From fbab5f186fbfc790793ab0d3481d4248b0eb69a3 Mon Sep 17 00:00:00 2001
From: koplo199 <85577251+koplo199@users.noreply.github.com>
Date: Fri, 18 Aug 2023 21:19:03 +0200
Subject: [PATCH] workflow: Use more secure pull_request trigger and fix SonarQube (#3034)

* Use more secure pull_request trigger
* Fix sonarqube
---
 .github/workflows/mypy.yml | 17 +----------------
 .github/workflows/sonar.yml | 24 ++++++++++++++++++++++++
 2 files changed, 25 insertions(+), 16 deletions(-)
 create mode 100644 .github/workflows/sonar.yml

diff --git a/.github/workflows/mypy.yml b/.github/workflows/mypy.yml
index c6055a8eaa1..46a9b2f5ff9 100644
--- a/.github/workflows/mypy.yml
+++ b/.github/workflows/mypy.yml
@@ -1,5 +1,5 @@
 on:
- pull_request_target:
+ pull_request:
 types: [opened, synchronize, reopened]

 name: Mypy
@@ -10,8 +10,6 @@ jobs:
 steps:
 - uses: actions/checkout@v3
 with:
- ref: ${{ github.event.pull_request.head.ref }}
- repository: ${{ github.event.pull_request.head.repo.full_name }}
 fetch-depth: 0
 - name: Set up Python 3.10
 uses: actions/setup-python@v4
@@ -31,16 +29,3 @@ jobs:
 run: |
 mypy --version
 mypy bottles
- sonar:
- name: Sonar
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v3
- with:
- ref: ${{ github.event.pull_request.head.ref }}
- repository: ${{ github.event.pull_request.head.repo.full_name }}
- fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
- - uses: sonarsource/sonarqube-scan-action@master
- env:
- SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
- SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
diff --git a/.github/workflows/sonar.yml b/.github/workflows/sonar.yml
new file mode 100644
index 00000000000..dfdf9b4007b
--- /dev/null
+++ b/.github/workflows/sonar.yml
@@ -0,0 +1,24 @@
+on:
+ pull_request_target:
+ types: [opened, synchronize, reopened]
+
+name: Sonar
+jobs:
+ sonar:
+ name: Checker
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
+ - uses: sonarsource/sonarqube-scan-action@master
+ with:
+ args: >
+ -Dsonar.pullrequest.key=${{ github.event.pull_request.number }}
+ -Dsonar.pullrequest.branch=${{ github.head_ref }}
+ -Dsonar.pullrequest.base=${{ github.base_ref }}
+ -Dsonar.scm.revision=${{ github.event.pull_request.head.sha }}
+ env:
+ SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+ SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
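Review bot: The checkout of `github.event.pull_request.head.sha` under `pull_request_target` puts contributor-controlled files into a job that holds `SONAR_TOKEN` and `SONAR_HOST_URL`, and nothing in this new file narrows what that job may do. No `permissions:` key appears, so the `GITHUB_TOKEN` scope falls back to the repository default, and `actions/checkout` keeps that token in the checkout's git config unless told otherwise; I would add a top-level `permissions: {contents: read}` and `persist-credentials: false` under the checkout's `with:`. `sonarsource/sonarqube-scan-action@master` is a mutable ref that receives both secrets, so pinning it to a reviewed full commit SHA would keep an upstream change from reaching them unreviewed. `github.head_ref` is chosen by the PR author and flows into `args`; how the action quotes that value is not visible here, so it is worth confirming before relying on it.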