Add SonarCloud to the project?

[kinow]

Describe exactly what you would like to see in an upcoming release

Cylc Flow uses Codacy. I wanted to have a look at the project TODO's. In Jenkins and SonarCloud, you can customize it so that you can see a list of custom values such as TODO, TBD, FIXME, HACK, etc.

Went to Codacy to set it up on my fork first, then to prepare the .codacy.yml file as in Cylc Flow, and then finally submit the pull request.

However, Codacy appears to have changed its permissions, and besides the normal permissions (see e-mail, repositories, check-out projects, etc) now it also requests access to add SSH keys.

Which means Codacy can install new SSH keys to your projects, which is essentially the same as giving it full access to any of your repositories. Haven't accessed Codacy yet due to this new requirements (have some private repos that were shared with me that are either private or under NDA).

Any objection to using SonarCloud instead of Codacy @cylc/core ?

Additional context

Apache projects and others (e.g. the Finnish Skosmos vocabulary server) use SonarCloud.

Here's what SonarCloud reports for my fork of Cylc UI at the moment: https://sonarcloud.io/dashboard?id=kinow_cylc-ui

It reports similar metrics as Codacy. It is a very old and popular application, that just took a bit longer to have a cloud app integrated with GitHub (it used to be called Sonar, until another company with same name complained about it; then it renamed its brand to SonarQube, but only on-prem was possible; then they created SonarCloud).

ps: I'm not the only concerned about permissions in GitHub

• https://github.com/mxcube/mxcube/issues/345
• https://twitter.com/RainbowDerpyYaY/status/1239310778945228806
• https://twitter.com/jaredhanson/status/1103828366979788800

Pull requests welcome!

[kinow]

It would also be interesting to submit the coverage report to SonarCloud, and compare with Codecov, to see if SonarCloud does a better job at reporting batch coverage for Python/JS, as we had issues with that recently.

[hjoliver]

No objection from me, your reasons seem sound.

[kinow]

Just did used imported cylc-ui into a new Cylc organisation in SonarCloud.io. There should be a request sent to the cylc org, which I suspect will end up with Hilary to approve the integration.

[kinow]

No luck adding SonarCloud. Logged in today, there is still a pending request, but no idea how to complete the set up. We should be fine using what we have for now 👍