GROW-213 Provision SonarQube project in sonar import command#560
GROW-213 Provision SonarQube project in sonar import command#560kevinmlsilva wants to merge 1 commit into
Conversation
✅ Deploy Preview for sonarqube-cli canceled.
|
d7316be to
8e830a7
Compare
nquinquenel
left a comment
There was a problem hiding this comment.
Looks ok, one comment about org and private project is important to tackle I think
| } | ||
|
|
||
| if (opts.org) return opts.org; | ||
| if (opts.org) return { key: opts.org }; |
There was a problem hiding this comment.
When org is passed, it only returns key. Later we do:
const onlyPrivateProjects: OnlyPrivateProjects = {
enabled: onlyPrivateProjectsEnabled ?? false,
available: await client.hasPrivateProjectsEntitlement(orgKey),
};
So it means when org is passed it never loads the org's private projects. Is it expected?
There was a problem hiding this comment.
Good catch, that wasn't expected. Fixed: added SonarQubeClient.fetchOrganizationByKey(), a targeted /api/organizations/search?organizations=<key> lookup (same pattern as checkOrganization), and resolveOrg's --org branch now uses it to populate both almKey and onlyPrivateProjectsEnabled instead of leaving them undefined. This also means onlyPrivateProjects.enabled is now correctly enforced when using --org directly, not just in the interactive flow. Added a regression test for it.
8e830a7 to
aa7012b
Compare
| if (opts.org) { | ||
| const org = await client.fetchOrganizationByKey(opts.org); | ||
| return { | ||
| key: opts.org, | ||
| almKey: org?.alm?.key, | ||
| onlyPrivateProjectsEnabled: org?.onlyPrivateProjects?.enabled, | ||
| }; | ||
| } |
There was a problem hiding this comment.
💡 Edge Case: --org visibility rule silently disabled on lookup failure
In the --org fast path, resolveOrg derives onlyPrivateProjectsEnabled from client.fetchOrganizationByKey(opts.org). fetchOrganizationByKey swallows any error (transient network/API failure) and returns undefined, which callers default to false (no restriction). The result is that a transient failure fetching the org record silently disables the organization's private-only project visibility enforcement — the very policy this PR is meant to enforce. A public repo could then be provisioned into an org that requires private-only projects.
This degradation is documented as intentional in the ResolvedOrg doc comment, and the server may re-enforce during provisioning, so impact is limited. But consider distinguishing 'org not found' / 'lookup failed' from 'onlyPrivateProjects genuinely disabled' — e.g. fail fast (or surface a warning) when the org lookup errors under --org, rather than silently falling back to the permissive default. Note the interactive path (lines 137-144) gets these values reliably from the already-fetched org list, so only the --org path is affected.
Was this helpful? React with 👍 / 👎
Wires up the final step of sonar import: after org/repo selection, create the bound SonarQube project via provision_projects, resolving the org's DevOps platform to format the installation key and enforcing the org's public/private project visibility rules. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
aa7012b to
f5e4482
Compare
Code Review 👍 Approved with suggestions 2 resolved / 3 findingsWires up SonarQube project provisioning and visibility enforcement in the import command, resolving previous picker and API lookup issues. Address the minor bug where visibility rules are silently disabled during 💡 Edge Case: --org visibility rule silently disabled on lookup failure📄 src/cli/commands/import/_common/resolve-options.ts:95-102 📄 src/sonarqube/client.ts:808-819 In the This degradation is documented as intentional in the ✅ 2 resolved✅ Bug: Interactive repo picker ignores visibility rules (disabled flag no-op)
✅ Quality: resolveOrg's almKey is fetched but never used; refetched via API
🤖 Prompt for agentsOptionsAuto-apply is off → Gitar will not commit updates to this branch. Comment with these commands to change the behavior for this request:
Was this helpful? React with 👍 / 👎 | Gitar |
|



Summary
sonar import: after org/repo selection, creates the bound SonarQube project via theprovision_projectsAPI and prints its project key.installationKeysparam correctly (<slug>|<id>for GitHub, plainidotherwise).onlyPrivateProjects+ billing entitlement) before provisioning, rejecting mismatched repos.Continuation of GROW-212.
Test plan
bun run typecheckbun run lintbun test tests/integration/specs/import/import.test.ts(29 pass, including new provisioning/visibility test cases)JIRA: GROW-213