From 3a4d8e8c555efd63741790e216bdd7dddb03c217 Mon Sep 17 00:00:00 2001
From: Wouter Schoonveld
Date: Thu, 19 Feb 2026 16:03:52 +0100
Subject: [PATCH 1/5] sonarqube: validate release_type
---
 .github/workflows/version_upgrade.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/version_upgrade.yml b/.github/workflows/version_upgrade.yml
index 4778e3a2..c4dd19ee 100644
--- a/.github/workflows/version_upgrade.yml
+++ b/.github/workflows/version_upgrade.yml
@@ -9,6 +9,7 @@ on:
 inputs:
 release_type:
 required: true
+ description: Choose type of release
 type: string
 outputs:
 project_version:
@@ -18,6 +19,8 @@ on:
 jobs:
 upgrade-version:
 runs-on: ubuntu-latest
+ env:
+ RELEASE_TYPE: ${{ inputs.release_type == 'major' && 'major' || 'minor' }}
 outputs:
 job_output_version: ${{ steps.get-version.outputs.PROJECT_VERSION}}
 steps:
@@ -39,7 +42,7 @@ jobs:
 run: |
 git config user.name github-actions
 git config user.email github-actions@github.com
- poetry version ${{ inputs.release_type }}
+ poetry version "$RELEASE_TYPE"
 PROJECT_VERSION=$(poetry version --short)
 echo "PROJECT_VERSION=$PROJECT_VERSION" >> $GITHUB_OUTPUT
 sed -i "1 s/.*/version: $PROJECT_VERSION/" template_input.yaml
@@ -48,5 +51,5 @@ jobs:
 PROJECT_VERSION=$(poetry version --short)
 git add template_input.yaml
 git add pyproject.toml
- git commit -m "bump ${{ inputs.release_type }} version: ${{ steps.get-version.outputs.PROJECT_VERSION }}"
+ git commit -m "bump "$RELEASE_TYPE" version: ${{ steps.get-version.outputs.PROJECT_VERSION }}"
 git push
\ No newline at end of file
From e042523274335074cb1f72046baf7a209dbc7a5e Mon Sep 17 00:00:00 2001
From: Wouter Schoonveld
Date: Thu, 19 Feb 2026 16:46:59 +0100
Subject: [PATCH 2/5] sonarcloud: validate release_type on major/minor/patch
---
 .github/workflows/version_upgrade.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
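Review bot: The new commit line in the last hunk, `git commit -m "bump "$RELEASE_TYPE" version: ${{ steps.get-version.outputs.PROJECT_VERSION }}"`, closes the double-quoted string right before `$RELEASE_TYPE`, so the expansion is actually unquoted; bash concatenates the adjacent words, which is why it happens to work for a single-word value, but an empty value produces `bump  version: …` and the line does not read the way it behaves. The same line still interpolates a `${{ }}` expression straight into the shell script, the very pattern this patch is removing for `release_type`, while `PROJECT_VERSION` is already assigned from `poetry version --short` three lines earlier in the same step. `git commit -m "bump $RELEASE_TYPE version: $PROJECT_VERSION"` fixes both at once. The `run:` block this hunk belongs to starts outside the hunk.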
diff --git a/.github/workflows/version_upgrade.yml b/.github/workflows/version_upgrade.yml
index c4dd19ee..e33a0983 100644
--- a/.github/workflows/version_upgrade.yml
+++ b/.github/workflows/version_upgrade.yml
@@ -20,7 +20,8 @@ jobs:
 upgrade-version:
 runs-on: ubuntu-latest
 env:
- RELEASE_TYPE: ${{ inputs.release_type == 'major' && 'major' || 'minor' }}
+ # check if the input is valid, if not set it to empty string, if valid it will be used in the poetry version command
+ RELEASE_TYPE: ${{ (inputs.release_type == 'major' || inputs.release_type == 'minor' || inputs.release_type == 'patch') && inputs.release_type || '' }}
 outputs:
 job_output_version: ${{ steps.get-version.outputs.PROJECT_VERSION}}
 steps:
From 872bbe13693828beb1d1bb290d045530feca2123 Mon Sep 17 00:00:00 2001
From: Wouter Schoonveld
Date: Thu, 19 Feb 2026 17:11:00 +0100
Subject: [PATCH 3/5] sonarcloud: validate project_version
---
 .github/workflows/mkdocs_documentation.yml | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/mkdocs_documentation.yml b/.github/workflows/mkdocs_documentation.yml
index 40e7adb8..5bd76628 100644
--- a/.github/workflows/mkdocs_documentation.yml
+++ b/.github/workflows/mkdocs_documentation.yml
@@ -27,8 +27,15 @@ jobs:
 - name: Install Dependencies
 run: poetry install
 - name: Create new version of mkdocs and publish
+ shell: bash
 run: |
 git config user.name github-actions
 git config user.email github-actions@github.com
- poetry run mike deploy --push --update-aliases ${{ inputs.project_version }} latest
- poetry run mike set-default --push latest
\ No newline at end of file
+ VERSION="${{ inputs.project_version }}"
+ if [[ $VERSION =~ ^[0-9]+(\.[0-9]+)*$ ]]; then
+ poetry run mike deploy --push --update-aliases "$VERSION" latest
+ poetry run mike set-default --push latest
+ else
+ echo "Invalid version format: $VERSION"
+ exit 1
+ fi
From bc3faa2838d85efb22791826b3c9153c6871510e Mon Sep 17 00:00:00 2001
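Review bot: An invalid `release_type` now resolves `RELEASE_TYPE` to an empty string, and nothing in the job acts on that, so the job continues into `poetry version "$RELEASE_TYPE"` and fails with whatever poetry reports for an empty argument, without the actual cause appearing in the log; the added comment describes the empty-string fallback but not this consequence. A fail-fast check at the top of the step that consumes the variable, `if [ -z "$RELEASE_TYPE" ]; then echo "::error::release_type must be major, minor or patch"; exit 1; fi`, keeps the expression-level validation and turns an opaque failure into a clear one (that step is outside this hunk). As a point of style, the new comment is a single line well over 100 characters; splitting it across two `#` lines keeps it inside the usual yamllint limit.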
From: Wouter Schoonveld
Date: Thu, 19 Feb 2026 17:31:42 +0100
Subject: [PATCH 4/5] sonarcloud: validate input outside run but avoid regex
---
 .github/workflows/mkdocs_documentation.yml | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/mkdocs_documentation.yml b/.github/workflows/mkdocs_documentation.yml
index 5bd76628..e2cd690c 100644
--- a/.github/workflows/mkdocs_documentation.yml
+++ b/.github/workflows/mkdocs_documentation.yml
@@ -10,6 +10,11 @@ on:
 jobs:
 create-docs:
 runs-on: ubuntu-latest
+ env:
+ if: ${{ lower(inputs.project_version) == upper(inputs.project_version) }}
+ env:
+ VERSION: ${{ inputs.project_version }}
+
 steps:
 - name: checkout code
 uses: actions/checkout@v4
@@ -27,15 +32,8 @@ jobs:
 - name: Install Dependencies
 run: poetry install
 - name: Create new version of mkdocs and publish
- shell: bash
 run: |
 git config user.name github-actions
 git config user.email github-actions@github.com
- VERSION="${{ inputs.project_version }}"
- if [[ $VERSION =~ ^[0-9]+(\.[0-9]+)*$ ]]; then
 poetry run mike deploy --push --update-aliases "$VERSION" latest
 poetry run mike set-default --push latest
- else
- echo "Invalid version format: $VERSION"
- exit 1
- fi
From ac268d1d2b9006cfd06443eff4077297371f6a12 Mon Sep 17 00:00:00 2001
From: Wouter Schoonveld
Date: Thu, 19 Feb 2026 17:48:23 +0100
Subject: [PATCH 5/5] sonarcloud: fix hotspots by explicitly mentioning secrets
---
 .github/workflows/bump_version.yml | 3 ++-
 .github/workflows/release.yml | 8 ++++++--
 2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/bump_version.yml b/.github/workflows/bump_version.yml
index 57b752ef..2ad7c04d 100644
--- a/.github/workflows/bump_version.yml
+++ b/.github/workflows/bump_version.yml
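Review bot: The first added line `env:` carries no value and is followed by `if:` and a second `env:` at the same level, so the `create-docs` job mapping now has a duplicate `env` key (the first one null); this looks like a leftover from moving the guard around, may be rejected by the workflow parser, and should be dropped. The guard `lower(inputs.project_version) == upper(inputs.project_version)` only establishes that the value contains no letters — an empty string, `1..2` or a value made of punctuation all satisfy it — and when it is false the job is skipped rather than failed, so a bad version surfaces as a green run with no docs published. Because `VERSION` now reaches the script through `env:` and is quoted there, the shell-side exposure is covered; what is missing is a loud failure, which a first step can provide without a regex by comparing the value against a copy stripped by shell pattern substitution, as sketched below. The `create-docs` job continues past the end of this hunk.
```yaml
    env:
      VERSION: ${{ inputs.project_version }}
    steps:
      - name: Validate project_version
        run: |
          if [ -z "$VERSION" ] || [ "$VERSION" != "${VERSION//[^0-9.]/}" ]; then
            echo "::error::project_version must contain only digits and dots, got '$VERSION'"
            exit 1
          fi
      # … unchanged: checkout, poetry install and deploy steps …
```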
@@ -12,7 +12,8 @@ on:
 jobs:
 bump-up-version:
 if: github.event.pull_request.merged == true
- secrets: inherit
+ secrets:
+ SECRET: ${{secrets.VERSION_DECOIMPACT}}
 uses: ./.github/workflows/version_upgrade.yml
 with:
 release_type: patch
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d9d6e58c..3dbebe7f 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -16,7 +16,8 @@ on:
 jobs:
 bump-up-version:
- secrets: inherit
+ secrets:
+ SECRET: ${{secrets.VERSION_DECOIMPACT}}
 uses: ./.github/workflows/version_upgrade.yml
 with:
 release_type: ${{ github.event.inputs.release_type }}
@@ -37,7 +38,8 @@ jobs:
 create-documentation:
 needs: bump-up-version
- secrets: inherit
+ secrets:
+ SECRET: ${{secrets.VERSION_DECOIMPACT}}
 uses: ./.github/workflows/mkdocs_documentation.yml
 with:
 project_version: ${{ needs.bump-up-version.outputs.project_version }}
@@ -45,5 +47,7 @@ jobs:
 docker-build:
 needs: bump-up-version
 uses: ./.github/workflows/docker_image.yml
+ secrets:
+ SECRET: ${{ secrets.GITHUB_TOKEN }}
 with:
 project_version: ${{ needs.bump-up-version.outputs.project_version }}
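Review bot: Each caller now passes exactly one secret, under the name `SECRET`, so the called workflows must declare `SECRET` in `on.workflow_call.secrets` and read it as `secrets.SECRET`; the `version_upgrade.yml` hunks earlier in this series show its `inputs:` and `outputs:` but no `secrets:` block, so that cannot be confirmed from here, and with `inherit` gone any reference to `secrets.VERSION_DECOIMPACT` by its own name inside a called workflow would resolve to empty — the same applies to the three `release.yml` hunks. The `docker-build` hunk passes `${{ secrets.GITHUB_TOKEN }}` under the same generic name; as far as I recall the automatic token is available to a called workflow in the same repository without being passed, so this entry may be redundant and is worth checking against `docker_image.yml`. As a point of style, the three `${{secrets.VERSION_DECOIMPACT}}` entries omit the inner spaces that every other expression in these hunks uses (`${{ secrets.VERSION_DECOIMPACT }}`), and a name that says what the secret is for would read better than `SECRET` if the called workflows are being touched anyway.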