PFM-TASK-7338 - Backport Sonar Scan in github-actions (#118)

changelog: Frontend-Core: [PFM-TASK-7338] Fix: Backport Sonar and improve workflow permissions [PR github-actions#118]

Author: slaven3kopic

.github/workflow-templates/fe/fe-check-upmerge.yml

@@ -4,7 +4,11 @@ on:
     # Runs "At 18:00 every day" (see https://crontab.guru)
     - cron: '0 18 * * *'
 
-permissions: write-all
+permissions:
+  contents: write
+  pull-requests: write
+  actions: read
+  checks: write
 
 jobs:
   check-upmerge:

.github/workflow-templates/fe/fe-cleanup-snapshots.yml

@@ -4,7 +4,11 @@ on:
     # Runs "At 00:00 on day-of-month 28 in every 3rd month." (see https://crontab.guru)
     - cron: '0 0 28 */3 *'
 
-permissions: write-all
+permissions:
+  contents: write
+  pull-requests: write
+  actions: read
+  checks: write
 
 jobs:
   cleanup-snapshots:

.github/workflow-templates/fe/fe-licenses.yml

@@ -5,7 +5,11 @@ on:
       - 'package.json'
       - 'package-lock.json'
 
-permissions: write-all
+permissions:
+  contents: write
+  pull-requests: write
+  actions: read
+  checks: write
 
 env:
   NX_BRANCH: ${{ github.event.number }}

.github/workflow-templates/fe/fe-main.yml

@@ -5,7 +5,11 @@ on:
       - main
       - master
 
-permissions: write-all
+permissions:
+  contents: write
+  pull-requests: write
+  actions: read
+  checks: write
 
 env:
   NX_BRANCH: ${{ github.event.number }}

.github/workflow-templates/fe/fe-pr-close.yml

@@ -5,7 +5,11 @@ on:
     branches:
       - '**'
 
-permissions: write-all
+permissions:
+  contents: write
+  pull-requests: write
+  actions: read
+  checks: write
 
 jobs:
   remove-artifacts:

.github/workflow-templates/fe/fe-pr-snapshot.yml

@@ -5,7 +5,11 @@ on:
     branches:
       - '**'
 
-permissions: write-all
+permissions:
+  contents: write
+  pull-requests: write
+  actions: read
+  checks: write
 
 jobs:
   publish-pr-snapshot:

.github/workflow-templates/fe/fe-pr.yml

@@ -4,7 +4,11 @@ on:
     branches:
       - '**'
 
-permissions: write-all
+permissions:
+  contents: write
+  pull-requests: write
+  actions: read
+  checks: write
 
 env:
   NX_BRANCH: ${{ github.event.number }}

.github/workflow-templates/fe/fe-release.yml

@@ -4,7 +4,11 @@ on:
     branches:
       - 'release/*'
 
-permissions: write-all
+permissions:
+  contents: write
+  pull-requests: write
+  actions: read
+  checks: write
 
 env:
   NX_BRANCH: ${{ github.event.number }}

.github/workflow-templates/fe/fe-tag-pushed.yml

@@ -4,7 +4,11 @@ on:
     tags:
       - '*/*'
 
-permissions: write-all
+permissions:
+  contents: write
+  pull-requests: write
+  actions: read
+  checks: write
 
 env:
   NX_BRANCH: ${{ github.event.number }}

.github/workflows/fe-code-quality.yml

@@ -1,6 +1,31 @@
 name: Frontend Code Quality Workflow
 
-on: workflow_call
+on:
+  workflow_call:
+    secrets:
+      SONAR_CLOUD_TOKEN:
+        required: false
+    inputs:
+      SONAR_CLOUD_ORG:
+        required: false
+        description: "SonarCloud organization key, e.g., 'my-org'"
+        type: string
+        default: "collaborationfactory"
+      SONAR_CLOUD_PROJECT_KEY:
+        required: false
+        description: "SonarCloud project key, e.g., 'my-project'"
+        type: string
+        default: ""
+      SONAR_PROPERTIES:
+        required: false
+        description: "Additional sonar-project.properties content"
+        type: string
+        default: ""
+      GITHUB_RUNNER:
+        required: false
+        description: "Github runner which is used to run sonar scan jobs"
+        type: string
+        default: 'medium'
 
 jobs:
   code-quality:
@@ -9,15 +34,17 @@ jobs:
       matrix:
         target: [ 'test' ]
         jobIndex: [ 1, 2, 3,4 ]
+      fail-fast: false # Continue running all matrix combinations even if one fails
     env:
       jobCount: 4
+      coverageEnabled: ${{ secrets.SONAR_CLOUD_TOKEN != '' }}
     steps:
       - uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.head.ref }}
           fetch-depth: 0
 
-      - uses: actions/setup-node@v3
+      - uses: actions/setup-node@v4
         with:
           node-version: 18.19.1
       - name: Cache Node Modules
@@ -33,11 +60,123 @@ jobs:
       - name: Linter
         run: npx nx affected --target=lint --parallel --configuration=dev --base=origin/${{ github.event.pull_request.base.ref }}
 
