gitea-sonarqube-bot/README.md

Gitea SonarQube Bot

Gitea SonarQube Bot is a bot that receives messages from both SonarQube and Gitea to help developers being productive. The idea behind this project is the missing ALM integration of Gitea in SonarQube. Unfortunately, this won't be added in near future. Gitea SonarQube Bot aims to fill the gap between working on pull requests and being notified on quality changes. Luckily, both endpoints have a proper REST API to communicate with each others.

• Gitea SonarQube Bot
  • Workflow
  • Requirements
  • Bot configuration
  • Installation
    • Docker
    • Helm Chart
  • Setup
    • SonarQube
    • Gitea
    • CI system
  • Changelog
  • Contributing
  • License
  • Screenshots

Workflow

Insights

• Bot activities
  • Extract data from SonarQube
    • Read payload from hook post to receive project,branch/pr,quality-gate
    • Load "api/measures/component"
  • Comment PR in Gitea (/repos/{owner}/{repo}/issues/{index}/comments)
  • Updates status check (either failing/success)
  • Listen on "/sq-bot review" comments
    • Comment PR in Gitea (/repos/{owner}/{repo}/issues/{index}/comments)
    • Updates status check (either failing/success)

Requirements

This bot is designed to perform SonarQube/SonarCloud API requests specific for pull requests. This feature is available in the Community edition via Sonarqube Community Branch Plugin or natively in SonarQube Developer edition and above.

Bot configuration

See config.example.yaml for a full configuration specification and description.

Installation

Supported environment variables for application runtime configuration:

Environment Variable	Purpose	Since
GITEA_SQ_BOT_PORT	Port the bot will listen on	v0.2.1
GITEA_SQ_BOT_CONFIG_PATH	Full path to configuration file	v0.2.0

For detailed information, use the --help flag.

Docker

Create a directory config and place your config.yaml inside it. Open a terminal inside the newly created directory and execute the following command (replace $TAG first):

docker run --rm -it -p 9000:3000 -v "$(pwd):/home/bot/config/" justusbunsi/gitea-sonarqube-bot:$TAG

By default, the bot expects its configuration file under ./config/config.yaml next to the bot executable. Inside the Docker image the corresponding full path is /home/bot/config/config.yaml. If you prefer using a different location or even a different filename, you can also define the environment variable GITEA_SQ_BOT_CONFIG_PATH that allows for changing that full path.

Imagine having a ./config/sqbot.config.yml on your host that you want to populate inside /mnt/, the correct command to run a Docker container would be:

docker run --rm -it -p 9000:3000 -e "GITEA_SQ_BOT_CONFIG_PATH=/mnt/sqbot.config.yml" -v "$(pwd)/config/:/mnt/" justusbunsi/gitea-sonarqube-bot:$TAG

If there are port mapping issues, you can use any other free port from your host. If you wish to use another port for the bot itself, you can override the default port 3000 by using the environment variable GITEA_SQ_BOT_PORT. Let's say you want to consistently use port 9001 inside and outside the container, a correct command would be:

# your terminals' pwd is the bot config directory
docker run --rm -it -p 9001:9001 -e "GITEA_SQ_BOT_PORT=9001" -v "$(pwd):/home/bot/config/" justusbunsi/gitea-sonarqube-bot:$TAG

Helm Chart

See Helm Chart README for detailed instructions.

Setup

SonarQube

• Create a user and grant permissions to "Browse on project" for the desired project
• Create a token for this user that will be used by the bot
• Create a webhook pointing to https://<bot-url>/hooks/sonarqube
• Consider securing it with a secret

Gitea

• Create a user and grant permissions to "Read project" for the desired projects including access to "Pull Requests"
• Create a token for this user that will be used by the bot
• Create a project/organization/system webhook pointing to https://<bot-url>/hooks/gitea
• Consider securing the webhook with a secret

CI system

Some CI systems may emulate a merge and therefore produce another, not yet existing commit hash that is promoted to SonarQube. This would cause the bot to fail to set the commit status in Gitea because the webhook sent by SonarQube contains that commit hash. To mitigate that situation, the bot will look inside the properties object for the key sonar.analysis.sqbot. If available, this key can contain the actual commit hash to use for updating the status in Gitea.
See SonarQube docs for details.

Changelog

See CHANGELOG.md for a complete list of changes.

Contributing

Expected workflow is: Fork -> Patch -> Push -> Pull Request

NOTES:

• Please read and follow the CONTRIBUTORS GUIDE.

License

This project is licensed under the MIT License. See the LICENSE file for the full license text.

---

Screenshots

Bot name and avatar depend on user configuration.