From: Kevin Sandi Date: Mon, 14 Nov 2022 06:19:14 +0000 (-0600) Subject: Feat: use credential for sonarcloud token X-Git-Tag: v0.83.0~1^2 X-Git-Url: https://gerrit.linuxfoundation.org/infra/gitweb?p=releng%2Fglobal-jjb.git;a=commitdiff_plain;h=1653ce48afb56c73068cf76f428949c4c28ff801 Feat: use credential for sonarcloud token Signed-off-by: Kevin Sandi Change-Id: I4c2b513a32d44795cc40832622dc6054640940a0 --- diff --git a/.jjb-test/lf-maven-jobs/maven-sonarcloud.yaml b/.jjb-test/lf-maven-jobs/maven-sonarcloud.yaml index fae97296..39acf4b5 100644 --- a/.jjb-test/lf-maven-jobs/maven-sonarcloud.yaml +++ b/.jjb-test/lf-maven-jobs/maven-sonarcloud.yaml @@ -12,7 +12,7 @@ sonarcloud: true sonarcloud-project-key: KEY sonarcloud-project-organization: ORGANIZATION - sonarcloud-api-token: TOKEN + sonarcloud-api-token-cred-id: TOKEN scan-dev-branch: false sonarcloud-qualitygate-wait: false @@ -29,7 +29,7 @@ sonarcloud: true sonarcloud-project-key: KEY sonarcloud-project-organization: ORGANIZATION - sonarcloud-api-token: TOKEN + sonarcloud-api-token-cred-id: TOKEN sonar-prescan-script: | echo "Run script at start of job." scan-dev-branch: false @@ -48,6 +48,6 @@ sonarcloud: true sonarcloud-project-key: KEY sonarcloud-project-organization: ORGANIZATION - sonarcloud-api-token: TOKEN + sonarcloud-api-token-cred-id: TOKEN scan-dev-branch: true sonarcloud-qualitygate-wait: true diff --git a/docs/jjb/lf-c-cpp-jobs.rst b/docs/jjb/lf-c-cpp-jobs.rst index 51e1bace..ef34b1e8 100644 --- a/docs/jjb/lf-c-cpp-jobs.rst +++ b/docs/jjb/lf-c-cpp-jobs.rst @@ -285,7 +285,6 @@ configuration does not support multi-branch. :build-node: The node to run build on. :jenkins-ssh-credential: Credential to use for SSH. (Configure in defaults.yaml) - :sonarcloud-api-token: SonarCloud API Token. :sonarcloud-organization: SonarCloud project organization. :sonarcloud-project-key: SonarCloud project key. @@ -305,6 +304,9 @@ configuration does not support multi-branch. setting up dependencies. (default: '') :sonar-scanner-version: Version of sonar-scanner to install. (see YAML for default value; e.g., 3.3.0.1492) + :sonarcloud-api-token-cred-id: Jenkins credential ID which has the SonarCloud API Token. + This one SHOULDN'T be overwritten as per we are standarizing the credential ID for all + projects (default: 'sonarcloud-api-token') :submodule-recursive: Whether to checkout submodules recursively. (default: true) :submodule-timeout: Timeout (in minutes) for checkout operation. diff --git a/docs/jjb/lf-maven-jobs.rst b/docs/jjb/lf-maven-jobs.rst index c3ab35b3..c9208a18 100644 --- a/docs/jjb/lf-maven-jobs.rst +++ b/docs/jjb/lf-maven-jobs.rst @@ -39,7 +39,6 @@ Runs Sonar against a Maven project and pushes results to SonarCloud. :mvn-settings: Maven settings.xml file containing credentials to use. :sonarcloud-project-key: SonarCloud project key. :sonarcloud-project-organization: SonarCloud project organization. - :sonarcloud-api-token: SonarCloud API Token. :sonarcloud-java-version: Version of Java to run the Sonar scan. (default: openjdk11) :sonarcloud-qualitygate-wait: SonarCloud flag that forces the analysis step to wait for the quality gate result. (default: false) @@ -526,7 +525,9 @@ multi-branch configuration. :sonarcloud-project-key: SonarCloud project key. (default: '') :sonarcloud-project-organization: SonarCloud project organization. (default: '') - :sonarcloud-api-token: SonarCloud API Token. (default: '') + :sonarcloud-api-token-cred-id: Jenkins credential ID which has the SonarCloud API Token. + This one SHOULDN'T be overwritten as per we are