
DevOps: add SonarQube to the repo for code QC

Open nlebovits opened this issue 1 year ago • 7 comments

Describe the task

We would like to integrate the community edition of SonarQube into the repository with GitHub actions. The goal is to improve our devops and reduce the load on our leads when reviewing PRs.

Acceptance Criteria

  • [ ] SonarQube configuration files added to the repository
  • [ ] SonarQube GitHub Actions Workflow added to the repository for both the Python and JavaScript/TypeScript parts of the codebase
  • [ ] Relevant secrets stored in the GitHub repo (contact @CodeWritingCow or @nlebovits if you run into permissions issues)
  • [ ] Add SonarQube configurations to the .vscode/settings.json to improve dev experience in VSCode

nlebovits avatar Jul 16 '24 17:07 nlebovits

Hello, I'd like to work on this issue. Please assign it to me.

csharpie avatar Jul 17 '24 12:07 csharpie

@csharpie Assigned!

nlebovits avatar Jul 17 '24 12:07 nlebovits

Thanks Nissim.

Brad


csharpie avatar Jul 17 '24 22:07 csharpie

I'll add a note on Slack too, but it looks like SonarQube's Community Edition (because it's installed locally) doesn't support Pull Request Decorations. However, there's an unofficial GitHub repository that does support this. I plan to look into this to see the feasibility.

csharpie avatar Jul 23 '24 21:07 csharpie

Hello @csharpie, any update on this ticket? We normally reassign the ticket if there's no activity on it for 1 week. I wanted to reach out before doing that. Thanks!

CodeWritingCow avatar Aug 05 '24 19:08 CodeWritingCow

Hey Gary,

I spent some time on it yesterday and made significant progress I think. I will update the issue today and let you know where I’ve left off.

Thanks for following up.

Sincerely, Brad Steinberg


csharpie avatar Aug 05 '24 19:08 csharpie

Hi Team,

I unfortunately hit a bit of a roadblock with getting the yml file built for this, and I don't have a working GitHub workflow yml file to commit. Here's what I've learned so far in hopes that this helps whoever takes this issue on next.

SonarQube is not available in a cloud-hosted Community Edition, but SonarCloud is, and it is available at the Free Tier for Open Source Projects! I'd highly recommend reading through this Dev.to article. These are articles and documentation that I found helpful for getting me up to speed on SonarCloud with GitHub Actions:

  • https://dev.to/remast/go-for-sonarcloud-with-github-actions-3pmn
  • https://medium.com/@rahulsharan512/integrating-sonarcloud-with-github-actions-for-secure-code-analysis-26a7fa206d40
  • https://docs.sonarsource.com/sonarqube/latest/devops-platform-integration/github-integration/adding-analysis-to-github-actions-workflow/

csharpie avatar Aug 06 '24 03:08 csharpie
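An added example (not from this repository or any of the commenters) of the kind of GitHub Actions workflow the acceptance criteria and the linked SonarCloud articles describe, analysing both the Python and the JavaScript/TypeScript code in one scan. The organization key, project key and Python version are placeholders; the action, its `args` input and the `sonar.*` properties are the ones SonarSource documents, and the token is read from a repository secret rather than committed.

```yaml
# .github/workflows/sonarcloud.yml (added example; placeholder values are marked)
name: SonarCloud analysis

on:
  push:
    branches: [main]
  # Use `pull_request`, not `pull_request_target`: GitHub withholds repository
  # secrets from fork PRs, so the SONAR_TOKEN is never handed to untrusted code.
  pull_request:
    types: [opened, synchronize, reopened]

# Least privilege for the job token: the scanner only reads the checkout and PR metadata.
permissions:
  contents: read
  pull-requests: read

jobs:
  sonarcloud:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Full history so SonarCloud can attribute "new code" and blame correctly.
          fetch-depth: 0

      - name: SonarCloud scan
        # Pin to a released tag or full commit SHA before merging instead of master.
        uses: SonarSource/sonarcloud-github-action@master
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Stored as a GitHub repository secret (acceptance criterion 3); never in the repo.
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        with:
          args: >
            -Dsonar.organization=PLACEHOLDER_ORG_KEY
            -Dsonar.projectKey=PLACEHOLDER_PROJECT_KEY
            -Dsonar.sources=.
            -Dsonar.python.version=3.11
            -Dsonar.exclusions=**/node_modules/**,**/.venv/**,**/dist/**
```

The same `sonar.*` keys can live in a `sonar-project.properties` file at the repository root instead of `args`, which is the form the first acceptance criterion asks for.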

I'm going to go ahead and say that this is too much work to justify. We're better off using lower-tech, static tools (e.g., vulture and pylint, plus writing tests).

nlebovits avatar Sep 24 '24 14:09 nlebovits