SonarCloud check status not available in Github - github

Currently, I'm using SonarCloud to analyze some of the repositories in my project. But in some of them, the check status is not present (I want to make this mandatory).
The CI/CD server is CircleCI and SonarCloud is working ok (PR branch is available).

In order to activate the GitHub webhook, you must check that:
- The project in Sonar has the GitHub icon (the relationship is ok)
- You have to create another branch and make a Pull Request
- Call the Gradle task with PR params:
./gradlew -Dsonar.pullrequest.branch=${CIRCLE_BRANCH} -Dsonar.pullrequest.base=master -Dsonar.pullrequest.key=${CIRCLE_PULL_REQUEST##*/}
- Make sure that none of your repos override project keys
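The command above hard-codes the PR parameters, which breaks on CircleCI builds that are not PR builds (CIRCLE_PULL_REQUEST is then unset and the key becomes empty). As an added example, not part of the original post, the script below derives the parameters from CircleCI's built-in variables, validates the key and falls back to a branch analysis otherwise. It assumes the Gradle task is named `sonarqube` (the name depends on the SonarQube Gradle plugin version) and that `master` is the base branch, as in the post.

```shell
# Added example (not from the original post): build the SonarCloud arguments
# from CircleCI's CIRCLE_BRANCH and CIRCLE_PULL_REQUEST variables.
# Assumptions: Gradle task "sonarqube", base branch "master".

# $1: CIRCLE_BRANCH, $2: CIRCLE_PULL_REQUEST (PR URL or empty), $3: base branch
sonar_pr_args() {
  branch="$1"
  pr_url="$2"
  base="${3:-master}"
  if [ -z "$pr_url" ]; then
    # Not a PR build: analyse the branch itself (sonar.branch.name is the
    # SonarCloud property for branch analysis; for the main branch this is a
    # regular analysis, for other branches a short-lived one).
    printf '%s' "-Dsonar.branch.name=$branch"
    return 0
  fi
  # CircleCI exposes the PR as a URL; the numeric key is its last path segment,
  # which is what ${CIRCLE_PULL_REQUEST##*/} in the post extracts.
  pr_key="${pr_url##*/}"
  case "$pr_key" in
    ''|*[!0-9]*)
      echo "could not derive a numeric PR key from '$pr_url'" >&2
      return 1 ;;
  esac
  printf '%s' "-Dsonar.pullrequest.branch=$branch -Dsonar.pullrequest.base=$base -Dsonar.pullrequest.key=$pr_key"
}

# Build step for the CircleCI job: call this instead of the bare gradlew line.
run_sonar() {
  args=$(sonar_pr_args "${CIRCLE_BRANCH:-}" "${CIRCLE_PULL_REQUEST:-}" master) || return 1
  # Word splitting of $args into separate -D options is intended here.
  ./gradlew sonarqube $args
}
```

Call `run_sonar` from the job's `run` step; on a PR build it produces exactly the three `-Dsonar.pullrequest.*` options from the post, and a build whose PR URL does not end in a number fails early instead of sending an empty key to SonarCloud.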

Related

Not authorized to execute any SonarQube analysis when building pull request from a forked repo on Travis CI

I'm setting up a project with Travis CI and SonarQube.com, everything goes smoothly when a pull request comes out of a branch from the repository but it is failing when Travis runs a build off a pull request from a forked repository.
A build out of a PR from the repository: https://travis-ci.org/PistachoSoft/dummy-calculator/builds/162905730
A build out of a PR from a forked repository: https://travis-ci.org/PistachoSoft/dummy-calculator/builds/162892678
The repository: https://github.com/PistachoSoft/dummy-calculator
As it can be seen in the build log this is the error:
You're not authorized to execute any SonarQube analysis. Please contact your SonarQube administrator.
Things I've tried out but didn't work out:
Updating the sonar token.
Using an encrypted token granted by another person from the organization.
Granting 'sonar-users' and 'Anyone' the 'Execute Analysis' permission on the SonarQube project.
What can I do to fix this?
First, I raise your attention on one important point: you should not run a "standard" SonarQube analysis on PRs - otherwise your project on SonarQube.com will be "polluted" by intermediate analyses that have nothing to do with each other. Standard analyses must be executed only on the main development branch - which is usually the "master" branch. Please read the runSonarQubeAnalysis.sh file of our sample projects to see how to achieve that.
Now, why does your attempt not work? Simply because the SONAR_TOKEN environment variable (that you've set as "secure" in your YML file) will not be decoded by Travis when the PR is coming "from the outside world" (i.e. when it's not a PR of your own). This is a security constraint to prevent anybody from forking your repo, updating the YML file with an echo $SONAR_TOKEN, submitting a PR and gently waiting for Travis to execute it to unveil the secured environment variable.
Analyzing "external" PR is something that we'll soon be working on so that this is easy, straightforward and yet secured for OSS projects to benefit from this feature.
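The two rules in the answer (no standard analysis on PRs, and no token for PRs from forks) can be encoded as one decision before the scanner is invoked. The script below is an added example, not the SonarSource runSonarQubeAnalysis.sh sample. It relies on three variables Travis sets: TRAVIS_PULL_REQUEST ("false" or the PR number), TRAVIS_SECURE_ENV_VARS ("true" only when encrypted variables were decrypted, which never happens for PRs from forks) and TRAVIS_BRANCH. The host URL and the `sonar.login` property in the wrapper are assumptions.

```shell
# Added example, not the SonarSource runSonarQubeAnalysis.sh script: decide in a
# Travis job whether a SonarQube analysis that needs SONAR_TOKEN may run.

# Prints the decision; never fails the build for an external PR:
#   main             - standard analysis on the main development branch
#   skip-external-pr - PR from a fork, token not decrypted
#   skip-pr          - PR from the repository itself
#   skip-branch      - regular branch that is not the main branch
sonar_analysis_mode() {
  branch="$1"; pull_request="$2"; secure_vars="$3"; main_branch="${4:-master}"
  if [ "$pull_request" != "false" ]; then
    if [ "$secure_vars" != "true" ]; then
      # PR from a fork: the token is not available, so the scanner would fail
      # with "not authorized"; skipping keeps the contributor's PR build green.
      echo "skip-external-pr"
    else
      # PR from the repository: the token is available, but a standard analysis
      # here would pollute the project with throwaway snapshots.
      echo "skip-pr"
    fi
    return 0
  fi
  if [ "$branch" = "$main_branch" ]; then
    echo "main"
  else
    echo "skip-branch"
  fi
}

# Build step wrapper: runs the analysis only in "main" mode and checks that the
# token really was decrypted before handing it to the scanner.
run_sonar_if_allowed() {
  mode=$(sonar_analysis_mode "${TRAVIS_BRANCH:-}" "${TRAVIS_PULL_REQUEST:-false}" "${TRAVIS_SECURE_ENV_VARS:-false}" master)
  if [ "$mode" != "main" ]; then
    echo "SonarQube analysis skipped ($mode)"
    return 0
  fi
  if [ -z "${SONAR_TOKEN:-}" ]; then
    echo "SONAR_TOKEN is empty although secure variables were decrypted" >&2
    return 1
  fi
  # Assumed host URL and property names; adjust to your server.
  mvn sonar:sonar -Dsonar.host.url=https://sonarqube.com -Dsonar.login="$SONAR_TOKEN"
}
```

Calling `run_sonar_if_allowed` as the Travis script step means a fork's PR build no longer reports the "not authorized" error, while the token is only ever passed to the scanner on the main branch, where Travis has actually decrypted it.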

How to trigger a Jenkins 2.0 Pipeline job from a GitHub pull request

It looks like the GitHubPullRequestBuilder is not compatible with Jenkins v2.0 pipeline jobs.
How do you configure a pipeline job to be triggered from a GitHub pull request event?
The documentation on this topic is sparse and I cannot find any examples of this. Or is it better to create a web-hook in GitHub to trigger the pipeline job on the PR event?
I had similar issue. Here’s what worked for me
Pre-req
Jenkins ver. 2+ (I was using Jenkins 2.60)
GitHub (or GitHub Enterprise) account
Your GitHub and Jenkins must be able to talk to each other.
On Github
create a github Personal Access Token (PAT) with relevant rights.
For your repo, create a webhook with
URL as YourJenkinsURL/github-webhook/
Choose ‘Let me select individual events’ and check ‘Pull Request’
Add a Jenkinsfile to the root folder of your repo. For testing purposes you could put content as a basic hello world like below
pipeline {
    agent any
    stages {
        stage('Test') {
            steps {
                echo 'Hello World ...'
            }
        }
    }
}
On Jenkins
Install GitHub Pull Request Builder plugin. (You also need “Github” plugin but that should normally be installed as part of Jenkins ver 2+)
Jenkins – Credentials
Add github Personal Access Token (PAT) as a ‘secret text’ credential.
Add github username-password as ‘username-password’ credential.
Manage Jenkins – Configure System
Github – Github Servers: This is part of the Github plugin. Add a github server. ‘API URL’ will default to https://api.github.com. If you are using enterprise github, replace with the enterprise github url followed by /api/v3. For credential select the PAT option. Test the connection. ‘Manage Hooks’ is checked.
GitHub Pull Request Builder: for ‘GitHub Server API URL’ use the same url as specified in the Github Server section. Leave ‘Shared Secret’ blank. For credentials use the ‘username-password’ credential. Test credentials to ensure it's working. In my settings, ‘Auto-manage webhooks’ was checked.
Pipeline Job
Create a new item using ‘Pipeline’ option. Note: This is the vanilla Pipeline job, not Multibranch Pipeline.
General Section: Check ‘Github Project’ – Project URL : Enter your github repo url
Build Triggers: Check ‘GitHub Pull Request Builder’
For ‘GitHub API credentials’ select option you set for GitHub pull request builder in ‘Manage Jenkins – Configure System’ screen
For admin list: add your username
Check Use github hooks for build triggering
Pipeline:
Select ‘Pipeline Script from SCM’. Note this assumes that the root folder of your repo will contain a ‘Jenkinsfile’
SCM: Select ‘Git’
Repositories – enter repo detail. For credentials use ‘username-password’ based credentials.
Click Advanced and add refspec as +refs/pull/*:refs/remotes/origin/pr/*
Branch – should be ${sha1}
Script Path: defaulted to Jenkinsfile, leave as is.
Lightweight Checkout - Uncheck this (https://github.com/jenkinsci/ghprb-plugin/issues/507)
That’s it. You are all set. Creating a PR on master branch of your repo should now trigger your Jenkins Pipeline job
Some observations
Redelivering the webhook payload of a PR from github does not trigger the pipeline but opening a new PR or even re-opening a closed PR on github, triggers the pipeline job
In Pipeline Job Configuration, if you choose “Pipeline Script” and paste your pipeline script in there, the job doesn't trigger !!!
The flow in a nutshell can go like this:
You create your pipeline as code and save it in a file called Jenkinsfile at the root dir of your project. That code should describe how your project will get built. See here for examples: https://jenkins.io/doc/pipeline/examples/
Then you should create a new "Multibranch Pipeline Project" item in your Jenkins. You should set this up so as to scan your repo of step 1.
Now whenever you get a new PR branch opened on your step 1 repo, the branch will be checked-out and will get built according to the Jenkinsfile instructions included with it. You can set up more conditions on what gets built and when if you want to.
Notes:
"Multibranch Pipeline Project" example documentation: https://jenkins.io/doc/book/pipeline-as-code/ (scroll down to Multibranch Pipeline Projects)
Keep in mind that getting the plugin to build a PR after commenting on the PR does not work. There is a discussion analyzing this here: https://github.com/jenkinsci/gitlab-plugin/issues/298 There are workarounds (also described in that discussion) but they are quite messy to set up.
The most straightforward way to use Pipeline with GitHub pull requests is to put the script into your repository under the name Jenkinsfile and then install the GitHub Branch Source plugin. Documentation
Follow the steps below to trigger a Jenkins job automatically on a pull request generated on GitHub.
GitHub configuration:
1. Create a webhook on GitHub, i.e. http:///generic-webhook-trigger/invoke
2. Content Type: application/json
3. Select Pull Request as the event. Now the GitHub configuration part is done.
Jenkins job configuration:
4. Download Generic Webhook Trigger in Jenkins
5. GitHub configuration on Jenkins
6. GitHub configuration
7. Select Generic Webhook Trigger on Jenkins
8. Generic Webhook Trigger configuration on Jenkins, and follow step 9
9. After doing step 7 the Jenkins job will get triggered on pull request
10. Step 8 is required to get information from the pull request payload
11. Branch configuration inside Generic Webhook Trigger to get branch details from the pull request
Thanks

github plugin for SonarQube not working

Almost breaking my head over this for last few days but the github plugin for sonarqube (v 5.3) just does not seem to work.
I have my java app code in github, and have configured Jenkins to run mvn sonar:sonar goal on pull request.
The maven settings are:
clean site sonar:sonar
-Dsonar.analysis.mode=preview
-Dsonar.github.oauth=<OAUTH_TOKEN>
-Dsonar.github.repository=<ORG>/<REPO>
-Dsonar.github.pullRequest=${ghprbPullId}
-Dsonar.github.endpoint=<ENT_GITHUB_API_BASE__URI>
For sonar.analysis.mode, I tried 'issues' too
Now I perform the following:
make change to a fork (introduce a violation as per configured quality gate)
commit and push to fork repo
Create a pull request
run the jenkins job using above configuration
The analysis is successful, and the plugin always reports that all checks have passed and changes can be merged. I am just not able to understand why the github plugin in sonar is not able to show that a violation occurred and checks have failed.
Now if I merge the pull request and run sonar analysis in publish mode on the master repo, it says quality gate failed and I am able to see this in SonarQube dashboard for the project with the statement that Quality gate has failed
What am I doing wrong here? My guess is the github plugin not able to compare the changes in the pull request with that in the master repo and hence not able to report the violation. How do I fix that?
Update:
If at the end, I merge the pull request to master repo and re-run the sonar analysis on the original pull request (the one that got merged), it does report the violation as comments in the Pull Request conversation. (But what is the point if sonar is going to report the violations after the pull request is merged???)

Build pull requests to specific branch using TeamCity and Github

I want TeamCity to build all pull requests to specific target branch, e.g. develop.
So, I want to build following pull requests:
develop...foo_branch
develop...bar_branch
and skip this:
master...foo_branch
master...bar_branch
In TeamCity I can define branch specification to build all pull requests:
+:refs/pull/*/head
or define filter by source branch:
-:refs/heads/(spikes-*)
But I need filter by target branch. Is it possible?
I've written a script to work around this issue. It can be run as one of the first build steps in TC's build configuration. The script will ask for pull request details from Github, parse the response and inject source and target branch names as TeamCity parameters and environment variables. In the next build steps, you'll be able to abort the build or do whatever else you need based on these variables.
https://gist.github.com/dzzh/a6d8631e9617777fb5237bc9ec7b356b
For the script to work, you'll have to submit the PR's id as a command-line argument. We use the recommended refspec (refs/pulls/*/head) to run our builds; I extract the PR id from it and invoke the script with it.
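The approach in this answer (look the PR up, publish its branches to TeamCity, then decide) can be written as a small build step. The script below is an added example and not dzzh's gist: it extracts the PR id from the `refs/pull/<id>/head` ref, queries the GitHub API for the PR's base and head branches, publishes them as TeamCity parameters via service messages, and stops the build when the target branch is not in an allow list. It assumes the checked-out branch, a GitHub token and the `owner/repo` slug are passed in as BUILD_BRANCH, GITHUB_TOKEN and GITHUB_REPO, and that `curl` and `jq` are on the agent; the `setParameter` and `buildStop` service messages are TeamCity's own.

```shell
# Added example, not dzzh's gist. Assumed inputs: BUILD_BRANCH (e.g. refs/pull/42/head,
# mapped from teamcity.build.branch), GITHUB_TOKEN, GITHUB_REPO ("owner/repo").

# refs/pull/123/head -> 123; fails for any other ref.
pr_id_from_ref() {
  ref="$1"
  case "$ref" in
    refs/pull/*/head) ;;
    *) echo "not a pull request ref: $ref" >&2; return 1 ;;
  esac
  id="${ref#refs/pull/}"
  id="${id%/head}"
  case "$id" in ''|*[!0-9]*) return 1 ;; esac
  printf '%s' "$id"
}

# TeamCity service messages escape |, ', [ and ] with a leading | (newlines
# are not handled here; branch names cannot contain them anyway).
tc_escape() {
  printf '%s' "$1" | sed -e 's/|/||/g' -e "s/'/|'/g" -e 's/\[/|[/g' -e 's/]/|]/g'
}

# Publishes NAME so later build steps see it as %env.NAME% and $NAME.
tc_set_env() {
  printf "##teamcity[setParameter name='env.%s' value='%s']\n" "$1" "$(tc_escape "$2")"
}

# Fetches "<base.ref> <head.ref>" for a PR from the GitHub API (network; not run offline).
github_pr_refs() {
  curl -sS -H "Authorization: token $GITHUB_TOKEN" \
    "https://api.github.com/repos/$1/pulls/$2" | jq -r '.base.ref + " " + .head.ref'
}

# Returns 0 when the target branch is in the space-separated allow list.
target_allowed() {
  target="$1"; allowed="$2"
  for b in $allowed; do [ "$b" = "$target" ] && return 0; done
  return 1
}

# The build step itself: only builds PRs whose target is one of the listed branches.
check_pull_request_target() {
  allowed="${1:-develop}"
  id=$(pr_id_from_ref "${BUILD_BRANCH:-}") || return 1
  set -- $(github_pr_refs "$GITHUB_REPO" "$id")
  target="$1"; source="$2"
  tc_set_env PR_TARGET_BRANCH "$target"
  tc_set_env PR_SOURCE_BRANCH "$source"
  if ! target_allowed "$target" "$allowed"; then
    printf "##teamcity[buildStop comment='%s' readdToQueue='false']\n" \
      "$(tc_escape "PR #$id targets $target, not one of: $allowed")"
  fi
}

# Run only inside TeamCity, where BUILD_BRANCH is set.
if [ -n "${BUILD_BRANCH:-}" ]; then check_pull_request_target "develop"; fi
```

With `+:refs/pull/*/head` in the branch specification, PRs against `master` still get checked out, but the step stops the build before anything expensive runs, and the published `PR_TARGET_BRANCH` parameter remains available to later steps for the PRs that do build.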
Currently it's not possible to differentiate pull request branches based on their target branch in TeamCity. Please watch/vote for the request https://youtrack.jetbrains.com/issue/TW-43759 which is planned for the upcoming release.
Build Feature: Pull Request
Pull request support is implemented as a build feature in TeamCity. The feature extends the VCS root’s original branch specification to include pull requests that match the specified filtering criteria.
To configure the pull requests support for a build configuration, go to Build Configuration Settings | Build Features, click Add build feature, and select the Pull Requests feature from the dropdown list in the dialog.
Source: https://blog.jetbrains.com/teamcity/2019/08/building-github-pull-requests-with-teamcity/
So the filtering is done with the Build Feature: Pull Request, where By target branch: should be set to the target branch, for example refs/head/master or refs/head/myspecialbranch

Run CI build on pull request merge in TeamCity

I have a CI build that is set up in TeamCity that will trigger when a pull request is made in BitBucket (git). It currently builds against the source branch of the pull request but it would be more meaningful if it could build the merged pull request.
My research has left me with the following possible solutions:
Script run as part of build - rather not do it this way if possible
Server/agent plugin - not found enough documentation to figure out if this is possible
Has anyone done this before in TeamCity or have suggestions on how I can achieve it?
Update: (based on John Hoerr answer)
Alternate solution - forget about TeamCity doing the merge, use BitBucket web hooks to create a merged branch like github does and follow John Hoerr's answer.
Add a Branch Specification refs/pull-requests/*/merge to the project's VCS Root. This will cause TeamCity to monitor merged output of pull requests for the default branch.
It sounds to me like the functionality you're looking for is provided via the 'Remote Run' feature of TeamCity. This is basically a personal build with the merged sources and the target merge branch.
https://confluence.jetbrains.com/display/TCD8/Branch+Remote+Run+Trigger
"These branches are regular version control branches and TeamCity does not manage them (i.e. if you no longer need the branch you would need to delete the branch using regular version control means).
By default TeamCity triggers a personal build for the user detected in the last commit of the branch. You might also specify TeamCity user in the name of the branch. To do that use a placeholder TEAMCITY_USERNAME in the pattern and your TeamCity username in the name of the branch, for example pattern remote-run/TEAMCITY_USERNAME/* will match a branch remote-run/joe/my_feature and start a personal build for the TeamCity user joe (if such user exists)."
Then set up a custom "Pull Request Created" Webhook in Bitbucket.
https://confluence.atlassian.com/display/BITBUCKET/Tutorial%3A+Create+and+Trigger+a+Webhook
So for your particular use case with BitBucket integration, you could utilize the WebHook you create, and then have a shell / bash script (depending on your TeamCity Server OS) that runs the remote run git commands automatically, which will in turn automatically trigger the TeamCity Remote Run CI build on your server. You'll then be able to go to the TeamCity UI, +HEAD:remote-run/my_feature branch, and view the Remote Run results on a per-feature basis, and be confident in the build results of the code you merge to your main line of code.
Seems that BitBucket/Stash creates branches for pull requests under:
refs/pull-requests//from
You should be able to set up a remote run for that location, either by the TeamCity run-from-branch feature, or by an http post receive hook in BitBucket/Stash.
You can also use this plugin : https://github.com/ArcBees/teamcity-plugins/wiki/Configuring-Bitbucket-Pull-Requests-Plugin
(Full disclosure : I'm the main contributor :P, and I use it every day)