feat(ci): add SonarCloud analysis for shell scripts and workflow templates#90
Caution: Review failed. Pull request was closed or merged during review.

Walkthrough

This PR adds SonarCloud code quality scanning infrastructure to the repository. It introduces a GitHub Actions workflow that triggers scans on pushes to main and pull requests, plus a configuration file that specifies which files to scan and which paths to exclude from analysis.

Changes: SonarCloud Code Quality Scanning Setup

Estimated code review effort: 1 (Trivial), ~5 minutes
Pull request overview
This PR introduces SonarCloud scanning for the .github control-plane repository by adding a repository-level SonarCloud configuration and a dedicated GitHub Actions workflow to run analysis on pushes to main and on pull requests.
Changes:
- Add `sonar-project.properties` to configure SonarCloud project/org and define sources/exclusions.
- Add `.github/workflows/sonarcloud.yml` to run SonarCloud analysis (with pinned actions) on `main` pushes and PRs.
- Update `CHANGELOG.md` (currently includes an entry unrelated to the changes in this PR).
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| sonar-project.properties | Adds SonarCloud project configuration, scan scope, and exclusions. |
| CHANGELOG.md | Adds a new changelog bullet (does not match the PR's actual changes). |
| .github/workflows/sonarcloud.yml | Adds a workflow to execute SonarCloud scanning for this repo. |
| - `python-scorecard.yml`: hard-code `publish_results: false` in the `ossf/scorecard-action` step and remove `id-token: write` from the workflow permissions; the OIDC token `repository` claim resolves to the `.github` org repo when the workflow runs as a reusable callee, causing scorecard-action to publish to the wrong repository and error; the `publish-results` input is retained for backwards compatibility but is now deprecated and always treated as false; SARIF upload to the Security tab is unaffected | ||
| - `scorecard.yml`: remove `publish-results: true` and `id-token: write` from the `.github` org repo's own scorecard caller to align with the reusable workflow fix | ||
| - `workflow-templates/python-scorecard.yml`: remove `id-token: write` from top-level and job-level permissions and remove `publish-results: true` from the `with:` block; aligns the starter template with the reusable workflow fix so new repos generated from this template get the correct permission set | ||
| - `python-compatibility.yml`: move `# shellcheck disable=SC1033,...` directives from YAML-level comments into the `run: |` block body for the Ubuntu and macOS system-deps steps; shellcheck only processes content inside the run block, so YAML-level disable comments were silently ignored, causing the self-test CI to fail on shellcheck SC1073/SC1033/SC1050/SC1072/SC1140 |
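Review bot: the CHANGELOG.md bullets in this hunk record the scorecard `publish_results`/`id-token: write` removals and the shellcheck directive move in `python-compatibility.yml`, but nothing here records the SonarCloud workflow and `sonar-project.properties` this PR is titled for; add a bullet such as `- sonarcloud.yml, sonar-project.properties: add SonarCloud analysis for shell scripts and workflow templates`, and keep the other bullets only if those commits actually ship in this PR rather than in a sibling one.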
| - name: SonarCloud Scan | ||
| if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository | ||
| uses: SonarSource/sonarqube-scan-action@59db25f34e16620e48ab4bb9e4a5dce155cb5432 # v8.0.0 # nosemgrep: detected-sonarqube-docs-api-key | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | ||
| SONAR_HOST_URL: https://sonarcloud.io |
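Review bot: the `if:` guard on the SonarCloud Scan step skips pull requests whose head repo is not `github.repository`, which is the right behaviour because `secrets.SONAR_TOKEN` is not available to fork PRs, but the hunk never says so; add a one-line comment above the step with that reason so the next editor does not "fix" it, and likewise say what the `# nosemgrep: detected-sonarqube-docs-api-key` suppression on the `uses:` line is for, since that line carries a pinned SHA and no credential. The SHA pin with the `# v8.0.0` tag comment is good; confirm the job also declares the minimal `permissions:` block it needs (not visible in this fragment) so the action runs with read-only scopes.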
…on-compatibility.yml

YAML-level comments are invisible to shellcheck; the disable directives must be the first lines inside the `run: |` block to take effect. Fixes the pre-existing self-test CI failure introduced when the actionlint workflow was added in #77.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Shellcheck cannot parse bracket-class regex inline in [[ =~ ]] and reports SC1073/SC1033/SC1050/SC1072/SC1140. Extracting the pattern into a variable causes shellcheck to treat it as an opaque string and skip regex parsing. Disable directives are no longer needed and are removed. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
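An added example, not code from this PR, showing the form the commit message above describes: the bracket-class regex lives in a variable and `[[ =~ ]]` expands it unquoted, so shellcheck sees an opaque string while bash still matches. It assumes bash; the version pattern and sample values are constructed for illustration and are not the expression from python-compatibility.yml.

```shell
#!/usr/bin/env bash
# Constructed example (not from the PR). The inline form that shellcheck's
# parser reported on is kept here only as a comment, never executed:
#   [[ "$v" =~ ^[[:digit:]]+\.[[:digit:]]+(\.[[:digit:]]+)?$ ]]

# Same expression stored in a variable. shellcheck treats $PY_VERSION_RE as
# an opaque string and skips regex parsing; bash still applies it as an ERE
# because the expansion is left unquoted on the right of =~.
PY_VERSION_RE='^([[:digit:]]+)\.([[:digit:]]+)(\.([[:digit:]]+))?$'

# is_python_version STRING -> exit 0 when STRING is MAJOR.MINOR[.PATCH]
is_python_version() {
  [[ "$1" =~ $PY_VERSION_RE ]]
}

# python_minor STRING -> prints MAJOR.MINOR of a valid version, else exit 1.
# BASH_REMATCH is populated by the match inside is_python_version, which
# runs in this shell (a function call, not a subshell).
python_minor() {
  is_python_version "$1" || return 1
  printf '%s.%s\n' "${BASH_REMATCH[1]}" "${BASH_REMATCH[2]}"
}

# Constructed sample input of the kind a CI version matrix might supply.
for v in 3.12 3.11.4 3 '3.12 ' 'v3.12'; do
  if is_python_version "$v"; then
    printf 'ok   %-8s -> %s\n' "$v" "$(python_minor "$v")"
  else
    printf 'skip %-8s (not MAJOR.MINOR[.PATCH])\n' "$v"
  fi
done
```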
…lates

Adds sonar-project.properties and .github/workflows/sonarcloud.yml to bring ByronWilliamsCPA/.github into alignment with ByronWilliamsCPA/.claude, both of which should have SonarCloud coverage per org standards.

SonarCloud will auto-detect shell and YAML sources; no Python configuration required. sonar.sources=. scans scripts/, workflow templates, and config.

SETUP REQUIRED before merging:
1. Register ByronWilliamsCPA/.github at https://sonarcloud.io
2. Generate a token at https://sonarcloud.io/account/security
3. Add SONAR_TOKEN to repository secrets (Settings > Secrets > Actions)

The workflow will fail until SONAR_TOKEN is configured.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Project ByronWilliamsCPA_.github is already registered at sonarcloud.io and SONAR_TOKEN is available as an org-level secret. No manual setup needed. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
fc8cb8c to 78599c4
Updates the reusable workflow reference from b29a870 to 2174a6b (feat(ci): add SonarCloud analysis for shell scripts and workflow templates #90). Dependabot did not auto-update because the branch was marked as edited; this commit restores parity with main. All caller inputs verified compatible at new SHA. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>



Summary

- `sonar-project.properties` with project key `ByronWilliamsCPA_.github`
- `.github/workflows/sonarcloud.yml` that runs on push to main and pull requests
- `sonarqube-scan-action@v8.0.0` (consistent with other callers in this repo)
- `sonar.sources=.` scans shell scripts, YAML workflow templates, and configuration files; SonarCloud auto-detects languages

Why

Both `ByronWilliamsCPA/.claude` and `ByronWilliamsCPA/.github` are org-level control-plane repos that should have SonarCloud coverage. The project is already registered at sonarcloud.io and `SONAR_TOKEN` is available as an org-level secret.

Test plan

- `pre-commit run` passes on both new files
- `ByronWilliamsCPA_.github` registered at sonarcloud.io
- `SONAR_TOKEN` available as org-level secret

Generated with Claude Code