standarizing the credential ID for all + projects (default: 'sonarcloud-api-token') :sonarcloud-java-version: Version of Java to use for the Sonar scan. (default: openjdk11) :stream: Keyword that represents a release code-name. Often the same as the branch. (default: master) @@ -589,7 +590,9 @@ This job runs on dev branches and its triggered on new patchsets. :sonarcloud-project-key: SonarCloud project key. (default: '') :sonarcloud-project-organization: SonarCloud project organization. (default: '') - :sonarcloud-api-token: SonarCloud API Token. (default: '') + :sonarcloud-api-token-cred-id: Jenkins credential ID which has the SonarCloud API Token. + This one SHOULDN'T be overwritten as per we are standarizing the credential ID for all + projects (default: 'sonarcloud-api-token') :sonarcloud-java-version: Version of Java to use for the Sonar scan. (default: openjdk11) :sonarcloud-qualitygate-wait: SonarCloud flag that forces the analysis step to wait for the quality gate result. (default: false) diff --git a/docs/jjb/lf-python-jobs.rst b/docs/jjb/lf-python-jobs.rst index 36f2779b..08d8637b 100644 --- a/docs/jjb/lf-python-jobs.rst +++ b/docs/jjb/lf-python-jobs.rst @@ -193,7 +193,9 @@ https://docs.sonarcloud.io/advanced-setup/ci-based-analysis/sonarscanner-cli/ :sonarcloud-project-key: SonarCloud project key. (default: '') :sonarcloud-project-organization: SonarCloud project organization. (default: '') - :sonarcloud-api-token: SonarCloud API Token. (default: '') + :sonarcloud-api-token-cred-id: Jenkins credential ID which has the SonarCloud API Token. + This one SHOULDN'T be overwritten as per we are standarizing the credential ID for all + projects (default: 'sonarcloud-api-token') :sonar-scanner-home: Sonar scanner home directory. (default: $WORKSPACE/.sonar/sonar-scanner-$SONAR_SCANNER_VERSION-linux) :sonar-scanner-opts: Sonar scanner Java options. (default: '-server') @@ -306,7 +308,9 @@ https://docs.sonarqube.org/display/PLUG/Python+Coverage+Results+Import :sonarcloud-project-key: SonarCloud project key. (default: '') :sonarcloud-project-organization: SonarCloud project organization. (default: '') - :sonarcloud-api-token: SonarCloud API Token. (default: '') + :sonarcloud-api-token-cred-id: Jenkins credential ID which has the SonarCloud API Token. + This one SHOULDN'T be overwritten as per we are standarizing the credential ID for all + projects (default: 'sonarcloud-api-token') :sonar-mvn-goal: The Maven goal to run the Sonar plugin. (default: sonar:sonar) :stream: Keyword used to represent a release code-name. Often the same as the branch. (default: master) diff --git a/jjb/lf-c-cpp-jobs.yaml b/jjb/lf-c-cpp-jobs.yaml index d1ba86f0..92057b70 100644 --- a/jjb/lf-c-cpp-jobs.yaml +++ b/jjb/lf-c-cpp-jobs.yaml @@ -490,7 +490,7 @@ make-opts: "" pre-build: "" sonar-scanner-version: 3.3.0.1492 - sonarcloud-api-token: "" + sonarcloud-api-token-cred-id: sonarcloud-api-token sonarcloud-organization: "" sonarcloud-project-key: "" stream: master @@ -508,10 +508,15 @@ SONAR_SCANNER_VERSION={sonar-scanner-version} PROJECT_KEY={sonarcloud-project-key} PROJECT_ORGANIZATION={sonarcloud-organization} - API_TOKEN={sonarcloud-api-token} - shell: !include-raw-escape: ../shell/cmake-sonar.sh - lf-provide-maven-settings-cleanup + wrappers: + - credentials-binding: + - text: + credential-id: '{sonarcloud-api-token-cred-id}' + variable: API_TOKEN + - job-template: name: "{project-name}-cmake-sonar" id: gerrit-cmake-sonar diff --git a/jjb/lf-maven-jobs.yaml b/jjb/lf-maven-jobs.yaml index 5dbeef2d..e4a3442b 100644 --- a/jjb/lf-maven-jobs.yaml +++ b/jjb/lf-maven-jobs.yaml @@ -1161,7 +1161,7 @@ sonarcloud: false sonarcloud-project-key: "" sonarcloud-project-organization: "" - sonarcloud-api-token: "" + sonarcloud-api-token-cred-id: sonarcloud-api-token sonarcloud-qualitygate-wait: false # SonarCloud scan using jdk8 will become deprecated by Oct, 2020 # Projects not compatible with jdk11 can set java-version to something else @@ -1208,6 +1208,12 @@ however to use a specific version of the sonar-maven-plugin we can call "org.codehaus.mojo:sonar-maven-plugin:3.3.0.603:sonar". + wrappers: + - credentials-binding: + - text: + credential-id: '{sonarcloud-api-token-cred-id}' + variable: API_TOKEN + triggers: - timed: "{obj:cron}" - gerrit: @@ -1247,7 +1253,6 @@ mvn-version: "{mvn-version}" sonarcloud-project-key: "{sonarcloud-project-key}" sonarcloud-project-organization: "{sonarcloud-project-organization}" - sonarcloud-api-token: "{sonarcloud-api-token}" sonarcloud-java-version: "{sonarcloud-java-version}" sonarcloud-qualitygate-wait: "{sonarcloud-qualitygate-wait}" scan-dev-branch: "{scan-dev-branch}" @@ -1283,7 +1288,6 @@ mvn-version: "{mvn-version}" sonarcloud-project-key: "{sonarcloud-project-key}" sonarcloud-project-organization: "{sonarcloud-project-organization}" - sonarcloud-api-token: "{sonarcloud-api-token}" sonarcloud-java-version: "{sonarcloud-java-version}" sonarcloud-qualitygate-wait: "{sonarcloud-qualitygate-wait}" scan-dev-branch: "{scan-dev-branch}" @@ -1347,7 +1351,6 @@ PROJECT_KEY={sonarcloud-project-key} PROJECT_ORGANIZATION={sonarcloud-project-organization} MAVEN_GOALS={mvn-goals} - API_TOKEN={sonarcloud-api-token} SONARCLOUD_JAVA_VERSION={sonarcloud-java-version} SCAN_DEV_BRANCH={scan-dev-branch} SONARCLOUD_QUALITYGATE_WAIT={sonarcloud-qualitygate-wait} diff --git a/jjb/lf-python-jobs.yaml b/jjb/lf-python-jobs.yaml index d9fcdb82..04bb01c5 100644 --- a/jjb/lf-python-jobs.yaml +++ b/jjb/lf-python-jobs.yaml @@ -420,7 +420,7 @@ sonarcloud: false sonarcloud-project-key: "" sonarcloud-project-organization: "" - sonarcloud-api-token: "" + sonarcloud-api-token-cred-id: sonarcloud-api-token sonarcloud-qualitygate-wait: false # SonarCloud scan using jdk8 will become deprecated by Oct, 2020 # Projects not compatible with jdk11 can set java-version to something else @@ -478,6 +478,12 @@ however to use a specific version of the sonar-maven-plugin we can call "org.codehaus.mojo:sonar-maven-plugin:3.3.0.603:sonar". + wrappers: + - credentials-binding: + - text: + credential-id: '{sonarcloud-api-token-cred-id}' + variable: API_TOKEN + builders: - lf-infra-pre-build - lf-infra-tox-install: @@ -502,7 +508,6 @@ sonarcloud-project-key: "{sonarcloud-project-key}" # yamllint disable-line rule:line-length sonarcloud-project-organization: "{sonarcloud-project-organization}" - sonarcloud-api-token: "{sonarcloud-api-token}" sonarcloud-java-version: "{sonarcloud-java-version}" sonarcloud-qualitygate-wait: "{sonarcloud-qualitygate-wait}" scan-dev-branch: "{scan-dev-branch}" diff --git a/releasenotes/notes/use-cred-for-sonarcloud-api-token-04ae5b3345896c1d.yaml b/releasenotes/notes/use-cred-for-sonarcloud-api-token-04ae5b3345896c1d.yaml new file mode 100644 index 00000000..4938493e --- /dev/null +++ b/releasenotes/notes/use-cred-for-sonarcloud-api-token-04ae5b3345896c1d.yaml @@ -0,0 +1,6 @@ +--- +features: + - | + Replace the usage of plaintext sonarcloud api token with a Jenkins credential. + The default value for the credential ID is 'sonarcloud-api-token' and we are + standarizing it for all projects so this parameter does not require an override