Add shadow scan github workflow

johann-beleites-sonarsource · johann-beleites-sonarsource · commit 71b462e2a103 · 2025-10-29T09:40:32.000+01:00
Running an analysis each night on SQC EU &amp; US in addition to the
analysis on next on every commit.
diff --git a/.github/workflows/shadow_scans.yml b/.github/workflows/shadow_scans.yml
@@ -0,0 +1,42 @@
+name: Shadow scans
+on:
+  schedule:
+    # Run the workflow every day at 04:00 UTC
+    - cron: "0 1 * * *"
+  workflow_dispatch:
+
+jobs:
+  scan:
+    runs-on: github-ubuntu-latest-s
+    name: Scan on shadow platforms
+    permissions:
+      id-token: write
+      contents: write
+    steps:
+      - name: Vault
+        id: secrets
+        uses: SonarSource/vault-action-wrapper@v3
+        with:
+          secrets: |
+            development/artifactory/token/{REPO_OWNER_NAME_DASH}-private-reader access_token | ARTIFACTORY_ACCESS_TOKEN;
+            development/kv/data/sonarcloud token | SQC_EU_TOKEN;
+      - uses: actions/checkout@v4
+      - uses: jdx/mise-action@v2
+      - uses: SonarSource/ci-github-actions/build-gradle@master # dogfood
+        env:
+          ARTIFACTORY_PRIVATE_USERNAME: vault-{REPO_OWNER_NAME_DASH}-private-reader
+          ARTIFACTORY_PRIVATE_PASSWORD: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_ACCESS_TOKEN }}
+        with:
+          run-shadow-scans: true
+          artifactory-reader-role: private-reader
+          artifactory-deployer-role: qa-deployer
+          gradle-args: -Dsonar.organization=sonarsource -Dsonar.exclusions="**/build/**/*,**/its/**,**/kotlin-checks-test-sources/**"
+      - name: Run IRIS Analysis
+        uses: SonarSource/unified-dogfooding-actions/run-iris@v1
+        with:
+          primary_project_key: "org.sonarsource.kotlin:kotlin"
+          primary_platform: "Next"
+          shadow1_project_key: "org.sonarsource.kotlin:kotlin"
+          shadow1_platform: "SQC-EU"
+          shadow2_project_key: "org.sonarsource.kotlin:kotlin"
+          shadow2_platform: "SQC-US"
diff --git a/.mise.toml b/.mise.toml
@@ -0,0 +1,3 @@
+[tools]
+java = "17.0"
+gradle = "8.10.1"
diff --git a/build.gradle.kts b/build.gradle.kts
@@ -234,7 +234,7 @@ sonarqube {
         property("sonar.links.scm", "https://github.com/SonarSource/sonar-kotlin")
         property("sonar.links.issue", "https://jira.sonarsource.com/browse/SONARKT")
         property("sonar.exclusions", "**/build/**/*")
-        property("sonar.sca.exclusions", "**/its/**,**/kotlin-checks-test-sources/**")
+        property("sonar.sca.exclusions", "**/its/**,**/kotlin-checks-test-sources/**,**/test/resources/**,**/test/samples/**")
     }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+[tools]`
	`2`	`+java = "17.0"`
	`3`	`+gradle = "8.10.1"`
Original file line number	Diff line number	Diff line change
`@@ -234,7 +234,7 @@ sonarqube {`
`234`	`234`	`property("sonar.links.scm", "https://github.com/SonarSource/sonar-kotlin")`
`235`	`235`	`property("sonar.links.issue", "https://jira.sonarsource.com/browse/SONARKT")`
`236`	`236`	`property("sonar.exclusions", "/build//*")`
`237`		`- property("sonar.sca.exclusions", "/its/,/kotlin-checks-test-sources/")`
	`237`	`+ property("sonar.sca.exclusions", "/its/,/kotlin-checks-test-sources/,/test/resources/,/test/samples/")`
`238`	`238`	`}`
`239`	`239`	`}`
`240`	`240`