In the same way we decorate pull requests on GitHub, teams on Bitbucket Cloud expect SonarCloud to decorate their pull requests.
As a developer using Bitbucket Cloud, when I create a pull request, I expect SonarCloud to analyse it and "decorate it" with:
- A summary at the beginning of the PR
- For each issue that was found, a comment with:
Ideally, I would expect to be able to configure Bitbucket Cloud to prevent the merge of the PR if the status provided by SonarCloud is not green.
Today Bitbucket Pipelines only triggers builds on branches, not on pull requests. The strategy is to switch dynamically between a branch analysis and a PR analysis. Pipelines users will not pass any sonar.branch.* or sonar.pullrequest.* property to the scanner. At the very beginning of its execution, the scanner reads the repository owner/name and the branch name from environment variables, then makes REST API calls to Bitbucket Cloud to decide whether to run a branch analysis or a PR analysis:
- If there is at least one open PR whose source branch is the current branch, do a PR analysis.
- Else, if the current branch is not the main branch, do a branch analysis.
To make these REST API calls we need the credentials of the SonarCloud App installed for the team. The scanner cannot make the calls directly from the pipeline container, since the App credentials are not available there, so it will go through a SonarCloud internal web service acting as a proxy: Scanner <-> SonarCloud <-> Bitbucket Cloud
Available environment variables for Pipelines: https://confluence.atlassian.com/bitbucket/environment-variables-794502608.html
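As an added illustration of the decision above (this is not SonarCloud's scanner code), the following Python reads the Pipelines variables, asks an injectable fetcher for the repository's open PRs and returns the sonar.* properties the scanner should use. The variable names are the real Bitbucket Pipelines ones; the fetcher, the name of the main branch (assumed to be looked up from the repository or the SonarCloud project) and the sample PR data are assumptions, marked as such in the code. In the real setup the fetcher would call the SonarCloud proxy web service rather than Bitbucket Cloud, since the pipeline container never sees the App credentials.

```python
"""Branch-vs-PR selection for a SonarCloud analysis started from Bitbucket
Pipelines, following the strategy described above.

Added example, not SonarCloud's own scanner code. The env variable names are
the real Bitbucket Pipelines ones; the PR fetcher and the sample data are
assumptions documented inline.
"""
from typing import Callable, Dict, List, Mapping

# Real Bitbucket Pipelines variables (see the Atlassian page linked above).
ENV_OWNER = "BITBUCKET_REPO_OWNER"
ENV_SLUG = "BITBUCKET_REPO_SLUG"
ENV_BRANCH = "BITBUCKET_BRANCH"
REQUIRED_ENV = (ENV_OWNER, ENV_SLUG, ENV_BRANCH)

# A fetcher takes (owner, slug) and returns the open pull requests of that
# repository as a list of dicts shaped like the "values" entries of Bitbucket
# Cloud's GET /2.0/repositories/{owner}/{slug}/pullrequests?state=OPEN.
# In the design above the scanner does not call Bitbucket itself: the real
# fetcher would call a SonarCloud web service (assumed, not documented here)
# that holds the App credentials and proxies the request. Keeping the fetcher
# injectable also lets this module run offline with constructed data.
OpenPrFetcher = Callable[[str, str], List[dict]]


def select_analysis_mode(owner: str, slug: str, branch: str, main_branch: str,
                         fetch_open_prs: OpenPrFetcher) -> Dict[str, str]:
    """Return the sonar.* properties the scanner should add for this build.

    1. at least one open PR whose source branch is `branch` -> PR analysis
    2. otherwise, `branch` is not the main branch           -> branch analysis
    3. otherwise (building the main branch itself)          -> no extra property
    """
    candidates = [pr for pr in fetch_open_prs(owner, slug)
                  if pr["source"]["branch"]["name"] == branch]
    if candidates:
        # Assumption: when several open PRs share the source branch, analyse the
        # oldest one (lowest id); the text above does not say which should win.
        pr = min(candidates, key=lambda p: p["id"])
        return {
            "sonar.pullrequest.key": str(pr["id"]),
            "sonar.pullrequest.branch": branch,
            "sonar.pullrequest.base": pr["destination"]["branch"]["name"],
        }
    if branch != main_branch:
        return {"sonar.branch.name": branch}
    return {}


def missing_pipeline_vars(environ: Mapping[str, str]) -> List[str]:
    """Names of the required Pipelines variables that are absent or empty."""
    return [name for name in REQUIRED_ENV if not environ.get(name)]


def properties_from_pipeline_env(environ: Mapping[str, str], main_branch: str,
                                 fetch_open_prs: OpenPrFetcher) -> Dict[str, str]:
    """Read the repository and branch from the Pipelines environment and decide.

    Fails loudly when the variables are missing instead of falling back to a
    default analysis: a silent fallback would quietly push PR issues onto the
    main branch's history.
    """
    missing = missing_pipeline_vars(environ)
    if missing:
        raise RuntimeError("not running in Bitbucket Pipelines, missing: %s"
                           % ", ".join(missing))
    return select_analysis_mode(environ[ENV_OWNER], environ[ENV_SLUG],
                                environ[ENV_BRANCH], main_branch, fetch_open_prs)


# Constructed sample data, shaped like Bitbucket Cloud's pull request JSON.
SAMPLE_OPEN_PRS = [
    {"id": 41, "source": {"branch": {"name": "feature/login"}},
     "destination": {"branch": {"name": "master"}}},
    {"id": 57, "source": {"branch": {"name": "feature/login"}},
     "destination": {"branch": {"name": "release/1.2"}}},
    {"id": 58, "source": {"branch": {"name": "hotfix/csrf"}},
     "destination": {"branch": {"name": "master"}}},
]


def sample_fetch_open_prs(owner: str, slug: str) -> List[dict]:
    """Offline stand-in for the proxied Bitbucket call."""
    return list(SAMPLE_OPEN_PRS)


if __name__ == "__main__":
    # Constructed stand-in for os.environ inside a Pipelines build.
    for branch in ("feature/login", "feature/other", "master"):
        env = {ENV_OWNER: "acme", ENV_SLUG: "webapp", ENV_BRANCH: branch}
        print(branch, "->", properties_from_pipeline_env(env, "master",
                                                         sample_fetch_open_prs))
```

With the sample data, a build of feature/login becomes a PR analysis of PR 41 against master, feature/other becomes a branch analysis, and master gets no extra property. The missing-variable check is deliberate: if the scanner is run outside Pipelines (or the variables are stripped), it should stop rather than silently analyse the wrong target.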
Since the build/analysis runs on the code of the branch head and not on the merge commit, mapping issue lines to the lines shown in the Bitbucket PR diff is not straightforward. Also, due to a limitation on the Bitbucket side, even though we use the App credentials to create the comments, they still appear as if they had been created by the owner of the repository.