Create sonar.yml

.github/workflows/sonar.yml

@@ -0,0 +1,49 @@
+name: Sonar
+'on':
+  push:
+    branches:
+      - "**"
+  pull_request_target:
+    branches:
+      - "**"
+    types: [opened, synchronize, reopened, labeled]
+  schedule:
+    - cron: 0 16 * * *
+  workflow_dispatch:
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+
+      - name: Set up JDK
+        uses: actions/setup-java@v1
+        with:
+          java-version: 17
+          java-package: jdk
+
+      - uses: actions/checkout@v1
+        with:
+          fetch-depth: 0
+
+      - name: Check for external PR
+        if: ${{ !(contains(github.event.pull_request.labels.*.name, 'safe') ||
+          github.event.pull_request.head.repo.full_name == github.repository ||
+          github.event_name != 'pull_request_target') }}
+        run: echo "Unsecure PR, must be labelled with the 'safe' label, then run the workflow again" && exit 1
+
+      - name: Build with Maven
+
+          mvn clean install
+
+      - name: Sonar Scan
+        env:
+          GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
+          SONAR_TOKEN: '${{ secrets.SONAR_TOKEN }}'
+        run: >-
+          mvn org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
+          -Dsonar.projectName=client-encryption-java
+          -Dsonar.projectKey=Mastercard_client-encryption-java
+          -Dsonar.organization=mastercard -Dsonar.host.url=https://sonarcloud.io
+          -Dsonar.login=$SONAR_TOKEN -Dsonar.cpd.exclusions=**/OkHttp*.java
+          -Dsonar.exclusions=**/*.xml -Dgpg.signature.skip=true
+