feat: add SonarCloud analysis to frontend workflows and reusable workflow (#167)

Author: kb-typeform

.github/workflows/frontend-deploy-workflow.yml

@@ -85,6 +85,16 @@ on:
         type: string
         default: 'production'
 
+      # SonarCloud configuration
+      run-sonarcloud:
+        description: 'Run SonarCloud analysis'
+        type: boolean
+        default: true
+      sonarcloud-timeout:
+        description: 'SonarCloud job timeout (minutes)'
+        type: number
+        default: 10
+      
       # Timeout configuration
       build-timeout:
         description: 'Build job timeout (minutes)'
@@ -104,6 +114,8 @@ on:
     secrets:
       GH_TOKEN:
         required: true
+      SONAR_CLOUD_TOKEN:
+        required: false
       DATADOG_API_KEY:
         required: false
       LINEARB_API_KEY:
@@ -177,7 +189,26 @@ jobs:
           path: ${{ inputs.build-output-dir }}
           retention-days: 1
 
-  # Job 2: Deploy to Production
+  # Job 2: SonarCloud Analysis (parallel with deploy)
+  sonarcloud:
+    name: 🔍 SonarCloud
+    if: inputs.run-sonarcloud
+    needs: build
+    permissions:
+      contents: read
+    uses: Typeform/.github/reusable-workflows/sonarcloud-scan/workflow.yml@v1
+    with:
+      app-name: ${{ inputs.app-name }}
+      node-version: ${{ inputs.node-version }}
+      use-asdf: ${{ inputs.use-asdf }}
+      runner: ${{ inputs.runner }}
+      coverage-artifact-name: ''  # No coverage for main branch deployments
+      timeout: ${{ inputs.sonarcloud-timeout }}
+    secrets:
+      GH_TOKEN: ${{ secrets.GH_TOKEN }}
+      SONAR_CLOUD_TOKEN: ${{ secrets.SONAR_CLOUD_TOKEN }}
+  
+  # Job 3: Deploy to Production
   deploy:
     name: 🚀 Deploy to Production
     needs: build

.github/workflows/frontend-pr-workflow.yml

@@ -79,6 +79,22 @@ on:
         type: string
         default: 'none'
 
+      # SonarCloud configuration
+      run-sonarcloud:
+        description: 'Run SonarCloud analysis'
+        type: boolean
+        default: true
+      sonarcloud-timeout:
+        description: 'SonarCloud job timeout (minutes)'
+        type: number
+        default: 10
+      
+      # GraphQL configuration
+      run-graphql-persisted-operations:
+        description: 'Generate GraphQL persisted operations for BFF allow list'
+        type: boolean
+        default: false
+      
       # E2E configuration
       run-deep-purple:
         description: 'Run Deep Purple E2E tests'
@@ -150,6 +166,8 @@ on:
     secrets:
       GH_TOKEN:
         required: true
+      SONAR_CLOUD_TOKEN:
+        required: false
       DATADOG_API_KEY:
         required: false
       JENKINS_OKTA_USERNAME:
@@ -378,7 +396,37 @@ jobs:
       - name: Print GitHub SHA
         run: echo "The commit SHA is ${{ github.sha }}"
 
-  # Job 5: Deep Purple E2E Tests
+  # Job 5: SonarCloud Analysis (parallel with tests)
+  sonarcloud:
+    name: 🔍 SonarCloud
+    if: inputs.run-sonarcloud
+    needs: build
+    permissions:
+      contents: read
+    uses: Typeform/.github/reusable-workflows/sonarcloud-scan/workflow.yml@v1
+    with:
+      app-name: ${{ inputs.app-name }}
+      node-version: ${{ inputs.node-version }}
+      use-asdf: ${{ inputs.use-asdf }}
+      runner: ${{ inputs.runner }}
+      coverage-artifact-name: ${{ inputs.run-unit-tests && format('coverage-{0}', github.run_id) || '' }}
+      timeout: ${{ inputs.sonarcloud-timeout }}
+    secrets:
+      GH_TOKEN: ${{ secrets.GH_TOKEN }}
+      SONAR_CLOUD_TOKEN: ${{ secrets.SONAR_CLOUD_TOKEN }}
+  
+  # Job 6: GraphQL Persisted Operations (parallel with tests)
+  graphql-persisted-operations:
+    name: 🔐 GraphQL Persisted Operations
+    if: inputs.run-graphql-persisted-operations
+    needs: build
+    permissions:
+      contents: read
+    uses: Typeform/.github/.github/workflows/graphql-generate-persisted-operations.yml@v1
+    secrets:
+      GH_TOKEN: ${{ secrets.GH_TOKEN }}
+  
+  # Job 7: Deep Purple E2E Tests
   deep-purple:
     name: 🔮 Deep Purple E2E
     if: inputs.run-deep-purple

reusable-workflows/sonarcloud-scan/workflow.yml

@@ -0,0 +1,84 @@
+name: SonarCloud Scan
+
+on:
+  workflow_call:
+    inputs:
+      # Project identification
+      app-name:
+        description: 'Application name (must match sonar.projectKey in sonar-project.properties)'
+        type: string
+        required: true
+      
+      # Node configuration
+      node-version:
+        description: 'Node.js version (ignored if use-asdf is true)'
+        type: string
+        default: '20'
+      use-asdf:
+        description: 'Use asdf-vm for version management (reads from .tool-versions)'
+        type: boolean
+        default: false
+      
+      # Runner configuration
+      runner:
+        description: 'Runner for SonarCloud scan'
+        type: string
+        default: '[self-hosted, ci-universal]'
+      
+      # Coverage configuration
+      coverage-artifact-name:
+        description: 'Name of coverage artifact to download (optional, e.g., coverage-12345)'
+        type: string
+        default: ''
+      
+      # Timeout configuration
+      timeout:
+        description: 'Job timeout (minutes)'
+        type: number
+        default: 10
+    
+    secrets:
+      GH_TOKEN:
+        required: true
+      SONAR_CLOUD_TOKEN:
+        required: true
+
+permissions:
+  contents: read
+
+jobs:
+  sonarcloud:
+    name: 🔍 SonarCloud Analysis
+    runs-on: ${{ fromJSON(inputs.runner) }}
+    timeout-minutes: ${{ inputs.timeout }}
+    
+    steps:
+      - name: Check out Git repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0  # Required for SonarCloud to analyze git history
+      
+      - name: Setup Node with Cache
+        uses: Typeform/.github/shared-actions/setup-node-with-cache@v1
+        with:
+          node-version: ${{ inputs.node-version }}
+          use-asdf: ${{ inputs.use-asdf }}
+          GH_TOKEN: ${{ secrets.GH_TOKEN }}
+      
+      - name: Download coverage artifacts
+        if: inputs.coverage-artifact-name != ''
+        uses: actions/download-artifact@v4
+        with:
+          name: ${{ inputs.coverage-artifact-name }}
+          path: coverage/
+        continue-on-error: true
+      
+      - name: SonarCloud Scan
+        uses: SonarSource/sonarqube-scan-action@v6
+        with:
+          args: >
+            -Dsonar.projectVersion=${{ github.run_id }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
+          SONAR_TOKEN: ${{ secrets.SONAR_CLOUD_TOKEN }}
+          LC_ALL: "C.UTF-8"