Chore: Implement Sonatype and Sonarcloud scans in GitHub 16/14716/1
authorMatthew Watkins <mwatkins@linuxfoundation.org>
Mon, 14 Jul 2025 12:56:06 +0000 (13:56 +0100)
committerMatthew Watkins <mwatkins@linuxfoundation.org>
Mon, 14 Jul 2025 12:56:16 +0000 (13:56 +0100)
Change-Id: I4980a3cee246c3a23f626449b6cbfb0b94562bf3
Signed-off-by: Matthew Watkins <mwatkins@linuxfoundation.org>
.github/workflows/security-scans.yaml [new file with mode: 0644]
sonar-project.properties [new file with mode: 0644]

diff --git a/.github/workflows/security-scans.yaml b/.github/workflows/security-scans.yaml
new file mode 100644 (file)
index 0000000..68825b2
--- /dev/null
@@ -0,0 +1,50 @@
+---
+# SPDX-License-Identifier: Apache-2.0
+# SPDX-FileCopyrightText: 2025 The Linux Foundation
+
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: "Security Scans"
+on:
+  workflow_dispatch:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: "31 3 * * 0"
+  push:
+    branches: ["main", "master"]
+    paths:
+      - "**"
+      - "!.github/**"
+
+# Declare default permissions as none.
+permissions: {}
+
+jobs:
+  sonatype-lifecycle:
+    name: "Sonatype Lifecycle"
+    # yamllint disable-line rule:line-length
+    uses: lfit/releng-reusable-workflows/.github/workflows/reuse-sonatype-lifecycle.yaml@8c3cf221da0e47955647647c9a254c1f807081ce # v0.2.18
+    secrets:
+      NEXUS_IQ_PASSWORD: ${{ secrets.NEXUS_IQ_PASSWORD }}
+
+  # Scan results are found at: https://sonarcloud.io/login
+  sonarqube-cloud:
+    name: "SonarQube Cloud"
+    # yamllint disable-line rule:line-length
+    uses: lfit/releng-reusable-workflows/.github/workflows/reuse-sonarqube-cloud.yaml@8c3cf221da0e47955647647c9a254c1f807081ce # v0.2.18
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+      # Uncomment the permissions below if installing in a private repository.
+      # contents: read
+      # actions: read
+    secrets:
+      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
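Review bot: The permission comments on the `sonarqube-cloud` job do not match this workflow: `id-token: write` is justified with "see publish_results below", but there is no `publish_results` input anywhere in the file, and the `branch_protection_rule` trigger plus its comment refer to OSSF Scorecard checks that neither called workflow appears to perform. These lines look carried over from the Scorecard template, and `id-token: write` hands the called reusable workflow the ability to mint OIDC tokens, so it should only be kept if `reuse-sonarqube-cloud.yaml` actually requires it (I cannot see that workflow from here). I would drop the `branch_protection_rule:` trigger and its two comment lines, and replace the `id-token` comment with `# Needed only if the reusable workflow mints an OIDC token; remove if not`, or remove the permission entirely if it is not consumed. Pinning both reusable workflows to a full commit SHA with a version comment is the right call and should stay.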
diff --git a/sonar-project.properties b/sonar-project.properties
new file mode 100644 (file)
index 0000000..9fd66e1
--- /dev/null
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: Apache-2.0
+# SPDX-FileCopyrightText: 2025 The Linux Foundation
+
+# The below are appropriate for Python projects
+# Define separate root directories for sources and tests
+sonar.organization=o-ran-sc
+sonar.projectKey=nonrtric-plt-rappmanager
+# sonar.sources = src/
+# sonar.tests = tests/
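Review bot: The header comment `# The below are appropriate for Python projects` describes settings that are then left commented out (`sonar.sources`, `sonar.tests`), so in effect the file only sets the organization and project key and Sonar will fall back to scanning from the repository root with its defaults. If that is intended, the comment should say so rather than describe a Python layout that is not applied, e.g. `# sources/tests are left at SonarCloud defaults (repository root); set them if the layout needs narrowing`. Whether this repository is a Python project at all is not visible from the diff, so confirm the language before keeping that wording.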