gnodet opened a new pull request, #22346: URL: https://github.com/apache/camel/pull/22346

## Summary

Add two-workflow pattern for secure SonarCloud analysis on pull requests (including PRs from forks):

- **`sonar-build.yml`**: triggered on `pull_request`, builds the project with `mvn install -Dquickly` and uploads compiled classes + PR metadata as artifacts. No secrets needed.
- **`sonar-scan.yml`**: triggered on `workflow_run` completion of `SonarBuild`, downloads artifacts and runs `sonar:sonar` in the main repo context with access to `SONARCLOUD_TOKEN`.

This follows the same pattern used by [Apache Ignite (IGNITE-20466)](https://github.com/apache/ignite/blob/master/.github/workflows/sonar-pr-from-fork-scan.yml) and [Apache Kvrocks](https://github.com/apache/kvrocks/blob/unstable/.github/workflows/sonar.yaml) for safe SonarCloud analysis on fork PRs.

### How it works

1. PR is opened → `SonarBuild` runs (no secrets, just compiles and uploads artifacts)
2. `SonarBuild` completes → `Sonar Quality Pull Request Analysis` triggers via `workflow_run` (has access to `SONARCLOUD_TOKEN`)
3. SonarCloud decorates the PR with quality gate results and inline comments

### Prerequisites

- `SONARCLOUD_TOKEN` secret must be configured in the repository settings
- SonarCloud project `apache_camel` under the `apache` organization (already exists)

### Tested on

Validated end-to-end on [gnodet/camel#10](https://github.com/gnodet/camel/pull/10) — SonarCloud successfully posted quality gate results on the PR.

## Test plan

- [x] Tested on fork (gnodet/camel) with full build + scan chain
- [ ] Verify `SONARCLOUD_TOKEN` is available in apache/camel secrets
- [ ] Verify the workflow_run chain triggers correctly on apache/camel

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
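The split described in the PR exists because a `pull_request` run from a fork gets no repository secrets, while a `workflow_run` run executes in the base repository's context and does. The two skeleton workflows below are an added illustration of that pattern, written for this note; they are not the files from the Camel PR, and the action versions, Java version, artifact names and the `apache_camel` / `apache` Sonar settings used as parameters are assumptions. The one thing worth copying is the verification step: the PR number and head SHA come from an artifact that the fork-controlled run produced, so the scan side cross-checks the SHA against the `workflow_run` event (which GitHub, not the PR author, populates) before handing the PR number to the scanner.

```yaml
# sonar-build.yml (illustrative): runs on the PR, has no secrets.
name: SonarBuild
on:
  pull_request:
    branches: [main]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0            # Sonar needs history to compute "new code"
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'        # assumed; use the project's real JDK
      - name: Build
        run: mvn -B install -Dquickly
      - name: Record PR metadata
        run: |
          mkdir -p pr
          echo "${{ github.event.pull_request.number }}"   > pr/number
          echo "${{ github.event.pull_request.head.sha }}" > pr/head_sha
      - uses: actions/upload-artifact@v4
        with:
          name: pr-metadata
          path: pr/
      - uses: actions/upload-artifact@v4
        with:
          name: compiled-classes
          path: '**/target/classes'

---
# sonar-scan.yml (illustrative): runs in the base repo with SONARCLOUD_TOKEN.
name: Sonar Quality Pull Request Analysis
on:
  workflow_run:
    workflows: [SonarBuild]
    types: [completed]

jobs:
  scan:
    if: github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          repository: ${{ github.event.workflow_run.head_repository.full_name }}
          ref: ${{ github.event.workflow_run.head_sha }}
          fetch-depth: 0
      - uses: actions/download-artifact@v4
        with:
          run-id: ${{ github.event.workflow_run.id }}   # pull from the other run
          github-token: ${{ secrets.GITHUB_TOKEN }}
          path: .
      - name: Validate PR metadata against the trusted event
        run: |
          set -eu
          PR_NUMBER=$(tr -d '[:space:]' < pr-metadata/number)
          PR_SHA=$(tr -d '[:space:]' < pr-metadata/head_sha)
          # The artifact is untrusted input; accept only a plain integer ...
          echo "$PR_NUMBER" | grep -Eq '^[0-9]+$' || { echo "bad PR number"; exit 1; }
          # ... and only if its SHA matches what GitHub itself put in the event.
          [ "$PR_SHA" = "${{ github.event.workflow_run.head_sha }}" ] || { echo "SHA mismatch"; exit 1; }
          echo "PR_NUMBER=$PR_NUMBER" >> "$GITHUB_ENV"
      - name: SonarCloud scan
        env:
          SONAR_TOKEN: ${{ secrets.SONARCLOUD_TOKEN }}
        run: |
          mvn -B sonar:sonar \
            -Dsonar.host.url=https://sonarcloud.io \
            -Dsonar.projectKey=apache_camel \
            -Dsonar.organization=apache \
            -Dsonar.pullrequest.key="$PR_NUMBER" \
            -Dsonar.pullrequest.branch="${{ github.event.workflow_run.head_branch }}" \
            -Dsonar.pullrequest.base=main
```

Two caveats a reviewer of this pattern would raise. First, the scan job checks out the fork's head and invokes Maven on it, so the PR's own `pom.xml` and plugin configuration execute in a job that holds `SONARCLOUD_TOKEN`; keep that token scoped to SonarCloud only and grant the job no other secrets or write permissions. Second, for fork PRs `github.event.workflow_run.pull_requests` is frequently empty, which is why the PR number has to travel via the artifact at all; the SHA cross-check above is what stops a forged `number` file from attaching one PR's analysis to another.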
