[NRL-1922] Get Sonarcloud reporting working as required

.github/workflows/pr-checks.yml

@@ -0,0 +1,70 @@
+name: Run PR checks
+run-name: "Running checks for PR #${{ github.event.pull_request.number }} (${{ github.event.pull_request.title }})"
+
+on:
+  pull_request:
+    types: [opened, reopened, synchronize]
+
+jobs:
+  build:
+    name: Build and test
+    runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }}
+    environment: pull-request
+    permissions:
+      contents: read
+      actions: write
+
+    steps:
+      - name: Git clone - ${{ github.ref }}
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.ref }}
+
+      - name: Setup environment
+        run: |
+          echo "${HOME}/.asdf/bin" >> $GITHUB_PATH
+          poetry install --no-root
+
+      - name: Build
+        run: make build
+
+      - name: Test
+        run: make test
+
+      - name: Upload build artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: build-artifacts
+          path: dist
+
+  sonar:
+    name: SonarQube analysis and quality gate check
+    runs-on: ubuntu-latest
+    needs: build
+    environment: pull-request
+    permissions:
+      contents: read
+      actions: write
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.ref }}
+
+      - name: Get build artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: build-artifacts
+          path: dist
+
+      - name: SonarQube Scan
+        uses: sonarsource/sonarqube-scan-action@a31c9398be7ace6bbfaf30c0bd5d415f843d45e9 #v7.0.0
+        env:
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+
+      - name: SonarQube Quality Gate check
+        id: sonarqube-quality-gate-check
+        uses: sonarsource/sonarqube-quality-gate-action@cf038b0e0cdecfa9e56c198bbb7d21d751d62c3b #v1.2.0
+        with:
+          pollingTimeoutSec: 600
+        env:
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

Makefile

@@ -6,7 +6,7 @@ MAKEFLAGS := --no-print-directory
 SHELL := /bin/bash
 
 DIST_PATH ?= ./dist
-TEST_ARGS ?= --cov --cov-report=term-missing
+TEST_ARGS ?= --cov --cov-report=term-missing --cov-report=xml:$(DIST_PATH)/test-coverage.xml
 SMOKE_TEST_ARGS ?=
 FEATURE_TEST_ARGS ?= ./tests/features --format progress2
 TF_WORKSPACE_NAME ?= $(shell terraform -chdir=terraform/infrastructure workspace show)

sonar-project.properties

@@ -1,13 +1,11 @@
 sonar.projectKey=NHSDigital_NRLF
 sonar.organization=nhsdigital
 sonar.projectName=NRLF
-sonar.python.version=3.9.5
-sonar.terraform.provider.aws.version=4.63.0
-# TODO: Some paths here are outdated and perhaps we don't want to exclude everything
-sonar.cpd.exclusions=api/tests/**, tests/**, api/**/tests/**, feature_tests/**, cron/seed_sandbox/tests/**, data_contracts/**/tests/**, firehose/**/tests/**, firehose/**/scripts/**, helpers/tests/**, mi/**/tests/**
-sonar.exclusions=scripts/**, **/scripts/**, api/tests/**, tests/**, api/**/tests/**, feature_tests/**, cron/seed_sandbox/tests/**, data_contracts/**/tests/**, firehose/**/tests/**, firehose/**/scripts/**, helpers/tests/**, mi/**/tests/**
 
-# Exclude snomed urls as being unsafe
-sonar.issue.ignore.multicriteria=exclude_snomed_urls
-sonar.issue.ignore.multicriteria.exclude_snomed_urls.ruleKey=python:S5332
-sonar.issue.ignore.multicriteria.exclude_snomed_urls.pattern=**http://snomed\.info(/sct)?**
+sonar.python.version=3.12
+
+sonar.exclusions=scripts/**
+sonar.coverage.exclusions=scripts/**, test/**, **/tests/**
+sonar.cpd.exclusions=tests/**, **/tests/**
+
+sonar.python.coverage.reportPaths=dist/test-coverage.xml