# Sonar Runner — CI Image
Pre-baked build environment for KollectAI-ETL's SonarQube unified scan workflow. Extends [`ci/java-builder`](../java-builder/) with the standalone `sonar-scanner` CLI.
## What's included
Everything from [`java-builder`](../java-builder/) (Java 25, Maven 3.9.x, Node + pnpm, buf, ORAS, OWASP NVD database, jq/git/curl), plus:
- `sonar-scanner` CLI at `/opt/sonar-scanner` with its `bin/` on `PATH`
## Build
```bash
# Prerequisite: java-builder must already exist in the registry.
docker build -t kcr.kollect.biz/kollect-tools/ci/sonar-runner:latest ci/sonar-runner/
docker push kcr.kollect.biz/kollect-tools/ci/sonar-runner:latest
```
### Build args
| Arg | Default | Description |
|-----|---------|-------------|
| `REGISTRY` | `kcr.kollect.biz` | Registry hostname for the parent `java-builder` pull |
| `JAVA_BUILDER_TAG` | `latest` | Tag of `java-builder` to extend |
| `SONAR_SCANNER_VERSION` | `8.1.0.6389` | Bump in lockstep with `KollectAI-ETL/.gitea/workflows/sonar.yml`'s `SONAR_SCANNER_VERSION` |
## Usage in CI
```yaml
jobs:
  scan:
    runs-on: ubuntu-latest
    container:
      image: kcr.kollect.biz/kollect-tools/ci/sonar-runner:latest
    steps:
      - uses: actions/checkout@v6
        with:
          fetch-depth: 0 # full history: blame-aware analysis / new-code detection
      - run: ./mvnw -f backend/pom.xml compile test-compile -DskipTests -q
      - run: sonar-scanner
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
```
No more runtime `curl`-install or cache restore step: the scanner is on `PATH` from the moment the container starts. Keep `SONAR_TOKEN` in the step's `env:` as shown rather than on the `sonar-scanner` command line, so it does not land in the job log or the process list. Note that `:latest` is a mutable tag; if a workflow needs a reproducible scan environment, pin `image:` to a digest (`kcr.kollect.biz/kollect-tools/ci/sonar-runner@sha256:<digest>`) and bump it deliberately.
## Maintenance
- Sonar-scanner version bump: edit the `SONAR_SCANNER_VERSION` ARG default and rebuild. Keep the matching `SONAR_SCANNER_VERSION` env in `KollectAI-ETL/.gitea/workflows/sonar.yml` in sync.
- Java/Maven/etc. bumps: just rebuild — they come from the parent `java-builder` image.
- Build order: `java-builder` first, then `sonar-runner`. The CI workflow's auto-discovery handles this naturally as long as both images exist; for manual builds invoke them in that order.
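
The lockstep rule stated in the build-args table and in the first maintenance bullet is easy to forget and cheap to enforce. The script below is an added example, not code from this image or from the KollectAI-ETL repository: it assumes the Dockerfile declares `ARG SONAR_SCANNER_VERSION=<value>` and the workflow declares `SONAR_SCANNER_VERSION: <value>` (quoted or not) somewhere under `env:`; both file paths and the sample files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: verify that the sonar-runner Dockerfile and the KollectAI-ETL
# sonar.yml workflow pin the same SONAR_SCANNER_VERSION before a rebuild.
# The line formats below are assumptions about those two files.

# Print the default of `ARG SONAR_SCANNER_VERSION=<value>` from a Dockerfile.
# Surrounding quotes are stripped; only the first declaration is used.
dockerfile_scanner_version() {
    sed -n 's/^[[:space:]]*ARG[[:space:]]\{1,\}SONAR_SCANNER_VERSION=\([^[:space:]]*\).*/\1/p' "$1" \
        | head -n 1 | tr -d "\"'"
}

# Print the value of `SONAR_SCANNER_VERSION: <value>` from a workflow YAML file.
# A trailing `# comment` is ignored; surrounding quotes are stripped.
workflow_scanner_version() {
    sed -n 's/^[[:space:]]*SONAR_SCANNER_VERSION:[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" \
        | head -n 1 | tr -d "\"'"
}

# check_scanner_version_sync DOCKERFILE WORKFLOW
# Exit status: 0 = same version in both files, 1 = versions differ,
# 2 = one side does not declare it at all (a silent skip would defeat the check).
check_scanner_version_sync() {
    df_ver=$(dockerfile_scanner_version "$1")
    wf_ver=$(workflow_scanner_version "$2")
    if [ -z "$df_ver" ] || [ -z "$wf_ver" ]; then
        echo "SONAR_SCANNER_VERSION missing: Dockerfile='${df_ver:-<none>}' workflow='${wf_ver:-<none>}'" >&2
        return 2
    fi
    if [ "$df_ver" != "$wf_ver" ]; then
        echo "SONAR_SCANNER_VERSION drift: Dockerfile=$df_ver workflow=$wf_ver" >&2
        return 1
    fi
    echo "SONAR_SCANNER_VERSION in sync: $df_ver"
    return 0
}

# Constructed sample inputs (not the real Dockerfile or workflow), written to a
# scratch directory so the check can be exercised offline.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/Dockerfile.synced" <<'EOF'
ARG REGISTRY=kcr.kollect.biz
ARG JAVA_BUILDER_TAG=latest
FROM ${REGISTRY}/kollect-tools/ci/java-builder:${JAVA_BUILDER_TAG}
ARG SONAR_SCANNER_VERSION=8.1.0.6389
EOF
cat > "$SAMPLE_DIR/Dockerfile.drifted" <<'EOF'
ARG REGISTRY=kcr.kollect.biz
# bumped here but not in the workflow (placeholder version number)
ARG SONAR_SCANNER_VERSION=9.9.9.9999
EOF
cat > "$SAMPLE_DIR/sonar.yml" <<'EOF'
env:
  SONAR_SCANNER_VERSION: "8.1.0.6389"
jobs:
  scan:
    runs-on: ubuntu-latest
EOF
cat > "$SAMPLE_DIR/sonar-missing.yml" <<'EOF'
jobs:
  scan:
    runs-on: ubuntu-latest
EOF

# Demonstration runs; in CI the non-zero exit status is the signal.
check_scanner_version_sync "$SAMPLE_DIR/Dockerfile.synced"  "$SAMPLE_DIR/sonar.yml"       || echo "unexpected: synced pair reported as out of sync"
check_scanner_version_sync "$SAMPLE_DIR/Dockerfile.drifted" "$SAMPLE_DIR/sonar.yml"       || echo "drift detected, refusing to build"
check_scanner_version_sync "$SAMPLE_DIR/Dockerfile.synced"  "$SAMPLE_DIR/sonar-missing.yml" || echo "declaration missing, refusing to build"
```

Run it as the first step of the image-build job (or as a pre-commit hook in both repositories) so a bump in one place fails fast until the other is updated. The missing-declaration case is deliberately an error rather than a pass: a renamed variable or a moved file would otherwise make the check succeed for the wrong reason.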