Deployment of Plugin - areebniyas/code-quality-tools GitHub Wiki

Introduction

This documentation covers the deployment of our WSO2 Code Specific plugin and how it can be integrated with GitHub! The plugin lets you integrate static code analysis into your development workflow, helping you improve the quality and security of your code.

The plugin is deployed on your SonarQube instance and can be triggered by commenting on a pull request on GitHub. This starts a workflow that runs the static analysis on the code and provides feedback to developers. This documentation also covers how to interpret the results of the analysis and use them to make informed decisions about code changes. Let's get started!

How to deploy

To deploy a plugin in SonarQube, you will need to do the following:

  1. Build the plugin: Before deploying the plugin, build it using Maven. This creates a JAR file that contains the plugin and all of its dependencies.

  2. Copy the plugin JAR file: Next, copy the plugin JAR file into the extensions/plugins directory of your SonarQube instance. This is typically located at $SONARQUBE_HOME/extensions/plugins.

  3. Restart SonarQube: After copying the plugin JAR file, restart your SonarQube instance for the plugin to take effect. You can do this by stopping and starting the SonarQube server, or by running sonar.sh restart if you are using the standalone distribution.

That's it! Your plugin should now be installed and activated in your SonarQube instance.

How it works on GitHub

The Sonar plugin can be integrated with GitHub through a workflow. The workflow is triggered when a comment whose body is "run analysis" is posted on a pull request by an owner or collaborator of the repository (the workflow file below matches the comment body exactly and, as written, accepts only the repository owner). When the workflow runs, static analysis is performed on the code using the Sonar plugin. The report generated by the analysis can be viewed in SonarQube, where developers can identify and fix the issues that were detected.

Workflow file

on:
  issue_comment:
    types: [created]
jobs:
  build:
    concurrency: "1"
    if: ${{ github.event.issue.pull_request && github.event.comment.author_association == 'OWNER' && github.event.comment.body == 'run analysis' }}
    name: Build and analyze
    runs-on: ubuntu-latest
    
    steps:
      - uses: actions/checkout@v2
      - name: Checkout Pull Request
        run: hub pr checkout ${{ github.event.issue.number }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Set up JDK 11
        uses: actions/setup-java@v1
        with:
          java-version: 11
      - name: Cache SonarQube packages
        uses: actions/cache@v1
        with:
          path: ~/.sonar/cache
          key: ${{ runner.os }}-sonar
          restore-keys: ${{ runner.os }}-sonar
      - name: Cache Maven packages
        uses: actions/cache@v1
        with:
          path: ~/.m2
          key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
          restore-keys: ${{ runner.os }}-m2
      - name: Build and analyze
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
        run: mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=YOUR_PROJECT_KEY  # replace YOUR_PROJECT_KEY with the project key from SonarQube

Comment

As specified in the workflow file, static analysis only runs if the comment on the pull request is exactly "run analysis" and is made by the repository owner (author_association == 'OWNER'). You can configure the workflow to allow analysis to be triggered by comments from both owners and collaborators by modifying the if: condition of the build job. Note that this if: condition is the only gate on the job: once it passes, the job checks out and builds the pull request head with SONAR_TOKEN in its environment, so keep the allowed set to trusted associations (OWNER, MEMBER, COLLABORATOR) rather than opening it to CONTRIBUTOR or to every commenter.
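One way to make that change, as an added example that is not part of the original wiki page or the project's own workflow: the workflow file with the if: condition widened to owners, organization members and collaborators, and a permissions block that limits the job's GITHUB_TOKEN to read access. YOUR_PROJECT_KEY is a placeholder for the SonarQube project key.

```yaml
on:
  issue_comment:
    types: [created]
# Least privilege for the job's GITHUB_TOKEN: checkout and 'hub pr checkout' only read.
permissions:
  contents: read
  pull-requests: read
jobs:
  build:
    concurrency: "1"
    # Gate: comment on a pull request, body exactly "run analysis", author is the
    # owner, an org member or a collaborator (>- folds the lines into one
    # expression). The steps build the PR head with SONAR_TOKEN available, so
    # never widen this to CONTRIBUTOR or NONE.
    if: >-
      ${{ github.event.issue.pull_request
      && github.event.comment.body == 'run analysis'
      && contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'),
      github.event.comment.author_association) }}
    name: Build and analyze
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Checkout Pull Request
        run: hub pr checkout ${{ github.event.issue.number }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Set up JDK 11
        uses: actions/setup-java@v1
        with:
          java-version: 11
      - name: Cache SonarQube packages
        uses: actions/cache@v1
        with:
          path: ~/.sonar/cache
          key: ${{ runner.os }}-sonar
          restore-keys: ${{ runner.os }}-sonar
      - name: Cache Maven packages
        uses: actions/cache@v1
        with:
          path: ~/.m2
          key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
          restore-keys: ${{ runner.os }}-m2
      - name: Build and analyze
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # PR information for the scanner
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
        run: mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=YOUR_PROJECT_KEY  # replace with your SonarQube project key
```

With a top-level permissions block, every scope not listed is set to none, so add further scopes only if a step demonstrably needs them.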

Summary

This documentation covers the deployment of the Sonar plugin and its integration with GitHub. The plugin is deployed by copying the modified .jar file into the extensions/plugins directory of the SonarQube instance. The integration with GitHub is achieved through a workflow that is triggered by a comment on a pull request. The workflow runs static analysis on the code using the Sonar plugin and sends the results to the SonarQube instance. This allows developers to identify and fix issues in the code, improving its quality and security.