }
-          - { node-version: 14.x, lint: true, static-analysis: false, tests: true }
-          - { node-version: 15.x, lint: false, static-analysis: false, tests: true }
-          - { node-version: 16.x, lint: true, static-analysis: false, tests: true }
-          - { node-version: 17.x, lint: true, static-analysis: false, tests: true }
-          - { node-version: 18.x, lint: true, static-analysis: true, tests: true }
-          - { node-version: 19.x, lint: true, static-analysis: false, tests: true }
+          - { node-version: 10.x, lint: false, tests: false }
+          - { node-version: 11.x, lint: false, tests: false }
+          - { node-version: 12.x, lint: false, tests: false }
+          - { node-version: 13.x, lint: false, tests: false }
+          - { node-version: 14.x, lint: true, tests: true }
+          - { node-version: 15.x, lint: false, tests: true }
+          - { node-version: 16.x, lint: true, tests: true }
+          - { node-version: 17.x, lint: true, tests: true }
+          - { node-version: 18.x, lint: true, tests: true }
+          - { node-version: 19.x, lint: true, tests: true }
 
-    name: Node.js ${{ matrix.node-version }}${{ matrix.lint && ', lint' || '' }}${{ matrix.tests && ', test' || '' }}${{ matrix.static-analysis && ', static analysis' || ''}}, build
+    name: nodejs ${{ matrix.node-version }} (${{ matrix.lint && 'lint → ' || '' }}${{ matrix.tests && 'test → ' || '' }}build)
 
     steps:
       - uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
 
       - name: Use Node.js ${{ matrix.node-version }}
         uses: actions/setup-node@v3
@@ -81,12 +79,12 @@ jobs:
         run: npm test
         if: ${{ matrix.tests }}
 
-      - name: SonarCloud scan
-        uses: SonarSource/sonarcloud-github-action@master
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-        if: ${{ matrix.static-analysis }}
+      - name: Upload code coverage
+        uses: actions/upload-artifact@v3
+        with:
+          name: code-coverage
+          path: coverage/lcov.info
+        if: ${{ matrix.node-version == '18.x' }}
 
       - name: Build the project
         run: npm run build
diff --git a/.github/workflows/sonar.yml b/.github/workflows/sonar.yml
new file mode 100644
index 0000000..843f3be
--- /dev/null
+++ b/.github/workflows/sonar.yml
@@ -0,0 +1,53 @@
+on:
+  workflow_run:
+    workflows: [Build]
+    types: [completed]
+
+jobs:
+  sonar:
+    name: Sonar
+    runs-on: ubuntu-latest
+    if: github.event.workflow_run.conclusion == 'success'
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          repository: ${{ github.event.workflow_run.head_repository.full_name }}
+          ref: ${{ github.event.workflow_run.head_branch }}
+          fetch-depth: 0
+
+      - name: 'Download code coverage'
+        uses: actions/github-script@v6
+        with:
+          script: |
+            let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               run_id: context.payload.workflow_run.id,
+            });
+            let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => {
+              return artifact.name == "code-coverage"
+            })[0];
+            let download = await github.rest.actions.downloadArtifact({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               artifact_id: matchArtifact.id,
+               archive_format: 'zip',
+            });
+            let fs = require('fs');
+            fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/code-coverage.zip`, Buffer.from(download.data));
+
+      - name: 'Unzip code coverage'
+        run: unzip code-coverage.zip -d coverage
+
+      - name: SonarCloud scan
+        uses: sonarsource/sonarcloud-github-action@master
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+        with:
+          args: >
+            -Dsonar.scm.revision=${{ github.event.workflow_run.head_sha }}
+            -Dsonar.pullrequest.key=${{ github.event.workflow_run.pull_requests[0].number }}
+            -Dsonar.pullrequest.branch=${{ github.event.workflow_run.pull_requests[0].head.ref }}
+            -Dsonar.pullrequest.base=${{ github.event.workflow_run.pull_requests[0].base.ref }}