wpallstars/wp-plugin-starter-template-for-ai-coding
Template
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
fix/sonarcloud-s7636-hotspots
wp-plugin-starter-template-…/.github/workflows/sonarcloud.yml
marcusquinn 523574a93e fix: move secret expansion from run blocks to env blocks (SonarCloud S7636) 
Resolves SonarCloud security hotspots S7636 in three workflow files:
- code-quality.yml: CODACY_PROJECT_TOKEN moved to env block on check step
- sonarcloud.yml: SONARCLOUD_GITHUB moved to env block on check step
- sync-wiki.yml: GITHUB_TOKEN and context vars moved to env block on sync step

Secrets are now passed as environment variables and referenced via $VAR
rather than being expanded inline in run: shell blocks, which prevents
secret values from appearing in workflow logs and resolves the hotspots.

Closes #106
2026-03-19 03:17:06 +00:00

69 lines
2.3 KiB
YAML
Raw Permalink Blame History

name: SonarCloud Analysis
# DISABLED: Using SonarCloud Automatic Analysis instead of CI-based analysis.
# Custom Quality Gates require a paid plan, which isn't suitable for FOSS projects.
# The free Automatic Analysis provides code quality feedback without coverage requirements.
#
# To re-enable CI-based analysis:
# 1. Uncomment the triggers below
# 2. Disable Automatic Analysis on SonarCloud.io
# 3. Consider upgrading to a paid plan for custom Quality Gate settings
on:
# Disabled - using Automatic Analysis instead
# push:
# branches: [ main, feature/* ]
# pull_request:
# branches: [ main ]
# types: [opened, synchronize, reopened]
workflow_dispatch: # Keep manual trigger for testing
permissions:
contents: read
pull-requests: read
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
sonarcloud:
name: SonarCloud
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
- name: Check if SonarCloud token is set
id: check_token
env:
SONARCLOUD_GITHUB: ${{ secrets.SONARCLOUD_GITHUB }}
run: |
if [ -z "$SONARCLOUD_GITHUB" ]; then
echo "SONARCLOUD_GITHUB is not set, skipping SonarCloud analysis"
echo "skip=true" >> $GITHUB_OUTPUT
else
echo "skip=false" >> $GITHUB_OUTPUT
fi
- name: SonarCloud Scan
if: steps.check_token.outputs.skip != 'true'
uses: SonarSource/sonarqube-scan-action@master
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SONAR_TOKEN: ${{ secrets.SONARCLOUD_GITHUB }}
with:
args: >
-Dsonar.projectKey=wpallstars_wp-plugin-starter-template-for-ai-coding
-Dsonar.organization=wpallstars
-Dsonar.sources=.
-Dsonar.tests=tests
-Dsonar.sourceEncoding=UTF-8
-Dsonar.cpd.exclusions=tests/**
-Dsonar.exclusions=vendor/**,node_modules/**,tests/**,bin/**,build/**,dist/**,.github/**,.git/**,cypress/**,playground/**,.wiki/**
-Dsonar.php.coverage.reportPaths=coverage.xml
-Dsonar.php.tests.reportPath=test-report.xml
Reference in New Issue View Git Blame Copy Permalink