ci: support sonar runs for forks

.github/workflows/integration-tests-v1.yaml

@@ -46,4 +46,4 @@ jobs:
           FIREBOLT_CLIENT_ID: ${{ secrets.SERVICE_ID_STG }}
           FIREBOLT_CLIENT_SECRET: ${{ secrets.SERVICE_SECRET_STG }}
         run: |
-          npm run test:ci integration/v1
+          npm run test:ci integration/v1

.github/workflows/pull-request.yaml

@@ -8,31 +8,29 @@ on:
 
 jobs:
   code-checks:
-
     runs-on: ubuntu-latest
 
     steps:
-    - name: Check out code
-      uses: actions/checkout@v6
-
-    - name: Set up node.js
-      uses: actions/setup-node@v6
-      with:
-        node-version: '16'
-
-    - name: Install dependencies
-      run: npm install
-
-    - name: Type check with typescript
-      run: |
-        npm run type-check
-
-    - name: Test with jest
-      run: |
-        npm test -- --coverage test/unit
-
-    - name: "Security Scan"
-      uses: SonarSource/sonarqube-scan-action@master
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        SONAR_TOKEN: ${{ secrets.SONARCLOUD_TOKEN }}
+      - name: Check out code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Set up node.js
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+        with:
+          node-version: '16'
+
+      - name: Install dependencies
+        run: npm install
+
+      - name: Type check with typescript
+        run: npm run type-check
+
+      - name: Test with jest
+        run: npm test -- --coverage test/unit
+
+      - name: Upload coverage report
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        with:
+          name: coverage
+          path: coverage/
+          retention-days: 1

.github/workflows/release-workflow.yaml

@@ -23,18 +23,18 @@ jobs:
   publish:
     runs-on: ubuntu-latest
     needs: integration-tests
-    steps:    
+    steps:
     - name: Check out code
       uses: actions/checkout@v6
       with:
         fetch-depth: 0
         token: ${{ secrets.RELEASE_PAT }}
-    
+
     - name: Set up node.js
       uses: actions/setup-node@v6
       with:
         node-version: '16'
-    
+
     - name: Install dependencies
       run: |
         npm install 
@@ -43,7 +43,7 @@ jobs:
       run: |
         git config user.name "GitHub Actions Bot"
         git config user.email "<>"
-        
+
     - name: Build
       run: |
         npm run build

.github/workflows/sonar.yaml

@@ -0,0 +1,36 @@
+name: Sonar scan
+
+on:
+  workflow_run:
+    workflows: [ "PR checks" ]
+    types: [ completed ]
+
+jobs:
+  sonar:
+    runs-on: ubuntu-latest
+    # Only run if the triggering workflow succeeded
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          # Check out the exact commit that was tested, not the base branch
+          ref: ${{ github.event.workflow_run.head_sha }}
+          fetch-depth: 0
+
+      - name: Download coverage report
+        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
+        with:
+          name: coverage
+          path: coverage/
+          # Pull the artifact from the run that triggered this workflow,
+          # not from this (sonar) run which has no artifacts of its own
+          run-id: ${{ github.event.workflow_run.id }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Security scan
+        uses: SonarSource/sonarqube-scan-action@a31c9398be7ace6bbfaf30c0bd5d415f843d45e9 # v7.0.0
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SONAR_TOKEN: ${{ secrets.SONARCLOUD_TOKEN }}