Different build.yml for complete analysis and PR decoration?

SonarCloud
1

Hi team,

Is it okay if in my repository I have two files inside .github/workflows ? one build.yml for the complete analysis of the repository on CodePipeline, and a pr_build.yml for just PR decoration in GitHub Actions

build.yml

name: Build
on:
  push:
    branches:
      - develop
      - pre-production
      - production
jobs:
  sonarcloud:
    name: SonarCloud
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
      - name: SonarCloud Scan
        uses: SonarSource/sonarcloud-github-action@master
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

pr_build.yml

name: Pull Request
on:
  pull_request:
    types: [opened, synchronize, reopened]
jobs:
  sonarcloud:
    name: PR Decoration
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
      - name: SonarCloud scan
        uses: SonarSource/sonarcloud-github-action@master
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        with:
          args: >
            -Dsonar.pullrequest.key=${{ github.event.pull_request.number }} 
            -Dsonar.pullrequest.branch=${{ github.event.pull_request.head.ref }} 
            -Dsonar.pullrequest.base=${{ github.event.pull_request.base.ref }} 
            -Dsonar.pullrequest.provider=GitHub

I was doing a complete analysis on CodePipeline for testing with just with the pr_build.yml in my code, and this is the first time I do see a New Code and Overall Code results on the same branch. How do I interpret this behaviour?

Screenshot 2023-03-08 at 13.18.39
Screenshot 2023-03-08 at 13.18.391203×624 42.3 KB

2

Also,

How do I know which is taken as New Code ?

On my project, I have set as New Code on this project will be based on Previous version

Screenshot 2023-03-08 at 13.57.13
Screenshot 2023-03-08 at 13.57.131238×612 43.8 KB

Is there a way I can setup New Code to analyze only PR decorations?

Thanks

3

Hey there.

It shouldn’t be necessary to have separate GitHub Actions for PRs vs. your main branch, at least so far as SonarCloud analysis is concerned.

A single one like this covers both cases:

name: Build
on:
  push:
    branches:
      - develop
      - pre-production
      - production
  pull_request:
    types: [opened, synchronize, reopened]
jobs:
  sonarcloud:
    name: SonarCloud
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
      - name: SonarCloud Scan
        uses: SonarSource/sonarcloud-github-action@master
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

You do not need to specify sonar.pullrequest.* parameters in your GitHub Actions YAML – as it can automatically be inferred from the environment.

Pull Request Analysis will appear under the Pull Requests section of your code, not under the main branch. You do not need to specify a New Code Definition to analyze pull requests.

4

Hi Colin!

Thank you so much for providing an example. I have tested it out and it’s working as expected.

Regarding not needing to specify a New Code Definition to analyze pull request, does this mean the image that I put is only for complete analysis? Because on the image I put for New Code options, there is no way to clear any option (I mean, I have to select one of the options I have, previous version, specific version, number of days or specific date)

Thanks Colin!

5

Yes, it’s only for the analysis of long-lived branches (like your main branch). For pull requests, SonarQube can detect from the SCM which files/lines have changed just in the PR, and that is what is considered new code.

6

Thanks Colin!

7

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.