
Add Sonar analysis to repository #90 (Merged)

jonas-wielage-sonarsource merged 2 commits into master from jw/add-sonar-analysis on Dec 16, 2025

Conversation

@jonas-wielage-sonarsource (Contributor)

No description provided.

jonas-wielage-sonarsource force-pushed the jw/add-sonar-analysis branch 13 times, most recently from c88f850 to a789054 on December 12, 2025 13:52
@mstachniuk (Contributor) left a comment

LGTM, and please see my comments.

One thing is strange: the build-gradle step took 20 minutes (18 minutes of it for the regular build).

https://github.com/SonarSource/cloud-native-gradle-modules/actions/runs/20237588101/job/58096368092?pr=90#step:6:1443

Any idea why it is so slow?

@sonarqube-next

Quality Gate passed Quality Gate passed for 'cloud-native-gradle-modules'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0 Dependency risks
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarQube

@sonarqube-cloud-us

SonarQube reviewer guide


Model A:

Summary: Add GitHub Actions caching, SonarQube integration, and shadow scan workflow

Review Focus: The custom Gradle cache key generation using md5sum of multiple files; the new shadow-scan workflow configuration with IRIS analysis; migration from direct Gradle command to SonarSource's build-gradle action with disabled caching.

Start review at: .github/workflows/build.yml. This file contains the core build pipeline changes that affect all builds, including the critical caching strategy and the migration to a standardized build action.

Model B:

Summary: Refactor CI/CD pipelines to use standardized SonarSource build actions with Gradle caching, add shadow scan workflow, and configure root build.gradle with SonarQube plugin.

Review Focus:

  • The Gradle caching implementation in build.yml uses MD5 checksums of configuration files as cache keys—verify this approach is performant and handles cache invalidation correctly.
  • New shadow-scan.yml workflow runs on schedule and pull requests with 'shadow_scan' label—ensure IRIS analysis configuration and permissions are appropriate for your infrastructure.
  • Transition from inline ./gradlew build to standardized SonarSource/ci-github-actions/build-gradle@v1 action with disable-caching: 'true'—confirm this setting aligns with the new explicit caching strategy above.

Start review at: .github/workflows/build.yml. This is the primary CI workflow where the most significant functional changes occur: replacement of direct gradle invocation with a reusable action, introduction of explicit Gradle dependency caching, and integration with Develocity. Understanding these changes is critical to validating the new build pipeline behavior.

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues
0 Dependency risks

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@sonarqubecloud

SonarQube reviewer guide


Model A:

Summary: Add SonarQube analysis with shadow scans and improve Gradle caching in CI workflows.

Review Focus: The custom Gradle cache key generation logic using MD5 hashing of build files is duplicated across workflows and could be error-prone. Verify the shadow scan configuration correctly targets the three different SonarQube platforms (Next, SQC-EU, SQC-US). Ensure the disable-caching: 'true' flag doesn't conflict with the new Gradle cache setup.

Start review at: .github/workflows/shadow-scan.yml. This is a new workflow that introduces multi-platform SonarQube scanning infrastructure and defines the core scanning strategy for the project.

Model B:

Summary: Refactor CI/CD build process with Gradle caching optimization and add new shadow scan workflow for security analysis.

Review Focus:

  • The Gradle caching implementation in build.yml uses MD5 checksums of build files as cache keys—verify the hash computation logic is robust and handles all relevant dependency files
  • New shadow-scan.yml workflow includes conditional execution based on PR labels; ensure the label-matching logic aligns with team practices
  • The migration from direct ./gradlew build to SonarSource/ci-github-actions/build-gradle@v1 action changes build behavior; confirm all parameters (deploy, develocity, artifactory roles) are correctly configured

Start review at: .github/workflows/build.yml. This is the primary workflow file where the core build process is refactored with caching strategy and action migration, affecting all CI builds.

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues
0 Dependency risks

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud
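Both reviewer guides above flag the same review item: a Gradle cache key computed from md5sums of several build files, which must be deterministic across runs and must change whenever any relevant file changes (so a stale dependency cache is never reused). The script below is an added example of that technique, not code from this PR or from SonarSource's ci-github-actions; the `gradle_cache_key` helper, the list of matched file names and the constructed demo project are assumptions.

```shell
#!/bin/sh
# Added example (not from this PR): build a Gradle cache key from the md5 of
# every build-configuration file, so the key is deterministic and changes
# whenever any of those files changes. Assumes POSIX sh with find, sort and
# md5sum (falls back to BSD md5); file names and the demo project are
# assumptions, not the PR's own workflow code.

# Hex md5 of stdin, portable across GNU coreutils and BSD/macOS.
md5_stdin() {
  if command -v md5sum >/dev/null 2>&1; then
    md5sum | cut -d' ' -f1
  else
    md5 -q
  fi
}

# Files that influence dependency resolution, sorted so the key does not
# depend on the order in which the filesystem enumerates them. Build output
# and Gradle's own cache directory are pruned.
gradle_config_files() {
  find "$1" \( -name build -o -name .gradle \) -prune -o \
    \( -name build.gradle -o -name build.gradle.kts \
       -o -name settings.gradle -o -name settings.gradle.kts \
       -o -name gradle.properties -o -name libs.versions.toml \
       -o -name gradle-wrapper.properties \) -type f -print | sort
}

# Cache key: md5 over one "relative-path md5" line per file, so moving or
# renaming a file invalidates the cache as well as editing it.
gradle_cache_key() {
  root="$1"
  gradle_config_files "$root" | while IFS= read -r f; do
    printf '%s %s\n' "${f#"$root"/}" "$(md5_stdin < "$f")"
  done | md5_stdin
}

# Constructed demo project (sample input, not a real repository).
make_demo_project() {
  d=$(mktemp -d)
  mkdir -p "$d/gradle/wrapper" "$d/lib" "$d/build"
  printf 'plugins { id("java") }\n' > "$d/build.gradle.kts"
  printf 'rootProject.name = "demo"\n' > "$d/settings.gradle.kts"
  printf 'distributionUrl=PLACEHOLDER\n' > "$d/gradle/wrapper/gradle-wrapper.properties"
  printf 'dependencies { }\n' > "$d/lib/build.gradle.kts"
  printf 'ignored\n' > "$d/build/build.gradle.kts"   # under build/, pruned
  printf '%s\n' "$d"
}

demo=$(make_demo_project)
key_before=$(gradle_cache_key "$demo")
# Editing a subproject build file must produce a different key.
printf 'dependencies { implementation("org.example:lib:1.0") }\n' > "$demo/lib/build.gradle.kts"
key_after=$(gradle_cache_key "$demo")
printf 'before: %s\nafter:  %s\n' "$key_before" "$key_after"
rm -rf "$demo"
```

Two checks worth running against whatever key recipe a workflow adopts: the key must be identical on two consecutive runs over an unchanged tree (otherwise the cache never hits), and it must differ after any tracked file is edited, added or renamed (otherwise a stale cache is restored).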

@jonas-wielage-sonarsource (Contributor, Author)

@mstachniuk It's not always this slow; the last run took 2m. I don't know why it happens, seems to be flaky / sleeping GitHub runners...

jonas-wielage-sonarsource merged commit 33f7469 into master on Dec 16, 2025 (5 checks passed).
jonas-wielage-sonarsource deleted the jw/add-sonar-analysis branch on December 16, 2025 08:47.

2 participants