How to get Sonarcloud to run on pull requests from forks with Travis, Maven and github
While looking into my recent question Sonarcloud failure with Travis, Maven & github I realised that I was asking the wrong question. I was trying to address a symptom rather than the underlying problem.
A project I work on (eclipse/scanning) uses Github as its repository and Travis with Sonarcloud for continuous integration and code analysis.
While the Sonarcloud analysis runs fine on internal pull requests (pull requests from branches pushed directly to eclipse/scanning) it doesn't work when Travis runs for external pull requests (those from forked repos).
The underlying problem is that the way we are running sonarcloud at the moment relies on environment variables which aren't populated for external pull requests for security reasons:
Encrypted environment variables have been removed for security reasons.
See https://docs.travis-ci.com/user/pull-requests/#Pull-Requests-and-Security-Restrictions
We have our repository set up to not care whether Sonarcloud is run, but that means that we often merge in changes which break sonarcloud rules because we don't realise they have been broken. We only see that those rules have been broken the next time they are changed by someone who does push directly to the repository. This moves the burden of fixing Sonarcloud discovered problems from collaborators to committers.
So,
- Is there a way to enable Sonarcloud analysis for pull requests from forked repositories without introducing security problems?
Note that this question seems to be one step beyond In Travis Public Repository how to add a Secure variable that works on Pull requests too which doesn't have an answer yet.
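The failure mode described above (the token simply is not there for fork builds, so the Sonar step dies) is easier to reason about if the build decides up front whether analysis can run. The following is an added example, not code from the eclipse/scanning project: a small POSIX shell script meant to be called from the `script:` section of `.travis.yml`. It assumes the SonarCloud token is held in an encrypted Travis variable named `SONAR_TOKEN` (an assumed name) and uses the documented Travis variables `TRAVIS_PULL_REQUEST`, `TRAVIS_PULL_REQUEST_SLUG`, `TRAVIS_REPO_SLUG` and `TRAVIS_SECURE_ENV_VARS`. It also adds one check the question does not mention: if a fork build can see `SONAR_TOKEN` at all, the token has been hard-coded or leaked, so the script refuses to use it rather than running the analysis.

```shell
#!/bin/sh
# Added example (not the eclipse/scanning project's own script).
# Decide whether the SonarCloud step can run in this Travis job, instead of
# letting `mvn sonar:sonar` fail on a missing token. Assumed: the token is in
# an encrypted variable SONAR_TOKEN and this file is run from .travis.yml.

# Prints exactly one word saying why analysis can or cannot run:
#   run            branch build or internal PR, encrypted variables present
#   fork-pr        pull request from a fork: Travis withholds encrypted variables
#   no-secrets     not a fork PR, but no usable token in this build
#   token-exposed  fork PR *and* SONAR_TOKEN is visible: the token has been
#                  hard-coded or leaked and should be revoked, not used
sonar_mode() {
  pr="${TRAVIS_PULL_REQUEST:-false}"           # PR number, or "false"
  pr_slug="${TRAVIS_PULL_REQUEST_SLUG:-}"       # owner/repo the PR comes from
  repo_slug="${TRAVIS_REPO_SLUG:-}"             # owner/repo being built
  secure="${TRAVIS_SECURE_ENV_VARS:-false}"     # "true" when encrypted vars are set

  # External PR: the PR's origin repo differs from the repo being built.
  if [ "$pr" != "false" ] && [ -n "$pr_slug" ] && [ "$pr_slug" != "$repo_slug" ]; then
    if [ -n "${SONAR_TOKEN:-}" ]; then
      echo token-exposed
    else
      echo fork-pr
    fi
    return 0
  fi

  # Internal build without secrets (e.g. a local run of this script).
  if [ "$secure" != "true" ] || [ -z "${SONAR_TOKEN:-}" ]; then
    echo no-secrets
    return 0
  fi

  echo run
}

mode=$(sonar_mode)
case "$mode" in
  run)
    echo "SonarCloud: running analysis"
    # Assumed Maven invocation; substitute the project's own goals/properties.
    mvn -B verify sonar:sonar -Dsonar.login="$SONAR_TOKEN"
    ;;
  fork-pr)
    echo "SonarCloud: skipped, pull request from fork ${TRAVIS_PULL_REQUEST_SLUG} (encrypted variables withheld by Travis)"
    ;;
  no-secrets)
    echo "SonarCloud: skipped, no usable token in this build"
    ;;
  token-exposed)
    echo "SonarCloud: REFUSING to run, SONAR_TOKEN is visible in a fork build; revoke it" >&2
    exit 1
    ;;
esac
```

The script never fails the build for a fork PR, so the `allow_failures`-style "don't care whether Sonarcloud ran" setting becomes unnecessary: the log states plainly that analysis was skipped and why, and a committer re-running the same script on the merged branch gets the full analysis. The `token-exposed` branch is the one guard worth keeping even if everything else changes: a token that fork builds can read is no longer a secret.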
Recommended answer
As you've perfectly guessed, unless you hard-code your GitHub and SonarCloud tokens (which obviously you don't want, so as not to publicly unveil them), there is currently no way to analyze external pull requests. This is documented on the official SonarCloud Travis Add-on page.
We are currently actively working on a way to properly support this use case - and I hope we'll come up with something before the end of the year.