Add SonarQube for Apache Cloudberry

[tuhaihe]

Fixes #ISSUE_Number

What does this PR do?

Type of Change

• Bug fix (non-breaking change)
• New feature (non-breaking change)
• Breaking change (fix or feature with breaking changes)
• Documentation update

Breaking Changes

Test Plan

• Unit tests added/updated
• Integration tests added/updated
• Passed make installcheck
• Passed make -C src/test installcheck-cbdb-parallel

Impact

Performance:

User-facing changes:

Dependencies:

Checklist

• Followed contribution guide
• Added/updated documentation
• Reviewed code for security implications
• Requested review from cloudberry committers

Additional Context

CI Skip Instructions

---

[tuhaihe]

Now waiting for the ASF infra team to help create a new account at sonarcloud and enable the sonarcloud secrets for this repo.

Related issues:

• https://issues.apache.org/jira/projects/INFRA/issues/INFRA-26685?filter=allopenissues
• https://issues.apache.org/jira/projects/INFRA/issues/INFRA-26686?filter=allopenissues

[tuhaihe]

Now waiting for the ASF infra team to help create a new account at sonarcloud and enable the sonarcloud secrets for this repo.

Related issues:

• https://issues.apache.org/jira/projects/INFRA/issues/INFRA-26685?filter=allopenissues
• https://issues.apache.org/jira/projects/INFRA/issues/INFRA-26686?filter=allopenissues

They have been set up.

I did one test in my own repo, it can run well before the getting token: https://github.com/tuhaihe/cloudberrydb/actions/runs/14056552786/job/39357194543. So, we can merge this PR to see if the workflow is running on the main branch.

[tuhaihe]

Hi @chipitsine, could you help take a look at this PR? Thanks!

The following is the base configuration suggested from the sonarqube:

name: SonarQube
on:
  push:
    branches:
      - main
  pull_request:
    types: [opened, synchronize, reopened]
jobs:
  build:
    name: Build and analyze
    runs-on: ubuntu-latest
    env:
      BUILD_WRAPPER_OUT_DIR: build_wrapper_output_directory # Directory where build-wrapper output will be placed
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
      - name: Install Build Wrapper
        uses: SonarSource/sonarqube-scan-action/install-build-wrapper@v5
      - name: Run Build Wrapper
        run: |
          build-wrapper-linux-x86-64 --out-dir ${{ env.BUILD_WRAPPER_OUT_DIR }} <insert_your_clean_build_command>
      - name: SonarQube Scan
        uses: SonarSource/sonarqube-scan-action@v5
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        with:
          args: >
            --define sonar.cfamily.compile-commands="${{ env.BUILD_WRAPPER_OUT_DIR }}/compile_commands.json"

I customized the code for Cloudberry. FYI.

[chipitsine]

I'll try native docker image (as it was done in coverity scan)

[tuhaihe]

Hi @chipitsine Just bumping this to check the test progress. If any questions, feel free to let me know.

[chipitsine]

well, I only had idea to test using the same docker build image.
hope to find time this week

[chipitsine]

I did build by myself, I created pipeline from scratch and apparently I ended with very similar pipeline.
let's use it as starting point.

Sonar also suggests scanning on PRs, but current scan takes ~1.5 hours, I'm not sure we want that now._

[tuhaihe]

I did build by myself, I created pipeline from scratch and apparently I ended with very similar pipeline.

let's use it as starting point.

Sonar also suggests scanning on PRs, but current scan takes ~1.5 hours, I'm not sure we want that now._

Thanks @chipitsine for your test. Yes, we can enable the testing only on the main branch weekly for now, otherwise it takes too much time.

[tuhaihe]

I did a few research again on how other ASF projects use the asf's sonarcloud token:

• https://github.com/apache/ozone/blob/189fbdbe4c6f170e1064166e63d9b048ad33f752/.github/workflows/ci.yml#L345C11-L345C22
• https://github.com/apache/kvrocks/blob/a83090adc7e74aaec7de7ceb14a22c5dbab89ad1/.github/workflows/sonar.yaml#L72C11-L72C22

So change the Secret name to the default SONAR_TOKEN.

[tuhaihe]

Add PAX support in the latest commit fbf10cb, same to the PR #1050.

[tuhaihe]

If we use git submodule update --init in the build steps, it will cause the following error:

fatal: detected dubious ownership in repository at '/__w/cloudberry/cloudberry'
To add an exception for this directory, call:

	git config --global --add safe.directory /__w/cloudberry/cloudberry
Error: Process completed with exit code 128.

So change the way of loading the submodules with submodules: true.

[tuhaihe]

Tested SonarQube on my own repo, the workflow works:https://github.com/tuhaihe/cloudberrydb/actions/runs/14506822618/job/40697674135.

You can see the results here: https://sonarcloud.io/summary/overall?id=apache_cloudberry&branch=main.

[jiaqizho]

LGTM