chore(ci)(deps): bump SonarSource/sonarqube-scan-action from 6 to 7 #5
@dependabot rebase
Bumps [SonarSource/sonarqube-scan-action](https://github.com/sonarsource/sonarqube-scan-action) from 6 to 7.
- [Release notes](https://github.com/sonarsource/sonarqube-scan-action/releases)
- [Commits](SonarSource/sonarqube-scan-action@v6...v7)

---
updated-dependencies:
- dependency-name: SonarSource/sonarqube-scan-action
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Closing — v7 changed the token contract and reproducibly returns HTTP 401 against our self-hosted SonarQube 26.4 instance with a token v6 accepts. PR #12 adds an explicit
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting If you change your mind, just re-open this PR and I'll resolve any conflicts on it.
#12)

## What changes
- Drop `update-types: [minor, patch]` filter on the `vitest` group so MAJOR bumps are also batched. `vitest` and `@vitest/coverage-v8` are peer-dep'd by version; landing one without the other breaks develop.
- Add explicit `ignore` for `SonarSource/sonarqube-scan-action` MAJOR bumps. v7 reproducibly throws HTTP 401 against our self-hosted SonarQube 26.4 with a token that v6 accepts. Re-evaluate once the server is upgraded.

## Why
Closes the 3 problematic Dependabot PRs from the first weekly run:
- #5 SonarSource/sonarqube-scan-action 6→7 — auth incompatibility
- #9 vitest 3→4 — major bump that needs validation
- #10 @vitest/coverage-v8 3→4 — twin of #9, must ship together

When Dependabot reopens vitest 4.x it will arrive as a single grouped PR.

## Type
- [x] chore — deps/CI config

## Checklist
No production code touched. The config change applies on next Dependabot run.
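The `.github/dependabot.yml` shape that the commit message above describes, written out here as an added example rather than the repository's actual file; the npm `directory` of `/code` and the weekly schedule are assumptions:

```yaml
# Added example of the Dependabot config described in PR #12; not the repo's real file.
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    ignore:
      # Hold SonarSource/sonarqube-scan-action at its current major: v7 returned
      # HTTP 401 against the self-hosted SonarQube with a token that v6 accepts.
      # Minor and patch bumps inside v6 (including security fixes) still arrive.
      - dependency-name: "SonarSource/sonarqube-scan-action"
        update-types: ["version-update:semver-major"]

  - package-ecosystem: "npm"
    directory: "/code"          # assumption: package.json lives under code/
    schedule:
      interval: "weekly"
    groups:
      vitest:
        # No update-types filter here, so a major bump of vitest and
        # @vitest/coverage-v8 lands as one grouped PR instead of two halves.
        patterns:
          - "vitest"
          - "@vitest/*"
```

Once the SonarQube server is upgraded, removing the `ignore` entry lets Dependabot reopen the v7 bump on its next run.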
…ated B-MCP-8 fix end-to-end (#36)

## Summary
Standard phase-close docs PR (pattern: [#25](#25), [#28](#28), [#32](#32)). Updates HANDOFF.md §0 + §6.20 + footer to reflect Phase-15 fully closed end-to-end.

## What Phase-15 delivered (all already shipped)
- [PR #33](#33) — B-MCP-8 fix (always-include-top-hit + continue-not-break + default max_tokens 4000→8000).
- [PR #34](#34) — release v0.1.2-beta.5 to main with conflict resolution (--ours).
- Tag `v0.1.2-beta.5` → `4a281f0` + GitHub pre-release.
- `npm publish --tag beta` (user, WebAuthn passkey).
- Smoke against dogfood DB: **2/2 PASS, 0 FAIL** — `mem.recall("GitFlow")` returns `hits=2` (was 0 in beta.4); `mem.recall("embedding worker async")` returns `hits=1` (was 0).
- [PR #35](#35) — merge-back develop ← main with conflict resolution (--theirs).

## What this PR adds
Only HANDOFF.md changes (33 insertions, 30 deletions):
- §0: 10 rows updated to reflect post-publish reality (Fecha, Fase actual, Paquete npm, Estado del release, Memoria propia, Proximo paso, etc.).
- §6.20: sub-phases 5-9 marked complete with concrete outcomes (commit SHAs, conflict resolution patterns, smoke results); new durable lessons (#5 smoke script reusability, #6 wire output shape parsing, #7 conflict resolution symmetry); repo state post-Phase-15 with actual SHAs and dist-tags; next concrete action refocused.
- Footer "Ultima actualizacion" updated to reflect end-to-end closure.

## Caveat tracked for next phase
`serverInfo.version` reported by the JSON-RPC handshake reads `0.1.2-beta.3` even though the installed binary is beta.5. Confirmed in smoke. Cosmetic only — needs `grep -rn "0.1.2-beta" code/src` to locate hardcoded value before promoting to `release/0.1.2` stable.

## Test plan
- [x] No code changes — pure docs PR (HANDOFF.md only).
- [x] Hooks pre-commit no-op (no `code/src/` changes → typecheck not triggered).
- [ ] CI green on this PR (typecheck + lint + lint:tests + validate:modules + build + test:coverage + Sonar all pass over unchanged source).
- [ ] Squash-merge to develop.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
)

## Summary
Phase-17 close docs-only PR. Pattern matches PR #25 (Phase-12), #28 (Phase-13), #32 (Phase-14), #36 (Phase-15), #42 (Phase-16) — each cycle/phase ends with a docs-only PR synthesizing the closure.

## What Phase-17 delivered
**v0.5 defensive hardening cycle** — 4 incremental PRs squash-merged to `develop`:

| # | PR | Warning | Fix |
|---|---|---|---|
| 1 | [#43](#43) | W-3.5-SEC-M2 | chmod 0o600 on recall.db |
| 2 | [#44](#44) | W-3.5-SEC-M1 | atomic write+rename on .gitignore + writeConfig consolidated with CSPRNG suffix |
| 3 | [#45](#45) | W-3.5-SEC-L1 (partial) | redact absolute paths from DatabaseError messages → `details.path` + 4 new pino redact globs |
| 4 | [#46](#46) | W-3.1-SEC-M1 | configurable buffer cap on StdioJsonRpcServer (default 10 MiB) + env var override + transport closure on overflow |

Zero security-auditor rejections (4 APPROVED WITH OBSERVATIONS). 1 CI round-trip in PR-2 over S7735 negated condition trivial fix. 36 new VALOR-asserting tests consolidated, 5+1 EXIT=0 green in each PR, SonarQube quality gate PASSED in each PR.

## Key finding tracked: W-3.5-SEC-L2 follow-up
PR #45's security-auditor revealed that **W-3.5-SEC-L1 is NOT categorically closed** — only closed for DatabaseError. **9+ Error factories in workspace/secrets/curator modules** still interpolate `rootPath`/`startPath`/`hookPath` into `message`, and they flow to the wire JSON-RPC via `error-mapper.ts` Tier 3.5. Same leak pattern, also flowing to MCP clients.

Affected files (tracked as W-3.5-SEC-L2 for next hardening cycle):
- `workspace/infrastructure/errors/workspace-infrastructure-error.ts` (9 factories)
- `workspace/application/errors/workspace-application-error.ts` (NoWorkspaceAtPathError)
- `secrets/infrastructure/errors/foreign-hook-exists-error.ts`
- `curator/infrastructure/errors/curator-infrastructure-error.ts` (scanFailed)

Recommendation: apply same `details: { path }` pattern across all error factories before v0.5 GA.

## What this PR adds
Pure HANDOFF.md changes (212 insertions / 8 deletions):
- **§0**: 6 rows updated (Fecha, Fase actual, Lineas codigo, Tests, Issues abiertos, Proximo paso).
- **§6.21**: roadmap row 4 (defensive hardening) marked CLOSED in Phase-17.
- **§6.22 NEW**: full Phase-17 cycle close section (decisions, sub-phases, detail per PR, consolidated observations table with 12 entries, 8 orchestrator decisions D-1701..D-1708, 5 durable lessons, repo state, next-action with 3 options for release).
- **Footer** "Ultima actualizacion" updated to reflect Phase-17 closure.

## State of repo post-merge

| Item | Value |
|---|---|
| HEAD develop | `f23457e` (4 commits ahead of main) |
| HEAD main | `29371f8` (unchanged) |
| Tag latest | `v0.1.2` (unchanged) |
| npm dist-tags | `{ latest: '0.1.2', beta: '0.1.2-beta.6' }` (unchanged — Phase-17 publishes nothing) |
| Tests | 2588 passing in 212 files (+28 vs Phase-16 baseline) |
| Coverage | new 100% / overall 96.4% |
| Hardening warnings closed | 4/4 |
| Follow-ups tracked | 12 (1 medium W-3.5-SEC-L2 + 11 low/info) |
| Issues open | 0 |
| PRs open | 0 (after this merge) |

## Test plan
- [x] No code changes — pure docs PR (HANDOFF.md only).
- [x] Hooks pre-commit no-op (no `code/src/` changes → typecheck not triggered).
- [x] CI required status check `ci`.
- [x] SonarQube quality gate (no source files affected).

## Decision pending after merge
**Cut `release/0.1.3-beta.0` now or later?**
- **Option A** — cut now with 4 hardening fixes alone (Phase-9/12/14 cooling pattern: ship beta, dogfood real, fix what surfaces).
- **Option B** — accumulate more changes (item #1 multi-key envelope, item #3 perf hardening, item #5 swap embedder) before next release.
- **Option C** — defer release until a real bug surfaces in 0.1.2 stable ("first new bug + feature plus" pattern from §6.21).

Recommendation: Option A aligns with project's historical cadence. Final call belongs to the human.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Bumps SonarSource/sonarqube-scan-action from 6 to 7.
Release notes
Sourced from SonarSource/sonarqube-scan-action's releases.
Commits
- 55e4480 SQSCANGHA-140 Add OpenPGP signature verification for scanner downloads (#235)
- 30dbe5c SQSCANGHA-138 Update dist and add ci test (#233)
- c835722 SQSCANGHA-134 Upgrade the libraries to latest version (#227)
- f00de44 SC-45750 Migrate to dateless license headers (#229)
- f099b44 SQSCANGHA-133 Upgrade the Node version used in UTs + contribution guide (#226)
- d899ed2 BUILD-10861 Dependabot 5-day cooldown + internal excludes (#225)
- 299e4b7 SQSCANGHA-132 Upgrade Node to 24 (#224)
- 3988e54 SQSCANGHA-131 Bump picomatch from 4.0.3 to 4.0.4 (#223)
- 9598b8a SQSCANGHA-130 Bump rollup from 4.50.1 to 4.59.0 (#221)
- dcc5211 SQSCANGHA-128 NO-JIRA Bump actions/cache from 4 to 5 (#219)