Is there a way to make SonarQube be part of GitLab merge request approvals? If the SonarQube analysis reports a PASS, it should add an approval via GitLab API. On the other hand, if the quality gate reports a FAIL, it should remove its approval via GitLab API, if it approved the MR before.
This should be triggered from both sides (I think?), GitLab pipelines as well as SonarQube project status changes, from red to green and vice versa within SonarQube.
However, for us, this exact workflow would be the most important:
1. GitLab pipeline is run
2. SonarScanner does its thing
3. SonarQube reports FAIL
4. Issues are fixed on the SonarQube side (“wontfix” for example)
5. SonarQube triggers GitLab to run the pipeline again
6. SonarScanner does its thing again
7. SonarQube reports PASS this time and approves the merge request
8. Code is changed
9. GitLab pipeline is triggered via push
10. SonarScanner does its thing again
11. SonarQube reports FAIL and removes its merge request approval
Personally, I agree we could go further with our GitLab integration. I just want to check if this post is really a different topic from what you’re asking about in your other thread, and if so how?
If not, I’d rather keep the conversation to one thread.
Thanks for your answer! These two issues are similar, but different in, say, “goals”. Making API calls from SonarQube to GitLab and triggering pipelines and such underlies both issues. But this issue aims more at adding/removing approvals, whereas the other issue aims more at merge request decorations themselves. It would be nice to have both, though.
Since both issues should be treated separately, I will edit my original post and remove the MR decoration part for more clarity.
@Farah, I think was responding to your second point when she responded here. She and I had a little behind the scenes chat about it (this approvals API has been on my radar for a while).
Just to reiterate: This specific issue (second point) is about the “Approve” button of a GitLab merge request:
The SonarQube QG = PASS event (no matter what triggers it) should “click” that button via API, so to speak. And the SonarQube QG = FAILED event should click the “Revoke approval” button via API.
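One way to wire up what the thread asks for, as an added example that is not SonarQube's or any poster's own code: a small receiver for SonarQube's project webhook that checks the `X-Sonar-Webhook-HMAC-SHA256` signature before it trusts the quality gate status, then picks the GitLab `approve` or `unapprove` call. Assumptions: the analysis is a merge request analysis whose `branch.name` is the MR IID, the GitLab host is a placeholder, and the call would be sent with a dedicated bot token that is allowed to approve.

```python
import hashlib
import hmac
import json
from urllib.parse import quote

GITLAB_API = "https://gitlab.example.com/api/v4"  # placeholder host (assumption)


def signature_ok(body: bytes, header_value: str, secret: bytes) -> bool:
    """Compare X-Sonar-Webhook-HMAC-SHA256 with an HMAC over the raw body."""
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest().encode()
    return hmac.compare_digest(expected, (header_value or "").lower().encode())


def plan_approval(body: bytes, header_value: str, secret: bytes, gitlab_project: str):
    """Return (method, url, params) for the GitLab call, or None for no action."""
    if not signature_ok(body, header_value, secret):
        # Unsigned or forged deliveries must never be able to approve an MR.
        raise PermissionError("webhook signature mismatch")
    event = json.loads(body)
    branch = event.get("branch", {})
    mr_iid = str(branch.get("name", ""))
    if branch.get("type") != "PULL_REQUEST" or not mr_iid.isdigit():
        return None  # only merge request analyses drive approvals
    project = quote(gitlab_project, safe="")  # "group/app" -> "group%2Fapp"
    base = f"{GITLAB_API}/projects/{project}/merge_requests/{mr_iid}"
    status = event.get("qualityGate", {}).get("status")
    revision = event.get("revision")
    if status == "OK" and revision:
        # Pin the approval to the analysed commit so a later push is not covered.
        return ("POST", f"{base}/approve", {"sha": revision})
    if status == "ERROR":
        return ("POST", f"{base}/unapprove", {})
    return None  # unknown status: leave the approval state untouched


# Constructed sample delivery (not a captured payload).
SECRET = b"constructed-webhook-secret"
SAMPLE = json.dumps({
    "revision": "c0ffee0000000000000000000000000000000000",
    "branch": {"name": "42", "type": "PULL_REQUEST"},
    "qualityGate": {"status": "OK"},
}).encode()
SAMPLE_SIG = hmac.new(SECRET, SAMPLE, hashlib.sha256).hexdigest()

if __name__ == "__main__":
    print(plan_approval(SAMPLE, SAMPLE_SIG, SECRET, "group/app"))
```

Passing `sha` on approve makes GitLab refuse the approval when the merge request head no longer matches the analysed commit, which covers the "code is changed" step in the workflow above.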