ci: add SonarCloud continuous inspection#31
ci: add SonarCloud continuous inspection#31don-petry wants to merge 3 commits intooneirosoft:mainfrom
Conversation
Add SonarCloud configuration and GitHub Actions workflow for automated code quality analysis on pushes to main and pull requests. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
Adds SonarCloud continuous inspection to the repository by introducing a standard SonarCloud project configuration file and a dedicated GitHub Actions workflow to run scans on main and on pull requests.
Changes:
- Add
sonar-project.propertiesto define SonarCloud project/org and analysis scope. - Add
.github/workflows/sonarcloud.ymlto run SonarCloud analysis in CI on pushes tomainand PR updates.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
sonar-project.properties |
Defines SonarCloud project settings and what paths to analyze/exclude. |
.github/workflows/sonarcloud.yml |
Introduces a CI workflow job to execute the SonarCloud scan action. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| sonar.sources=src | ||
| sonar.tests=tests | ||
| sonar.sourceEncoding=UTF-8 | ||
| sonar.exclusions=**/test_support.rs |
There was a problem hiding this comment.
sonar.tests=tests won’t classify the repo’s unit test files under src/core/**/tests.rs as tests, so SonarCloud will analyze them as production sources and skew metrics (bugs/smells/coverage on “new code”). Consider either adding those paths via sonar.tests + sonar.test.inclusions (e.g., matching src/**/tests.rs) or excluding src/**/tests.rs from sonar.sources using sonar.exclusions.
| sonar.exclusions=**/test_support.rs | |
| sonar.exclusions=**/test_support.rs | |
| sonar.test.inclusions=src/**/tests.rs |
There was a problem hiding this comment.
Addressed — removed sonar.tests since Rust unit tests live alongside source code in #[cfg(test)] modules, not in a separate directory.
| - name: SonarCloud Scan | ||
| uses: SonarSource/sonarqube-scan-action@v5 | ||
| env: | ||
| SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} |
There was a problem hiding this comment.
This workflow will fail on pull requests from forks because secrets.SONAR_TOKEN is not provided for forked PRs, causing the scan step to error and the PR check to go red. To avoid blocking external contributors, add a job/step if: guard to only run when the PR originates from the same repo (or when secrets.SONAR_TOKEN is set), or make the scan non-blocking for forked PRs.
There was a problem hiding this comment.
The if: ${{ env.SONAR_TOKEN \!= '' }} guard on the scan step already handles this — when the secret is unavailable on fork PRs, the step is skipped and the job succeeds. This matches the pattern used across all petry-projects repos.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry
left a comment
don-petry
left a comment
There was a problem hiding this comment.
Automated review — APPROVED
Risk: MEDIUM
Reviewed commit: 4e2a983886aff4ef1632d7bb11487f7a341e7d13
Cascade: triage → deep (see triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6 for models)
Summary
This PR adds SonarCloud continuous inspection via a GitHub Actions workflow and a sonar-project.properties config file. Security posture is solid: actions are SHA-pinned, permissions follow least-privilege, pull_request trigger (not pull_request_target) is used safely, and the SONAR_TOKEN is properly guarded so fork PRs are handled gracefully. One minor concern is a misleading version comment on the actions/checkout pin (labels it v6 but v4 is the latest stable release), which reduces auditability without introducing actual supply-chain risk since the SHA is the binding mechanism.
Findings
Minor
- [minor]
.github/workflows/sonarcloud.yml:21—actions/checkoutis pinned to SHAde0fac2e4500dabe0009e67214ff5f5447ce83ddwith the comment# v6, but actions/checkout only goes up to v4 as of April 2026. The comment is misleading and should be corrected to the actual release tag the SHA corresponds to. SHA pinning still provides supply-chain protection, but inaccurate comments impede future audits. - [minor]
.github/workflows/sonarcloud.yml:25—SonarSource/sonarqube-scan-actionis pinned to SHAfd88b7d7ccbaefd23d8f36f73b59db7a3d246602with# v6. Recommend verifying this SHA matches the intended release tag for auditability.
Info
- [info]
sonar-project.properties:6—sonar.exclusionsincludes a single specific file (test_support.rs) rather than a pattern. If additional test-support files are added in the future, each would need to be manually appended. Consider using a pattern like**/*test_support*or a dedicated test directory excluded viasonar.test.inclusions. - [info] CI status — No CI status checks were observed in statusCheckRollup — either no CI runs have completed for this PR, or checks are not yet wired up. Merge is currently blocked (mergeStateStatus=BLOCKED). Once the SONAR_TOKEN secret is configured per the PR's maintainer setup instructions, the workflow should begin reporting.
- [info]
.github/workflows/sonarcloud.yml:3— Workflow correctly usespermissions: {}at the top level and grants onlycontents:readandpull-requests:readat the job level. This is a best-practice least-privilege posture for a read-only analysis workflow. - [info]
.github/workflows/sonarcloud.yml:24— The workflow usespull_request(notpull_request_target), so fork PRs run in the fork's context without access to repo secrets. The conditionalif: env.SONAR_TOKEN != ""gracefully skips the scan for fork PRs where the secret is unavailable. This is the correct pattern.
CI status
No CI checks have reported yet for this PR (mergeStateStatus=BLOCKED). The SonarCloud workflow will begin reporting once the SONAR_TOKEN secret is configured in the repository settings.
Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with @don-petry if you need a human.
Why?
SonarCloud provides continuous code quality inspection — tracking bugs, code smells, security vulnerabilities, and test coverage over time. Unlike one-shot linters, it maintains a historical baseline so quality trends are visible and regressions are caught as they happen.
Summary
sonar-project.propertieswith project configuration for SonarCloud.github/workflows/sonarcloud.ymlGitHub Actions workflow that runs SonarCloud analysis on pushes tomainand on pull requestsSONAR_TOKENis unavailableRelates to #11 (item 9 — SonarCloud / SonarQube integration).
Maintainer setup required
oneirosoft/daggerrepositorySONAR_TOKENsecret to the GitHub repository settings (Settings → Secrets and variables → Actions → New repository secret)Test plan
mainand on PRs🤖 Generated with Claude Code