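# Runs the test suite with coverage and uploads the results to SonarCloud.
name: SonarCloud Analysis

on:
  push:
    branches:
      - master
  pull_request:
    branches:
      - master
  workflow_dispatch:

# Workflow-wide default: the job token can only read repository contents.
permissions:
  contents: read

env:
  # Quiet npm: no funding notices, no audit request during install, no
  # update-notifier checks.
  # NOTE(review): with auditing off here, known-vulnerable dependencies are
  # not reported by this workflow; confirm another job covers that.
  NPM_CONFIG_FUND: '0'
  NPM_CONFIG_AUDIT: '0'
  SUPPRESS_SUPPORT: '1'
  NO_UPDATE_NOTIFIER: 'true'

jobs:
  build:
    name: SonarCloud Scan
    runs-on: ubuntu-latest
    permissions:
      contents: read
    # Run on push and manual dispatch, and on pull requests only when the
    # head branch lives in this repository. Pull requests from forks are
    # skipped, so code from a fork never runs in a job that reads
    # secrets.SONAR_TOKEN.
    if: |
      github.event_name != 'pull_request' ||
      github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name
    steps:
      # Must stay the first step so the egress policy covers everything that
      # follows. Outbound traffic is limited to the hosts listed below; a
      # step that needs a new host fails until the list is extended.
      # All third-party actions are pinned to a full commit SHA; the trailing
      # version comment is informational and has to be updated with the SHA.
      - name: Harden Runner
        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            binaries.sonarsource.com:443
            github.com:443
            npm.pkg.github.com:443
            objects.githubusercontent.com:443
            registry.npmjs.org:443
            api.sonarcloud.io:443
            analysis-sensorcache-eu-central-1-prod.s3.amazonaws.com:443
            sc-cleancode-sensorcache-eu-central-1-prod.s3.amazonaws.com:443
            scanner.sonarcloud.io:443
            sonarcloud.io:443

      - name: Check out the source code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Full history rather than a shallow clone, so no later fetch is
          # needed by the scanner.
          fetch-depth: 0
          # Do not leave the job token in the local git configuration: the
          # following steps run dependency install scripts and project tests,
          # and none of them needs to talk to the remote through git.
          persist-credentials: false

      - name: Set up Node.js environment
        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: lts/*
          cache: npm

      # npm ci installs exactly what package-lock.json records.
      - name: Install dependencies
        run: npm ci

      # A failing test run does not stop the job, so the scan below still
      # uploads whatever reports were produced. Consequence: this job's
      # status does not reflect test failures.
      - name: Run tests
        run: npm run test:sonarqube
        continue-on-error: true

      # Exposes the package name and version from package.json as step
      # outputs. They are later expanded into the scanner arguments, so they
      # are only as trustworthy as package.json on the checked-out ref.
      - name: Grab info
        id: info
        run: |
          echo "packageName=$(jq -r .name package.json)" >> "${GITHUB_OUTPUT}"
          echo "packageVersion=$(jq -r .version package.json)" >> "${GITHUB_OUTPUT}"

      - name: SonarCloud Scan
        uses: SonarSource/sonarqube-scan-action@a31c9398be7ace6bbfaf30c0bd5d415f843d45e9 # v7.0.0
        env:
          GITHUB_TOKEN: ${{ github.token }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        with:
          # Folded scalar: the lines below are joined with single spaces into
          # one argument string before the action receives it.
          args: >
            -Dsonar.projectName=${{ steps.info.outputs.packageName }}
            -Dsonar.projectVersion=${{ steps.info.outputs.packageVersion }}
            -Dsonar.links.homepage=${{ github.event.repository.homepage }}
            -Dsonar.links.issue=${{ github.event.repository.html_url }}/issues
            -Dsonar.links.scm=${{ github.repositoryUrl }}
            -Dsonar.javascript.lcov.reportPaths=coverage/lcov.info
            -Dsonar.testExecutionReportPaths=test-report.xml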