diff --git a/.github/workflows/sonar.yml b/.github/workflows/sonar.yml deleted file mode 100644 index 1918c16..0000000 --- a/.github/workflows/sonar.yml +++ /dev/null @@ -1,61 +0,0 @@ -name: SonarCloud - -on: - push: - branches: [ master ] - pull_request: - branches: [ master ] - workflow_dispatch: - -jobs: - sonar: - name: Build, test & analyze - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v6 - with: - fetch-depth: 0 # full history for accurate new-code/blame attribution - - - name: Set up JDK 17 - uses: actions/setup-java@v4 - with: - distribution: 'temurin' - java-version: '17' # required by the Sonar scanner engine - - - name: Setup .NET - uses: actions/setup-dotnet@v5 - with: - dotnet-version: 8.0.x - - - name: Cache SonarCloud packages - uses: actions/cache@v4 - with: - path: ~/.sonar/cache - key: ${{ runner.os }}-sonar - restore-keys: ${{ runner.os }}-sonar - - - name: Install Sonar + coverage tools - run: | - dotnet tool install --global dotnet-sonarscanner - dotnet tool install --global dotnet-coverage - - - name: Build, test & analyze - env: - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - # If SONAR_TOKEN is not configured yet, skip analysis instead of failing the build. - run: | - if [ -z "$SONAR_TOKEN" ]; then - echo "SONAR_TOKEN secret is not set - skipping SonarCloud analysis." - echo "See SONAR_SETUP.md to finish the one-time setup." - exit 0 - fi - dotnet sonarscanner begin \ - /k:"PFalkowski_Extensions.Standard" \ - /o:"pfalkowski" \ - /d:sonar.host.url="https://sonarcloud.io" \ - /d:sonar.token="${SONAR_TOKEN}" \ - /d:sonar.cs.vscoveragexml.reportsPaths="coverage.xml" - dotnet build --configuration Release - dotnet-coverage collect "dotnet test --configuration Release --no-build" -f xml -o coverage.xml - dotnet sonarscanner end /d:sonar.token="${SONAR_TOKEN}" diff --git a/CHANGELOG.md b/CHANGELOG.md index be0ddbb..49834af 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -24,7 +24,7 @@ All notable changes to this project are documented here. The format is based on ### Added - Black-box test coverage for previously-untested public surface (`HsVtoArgb`, `Head`/`Tail`/ `HeadAndTail`, `PluralizeWhenNeeded`, `AsTime(TimeSpan)`, `FindMinMaxInOn`, `Scale()`, `MaxIndex`). -- Code coverage upload to Codecov from CI, and a SonarCloud analysis workflow (see `SONAR_SETUP.md`). +- Code coverage upload to Codecov from CI, and tokenless SonarCloud Automatic Analysis (see `SONAR_SETUP.md`). ## [11.0.0] diff --git a/SONAR_SETUP.md b/SONAR_SETUP.md index 0f6497e..565a24c 100644 --- a/SONAR_SETUP.md +++ b/SONAR_SETUP.md 
@@ -1,32 +1,22 @@ -# SonarCloud setup (one-time) +# SonarCloud setup (one-time, no secrets) -SonarCloud (now "SonarQube Cloud") is free for public repositories. The -[`.github/workflows/sonar.yml`](.github/workflows/sonar.yml) workflow runs the analysis on every -push/PR to `master`. It needs a one-time account setup plus a `SONAR_TOKEN` repository secret. Until -the secret exists the workflow is a no-op (it logs a message and exits 0), so it will not turn CI red. +SonarCloud ("SonarQube Cloud") is free for public repositories and analyzes C# via **Automatic +Analysis** — driven by the SonarCloud GitHub App, with **no CI workflow, no config file, and no +`SONAR_TOKEN` secret**. (This is how the sibling `PFalkowski/LoggerLite` repo is set up.) ## Steps 1. Go to and **log in with GitHub**. -2. **Analyze a new project** → choose the GitHub organization, then import +2. **Analyze a new project** → choose the GitHub organization → import `PFalkowski/Extensions.Standard`. -3. When prompted for the analysis method, pick **"With GitHub Actions"** (CI-based analysis — - required for C#; automatic analysis does not support C#). -4. SonarCloud shows your **Organization Key** and **Project Key**. Confirm they match the values in - `sonar.yml`: - - `/o:` → Organization Key (the workflow assumes `pfalkowski`) - - `/k:` → Project Key (the workflow assumes `PFalkowski_Extensions.Standard`) - - If SonarCloud generated different values, update those two lines in `sonar.yml`. -5. SonarCloud generates a token. In GitHub: **Settings → Secrets and variables → Actions → New - repository secret**, name it `SONAR_TOKEN`, paste the value. -6. (Recommended) In the SonarCloud project under **Administration → Analysis Method**, turn **off** - "Automatic Analysis" so it does not conflict with the CI-based analysis. +3. Leave the analysis method on the default **Automatic Analysis**. SonarCloud now analyzes on every + push/PR automatically. That's it — nothing to add to the repo. 
## Notes -- Coverage is collected with Microsoft's `dotnet-coverage` tool and handed to Sonar via - `sonar.cs.vscoveragexml.reportsPaths=coverage.xml`. -- The scanner engine runs on Java 17, which the workflow installs. -- A green PR badge / quality gate can be added to `README.md` once the project exists: +- **No token, no workflow.** Automatic Analysis and a CI-based scanner are mutually exclusive, which + is why this repo intentionally has no `sonar.yml`. +- **Coverage** is not imported by Automatic Analysis; test coverage is tracked separately in + [Codecov](https://codecov.io/gh/PFalkowski/Extensions.Standard) (uploaded from `ci.yml`). +- Optional quality-gate badge for `README.md` once the project exists: `[![Quality Gate](https://sonarcloud.io/api/project_badges/measure?project=PFalkowski_Extensions.Standard&metric=alert_status)](https://sonarcloud.io/summary/new_code?id=PFalkowski_Extensions.Standard)`
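Review bot: In the deleted `.github/workflows/sonar.yml`, the `Build, test & analyze` step is the only consumer of `secrets.SONAR_TOKEN` shown, and nothing in this patch says what happens to that credential once the workflow is gone. If the secret was ever configured, revoke the token in SonarCloud and delete the repository secret as part of this change, and add a line to `SONAR_SETUP.md` saying so, so that a live analysis token is not left behind with no workflow using it.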
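Review bot: In the `SONAR_SETUP.md` hunk, the new intro states that SonarCloud analyzes C# via Automatic Analysis, while the removed step 3 said "automatic analysis does not support C#"; the only support given for the reversal is the sibling `PFalkowski/LoggerLite` setup. Link the SonarCloud documentation that lists C# as supported by Automatic Analysis so the claim can be verified. The new step 3 ("Leave the analysis method on the default") also does not cover a project created under the old instructions, where step 6 had Automatic Analysis turned off; add a line telling those users to turn it back on under Administration → Analysis Method.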