
Commit d3eac53

committed
ci: gate Sonar secret access to trusted PR contexts
1 parent 5f34baf commit d3eac53

1 file changed

Lines changed: 10 additions & 0 deletions


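--- a/.github/workflows/sonarcloud.yml
+++ b/.github/workflows/sonarcloud.yml
@@ -30,14 +30,22 @@ jobs:
 - name: Run tests with coverage
 run: make coverage-sonar
 
+- name: Skip SonarCloud on untrusted fork PR
+if: ${{ github.event_name == 'pull_request' && (github.event.pull_request.head.repo.fork || !contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.pull_request.author_association)) }}
+run: |
+echo "Skipping SonarCloud token retrieval for untrusted PR context."
+echo "Fork PRs and non-collaborator authors do not receive Vault-backed token access."
+
 - name: Azure login (OIDC)
+if: ${{ github.event_name != 'pull_request' || (github.event.pull_request.head.repo.fork == false && contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.pull_request.author_association)) }}
 uses: azure/login@v2
 with:
 client-id: ${{ vars.AZURE_CLIENT_ID }}
 tenant-id: ${{ vars.AZURE_TENANT_ID }}
 subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
 
 - name: Read SonarCloud token from Key Vault
+if: ${{ github.event_name != 'pull_request' || (github.event.pull_request.head.repo.fork == false && contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.pull_request.author_association)) }}
 id: sonar_token
 shell: bash
 run: |
@@ -53,6 +61,7 @@ jobs:
 echo "value=$SONAR_TOKEN" >> "$GITHUB_OUTPUT"
 
 - name: SonarCloud scan
+if: ${{ github.event_name != 'pull_request' || (github.event.pull_request.head.repo.fork == false && contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.pull_request.author_association)) }}
 uses: SonarSource/sonarcloud-github-action@ffc3010689be73b8e5ae0c57ce35968afd7909e8
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -67,6 +76,7 @@ jobs:
 -Dsonar.enableIssueAnnotation=true
 
 - name: SonarCloud quality gate
+if: ${{ github.event_name != 'pull_request' || (github.event.pull_request.head.repo.fork == false && contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.pull_request.author_association)) }}
 uses: SonarSource/sonarqube-quality-gate-action@cf038b0e0cdecfa9e56c198bbb7d21d751d62c3b
 with:
 scanMetadataReportFile: dist/quality/sonar/scannerwork/report-task.txt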
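Review bot: The `if:` added to the Azure login and Key Vault steps admits every event other than `pull_request` unconditionally, so whether it keeps fork-contributed code away from the Vault-backed token depends on the workflow's `on:` block, which lies outside this hunk — if that list includes `pull_request_target` or `workflow_run`, a fork PR still reaches those steps under the more privileged context those events carry, while for a plain `pull_request` from a fork GitHub presumably already withholds repository secrets and OIDC, so the gate's value lies mostly in those other triggers. A deny-by-default form keyed on the payload rather than the event name, `if: ${{ github.event.pull_request == null || (github.event.pull_request.head.repo.fork == false && contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.pull_request.author_association)) }}`, covers both cases with one expression. The same expression is copied onto four steps (also in the two later hunks of this file) and its negation on the skip step is hand-written, which is where drift between the two forms tends to appear; defining it once as a job-level `env:` value (e.g. `SONAR_TRUSTED: ${{ … }}`) and gating with `if: env.SONAR_TRUSTED == 'true'` / `!= 'true'` leaves a single place to audit. The `jobs:` entry and its trigger list begin before the first hunk.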
