How do I get Sonarcloud to run on pull requests from forks with Travis, Maven & github



While looking into my recent question Sonarcloud failure with Travis, Maven & github I realised that I was asking the wrong question. I was trying to address a symptom rather than the underlying problem.

A project I work on (eclipse/scanning) uses GitHub as its repository and Travis with Sonarcloud for continuous integration and code analysis.

While the Sonarcloud analysis runs fine on internal pull requests (pull requests from branches pushed directly to eclipse/scanning) it doesn't work when Travis runs for external pull requests (those from forked repos).

The underlying problem is that the way we are running sonarcloud at the moment relies on environment variables which aren't populated for external pull requests for security reasons:

Encrypted environment variables have been removed for security reasons.
See https://docs.travis-ci.com/user/pull-requests/#Pull-Requests-and-Security-Restrictions

We have our repository set up to not care whether Sonarcloud is run, but that means that we often merge in changes which break sonarcloud rules because we don't realise they have been broken. We only see that those rules have been broken the next time they are changed by someone who does push directly to the repository. This moves the burden of fixing Sonarcloud discovered problems from collaborators to committers.

So,

  • Is there a way to enable Sonarcloud analysis of pull requests from forked repositories without introducing security issues?

Note that this question seems to be one step beyond In Travis Public Repository how to add a Secure variable that works on Pull requests too which doesn't have an answer yet.

Solution

As you've perfectly guessed, unless you hard-code your GitHub and SonarCloud tokens (which you obviously don't want, so as not to publicly unveil them), there is currently no way to analyze external pull requests. This is documented on the official SonarCloud Travis Add-on page.

We are currently actively working on a way to properly support this use case - and I hope we'll come up with something before the end of the year.
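An added example, not code from the question, the answer, or the eclipse/scanning project: a POSIX shell guard for the Travis `script` step that uses Travis's documented build variables (`TRAVIS_PULL_REQUEST`, `TRAVIS_PULL_REQUEST_SLUG`, `TRAVIS_REPO_SLUG`, `TRAVIS_SECURE_ENV_VARS`) to recognise the fork pull request case the question describes, where the encrypted variables are stripped, and to skip the analysis cleanly instead of running it without credentials or falling back to a token committed to the repository. The variable name `SONAR_TOKEN`, the file name `sonar-guard.sh` and the `-Dsonar.login` Maven property in the trailing comment are assumptions about the project's setup.

```shell
#!/bin/sh
# Added example (not from the question, the answer or eclipse/scanning).
# Decide, from Travis's documented build variables, whether a SonarCloud
# analysis can run in this build:
#   TRAVIS_PULL_REQUEST       "false", or the pull request number
#   TRAVIS_PULL_REQUEST_SLUG  owner/repo of the PR's head repository ("" if not a PR)
#   TRAVIS_REPO_SLUG          owner/repo being built
#   TRAVIS_SECURE_ENV_VARS    "true" only when encrypted variables were exported
# SONAR_TOKEN is an assumed name for the encrypted SonarCloud token.
#
# sonar_mode takes the values as arguments so the decision can be exercised
# offline. It prints one of: run, skip-fork-pr, skip-no-secrets.
sonar_mode() {
    pr="$1"; pr_slug="$2"; repo_slug="$3"; secure="$4"; token="$5"

    # A PR whose head repository differs from the repository being built
    # comes from a fork. Travis strips encrypted variables for those builds,
    # so there is nothing to authenticate with; do not attempt the analysis.
    if [ "$pr" != "false" ] && [ "$pr_slug" != "$repo_slug" ]; then
        echo skip-fork-pr
        return 0
    fi

    # Internal PR or branch build: the secret should be present. If it is
    # not (encrypted variables disabled, token unset), skip rather than fail,
    # and never substitute a token written into the repository.
    if [ "$secure" != "true" ] || [ -z "$token" ]; then
        echo skip-no-secrets
        return 0
    fi

    echo run
}

# Wrapper for the Travis "script" step: runs the analysis command passed as
# arguments only when sonar_mode prints "run". A skipped analysis returns 0
# so the build stays green and the skip is reported on stderr; when the
# analysis does run, the wrapper returns the command's own exit status.
run_sonar_if_possible() {
    mode=$(sonar_mode "${TRAVIS_PULL_REQUEST:-false}" \
                      "${TRAVIS_PULL_REQUEST_SLUG:-}" \
                      "${TRAVIS_REPO_SLUG:-}" \
                      "${TRAVIS_SECURE_ENV_VARS:-false}" \
                      "${SONAR_TOKEN:-}")
    case "$mode" in
        run)
            # Ensure command tracing is off so the token never reaches the log.
            set +x
            "$@"
            ;;
        *)
            echo "SonarCloud analysis skipped ($mode)" >&2
            return 0
            ;;
    esac
}

# Assumed usage in .travis.yml (file name and sonar.login property are
# assumptions about the project's SonarCloud Maven configuration):
#   script:
#     - mvn verify
#     - . ./sonar-guard.sh && run_sonar_if_possible mvn sonar:sonar -Dsonar.login="$SONAR_TOKEN"
```

The guard does not make fork analysis possible, which is the answer's point; it makes the fork case explicit in the build log instead of a confusing failure, and it keeps the internal-PR and branch paths on the encrypted token only.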
