SLLS-549 fix: resolve 5 SonarQube code quality issues #10
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: SCA Check | |
| on: | |
| pull_request: | |
| merge_group: | |
| permissions: | |
| id-token: write | |
| contents: read | |
| jobs: | |
| verify-sca: | |
| runs-on: warp-custom-ubuntu-24-04 | |
| # `id-token: write` (above) makes GitHub mint an OIDC token, which the | |
| # check-sca composite action exchanges with Vault for SonarQube | |
| # credentials. Per the SonarSource OIDC standard, the `environment` | |
| # claim is mandatory: Vault role bindings include it in | |
| # `include_claim_keys` by default. A job with `id-token: write` but no | |
| # `environment:` produces a token without the claim, and Vault rejects | |
| # it: "OIDC error: the claim 'environment' cannot be null or empty". | |
| # `sca-checking` is appropriate here as it is a unique value and | |
| # will not be triggered on dev deploys. | |
| environment: sca-checking | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - uses: SonarSource/ci-github-actions/check-sca@master |