fix(sage-monorepo): use GH token to push images to GHCR #557
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Sonar Scan | |
on: | |
# Warning: using the pull_request_target event without the cautionary measures may allow | |
# unauthorized GitHub users to open a “pwn request” and exfiltrate secrets. | |
pull_request_target: | |
types: [opened, synchronize, reopened, labeled] | |
jobs: | |
sonar: | |
environment: ${{ github.event_name == 'pull_request_target' && | |
github.event.pull_request.head.repo.full_name != github.repository && 'sonar' || 'none' }} | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
# We need to fetch all branches and commits so that Nx affected has a base to compare | |
# against. | |
fetch-depth: 0 | |
persist-credentials: false | |
# By default, actions/checkout@v4 will checkout the main branch instead of the merge | |
# commit when when using pull_request_target. It is currently difficult to checkout the | |
# merge commit in this context. The current solution is to checkout the PR HEAD insteand | |
# and enable the branch protection rule "Require branches to be up to date before | |
# merging". | |
ref: ${{ github.event.pull_request.head.sha }} | |
- name: Derive appropriate SHAs for base and head for `nx affected` commands | |
uses: nrwl/nx-set-shas@v4 | |
- name: Set up the dev container | |
env: | |
SONAR_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }} | |
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | |
uses: ./.github/actions/setup-dev-container | |
- name: Scan the affected projects with Sonar | |
run: | | |
devcontainer exec --workspace-folder ../sage-monorepo bash -c ". ./dev-env.sh \ | |
&& nx affected --target=sonar" |