Copilot AI commented Nov 17, 2025

Adds GitHub Actions workflow for SonarQube code analysis triggered on pushes to maintree/main.

Changes

  • Created .github/workflows/build.yml with SonarSource scan action v5
  • Configured explicit permissions: contents: read to limit GITHUB_TOKEN scope
  • Enabled full git history checkout (fetch-depth: 0) for accurate analysis
  • Included commented quality gate action for optional deployment gates

Configuration Required

Repository secrets needed:

  • SONAR_TOKEN - SonarQube authentication token
  • SONAR_HOST_URL - SonarQube server endpoint

Existing sonar-project.properties already configured with project key.

Original prompt

create this for meee

.github/workflows/build.yml

name: Build

on:
  push:
    branches:
      - maintree/main

jobs:
  build:
    name: Build and analyze
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
      - uses: SonarSource/sonarqube-scan-action@v5
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
      # If you wish to fail your job when the Quality Gate is red, uncomment the
      # following lines. This would typically be used to fail a deployment.
      # - uses: SonarSource/sonarqube-quality-gate-action@v1
      #   timeout-minutes: 5
      #   env:
      #     SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

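A check for the `permissions: contents: read` change listed in the description above, as an added example that is not part of this pull request: it reads a workflow's top-level `permissions` block and reports a missing block or any write scope. The function names and both sample workflows are constructed for illustration, and job-level `permissions` blocks are not inspected.

```python
import re

# Constructed sample: the prompt's workflow, which has no permissions block.
WITHOUT_PERMS = """\
name: Build
on:
  push:
    branches:
      - maintree/main
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0  # full history
      - uses: SonarSource/sonarqube-scan-action@v5
"""
# Constructed sample: the same workflow with the read-only scope added.
WITH_PERMS = WITHOUT_PERMS.replace("jobs:\n", "permissions:\n  contents: read\n\njobs:\n", 1)

def token_permissions(workflow_text):
    """Return {scope: level} from the top-level permissions block, or None if absent."""
    lines = [l.split("#", 1)[0].rstrip() for l in workflow_text.splitlines()]
    for i, line in enumerate(lines):
        m = re.match(r"^permissions:\s*(\S.*)?$", line)
        if not m:
            continue
        if m.group(1):  # scalar form such as read-all or write-all
            return {"*": m.group(1)}
        perms = {}
        for sub in lines[i + 1:]:
            if sub and not sub[0].isspace():
                break  # reached the next top-level key
            kv = re.match(r"^\s+([\w-]+):\s*([\w-]+)", sub)
            if kv:
                perms[kv.group(1)] = kv.group(2)
        return perms
    return None

def audit(workflow_text):
    """Return findings about the GITHUB_TOKEN scope a workflow requests."""
    perms = token_permissions(workflow_text)
    if perms is None:
        return ["no top-level permissions block: GITHUB_TOKEN gets the repository default"]
    return [f"{scope}: {level}" for scope, level in perms.items()
            if level in ("write", "write-all")]

if __name__ == "__main__":
    for name, text in (("without", WITHOUT_PERMS), ("with", WITH_PERMS)):
        print(name, audit(text) or "ok: no write scopes")
```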

Copilot AI self-assigned this Nov 17, 2025

vercel bot commented Nov 17, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Preview Comments Updated (UTC)
vibe-prompting Ready Ready Preview Comment Nov 17, 2025 7:05am

Co-authored-by: Addy-shetty <50735760+Addy-shetty@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add build workflow configuration" to "Add SonarQube scan workflow with security-hardened permissions" Nov 17, 2025
Copilot AI requested a review from Addy-shetty November 17, 2025 07:07