From a371dd12f481a427f89016531ca980a4259062d4 Mon Sep 17 00:00:00 2001
From: guwirth
Date: Mon, 10 Feb 2025 16:39:18 +0100
Subject: [PATCH] Secrets are still not passed to the runner when a workflow is triggered from a forked repository!
---
 .github/workflows/cxx-ci.yml | 88 ++------------------------------
 .github/workflows/sonarcloud.yml | 15 +++++-
 2 files changed, 16 insertions(+), 87 deletions(-)
diff --git a/.github/workflows/cxx-ci.yml b/.github/workflows/cxx-ci.yml
index c1c0d33ff..c4f8c4471 100644
--- a/.github/workflows/cxx-ci.yml
+++ b/.github/workflows/cxx-ci.yml
@@ -6,9 +6,10 @@ name: cxx plugin CI
 on:
 push:
- branches: [ master ]
+ branches:
+ - master
 pull_request:
- branches: [ master ]
+ types: [opened, synchronize, reopened]
 defaults:
 run:
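Review bot: The `types: [opened, synchronize, reopened]` list added under `pull_request` restates GitHub's default activity types, so the effective change in this hunk is the loss of the `branches: [ master ]` filter: the CI now runs for pull requests against any base branch, fork pull requests included. If that is intended, a comment such as `# no base-branch filter: build every pull request (fork runs get a read-only token and no secrets)` would make it explicit; otherwise keep `branches:` with `- master` under `pull_request` too. No `permissions:` key appears in the visible lines, so it is worth confirming that the workflow restricts the GITHUB_TOKEN elsewhere; the file continues outside the hunk.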
@@ -215,89 +216,6 @@ jobs:
 run: mvn -B -e -V verify --file pom.xml
- # -----------------------------------------------------------------------------------------------------------
- # Update SonarCloud results
- # - Java 11 is no longer supported as scanner runtime environment
- # -----------------------------------------------------------------------------------------------------------
- sonar-cloud:
-
- strategy:
- matrix:
- os: [ubuntu-latest]
- java: [ '17' ]
- distribution: [ 'temurin' ]
-
- if: github.event_name == 'push'
- runs-on: ${{ matrix.os }}
-
- steps:
-
- # context information
- #
- - name: Dump GitHub Context
- env:
- GITHUB_CONTEXT: ${{ toJSON(github) }}
- run: echo "$GITHUB_CONTEXT"
- - name: Dump Matrix Context
- env:
- MATRIX_CONTEXT: ${{ toJSON(matrix) }}
- run: echo "$MATRIX_CONTEXT"
-
- # checkout code
- # - to provide complete SCM information to the sonar scanner,
- # all historical data for all branches and tags must be retrieved (fetch-depth: 0)
- #
- - name: Checkout repository
- uses: actions/checkout@v4
- with:
- fetch-depth: 0
-
- # setup Java
- #
- - name: Set up JDK Java ${{ matrix.java }} | ${{ matrix.distribution }} | ${{ matrix.os }}
- uses: actions/setup-java@v4
- with:
- java-version: ${{ matrix.java }}
- distribution: ${{ matrix.distribution }}
- cache: maven
-
- # read version number from POM
- #
- - name: get-pom-version
- id: pom-version
- uses: andreacomo/maven-gav-extractor@v2
-
- # remove -SNAPSHOT from POM version (major.minor.patch-SNAPSHOT)
- #
- - run: echo "CXX_POM_VERSION=${{ steps.pom-version.outputs.version }}" >> $GITHUB_ENV
- - run: echo "CXX_VERSION=${CXX_POM_VERSION%-*}" >> $GITHUB_ENV
-
- # set version number of plugin JAR
- # - 'major.minor.patch' and 'build' number from actions run number
- #
- - name: Sets the current project's version
- run: mvn versions:set -DartifactId='cxx' -DnewVersion='${{ env.CXX_VERSION }}.${{ github.run_number }}'
- - name: Dump environment variables
- run: env
-
- # Build and test with with Maven
- # - use phase 'verify' to aggregate coverage results (part of integration-tests)
- # - use phase 'install' to resolve dependencies (necessary for sonar-scanner)
- #
- - name: Build and test with Maven
- run: mvn -B -e -V install --file pom.xml
-
- # Update SonarCloud results
- # - Secrets are not passed to the runner when a workflow is triggered from a forked repository!
- #
- - name: Update SonarCloud results
- run: mvn sonar:sonar -B -e -V -Dsonar.organization=sonaropencommunity -Dsonar.host.url=https://sonarcloud.io -Dsonar.token=$SONAR_TOKEN -Dsonar.python.version=3.8
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-
- # -----------------------------------------------------------------------------------------------------------
 # test cxx plugin with SonarQube (Linux)
 # -----------------------------------------------------------------------------------------------------------
diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml
index 1ece6dbae..e378f2d66 100644
--- a/.github/workflows/sonarcloud.yml
+++ b/.github/workflows/sonarcloud.yml
@@ -1,10 +1,12 @@
+#
+# Update SonarCloud results
+#
 name: SonarCloud
+
 on:
 push:
 branches:
 - master
- pull_request:
- types: [opened, synchronize, reopened]
 jobs:
@@ -15,10 +17,16 @@ jobs:
 steps:
+ # checkout code
+ # - to provide complete SCM information to the sonar scanner,
+ # all historical data for all branches and tags must be retrieved (fetch-depth: 0)
+ #
 - uses: actions/checkout@v4
 with:
 fetch-depth: 0 # shallow clones should be disabled for a better relevancy of analysis
+ # setup Java
+ #
 - name: Set up JDK 17
 uses: actions/setup-java@v4
 with:
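Review bot: Nothing between `on:` and `jobs:` in sonarcloud.yml limits the GITHUB_TOKEN, and this is the workflow that receives `SONAR_TOKEN`; a workflow-level `permissions:` block with `contents: read` ahead of `jobs:` would keep the token read-only for the checkout and Maven steps. Whether the analysis step needs anything broader cannot be told from this hunk, and a job-level `permissions:` may exist further down. Removing the `pull_request` trigger also means analysis only runs after a merge to master, which the new header comment could state, e.g. `# push to master only: fork pull requests receive no SONAR_TOKEN`.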
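Review bot: `actions/checkout@v4` and `actions/setup-java@v4` (context lines in this hunk, not changed by the commit) are referenced by mutable tag in the job that later exposes `SONAR_TOKEN`; pinning each to a full commit SHA, `uses: actions/checkout@<full-commit-sha>  # v4`, removes the dependency on the tag staying where it is. The checkout step also keeps the default credential persistence, so `persist-credentials: false` under `with:` would keep the token out of the local git config while the Maven build runs. The added comment about `fetch-depth: 0` repeats the inline comment already on that line, so one of the two can go. The `with:` block of the setup-java step continues outside the hunk.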
@@ -39,6 +47,9 @@ jobs:
 key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
 restore-keys: ${{ runner.os }}-m2
+ # Update SonarCloud results
+ # - Secrets are not passed to the runner when a workflow is triggered from a forked repository!
+ #
 - name: Build and analyze
 env:
 SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
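Review bot: The comment added above `Build and analyze` says that secrets are not passed for fork-triggered runs, but not what follows from that for this step. Since the workflow is now push-only, wording such as `# - needs SONAR_TOKEN; fork-triggered runs receive no secrets, so this workflow runs on push to master only` would tie the remark to the trigger. The step's `run:` line is outside the hunk, so how the token reaches the scanner is not visible here; if it is passed as a `-Dsonar.token=...` argument, as the job removed from cxx-ci.yml did, supplying it through the `SONAR_TOKEN` environment variable alone would keep it off the command line.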