fix: SonarCloud for forks (#27700)

<!--
Please submit this PR as a draft initially.
Do not mark it as "Ready for review" until the template has been
completely filled out, and PR status checks have passed at least once.
-->

## **Description**

<!--
Write a short description of the changes included in this pull request,
also include relevant motivation and context. Have in mind the following
questions:
1. What is the reason for the change?
2. What is the improvement/solution?
-->

[![Open in GitHub
Codespaces](https://github.com/codespaces/badge.svg)](https://codespaces.new/MetaMask/metamask-extension/pull/27700?quickstart=1)

This PR fixes SonarCloud for forks.

## **Related issues**

Fixes: #27135

## **Manual testing steps**

1. SonarCloud analysis is successfully reported from a fork

## **Screenshots/Recordings**

Not applicable

## **Pre-merge author checklist**

- [x] I've followed [MetaMask Contributor
Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask
Extension Coding
Standards](https://github.com/MetaMask/metamask-extension/blob/develop/.github/guidelines/CODING_GUIDELINES.md).
- [x] I've completed the PR template to the best of my ability
- [x] I’ve included tests if applicable
- [x] I’ve documented my code using [JSDoc](https://jsdoc.app/) format
if applicable
- [x] I’ve applied the right labels on the PR (see [labeling
guidelines](https://github.com/MetaMask/metamask-extension/blob/develop/.github/guidelines/LABELING_GUIDELINES.md)).
Not required for external contributors.

## **Pre-merge reviewer checklist**

- [ ] I've manually tested the PR (e.g. pull and build branch, run the
app, test code being changed).
- [ ] I confirm that this PR addresses all acceptance criteria described
in the ticket it closes and includes the necessary testing evidence such
as recordings and or screenshots.

---------

Co-authored-by: Erik Marks <[email protected]>
Co-authored-by: legobeat <[email protected]>
Co-authored-by: Mark Stacey <[email protected]>

.github/workflows/main.yml

@@ -32,21 +32,12 @@ jobs:
     name: Run tests
     uses: ./.github/workflows/run-tests.yml
 
-  sonarcloud:
-    name: SonarCloud
-    uses: ./.github/workflows/sonarcloud.yml
-    secrets:
-      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-    needs:
-      - run-tests
-
   all-jobs-completed:
     name: All jobs completed
     runs-on: ubuntu-latest
     needs:
       - check-workflows
       - run-tests
-      - sonarcloud
     outputs:
       PASSED: ${{ steps.set-output.outputs.PASSED }}
     steps:

.github/workflows/sonarcloud.yml

@@ -1,26 +1,54 @@
+# This GitHub action will checkout and scan third party code.
+# Please ensure that any changes to this action do not perform
+# actions that may result in code from that branch being executed
+# such as installing dependencies or running build scripts.
+
 name: SonarCloud
 
 on:
-  workflow_call:
-    secrets:
-      SONAR_TOKEN:
-        required: true
+  workflow_run:
+    workflows:
+      - Run tests
+    types:
+      - completed
+
+permissions:
+  actions: read
 
 jobs:
   sonarcloud:
+    # Only scan code from non-forked repositories that have passed the tests
+    # This will skip scanning the code for forks, but will run for the main repository on PRs from forks
+    if: ${{ github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.repository.fork == false }}
     name: SonarCloud
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
         with:
+          repository: ${{ github.event.workflow_run.head_repository.full_name }} # Use the repository that triggered the workflow
+          ref: ${{ github.event.workflow_run.head_branch }} # Use the branch that triggered the workflow
           fetch-depth: 0  # Shallow clones should be disabled for better relevancy of analysis
 
       - name: Download artifacts
         uses: actions/download-artifact@v4
         with:
           name: lcov.info
           path: coverage
+          github-token: ${{ github.token }} # This is required when downloading artifacts from a different repository or from a different workflow run.
+          run-id: ${{ github.event.workflow_run.id }} # Use the workflow id that triggered the workflow
+
+      - name: Download sonar-project.properties
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          REPOSITORY: MetaMask/metamask-extension
+        run: |
+          sonar_project_properties=$(gh api -H "Accept: application/vnd.github.raw" "repos/$REPOSITORY/contents/sonar-project.properties")
+          if [ -z "$sonar_project_properties" ]; then
+            echo "::error::sonar-project.properties not found in $REPOSITORY. Please make sure this file exists on the default branch."
+            exit 1
+          fi
+          echo "$sonar_project_properties" > sonar-project.properties
 
       - name: SonarCloud Scan
         # This is SonarSource/[email protected]

sonar-project.properties

@@ -1,3 +1,7 @@
+# Note: Updating this file on feature branches or forks will not reflect changes in the SonarCloud scan results.
+# The SonarCloud scan workflow always uses the latest version from the default branch.
+# This means any changes made to this file in a feature branch will not be considered until they are merged.
+
 sonar.projectKey=metamask-extension
 sonar.organization=consensys