Integrate Sonarcloud to scan pull requests

We want to integrate Sonarcloud so that it can scan raised PRs and flag any potential issues/aid in reviewing them. - Integrate `lint` workflow into `rspec` workflow so that we can grab the Rubocop output. - Add `rspec-sonarqube-formatter` gem so that we can output rspec results in a format Sonarcloud understands. - Add `coverage.rake` task so that we can collate coverage reports from multiple test runners. - Add `sonar-project.properties` with a basic config for `sonarscanner`
DFE-Digital · Jan 31, 2025 · da0dace · da0dace
1 parent a4ebd4d
commit da0dace
Show file tree

Hide file tree

Showing 8 changed files with 246 additions and 111 deletions.
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -27,21 +27,18 @@ permissions:
   security-events: write
 
 jobs:
-  lint:
-    name: Lint
-    uses: ./.github/workflows/lint.yml
-
   openapi:
     name: Lead Provider OpenAPI Check
     uses: ./.github/workflows/lead_provider_openapi_check.yml
 
   rspec:
     name: Run the RSpec tests
     uses: ./.github/workflows/rspec.yml
+    secrets: inherit
 
   permit-merge:
     name: Permit merge
-    needs: [lint, rspec]
+    needs: [rspec]
     runs-on: ubuntu-latest
     steps:
       - run: "echo 'Linting and tests passed, this branch is ready to be merged'"
@@ -117,7 +114,7 @@ jobs:
 
   deploy_staging:
     name: Deploy staging
-    needs: [docker, rspec, lint, brakeman]
+    needs: [docker, rspec, brakeman]
     runs-on: ubuntu-latest
     if: github.ref == 'refs/heads/main'
     environment:

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
diff --git a/.github/workflows/rspec.yml b/.github/workflows/rspec.yml
@@ -7,8 +7,110 @@ on:
         type: boolean
         required: false
         default: true
-
+
+env:
+  code-coverage-artifact-name: code_coverage_${{github.run_number}}
+  unit-tests-artifact-name: unit_tests_${{github.run_number}}
+  rubocop-artifact-name: rubocop_results_${{github.run_number}}
+
 jobs:
+  ruby-linting:
+    name: "Lint ruby"
+    env:
+      GOVUK_NOTIFY_API_KEY: Test
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        name: Checkout Code
+
+      - name: Set up Ruby
+        uses: ruby/[email protected]
+        with:
+          ruby-version: ${{ inputs.ruby-version }}
+
+      - name: Install dependencies
+        run: bundle install
+
+      - name: Lint Ruby
+        run: bundle exec rubocop --format json --out=out/rubocop-result.json
+
+      - name: Keep Rubocop output
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ env.rubocop-artifact-name }}
+          path: ${{ github.workspace }}/out/rubocop-result.json
+          include-hidden-files: true
+
+  js-linting:
+    name: "Lint JS"
+    env:
+      GOVUK_NOTIFY_API_KEY: Test
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        name: Checkout Code
+
+      - name: Set up Node
+        uses: actions/[email protected]
+        with:
+          node-version: ${{ inputs.node-version }}
+          cache: "yarn"
+
+      - name: Yarn install
+        run: npm i -g yarn && yarn
+
+      - name: Lint JS
+        run: |-
+          yarn lint
+
+  scss-linting:
+    name: "Lint SCSS"
+    env:
+      GOVUK_NOTIFY_API_KEY: Test
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        name: Checkout Code
+
+      - name: Set up Ruby
+        uses: ruby/[email protected]
+        with:
+          ruby-version: ${{ inputs.ruby-version }}
+
+      - name: Install dependencies
+        run: bundle install
+
+      - name: Lint SCSS
+        run: |-
+          bundle exec rake lint:scss
+
+  erb_linting:
+    name: "Lint ERB"
+    env:
+      GOVUK_NOTIFY_API_KEY: Test
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        name: Checkout Code
+
+      - name: Set up Ruby
+        uses: ruby/[email protected]
+        with:
+          ruby-version: ${{ inputs.ruby-version }}
+
+      - name: Install dependencies
+        run: bundle install
+
+      - name: Lint ERB Templates
+        if: false
+        run: |-
+          bundle exec erblint --lint-all
+
   tests:
     name: Run rspec
     runs-on: ubuntu-20.04
@@ -59,6 +161,22 @@ jobs:
         run: |-
           bundle exec rake "knapsack:rspec[--tag ~type:feature]"
 
+      - name:  Keep Code Coverage Report
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ env.code-coverage-artifact-name }}_${{ matrix.ci_node_index }}_tests
+          path: ./coverage
+          include-hidden-files: true
+
+      - name:  Keep Unit Tests Results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ env.unit-tests-artifact-name }}_${{ matrix.ci_node_index }}_tests
+          path: ./test-report/*
+          include-hidden-files: true
+
   feature-tests:
     name: Run rspec (features)
     runs-on: ubuntu-20.04
@@ -109,6 +227,22 @@ jobs:
         run: |-
           bundle exec rake "knapsack:rspec[--tag type:feature --fail-fast]"
 
