sonarcloud.yml

name: SonarCloud Analysis
on:
    # Trigger analysis when pushing in master or pull requests, and when creating
    # a pull request.
    push:
      branches:
        - master
        - dev
    pull_request:
        types: [opened, synchronize, reopened]

permissions:
  contents: read

jobs:
    sonarcloud:
      permissions:
        contents: read  # for actions/checkout to fetch code
        pull-requests: read  # for sonarsource/sonarcloud-github-action to determine which PR to decorate
      runs-on: ubuntu-latest
      steps:
      - name: Harden Runner
        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
        with:
          egress-policy: audit

      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          # Disabling shallow clone is recommended for improving relevancy of reporting
          fetch-depth: 0

      - name: SonarCloud Scan
        uses: sonarsource/sonarcloud-github-action@eb211723266fe8e83102bac7361f0a05c3ac1d1b # v3.0.0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}