Skip to content

feat: grant all permissions to Members group across all pipeline vers…#164

Merged
joshua-quek-sonarsource merged 3 commits into
mainfrom
feat/grant-all-permissions-148
May 25, 2026
Merged

feat: grant all permissions to Members group across all pipeline vers…#164
joshua-quek-sonarsource merged 3 commits into
mainfrom
feat/grant-all-permissions-148

Conversation

@joshua-quek-sonarsource

Copy link
Copy Markdown
Contributor

…ions

Rather than replicating the exact group-permission structure from SonarQube, the migration now grants all defined permissions to the SonarCloud Members group (all authenticated org members). This sidesteps edge cases where SQ groups or users have no equivalent in SonarCloud and makes the permission outcome deterministic and auditable.

Changes:

  • Add src/shared/utils/permission-constants.js centralising TARGET_PERMISSION_GROUP, ALL_GLOBAL_PERMISSIONS, and ALL_PROJECT_PERMISSIONS so every pipeline version shares a single source of truth
  • Refactor migrate-global-permissions.js and migrate-project-permissions.js in all four pipeline versions (sq-9.9, sq-10.0, sq-10.4, sq-2025) to iterate over the constants and call addGroupPermission / addProjectGroupPermission for Members only — removing the old per-SQ-group loops
  • Skip permission template migration entirely; verify-templates.js now returns { status: 'skipped' } and the org-wide batch files no longer include the template step
  • Simplify verify-global.js and verify-project.js to check that Members holds all expected permissions rather than diffing SQ vs SC group structures; removes the SC_UNSUPPORTED_PERMISSIONS filter
  • Upgrade error logging from debug to warn in permission grant loops so failures are visible in standard log output
  • Update docs/architecture.md and docs/key-capabilities.md to document grant-all mode and the skipped template step

@sonar-review-alpha

sonar-review-alpha Bot commented May 25, 2026

Copy link
Copy Markdown

Summary

This PR simplifies permission migration by granting all permissions to the Members group (all authenticated org members) instead of trying to replicate SonarQube's complex per-group-per-permission structure.

What changed:

  • Created shared permission utilities (permission-constants.js, permission-grants.js) with centralized permission lists and grant logic used across all 4 pipeline versions
  • Refactored global and project permission migrators in sq-9.9, sq-10.0, sq-10.4, and sq-2025 to call shared grant functions instead of iterating over SQ groups
  • Removed permission template migration entirely (verify-templates.js now returns status: skipped)
  • Simplified permission verification to check that Members holds all expected permissions (no SQ vs SC diffing)
  • Upgraded permission grant error logging from debug to warn for visibility
  • Updated architecture and capabilities docs to explain grant-all mode

Why: Avoids edge cases where SonarQube groups or users don't have equivalents in SonarCloud, making permission outcomes deterministic and auditable.

What reviewers should know

Start here:

  1. Review the new shared utilities (src/shared/utils/permission-constants.js and permission-grants.js) — these are the core logic
  2. Check one permission migrator refactor (e.g., sq-10.0's migrate-global-permissions.js) as a representative pattern applied across all versions
  3. Review the verification simplification (verify-global.js, verify-project.js, verify-templates.js)

Key design decisions:

  • TARGET_PERMISSION_GROUP is hardcoded to 'Members'; all permissions granted to this group only
  • Permission extraction (at SQ level) is removed from callsites but extraction functions remain unused — not cleaned up
  • Error handling upgraded to warn level so permission grant failures are visible in standard logs
  • SQ group data is no longer extracted or passed through the permission flow

Watch for:

  • All 4 pipeline versions follow identical permission logic now — verify the migration pattern is consistent
  • Verification no longer fetches SQ groups; it only checks SC for Members permissions
  • Permission extraction is discarded (empty array passed) — confirm this is intentional and no downstream code relies on detailed permission metadata
  • The verify-templates.js now returns minimal output; verify test expectations match

Testing implications:

  • End-to-end flows should verify that post-migration, Members group holds all permissions
  • Edge case testing (missing groups, users, permission mismatches) is no longer relevant for permission migration itself
  • Post-migration, orgs will have a simplified, uniform permission model; customers must configure custom templates after migration if needed

  • Generate Walkthrough
  • Generate Diagram

🗣️ Give feedback

…ions

Rather than replicating the exact group-permission structure from SonarQube,
the migration now grants all defined permissions to the SonarCloud `Members`
group (all authenticated org members). This sidesteps edge cases where SQ
groups or users have no equivalent in SonarCloud and makes the permission
outcome deterministic and auditable.

Changes:
- Add `src/shared/utils/permission-constants.js` centralising
  `TARGET_PERMISSION_GROUP`, `ALL_GLOBAL_PERMISSIONS`, and
  `ALL_PROJECT_PERMISSIONS` so every pipeline version shares a single
  source of truth
- Refactor `migrate-global-permissions.js` and
  `migrate-project-permissions.js` in all four pipeline versions
  (sq-9.9, sq-10.0, sq-10.4, sq-2025) to iterate over the constants
  and call `addGroupPermission` / `addProjectGroupPermission` for
  `Members` only — removing the old per-SQ-group loops
- Skip permission template migration entirely; `verify-templates.js`
  now returns `{ status: 'skipped' }` and the org-wide batch files no
  longer include the template step
- Simplify `verify-global.js` and `verify-project.js` to check that
  `Members` holds all expected permissions rather than diffing SQ vs SC
  group structures; removes the `SC_UNSUPPORTED_PERMISSIONS` filter
- Upgrade error logging from `debug` to `warn` in permission grant
  loops so failures are visible in standard log output
- Update `docs/architecture.md` and `docs/key-capabilities.md` to
  document grant-all mode and the skipped template step

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@joshua-quek-sonarsource
joshua-quek-sonarsource force-pushed the feat/grant-all-permissions-148 branch from 470c8e6 to 6d191fb Compare May 25, 2026 03:38
sonar-review-alpha[bot]

This comment was marked as resolved.

joshuaquek and others added 2 commits May 25, 2026 15:33
…in sq-10.0

- Wrap scClient.getGlobalPermissions() in try/catch in verify-global.js,
  matching the pattern already used in verify-project.js; an API failure
  previously crashed the whole verification step instead of recording fail
- Remove extractProjectPermissions() call from sq-10.0 migrate-quality-and-perms.js;
  the result was passed to migrateProjectPermissions() but never used since
  the grant-all refactor — the other three pipeline versions already pass []

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
… duplication

Add src/shared/utils/permission-grants.js with grantGlobalPermissions() and
grantProjectPermissions() — the single source of truth for the grant-all loop
logic. All eight per-pipeline migrate-global-permissions.js and
migrate-project-permissions.js files are now thin delegates that call through,
removing ~80 lines of duplicated loop/error-handling code.

Dead parameters renamed to _globalPermissions and _projectPermissions in all
wrappers to make the intentional ignoring explicit.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
sonar-review-alpha[bot]

This comment was marked as outdated.

@sonar-review-alpha sonar-review-alpha Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! ✅

🗣️ Give feedback

@joshua-quek-sonarsource
joshua-quek-sonarsource merged commit e7378c9 into main May 25, 2026
1 check passed
@joshua-quek-sonarsource
joshua-quek-sonarsource deleted the feat/grant-all-permissions-148 branch May 25, 2026 10:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants