ci(FS-7045): Update sonarqube-scan.yml

.github/workflows/blackduck-scan.yml

@@ -1,99 +0,0 @@
-###
-# Foundation-security BlackDuck workflow
-# version: 2.1
-###
-name: Foundation-Security/Black Duck Scan
-
-on:
-  push:
-    tags:
-      - "**"
-  pull_request:
-    types: [opened, synchronize, reopened]
-    branches:
-      - "**"
-  schedule:
-    - cron: "0 3 * * *" # 3:00 AM UTC / 10PM EST
-  workflow_dispatch:
-    inputs:
-      scan-mode:
-        description: "BlackDuck Scan mode"
-        required: true
-        type: choice
-        options:
-          - RAPID
-          - INTELLIGENT
-        default: RAPID
-      ref:
-        description: "Branch to scan"
-        required: true
-
-jobs:
-  Blackduck-Scan:
-    runs-on: ubuntu-22.04
-    permissions:
-      id-token: write
-      contents: read
-    steps:
-      - name: Checkout source repository for dispatch runs
-        id: checkout-source-dispatch
-        if: github.event_name == 'workflow_dispatch'
-        uses: actions/checkout@v4
-        with:
-          repository: ${{ github.repository }}
-          ref: ${{ inputs.ref }}
-          path: source
-          token: ${{ secrets.GH_SLONIK }}
-
-      - name: Set project name and version for dispatch runs
-        id: set-project-name-and-version-dispatch
-        if: github.event_name == 'workflow_dispatch'
-        run: |
-          echo "PROJECT_NAME=${{ github.event.repository.name }}" >> "$GITHUB_ENV"
-          echo "PROJECT_VERSION=${{ inputs.ref }}" >> "$GITHUB_ENV"
-
-      - name: Checkout source repository for non-dispatch runs
-        id: checkout-source
-        if: github.event_name != 'workflow_dispatch'
-        uses: actions/checkout@v4
-        with:
-          repository: ${{ github.repository }}
-          ref: ${{ github.ref }}
-          path: source
-          token: ${{ secrets.GH_SLONIK }}
-
-      - name: Set project name and version for non-dispatch runs
-        id: set-project-name-and-version
-        if: github.event_name != 'workflow_dispatch'
-        run: |
-          echo "PROJECT_NAME=${{ github.event.repository.name }}" >> "$GITHUB_ENV"
-          echo "PROJECT_VERSION=${{ github.ref_name }}" >> "$GITHUB_ENV"
-
-      - name: Get short hash
-        shell: bash
-        if: ${{ inputs.scan-mode == 'INTELLIGENT' }}
-        run: |
-          cd source
-          echo "sha_short=$(git rev-parse --short "$GITHUB_SHA")" >> "$GITHUB_ENV"
-
-      - name: Checkout foundation-security repository
-        id: checkout-foundation-security
-        uses: actions/checkout@v4
-        with:
-          repository: EnterpriseDB/foundation-security
-          ref: v2
-          path: foundation-security
-          token: ${{secrets.GH_SLONIK}}
-
-      - name: BlackDuck Scan
-        id: call-bd-action
-        uses: ./foundation-security/actions/blackduck
-        with:
-          github-token: ${{ secrets.GH_SLONIK }}
-          cloudsmith-token: ${{ secrets.CLOUDSMITH_READ_ALL }}
-          commit-hash: ${{ env.sha_short }}
-          git-tag: ${{ github.tag }}
-          blackduck-url: ${{ vars.BD_URL }}
-          blackduck-api-token: ${{ secrets.BLACKDUCK_API_TOKEN }}
-          project-name: ${{ env.PROJECT_NAME }}
-          project-version: ${{ env.PROJECT_VERSION }}

.github/workflows/sonarqube-scan.yml

@@ -0,0 +1,77 @@
+###
+# Foundation-security SonarQube workflow
+# version: 2.1
+###
+name: Foundation-Security/SonarQube Scan
+
+on:
+  push:
+    tags:
+      - "**"
+    branches:
+      - "*main*"
+      - "*master*"
+      - "*STABLE*"
+  pull_request:
+    types: [opened, synchronize, reopened]
+    branches:
+      - "**"
+  workflow_dispatch:
+    inputs:
+      ref:
+        description: "Branch to scan"
+        required: true
+        default: "main"
+
+jobs:
+  SonarQube-Scan:
+    name: SonarQube Scan Job
+    if: ${{ github.actor != 'dependabot[bot]' }}
+    permissions:
+      id-token: write
+      contents: read
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout source repository for dispatch runs
+        id: checkout-source-dispatch
+        if: github.event_name == 'workflow_dispatch'
+        uses: actions/checkout@v4
+        with:
+          repository: ${{ github.repository }}
+          ref: ${{ inputs.ref }}
+          path: source
+          token: ${{ secrets.GH_SLONIK }}
+
+      - name: Checkout source repository for non-dispatch runs
+        id: checkout-source
+        if: github.event_name != 'workflow_dispatch'
+        uses: actions/checkout@v4
+        with:
+          repository: ${{ github.repository }}
+          ref: ${{ github.ref }}
+          path: source
+          token: ${{ secrets.GH_SLONIK }}
+
+      - name: Checkout foundation-security repository
+        id: checkout-foundation-security
+        uses: actions/checkout@v4
+        with:
+          repository: EnterpriseDB/foundation-security
+          ref: v2
+          path: foundation-security
+          token: ${{ secrets.GH_SLONIK }}
+
+      - name: SonarQube Scan
+        id: call-sq-composite
+        uses: ./foundation-security/actions/sonarqube
+        with:
+          github-token: ${{ secrets.GH_SLONIK }}
+          github-ref: ${{ github.ref_name }}
+          sonarqube-url: ${{ vars.SQ_URL }}
+          sonarqube-token: ${{ secrets.SONARQUBE_TOKEN }}
+          project-name: ${{ github.event.repository.name }}
+          pull-request-key: ${{ github.event.number }}
+          pull-request-branch: ${{ github.head_ref }}
+          pull-request-base-branch: ${{ github.base_ref }}
+          foundation-security-sonarqube-token: ${{ secrets.FOUNDATION_SECURITY_SONARQUBE_TOKEN }}
+          cloudsmith-token: ${{ secrets.CLOUDSMITH_READ_ALL }}