Add check-sca workflow for validation #86
Closed
mostafa-mohammed-sonarsource wants to merge 2 commits into
Add the required check-sca workflow using SonarSource/ci-github-actions/check-sca@v1 on pull_request and merge_group. For this first iteration, do not pass an explicit project key so the workflow uses automatic key discovery. This is intentional to validate the hypothesis that check-sca may be resolving the wrong key in sslr. This branch is meant for observation and validation before deciding whether to pin project-key to org.sonarsource.sslr:sslr in a follow-up change.
Set explicit project-key for check-sca to match the actual Sonar project key used by analysis. This avoids fallback discovery to SonarSource_sslr and makes check-sca query org.sonarsource.sslr:sslr directly.
Test is done, and fix hopefully 🤞 is in #87

Summary
Required SCA Check workflow on pull_request and merge_group
SonarSource/ci-github-actions/check-sca@v1
project-key to validate current key auto-discovery behavior in this repo

Why
The repo already runs Sonar analysis from the build workflow, but DX/SCA status remains red. This draft PR is meant to validate whether check-sca is failing because discovered project keys do not match the effective analysis key.

Follow-up
If the run confirms key mismatch, we can pin project-key: org.sonarsource.sslr:sslr in this workflow in a follow-up commit.