feat: grant all permissions to Members group across all pipeline vers…#164
Merged
Merged
Conversation
SummaryThis PR simplifies permission migration by granting all permissions to the What changed:
Why: Avoids edge cases where SonarQube groups or users don't have equivalents in SonarCloud, making permission outcomes deterministic and auditable. What reviewers should knowStart here:
Key design decisions:
Watch for:
Testing implications:
|
…ions
Rather than replicating the exact group-permission structure from SonarQube,
the migration now grants all defined permissions to the SonarCloud `Members`
group (all authenticated org members). This sidesteps edge cases where SQ
groups or users have no equivalent in SonarCloud and makes the permission
outcome deterministic and auditable.
Changes:
- Add `src/shared/utils/permission-constants.js` centralising
`TARGET_PERMISSION_GROUP`, `ALL_GLOBAL_PERMISSIONS`, and
`ALL_PROJECT_PERMISSIONS` so every pipeline version shares a single
source of truth
- Refactor `migrate-global-permissions.js` and
`migrate-project-permissions.js` in all four pipeline versions
(sq-9.9, sq-10.0, sq-10.4, sq-2025) to iterate over the constants
and call `addGroupPermission` / `addProjectGroupPermission` for
`Members` only — removing the old per-SQ-group loops
- Skip permission template migration entirely; `verify-templates.js`
now returns `{ status: 'skipped' }` and the org-wide batch files no
longer include the template step
- Simplify `verify-global.js` and `verify-project.js` to check that
`Members` holds all expected permissions rather than diffing SQ vs SC
group structures; removes the `SC_UNSUPPORTED_PERMISSIONS` filter
- Upgrade error logging from `debug` to `warn` in permission grant
loops so failures are visible in standard log output
- Update `docs/architecture.md` and `docs/key-capabilities.md` to
document grant-all mode and the skipped template step
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
joshua-quek-sonarsource
force-pushed
the
feat/grant-all-permissions-148
branch
from
May 25, 2026 03:38
470c8e6 to
6d191fb
Compare
…in sq-10.0 - Wrap scClient.getGlobalPermissions() in try/catch in verify-global.js, matching the pattern already used in verify-project.js; an API failure previously crashed the whole verification step instead of recording fail - Remove extractProjectPermissions() call from sq-10.0 migrate-quality-and-perms.js; the result was passed to migrateProjectPermissions() but never used since the grant-all refactor — the other three pipeline versions already pass [] Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
… duplication Add src/shared/utils/permission-grants.js with grantGlobalPermissions() and grantProjectPermissions() — the single source of truth for the grant-all loop logic. All eight per-pipeline migrate-global-permissions.js and migrate-project-permissions.js files are now thin delegates that call through, removing ~80 lines of duplicated loop/error-handling code. Dead parameters renamed to _globalPermissions and _projectPermissions in all wrappers to make the intentional ignoring explicit. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
…ions
Rather than replicating the exact group-permission structure from SonarQube, the migration now grants all defined permissions to the SonarCloud
Membersgroup (all authenticated org members). This sidesteps edge cases where SQ groups or users have no equivalent in SonarCloud and makes the permission outcome deterministic and auditable.Changes:
src/shared/utils/permission-constants.jscentralisingTARGET_PERMISSION_GROUP,ALL_GLOBAL_PERMISSIONS, andALL_PROJECT_PERMISSIONSso every pipeline version shares a single source of truthmigrate-global-permissions.jsandmigrate-project-permissions.jsin all four pipeline versions (sq-9.9, sq-10.0, sq-10.4, sq-2025) to iterate over the constants and calladdGroupPermission/addProjectGroupPermissionforMembersonly — removing the old per-SQ-group loopsverify-templates.jsnow returns{ status: 'skipped' }and the org-wide batch files no longer include the template stepverify-global.jsandverify-project.jsto check thatMembersholds all expected permissions rather than diffing SQ vs SC group structures; removes theSC_UNSUPPORTED_PERMISSIONSfilterdebugtowarnin permission grant loops so failures are visible in standard log outputdocs/architecture.mdanddocs/key-capabilities.mdto document grant-all mode and the skipped template step