+      - name:  Keep Code Coverage Report
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ env.code-coverage-artifact-name }}_${{ matrix.ci_node_index }}_feature_tests
+          path: ./coverage
+          include-hidden-files: true
+
+      - name:  Keep Unit Tests Results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ env.unit-tests-artifact-name }}_${{ matrix.ci_node_index }}_feature_tests
+          path: ./test-report/*
+          include-hidden-files: true
+
   e2e-scenarios:
     if: ${{ inputs.run-end-to-end-tests }}
     name: Run end to end scenarios
@@ -158,3 +292,75 @@ jobs:
           CI_NODE_TOTAL: ${{ matrix.ci_node_total }}
           CI_NODE_INDEX: ${{ matrix.ci_node_index }}
         run: bundle exec bin/scenarios_ci
+
+  sonar-scanner:
+    name: Sonar Scanner
+    runs-on: ubuntu-24.04
+    needs: [ tests, feature-tests, ruby-linting ]
+    if: github.ref != 'refs/heads/main' && github.actor != 'dependabot[bot]'
+    environment:
+      name: staging
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: ${{ inputs.ruby-version }}
+
+      - name: Install gems
+        run: |
+          bundle config path vendor/bundle
+          bundle install --jobs 4 --retry 3
+
+      - name: Setup sonarqube
+        uses: warchant/setup-sonar-scanner@v8
+
+      - name: Download Artifacts
+        uses: actions/download-artifact@v4
+
+      - name: Combine Coverage Reports
+        run: |-
+          # Copy files from separate artifacts into one directory
+          mkdir ${{github.workspace}}/code_coverage
+          cp -r ${{github.workspace}}/${{ env.code-coverage-artifact-name }}_*/ ${{github.workspace}}/code_coverage
+          bundle exec rake coverage:collate
+        env:
+          COVERAGE_DIR: ${{github.workspace}}/code_coverage
+
+      - name: Login Azure
+        uses: azure/login@v2
+        with:
+          creds: ${{ secrets.AZURE_CREDENTIALS }}
+
+      - name: Fetch secrets from key vault
+        uses: azure/CLI@v2
+        id: keyvault-yaml-secret
+        with:
+          inlineScript: |
+            SONAR_TOKEN=$(az keyvault secret show --name "SONAR-TOKEN" --vault-name "s189t01-cpdnpq-te-app-kv" --query "value" -o tsv)
+            echo "::add-mask::$SONAR_TOKEN"
+            echo "SONAR_TOKEN=$SONAR_TOKEN" >> $GITHUB_OUTPUT
+
+      - name: Run sonarqube
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: sonar-scanner
+           -Dsonar.token=${{ steps.keyvault-yaml-secret.outputs.SONAR_TOKEN }}
+           -Dsonar.organization=dfe-digital
+           -Dsonar.host.url=https://sonarcloud.io/
+           -Dsonar.projectKey=DFE-Digital_npq-registration
+           -Dsonar.testExecutionReportPaths=${{github.workspace}}/${{env.unit-tests-artifact-name}}_0_tests/test-report-0.xml,\
+            ${{github.workspace}}/${{env.unit-tests-artifact-name}}_1_tests/test-report-1.xml,\
+            ${{github.workspace}}/${{env.unit-tests-artifact-name}}_2_tests/test-report-2.xml,\
+            ${{github.workspace}}/${{env.unit-tests-artifact-name}}_3_tests/test-report-3.xml,\
+            ${{github.workspace}}/${{env.unit-tests-artifact-name}}_4_tests/test-report-4.xml,\
+            ${{github.workspace}}/${{env.unit-tests-artifact-name}}_5_tests/test-report-5.xml,\
+            ${{github.workspace}}/${{env.unit-tests-artifact-name}}_6_tests/test-report-5.xml,\
+            ${{github.workspace}}/${{env.unit-tests-artifact-name}}_0_feature_tests/test-report-1.xml,\
+            ${{github.workspace}}/${{env.unit-tests-artifact-name}}_1_feature_tests/test-report-2.xml,\
+            ${{github.workspace}}/${{env.unit-tests-artifact-name}}_2_feature_tests/test-report-3.xml,\
+            ${{github.workspace}}/${{env.unit-tests-artifact-name}}_3_feature_tests/test-report-4.xml
+           -Dsonar.ruby.coverage.reportPaths=${{github.workspace}}/coverage/coverage.json
+           -Dsonar.ruby.rubocop.reportPaths=${{github.workspace}}/${{env.rubocop-artifact-name}}/rubocop-result.json
diff --git a/Gemfile b/Gemfile
@@ -178,6 +178,7 @@ group :test do
   gem "pundit-matchers", "~> 1.9.0"
   gem "rails-controller-testing", "~> 1.0.5"
   gem "rspec-default_http_header", "~> 0.0.6"
+  gem "rspec-sonarqube-formatter", require: false
   gem "selenium-webdriver"
   gem "shoulda-matchers", "~> 5.3"
   gem "simplecov"