sonar CI workflow keeps failing

[yegor256]

https://github.com/objectionary/eo/actions/workflows/sonar.yml

Let's find out what is the reason and fix

[yegor256]

@maxonfjvipon please, take a look

[yegor256]

@maxonfjvipon

this is the recent one: https://sonarcloud.io/project/issues?resolved=false&types=BUG&sinceLeakPeriod=true&severities=BLOCKER%2CCRITICAL%2CMAJOR%2CMINOR&id=com.objectionary%3Aeo

this is the failure in CI: https://github.com/objectionary/eo/actions/runs/7721848475/job/21049050225

maybe we should add Sonar to pull request checks?

[maxonfjvipon]

@c71n93 can you take it?

[c71n93]

@maxonfjvipon yeah, I can try.

[c71n93]

That's the output of sonar analysis:
Failed conditions
0.0% Coverage on New Code (required ≥ 80%)
E Reliability Rating on New Code (required ≥ A)

Issues with reliability of code is just places in code that was identified by sonar as bug. They needs to be fixed or ignored.
Issues with code coverage is sort of problem, it doesn't work properly. I created new project in sonar with my up to date fork of objectionary/eo for testing. I ran this locally:

$ mvn clean install -Pjacoco
$ mvn sonar:sonar -Dsonar.token=my-sonar-token

and there was the result: https://sonarcloud.io/summary/overall?id=c71n93_eo%3Aeo. Code coverage is correct here.
I suppose, that coverage data is not collected in our CI, because jacoco is not launched here before sonar analysis. Sonar requires jacoco.xml to show code coverage analysis.

I was trying to test my ideas in #2874, by adding "on pull-request" check to sonar workflow. But it doesn't work, because it requires SONAR_TOKEN (https://github.com/objectionary/eo/actions/runs/7873343508/job/21480455544?pr=2874).

@yegor256 How can I properly enable "on pull-request" check for this workflow? I need it to debug sonar CI locally in my PR.

[yegor256]

@c71n93 try this way: https://github.com/objectionary/eo/blob/master/.github/workflows/mvn.yml#L8-L11

[c71n93]

@yegor256 In master branch CI token is provided by the 'SONAR_TOKEN' environment variable:

mvn --batch-mode -DskipTests -Dinvoker.skip verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.qualitygate.wait=true
  shell: /usr/bin/bash -e {0}
  env:
    JAVA_HOME: /opt/hostedtoolcache/Java_Zulu_jdk/20.0.2-9/x6[4](https://github.com/objectionary/eo/actions/runs/7887482792/job/21522819589#step:7:4)
    JAVA_HOME_20_X[6](https://github.com/objectionary/eo/actions/runs/7887482792/job/21522819589#step:7:6)4: /opt/hostedtoolcache/Java_Zulu_jdk/20.0.2-9/x64
    GITHUB_TOKEN: ***
    SONAR_TOKEN: ***

For some reasons in CI on PR the token is not provided.

mvn --batch-mode -DskipTests -Dinvoker.skip verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.qualitygate.wait=true
  shell: /usr/bin/bash -e {0}
  env:
    JAVA_HOME: /opt/hostedtoolcache/Java_Zulu_jdk/20.0.2-9/x6[4](https://github.com/objectionary/eo/actions/runs/7914383347/job/21604003667?pr=2874#step:7:4)
    JAVA_HOME_20_X[6](https://github.com/objectionary/eo/actions/runs/7914383347/job/21604003667?pr=2874#step:7:6)4: /opt/hostedtoolcache/Java_Zulu_jdk/20.0.2-9/x64
    GITHUB_TOKEN: ***
    SONAR_TOKEN:

I don't have access to this token, it is private.

@yegor256 Do you know how to make this token accessible from CI on PR? This token needs to see analysis results in SonarCloud.

[c71n93]

@yegor256 It looks like secrets.SONAR_TOKEN is not accessible from CI on pull-request. I think this issue from stackoverflow is related to our issue.

[c71n93]

@yegor256 So what about adding Sonar to PR checks? Do we need it now?

I need to add Sonar to PR checks here #2874 just to make sure if the test coverage in sonar will be fixed. Or we can just merge this changes. I'm 90% sure it will fix test coverage in sonar because I tried it on my fork of eo (#2251 (comment)).

[yegor256]

@c71n93 I merged #2874

[c71n93]

@yegor256 the coverage is working: https://sonarcloud.io/summary/new_code?id=com.objectionary%3Aeo. Now this 5 bugs need to be fixed.

But now CI in PRs will fail because I added Sonar to PR check. We have to remove this PR check or fix issue with sonar token.

[yegor256]

@c71n93 let's fix these five bugs

[c71n93]

@yegor256 Okay, I will check this bugs and create issues

[c71n93]

Some useful materials about sharing secrets with workflows on PRs from forks:
Stackoverflow (safe pull_request_target)
Stackoverflow (using workflow_run event on PR)

[0pdd]

@yegor256 4 puzzles #3298, #3299, #3300, #3301 are still not solved.