diff --git a/.github/workflows/pull-request-kotlin.yml b/.github/workflows/pull-request-kotlin.yml
index 2157600..7927487 100644
--- a/.github/workflows/pull-request-kotlin.yml
+++ b/.github/workflows/pull-request-kotlin.yml
@@ -46,6 +46,9 @@ on:
 default: false
 description: 'Skip PR title check'
 secrets:
+ TAILSCALE_AUTHKEY:
+ required: false
+ description: "Tailscale auth key. When set, the runner joins the tailnet so it can reach the self-hosted SonarQube. Leave unset to keep scanning SonarCloud."
 GHL_USERNAME:
 required: true
 description: "Github Username (Gradle plugin)"
@@ -54,7 +57,7 @@ on:
 description: "Github Password (Gradle plugin)"
 SONAR_TOKEN:
 required: true
- description: "SonarCloud token"
+ description: "SonarQube token"
 jobs:
 setup:
 name: Setup
@@ -77,6 +80,8 @@ jobs:
 needs: setup
 runs-on: ${{ needs.setup.outputs.runner-name }}
 timeout-minutes: ${{ inputs.test-timeout-minutes }}
+ env:
+ TAILSCALE_AUTHKEY: ${{ secrets.TAILSCALE_AUTHKEY }}
 steps:
 # Checkout
 - name: Checkout
@@ -142,7 +147,17 @@ jobs:
 /home/runner/.gradle/daemon/**/daemon-*.out.log
 retention-days: 2
 overwrite: true
- - name: Upload results to SonarCloud
+ # The self-hosted SonarQube lives behind the Monta VPN, so the runner
+ # needs to join the tailnet before the scan step can reach it. Skipped
+ # automatically for repos still on SonarCloud (no TAILSCALE_AUTHKEY passed).
+ - name: Tailscale
+ if: ${{ !inputs.skip-sonar && env.TAILSCALE_AUTHKEY != '' }}
+ uses: tailscale/github-action@6cae46e2d796f265265cfcf628b72a32b4d7cade # v3.3.0
+ with:
+ authkey: ${{ env.TAILSCALE_AUTHKEY }}
+ hostname: "github-${{ github.run_id }}"
+ args: "--login-server https://headscale.monta.com --accept-routes"
+ - name: Upload results to SonarQube
 if: ${{ !inputs.skip-sonar }}
 env:
 GHL_USERNAME: ${{ secrets.GHL_USERNAME }}
diff --git a/.github/workflows/sonar-cloud.yml b/.github/workflows/sonar-cloud.yml
index 98498f9..7a76d99 100644
--- a/.github/workflows/sonar-cloud.yml 
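Review bot: The job-level `env: TAILSCALE_AUTHKEY: ${{ secrets.TAILSCALE_AUTHKEY }}` added in the `@@ -77,6 +80,8 @@` hunk puts the tailnet auth key into the process environment of every step in the test job, including the build and test steps that execute the repository's Gradle scripts and plugins, while only the Tailscale step in the `@@ -142,7 +147,17 @@` hunk actually needs it; the same pattern is repeated in sonar-cloud.yml (`@@ -49,10 +52,12 @@` and `@@ -73,12 +78,22 @@`). Presumably the key was lifted into the job env because a step-level `if` cannot read the `secrets` context, but the gate can be derived from a one-line check step with the secret scoped to that step only, and the action's `authkey` input can take `${{ secrets.TAILSCALE_AUTHKEY }}` directly in `with:`. Independently of that, because the step passes `--accept-routes`, the runner can reach any subnet routes the tailnet advertises, not only SonarQube, so the key handed out here should be an ephemeral, tagged key whose ACL permits nothing beyond the SonarQube host and port; worth stating in the three-line comment above `- name: Tailscale`, e.g. `# Expects an ephemeral, tagged auth key whose ACL only allows reaching SonarQube.`
```yaml
      - name: Check whether Tailscale is configured
        id: tailscale
        if: ${{ !inputs.skip-sonar }}
        env:
          TAILSCALE_AUTHKEY: ${{ secrets.TAILSCALE_AUTHKEY }}
        run: echo "enabled=$([ -n "$TAILSCALE_AUTHKEY" ] && echo true || echo false)" >> "$GITHUB_OUTPUT"
      - name: Tailscale
        if: ${{ !inputs.skip-sonar && steps.tailscale.outputs.enabled == 'true' }}
        uses: tailscale/github-action@6cae46e2d796f265265cfcf628b72a32b4d7cade # v3.3.0
        with:
          authkey: ${{ secrets.TAILSCALE_AUTHKEY }}
          # … unchanged: hostname, args …
```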
+++ b/.github/workflows/sonar-cloud.yml
@@ -1,4 +1,4 @@
-name: Sonar Cloud Analysis
+name: SonarQube Analysis
 on:
 workflow_call:
 inputs:
@@ -26,6 +26,9 @@ on:
 default: "--no-daemon --parallel"
 description: 'Additional Gradle arguments'
 secrets:
+ TAILSCALE_AUTHKEY:
+ required: false
+ description: "Tailscale auth key. When set, the runner joins the tailnet so it can reach the self-hosted SonarQube. Leave unset to keep scanning SonarCloud."
 GHL_USERNAME:
 required: true
 description: "Github Username (Gradle plugin)"
@@ -49,10 +52,12 @@ jobs:
 runner-size: ${{ inputs.runner-size }}
 architecture: ${{ inputs.architecture }}
 sonar-cloud:
- name: Sonar Cloud Analysis
+ name: SonarQube Analysis
 needs: setup
 runs-on: ${{ needs.setup.outputs.runner-name }}
 timeout-minutes: 30
+ env:
+ TAILSCALE_AUTHKEY: ${{ secrets.TAILSCALE_AUTHKEY }}
 steps:
 - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 with:
@@ -73,12 +78,22 @@ jobs:
 key: ${{ runner.os }}-gradle-main-${{ github.sha }}
 restore-keys: |
 ${{ runner.os }}-gradle-main-
- - name: Cache SonarCloud packages
+ - name: Cache SonarQube packages
 uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
 with:
 path: ~/.sonar/cache
 key: ${{ runner.os }}-sonar
 restore-keys: ${{ runner.os }}-sonar
+ # The self-hosted SonarQube lives behind the Monta VPN, so the runner
+ # needs to join the tailnet before the scan step can reach it. Skipped
+ # automatically for repos still on SonarCloud (no TAILSCALE_AUTHKEY passed).
+ - name: Tailscale
+ if: ${{ env.TAILSCALE_AUTHKEY != '' }}
+ uses: tailscale/github-action@6cae46e2d796f265265cfcf628b72a32b4d7cade # v3.3.0
+ with:
+ authkey: ${{ env.TAILSCALE_AUTHKEY }}
+ hostname: "github-${{ github.run_id }}"
+ args: "--login-server https://headscale.monta.com --accept-routes"
 - name: Build and analyze
 env:
 GHL_USERNAME: ${{ secrets.GHL_USERNAME }}
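Review bot: In the `@@ -73,12 +78,22 @@` hunk the new Tailscale step is placed directly before `- name: Build and analyze`, so the entire Gradle build, which executes the repository's build scripts and plugins, runs with the runner already attached to the internal network, whereas pull-request-kotlin.yml joins the tailnet only after the build and test artifacts have been uploaded. If the scan can be split from the build in this workflow, the join should move to just before the scan-only step so that the window in which untrusted build code has a route into the VPN is as short as possible; if the two cannot be separated, that trade-off deserves a sentence in the comment above `- name: Tailscale`, e.g. `# NOTE: the build below runs while the runner is on the tailnet; keep the auth key's ACL restricted to SonarQube.` The `Build and analyze` step itself continues past the end of the hunk, so I cannot tell from here whether it already separates build from scan.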