+      - name: Fetch base branch
+        run: git fetch origin ${{ github.event.pull_request.base.ref }}:${{ github.event.pull_request.base.ref }} || true
+
       - name: Unit Tests
+        id: test
         uses: collaborationFactory/github-actions/.github/actions/run-many@release/25.2
+        continue-on-error: true
         with:
           target: ${{ matrix.target }}
           jobIndex: ${{ matrix.jobIndex }}
           jobCount: ${{ env.jobCount }}
           base: ${{ github.event.pull_request.base.ref }}
           ref: ${{ github.event.pull_request.head.ref }}
+
+      - name: Upload Coverage Reports
+        if: ${{ env.coverageEnabled == 'true' }}
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage-${{ matrix.jobIndex }}
+          path: coverage/
+          retention-days: 7
+
+      - name: Fail pipeline if test step failed
+        run: |
+          if [ "${{ steps.test.outcome }}" = "failure" ]; then
+            echo "Unit tests step failed, failing the pipeline."
+            exit 1
+          fi
+
+  check-sonar:
+    name: Check SonarCloud Configuration
+    runs-on: ubuntu-latest
+    outputs:
+      has_token: ${{ steps.check.outputs.has_token }}
+    steps:
+      - name: Check if SONAR_CLOUD_TOKEN exists
+        id: check
+        run: |
+          if [ -n "${{ secrets.SONAR_CLOUD_TOKEN }}" ]; then
+            echo "has_token=true" >> $GITHUB_OUTPUT
+            echo "SonarCloud token is configured"
+          else
+            echo "has_token=false" >> $GITHUB_OUTPUT
+            echo "SonarCloud token is not configured, skipping SonarCloud analysis"
+          fi
+
+  sonar:
+    name: SonarCloud
+    needs: [code-quality, check-sonar]
+    if: needs.check-sonar.outputs.has_token == 'true'
+    runs-on: {{ inputs.GITHUB_RUNNER }}
+    steps:
+      - name: Set SonarCloud Project Key
+        id: set-project-key
+        run: |
+          if [ -z "${{ inputs.SONAR_CLOUD_PROJECT_KEY }}" ]; then
+            echo "project_key=collaborationFactory_${{ github.event.repository.name }}" >> $GITHUB_OUTPUT
+          else
+            echo "project_key=${{ inputs.SONAR_CLOUD_PROJECT_KEY }}" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Write sonar-project.properties
+        run: |
+          echo "sonar.host.url=https://sonarcloud.io" > sonar-project.properties
+          echo "sonar.organization=${{ inputs.SONAR_CLOUD_ORG }}" >> sonar-project.properties
+          echo "sonar.projectKey=${{ steps.set-project-key.outputs.project_key }}" >> sonar-project.properties
+          echo "sonar.test.inclusions=**/*.spec.ts,**/*.test.ts,**/*.spec.tsx,**/*.test.tsx" >> sonar-project.properties
+          echo "sonar.javascript.lcov.reportPaths=./coverage/lcov.info" >> sonar-project.properties
+          if [ -n "${{ inputs.SONAR_PROPERTIES }}" ]; then
+            echo "${{ inputs.SONAR_PROPERTIES }}" >> sonar-project.properties
+          fi
+          cat sonar-project.properties
+
+      - name: download coverage report
+        uses: actions/download-artifact@v4
+        with:
+          path: ./coverage
+          pattern: coverage-*
+          merge-multiple: true
+
+      - name: Check for LCOV files
+        id: check-lcov
+        run: |
+          if find ./coverage -name "lcov*.info" -type f | grep -q .; then
+            echo "lcov_exists=true" >> $GITHUB_OUTPUT
+            echo "LCOV files found, will proceed with merge"
+          else
+            echo "lcov_exists=false" >> $GITHUB_OUTPUT
+            echo "No LCOV files found, skipping merge"
+          fi
+
+      - name: Merge matrix coverage reports
+        if: steps.check-lcov.outputs.lcov_exists == 'true'
+        run: |
+          echo "=== Finding all LCOV files ==="
+          find ./coverage -name "lcov*.info" -type f
+          echo ""
+          echo "=== Merging coverage files ==="
+          npx lcov-result-merger "coverage/**/lcov*.info" coverage/lcov.info
+          echo ""
+          echo "=== Merge completed ==="
+          ls -lh ./coverage/lcov.info
+
+      - name: Normalize LCOV paths for Linux
+        if: steps.check-lcov.outputs.lcov_exists == 'true'
+        run: |
+          if [ -f "./coverage/lcov.info" ]; then
+            sed -i 's|\\|/|g' ./coverage/lcov.info
+            echo "Normalized LCOV paths to Unix format"
+          fi
+
+      - name: SonarQube Scan
+        uses: SonarSource/sonarqube-scan-action@v6
+        env:
+          SONAR_TOKEN: ${{ secrets.SONAR_CLOUD_TOKEN }}