Add SonarQube code quality analysis workflow#226
Conversation
| name: SonarQube | ||
| on: | ||
| push: | ||
| branches: | ||
| - main | ||
| pull_request: | ||
| types: [opened, synchronize, reopened] |
There was a problem hiding this comment.
Missing SPDX headers. Other workflows in this repo include SPDX copyright and license headers (e.g., codeql.yml, reuse.yml). Add:
| name: SonarQube | |
| on: | |
| push: | |
| branches: | |
| - main | |
| pull_request: | |
| types: [opened, synchronize, reopened] | |
| # SPDX-FileCopyrightText: 2026 Bernard Ladenthin <bernard.ladenthin@gmail.com> | |
| # SPDX-FileCopyrightText: 2023-2025 Konstantin Herud | |
| # | |
| # SPDX-License-Identifier: MIT | |
| name: SonarQube | |
| on: | |
| push: | |
| branches: | |
| - main | |
| pull_request: | |
| types: [opened, synchronize, reopened] |
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 | ||
| with: | ||
| fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis | ||
| - name: Set up JDK 21 | ||
| uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0 | ||
| with: | ||
| java-version: 21 | ||
| distribution: 'zulu' |
There was a problem hiding this comment.
Inconsistent action version pinning: This workflow uses full commit SHAs for some actions while other workflows in the repo use semantic versioning (@v6, @v5, etc.). For consistency and maintainability, consider using the same pattern as established workflows in this repo. Either:
- Update to use
@v4semver tags (simpler, follows other workflows), or - Document why this workflow requires stricter pinning via commit SHA
Examples from other workflows:
codeql.yml: uses@v4,@v6,@v5reuse.yml: uses@v6publish.yml: uses@v7,@v8, etc.
| - name: Build and analyze | ||
| env: | ||
| SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | ||
| run: mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=bernardladenthin_java-llama.cpp |
There was a problem hiding this comment.
Missing error handling: The workflow runs mvn verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar but doesn't check if SONAR_TOKEN is actually set. If the secret is not configured, the Maven command will fail silently or with unclear errors. Consider adding a check or documenting this dependency:
| - name: Build and analyze | |
| env: | |
| SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | |
| run: mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=bernardladenthin_java-llama.cpp | |
| - name: Build and analyze | |
| env: | |
| SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | |
| run: | | |
| if [ -z "$SONAR_TOKEN" ]; then | |
| echo "Warning: SONAR_TOKEN not set, skipping SonarQube analysis" | |
| mvn -B verify | |
| else | |
| mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=bernardladenthin_java-llama.cpp | |
| fi |
Alternatively, document in the PR body or README that this workflow requires the SONAR_TOKEN secret to be configured for the repository.
|
This PR adds SonarQube Cloud integration. Review findings posted as inline comments on the diff. Key issues:
What works well: Cache setup, fetch-depth for analysis, good trigger configuration. |
The cancellable-variant Javadoc block accidentally ended up between completeWithStats() and completeBatch(), causing a NotJavadoc Error Prone warning (two consecutive /** blocks before a single method). The real Javadoc for complete(InferenceParameters, CancellationToken) lives at its method at line 307; the stale copy is removed.
|



Summary
pom.xmlto enable integration with SonarQube CloudTest plan
Related issues / PRs
Checklist
CONTRIBUTING.mdandCODE_OF_CONDUCT.mdSECURITY.md)https://claude.ai/code/session_012WHHfb7tuYQkFz1YQ1BRmd