Add SonarQube code quality analysis workflow #226

Merged
bernardladenthin merged 3 commits into main from claude/loving-curie-uj5dvn on Jun 13, 2026
Conversation

@bernardladenthin

Owner

Summary

  • Add GitHub Actions workflow for SonarQube code quality analysis on push to main and pull requests
  • Configure SonarQube organization in pom.xml to enable integration with SonarQube Cloud
  • Workflow includes caching for SonarQube and Maven packages to improve CI performance

Test plan

  • CI is green on this branch

Related issues / PRs

Checklist

  • I have read CONTRIBUTING.md and CODE_OF_CONDUCT.md
  • My commits follow Conventional Commits
  • No security-sensitive changes (if there are, I have notified the maintainer privately per SECURITY.md)

https://claude.ai/code/session_012WHHfb7tuYQkFz1YQ1BRmd

Comment on lines +1 to +7
name: SonarQube
on:
  push:
    branches:
      - main
  pull_request:
    types: [opened, synchronize, reopened]

Missing SPDX headers. Other workflows in this repo include SPDX copyright and license headers (e.g., codeql.yml, reuse.yml). Add:

Suggested change
name: SonarQube
on:
  push:
    branches:
      - main
  pull_request:
    types: [opened, synchronize, reopened]

# SPDX-FileCopyrightText: 2026 Bernard Ladenthin <bernard.ladenthin@gmail.com>
# SPDX-FileCopyrightText: 2023-2025 Konstantin Herud
#
# SPDX-License-Identifier: MIT
name: SonarQube
on:
  push:
    branches:
      - main
  pull_request:
    types: [opened, synchronize, reopened]

Comment on lines +13 to +20
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
  with:
    fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
- name: Set up JDK 21
  uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0
  with:
    java-version: 21
    distribution: 'zulu'

Inconsistent action version pinning: This workflow uses full commit SHAs for some actions while other workflows in the repo use semantic versioning (@v6, @v5, etc.). For consistency and maintainability, consider using the same pattern as established workflows in this repo. Either:

  1. Update to use @v4 semver tags (simpler, follows other workflows), or
  2. Document why this workflow requires stricter pinning via commit SHA

Examples from other workflows:

  • codeql.yml: uses @v4, @v6, @v5
  • reuse.yml: uses @v6
  • publish.yml: uses @v7, @v8, etc.
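
The pinning trade-off this comment raises, as an added example that is not part of this PR or the project: a POSIX shell audit that flags every `uses:` reference not pinned to a full 40-hex commit SHA, which is the stricter of the two options named above. It runs against two constructed workflow fragments, one mirroring this PR's SHA-pinned steps and one in the semver-tag style cited from the other workflows; the function name, file names and local-action path are assumptions.

```shell
#!/bin/sh
# Added example, not part of the PR: audit a GitHub Actions workflow for
# `uses:` references that are not pinned to a full 40-hex commit SHA.
# A tag such as @v4 is mutable and can be re-pointed by whoever controls
# the action repository; a commit SHA is immutable. Prints one line per
# unpinned reference and returns 1 if any were found, 0 otherwise.
check_action_pinning() {
    file="$1"
    unpinned=0
    while IFS= read -r line; do
        case "$line" in
            *uses:*) ;;
            *) continue ;;
        esac
        ref="${line#*uses:}"                        # drop the key
        ref="${ref%%#*}"                            # drop a trailing "# v4.3.1" comment
        ref=$(printf '%s' "$ref" | tr -d " \t\"'")  # strip whitespace and quotes
        case "$ref" in
            ./*|docker://*) continue ;;             # local actions and images: out of scope
        esac
        sha="${ref##*@}"
        if ! printf '%s' "$sha" | grep -Eq '^[0-9a-f]{40}$'; then
            echo "unpinned: $ref"
            unpinned=1
        fi
    done < "$file"
    return "$unpinned"
}

# Constructed sample workflows: the first mirrors the SHA-pinned steps
# from this PR, the second the semver-tag style the reviewer cites.
WF_DIR=$(mktemp -d)
PINNED_WF="$WF_DIR/sonar.yml"
MIXED_WF="$WF_DIR/mixed.yml"
cat > "$PINNED_WF" <<'EOF'
steps:
  - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
  - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0
EOF
cat > "$MIXED_WF" <<'EOF'
steps:
  - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
  - uses: actions/setup-java@v4
  - uses: ./.github/actions/local-helper
EOF

check_action_pinning "$PINNED_WF" && echo "sonar.yml: all actions SHA-pinned"
check_action_pinning "$MIXED_WF" || echo "mixed.yml: loosen only with a documented reason"
```

Run as a CI step over `.github/workflows/*.yml` to make a non-zero exit block the merge whenever a tag-pinned action slips in.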

Comment on lines +33 to +36
- name: Build and analyze
  env:
    SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
  run: mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=bernardladenthin_java-llama.cpp

Missing error handling: The workflow runs mvn verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar but doesn't check if SONAR_TOKEN is actually set. If the secret is not configured, the Maven command will fail silently or with unclear errors. Consider adding a check or documenting this dependency:

Suggested change
- name: Build and analyze
  env:
    SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
  run: mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=bernardladenthin_java-llama.cpp

- name: Build and analyze
  env:
    SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
  run: |
    if [ -z "$SONAR_TOKEN" ]; then
      echo "Warning: SONAR_TOKEN not set, skipping SonarQube analysis"
      mvn -B verify
    else
      mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=bernardladenthin_java-llama.cpp
    fi

Alternatively, document in the PR body or README that this workflow requires the SONAR_TOKEN secret to be configured for the repository.

@claude

claude Bot commented Jun 13, 2026

This PR adds SonarQube Cloud integration. Review findings posted as inline comments on the diff. Key issues:

  1. Missing SPDX headers (consistency - other workflows have them)
  2. Inconsistent action pinning (commit SHAs vs semver tags used elsewhere)
  3. No SONAR_TOKEN secret validation

What works well: Cache setup, fetch-depth for analysis, good trigger configuration.

The cancellable-variant Javadoc block accidentally ended up between
completeWithStats() and completeBatch(), causing a NotJavadoc Error Prone
warning (two consecutive /** blocks before a single method). The real Javadoc
for complete(InferenceParameters, CancellationToken) lives at its method at
line 307; the stale copy is removed.
@sonarqubecloud
@bernardladenthin bernardladenthin merged commit 20e734b into main Jun 13, 2026
10 of 38 checks passed
@bernardladenthin bernardladenthin deleted the claude/loving-curie-uj5dvn branch June 13, 2026 14:45