Skip to content

fix(sage-monorepo): use GH token to push images to GHCR #557

fix(sage-monorepo): use GH token to push images to GHCR

fix(sage-monorepo): use GH token to push images to GHCR #557

name: Sonar Scan
on:
# Warning: using the pull_request_target event without the cautionary measures may allow
# unauthorized GitHub users to open a “pwn request” and exfiltrate secrets.
pull_request_target:
types: [opened, synchronize, reopened, labeled]
jobs:
sonar:
environment: ${{ github.event_name == 'pull_request_target' &&
github.event.pull_request.head.repo.full_name != github.repository && 'sonar' || 'none' }}
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
# We need to fetch all branches and commits so that Nx affected has a base to compare
# against.
fetch-depth: 0
persist-credentials: false
# By default, actions/checkout@v4 will checkout the main branch instead of the merge
# commit when when using pull_request_target. It is currently difficult to checkout the
# merge commit in this context. The current solution is to checkout the PR HEAD insteand
# and enable the branch protection rule "Require branches to be up to date before
# merging".
ref: ${{ github.event.pull_request.head.sha }}
- name: Derive appropriate SHAs for base and head for `nx affected` commands
uses: nrwl/nx-set-shas@v4
- name: Set up the dev container
env:
SONAR_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }}
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
uses: ./.github/actions/setup-dev-container
- name: Scan the affected projects with Sonar
run: |
devcontainer exec --workspace-folder ../sage-monorepo bash -c ". ./dev-env.sh \
&& nx affected --target=sonar"