From 71b462e2a103089383c3aabf88114c7792f17704 Mon Sep 17 00:00:00 2001
From: Johann Beleites
Date: Wed, 3 Sep 2025 15:20:23 +0200
Subject: [PATCH] Add shadow scan github workflow

Running an analysis each night on SQC EU & US in addition to the analysis on next on every commit.
---
 .github/workflows/shadow_scans.yml | 42 ++++++++++++++++++++++++++++++
 .mise.toml | 3 +++
 build.gradle.kts | 2 +-
 3 files changed, 46 insertions(+), 1 deletion(-)
 create mode 100644 .github/workflows/shadow_scans.yml
 create mode 100644 .mise.toml

diff --git a/.github/workflows/shadow_scans.yml b/.github/workflows/shadow_scans.yml
new file mode 100644
index 000000000..d1444273d
--- /dev/null
+++ b/.github/workflows/shadow_scans.yml
@@ -0,0 +1,42 @@
+name: Shadow scans
+on:
+ schedule:
+ # Run the workflow every day at 04:00 UTC
+ - cron: "0 1 * * *"
+ workflow_dispatch:
+
+jobs:
+ scan:
+ runs-on: github-ubuntu-latest-s
+ name: Scan on shadow platforms
+ permissions:
+ id-token: write
+ contents: write
+ steps:
+ - name: Vault
+ id: secrets
+ uses: SonarSource/vault-action-wrapper@v3
+ with:
+ secrets: |
+ development/artifactory/token/{REPO_OWNER_NAME_DASH}-private-reader access_token | ARTIFACTORY_ACCESS_TOKEN;
+ development/kv/data/sonarcloud token | SQC_EU_TOKEN;
+ - uses: actions/checkout@v4
+ - uses: jdx/mise-action@v2
+ - uses: SonarSource/ci-github-actions/build-gradle@master # dogfood
+ env:
+ ARTIFACTORY_PRIVATE_USERNAME: vault-{REPO_OWNER_NAME_DASH}-private-reader
+ ARTIFACTORY_PRIVATE_PASSWORD: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_ACCESS_TOKEN }}
+ with:
+ run-shadow-scans: true
+ artifactory-reader-role: private-reader
+ artifactory-deployer-role: qa-deployer
+ gradle-args: -Dsonar.organization=sonarsource -Dsonar.exclusions="**/build/**/*,**/its/**,**/kotlin-checks-test-sources/**"
+ - name: Run IRIS Analysis
+ uses: SonarSource/unified-dogfooding-actions/run-iris@v1
+ with:
+ primary_project_key: "org.sonarsource.kotlin:kotlin"
+ primary_platform: "Next"
+ shadow1_project_key: "org.sonarsource.kotlin:kotlin"
+ shadow1_platform: "SQC-EU"
+ shadow2_project_key: "org.sonarsource.kotlin:kotlin"
+ shadow2_platform: "SQC-US"
diff --git a/.mise.toml b/.mise.toml
new file mode 100644
index 000000000..6a236e7d1
--- /dev/null
+++ b/.mise.toml
@@ -0,0 +1,3 @@
+[tools]
+java = "17.0"
+gradle = "8.10.1"
\ No newline at end of file
diff --git a/build.gradle.kts b/build.gradle.kts
index 9a4c8aafe..270463626 100644
--- a/build.gradle.kts
+++ b/build.gradle.kts
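Review bot: The comment above the cron entry says the workflow runs at 04:00 UTC, but `0 1 * * *` fires at 01:00 UTC; either the comment should read `# Run the workflow every day at 01:00 UTC` or the schedule should be `- cron: "0 4 * * *"`. The job requests `contents: write` although every step in the hunk only reads the repository (checkout, build, scan), so `contents: read` is the least-privilege choice unless build-gradle with `artifactory-deployer-role: qa-deployer` has to push to the repository — worth confirming against that action's documentation. `SonarSource/ci-github-actions/build-gradle@master` is referenced by a moving branch while the job runs with `id-token: write` and the Artifactory token in its environment; the `# dogfood` comment suggests this is deliberate, but a tag or commit pin would bound what a change on that branch can do with those credentials. `SQC_EU_TOKEN` is fetched from Vault but nothing in the hunk reads it from `steps.secrets.outputs.vault`; if the shadow-scan step obtains its own platform tokens the entry can be dropped, otherwise the matching SQC-US token appears to be missing.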
@@ -234,7 +234,7 @@ sonarqube {
 property("sonar.links.scm", "https://github.com/SonarSource/sonar-kotlin")
 property("sonar.links.issue", "https://jira.sonarsource.com/browse/SONARKT")
 property("sonar.exclusions", "**/build/**/*")
- property("sonar.sca.exclusions", "**/its/**,**/kotlin-checks-test-sources/**")
+ property("sonar.sca.exclusions", "**/its/**,**/kotlin-checks-test-sources/**,**/test/resources/**,**/test/samples/**")
 }
 }