ci: configure Stylelint and SonarQube report paths for multiple linters#156

Merged: yacosta738 merged 9 commits into main from ci/configure-sonar-linters-reporting-10917054857490866092 on Mar 7, 2026

@yacosta738
Contributor

This PR configures Stylelint in the clients/web module and adds SonarQube report paths for Stylelint, Android Lint, Hadolint, and Actionlint to the CI workflow.

Key changes:

  • Created clients/web/.stylelintrc.json with standard, vue, and recess-order plugins.
  • Updated clients/web/package.json with lint:style script.
  • Enhanced .github/workflows/sonarqube-analysis.yml to:
    • Setup pnpm and install dependencies.
    • Run Stylelint, Hadolint (via docker), and Actionlint (via binary).
    • Include lintDebug in the Gradle step for Android Lint.
    • Added the relevant sonar.*.reportPaths properties.

PR created automatically by Jules for task 10917054857490866092 started by @yacosta738

- Configure Stylelint in `clients/web` with Vue and Tailwind support.
- Add `lint:style` script to `clients/web/package.json`.
- Update `sonarqube-analysis.yml` to run Stylelint, Hadolint, and Actionlint.
- Enable Android Lint generation in Gradle step.
- Configure SonarQube report paths for Stylelint, Android Lint, Hadolint, and Actionlint.

Co-authored-by: yacosta738 <33158051+yacosta738@users.noreply.github.com>
@google-labs-jules
Contributor

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.


For security, I will only act on instructions from the user who triggered this task.

@coderabbitai
Contributor

coderabbitai bot commented Mar 7, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


Walkthrough

Adds pnpm setup and caching to the SonarQube CI workflow, runs stylelint/hadolint/actionlint (reporting outputs), includes lintDebug in Gradle test step, and adds a Stylelint config, script, and devDependencies to the web client. (29 words)

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| CI Workflow: .github/workflows/sonarqube-analysis.yml | Adds pnpm/action-setup and Node+pnpm caching, installs root and web deps with pnpm, runs stylelint/hadolint/actionlint steps guarded by SONAR_TOKEN, adds lintDebug to test flow, and extends Sonar scanner args with linter report paths. |
| Frontend Stylelint: clients/web/.stylelintrc.json, clients/web/package.json | Adds Stylelint config (extends standard/SCSS/Vue/recess-order; ignores Tailwind at-rules; relaxes several rules), adds lint:style npm script and stylelint-related devDependencies including postcss-html. |

Sequence Diagram(s)

```mermaid
sequenceDiagram
    autonumber
    participant Dev as Dev (push)
    participant GH as GitHub Actions Runner
    participant Node as Node / pnpm
    participant Linters as Linters (stylelint, hadolint, actionlint)
    participant Sonar as SonarQube Scanner

    Dev->>GH: push / PR triggers workflow
    GH->>Node: setup Node + pnpm (with cache) (rgba(30,144,255,0.5))
    GH->>Node: pnpm install (root + clients/web) (rgba(30,144,255,0.5))
    GH->>Linters: run stylelint, hadolint, actionlint (produce reports) (rgba(34,139,34,0.5))
    GH->>Sonar: run tests/build (includes lintDebug) (rgba(255,165,0,0.5))
    GH->>Sonar: upload scanner reports (coverage, stylelint, hadolint, actionlint) (rgba(255,165,0,0.5))
```

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

Suggested labels

area:ci, area:web

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | Title follows Conventional Commit style with 'ci:' prefix, clearly describes the main changes (Stylelint configuration and SonarQube report paths), and is 71 characters—within the 72-character limit. |
| Description check | ✅ Passed | Description provides clear summary of changes, key modifications for each file, and explains the motivation. However, tested information, breaking changes section, and checklist are missing or incomplete. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@snyk-io
Contributor

snyk-io bot commented Mar 7, 2026

Snyk checks have passed. No issues have been found so far.

| Status | Scanner | Critical | High | Medium | Low | Total (0) |
| --- | --- | --- | --- | --- | --- | --- |
| 🔚 | Open Source Security | 0 | 0 | 0 | 0 | 0 issues |

@cloudflare-workers-and-pages

cloudflare-workers-and-pages bot commented Mar 7, 2026

Deploying corvus with  Cloudflare Pages  Cloudflare Pages

Latest commit: 4f106de
Status: ✅  Deploy successful!
Preview URL: https://b3f1b9b3.corvus-42x.pages.dev
Branch Preview URL: https://ci-configure-sonar-linters-r.corvus-42x.pages.dev

@github-actions

github-actions bot commented Mar 7, 2026

✅ Contributor Report

User: @yacosta738
Status: Passed (12/13 metrics passed)

| Metric | Description | Value | Threshold | Status |
| --- | --- | --- | --- | --- |
| PR Merge Rate | PRs merged vs closed | 88% | >= 30% | |
| Repo Quality | Repos with ≥100 stars | 0 | >= 0 | |
| Positive Reactions | Positive reactions received | 9 | >= 1 | |
| Negative Reactions | Negative reactions received | 0 | <= 5 | |
| Account Age | GitHub account age | 3053 days | >= 30 days | |
| Activity Consistency | Regular activity over time | 108% | >= 0% | |
| Issue Engagement | Issues with community engagement | 0 | >= 0 | |
| Code Reviews | Code reviews given to others | 391 | >= 0 | |
| Merger Diversity | Unique maintainers who merged PRs | 2 | >= 0 | |
| Repo History Merge Rate | Merge rate in this repo | 90% | >= 0% | |
| Repo History Min PRs | Previous PRs in this repo | 122 | >= 0 | |
| Profile Completeness | Profile richness (bio, followers) | 90 | >= 0 | |
| Suspicious Patterns | Spam-like activity detection | 1 | N/A | |

Contributor Report evaluates based on public GitHub activity. Analysis period: 2025-03-07 to 2026-03-07

@sentry

sentry bot commented Mar 7, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

@yacosta738 yacosta738 marked this pull request as ready for review March 7, 2026 15:11
Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/sonarqube-analysis.yml:
- Around line 106-108: The hadolint Docker run command uses unquoted command
substitution for $(find . -name "Dockerfile*" -not -path "*/node_modules/*"),
which breaks on paths with spaces; change it to use a null-delimited find +
xargs pipeline so filenames with spaces are handled safely (e.g. replace the
substitution with find . -name "Dockerfile*" -not -path "*/node_modules/*"
-print0 | xargs -0 hadolint -f json), and invoke that inside the docker run
(adjust the docker run invocation around the hadolint call) so the hadolint
command (the docker run line that calls hadolint) receives correctly quoted
filenames.
- Around line 110-114: Replace the unpinned download-and-execute step that uses
"bash <(curl
https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)"
with a pinned approach: either reference a specific release of the script or,
preferably, switch the "🤖 Run Actionlint" step to use the maintained GitHub
Action "rhysd/actionlint@v1.7.11" and pass the format input (format: '{{json
.}}') so the run produces the same coverage/actionlint-report.json output
without pulling from main.

In `@clients/web/.stylelintrc.json`:
- Around line 8-21: Add the Tailwind v3+ `@layer` directive to the at-rule ignore
list: update the "at-rule-no-unknown" rule's "ignoreAtRules" array (the existing
array containing
"tailwind","apply","variants","responsive","screen","import","theme") to include
"@layer" so Stylelint won't flag Tailwind `@layer` directives (e.g., `@layer` base,
`@layer` components, `@layer` utilities).

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: fb03a0d9-6dd2-428f-a197-b13da74e2e7d

📥 Commits

Reviewing files that changed from the base of the PR and between f6b717d and 0efce76.

⛔ Files ignored due to path filters (1)
  • clients/web/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (3)
  • .github/workflows/sonarqube-analysis.yml
  • clients/web/.stylelintrc.json
  • clients/web/package.json
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Cloudflare Pages
🧰 Additional context used
📓 Path-based instructions (1)
**/*

⚙️ CodeRabbit configuration file

**/*: Security first, performance second.
Validate input boundaries, auth/authz implications, and secret management.
Look for behavioral regressions, missing tests, and contract breaks across modules.

Files:

  • clients/web/package.json
🧠 Learnings (2)
📚 Learning: 2026-02-17T12:31:17.076Z
Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/.github/**/*.{yml,yaml} : For workflow/template-only changes, ensure YAML/template syntax validity

Applied to files:

  • .github/workflows/sonarqube-analysis.yml
📚 Learning: 2026-02-17T12:31:17.076Z
Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/**/*.rs : Run `cargo fmt --all -- --check`, `cargo clippy --all-targets -- -D warnings`, and `cargo test` for code validation, or document which checks were skipped and why

Applied to files:

  • .github/workflows/sonarqube-analysis.yml
🔇 Additional comments (7)
clients/web/package.json (2)

26-27: LGTM!

The lint:style script is well-configured with appropriate glob patterns and correctly references the root .gitignore via relative path.


31-36: LGTM!

Stylelint dependencies are appropriately added with caret versioning. The combination of stylelint-config-standard, stylelint-config-standard-vue, and stylelint-config-recess-order provides solid coverage for Vue/Tailwind projects.

clients/web/.stylelintrc.json (1)

22-30: LGTM - Rule relaxations are appropriate for Tailwind/Vue.

Disabling no-descending-specificity, selector-class-pattern, and notation rules is standard practice for Tailwind projects where utility classes and dynamic styles are common.

.github/workflows/sonarqube-analysis.yml (4)

52-67: LGTM!

Proper pnpm setup with version pinning and Node cache configuration. The pnpm install at repo root will correctly install workspace dependencies.


79-81: LGTM!

Adding lintDebug to generate Android Lint output for SonarQube integration is appropriate.


176-179: LGTM!

SonarQube report paths are correctly configured for all linters. The glob pattern for Android Lint (**/build/reports/lint-results-*.xml) handles multiple modules.


102-104: Path is correct. The coverage/ directory is created at line 95 with mkdir -p coverage, so the relative path ../../coverage/ from clients/web correctly resolves to the repo-root coverage/ directory.

- Configure Stylelint in `clients/web` with Vue and Tailwind support (ignoring @layer).
- Add `lint:style` script to `clients/web/package.json`.
- Update `sonarqube-analysis.yml` to run Stylelint, Hadolint (safe path handling), and Actionlint (pinned v1.7.11).
- Enable Android Lint generation in Gradle step.
- Configure SonarQube report paths for Stylelint, Android Lint, Hadolint, and Actionlint.

Co-authored-by: yacosta738 <33158051+yacosta738@users.noreply.github.com>
@coderabbitai coderabbitai bot added area:gradle and removed area:ci labels Mar 7, 2026
Contributor

@coderabbitai coderabbitai bot left a comment

♻️ Duplicate comments (1)
.github/workflows/sonarqube-analysis.yml (1)

65-67: ⚠️ Potential issue | 🔴 Critical

Stylelint step will fail silently; dependencies not installed for clients/web.

The root pnpm install (line 67) doesn't install clients/web dependencies because there's no workspaces configuration and no pnpm-workspace.yaml. When the Stylelint step runs pnpm -C clients/web run lint:style (line 104), it will fail to find the stylelint binary since clients/web/node_modules won't exist. The || true masks this failure, so the workflow appears successful but the stylelint report won't be generated.

Fix: Either add workspaces to root package.json, or install dependencies in the client directory:

      - name: 📦 Install dependencies
        if: env.SONAR_TOKEN != ''
-       run: pnpm install
+       run: |
+         pnpm install
+         pnpm -C clients/web install
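Review bot: the guard `if: env.SONAR_TOKEN != ''` on this step means the Sonar token is in the environment while both `pnpm install` lines run, so any dependency lifecycle script that executes during install can read it. For a job that only lints and reports, consider `pnpm install --ignore-scripts` on both lines, and pass `--frozen-lockfile` explicitly rather than relying on pnpm's CI default, so a lockfile that has drifted from package.json fails the step instead of resolving new versions.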
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/sonarqube-analysis.yml around lines 65 - 67, The CI
installs dependencies at the root with the existing "pnpm install" step but
clients/web dependencies aren't installed, so the later "pnpm -C clients/web run
lint:style" (which is masked by "|| true") will silently fail; fix by ensuring
clients/web deps are installed before linting—either add workspace configuration
to the root package.json/pnpm-workspace.yaml so root "pnpm install" installs
workspaces, or add an explicit "pnpm -C clients/web install" step prior to the
Stylelint step and remove the "|| true" so failures surface.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: b13b6451-e777-4a77-846e-7c4c699f7493

📥 Commits

Reviewing files that changed from the base of the PR and between 0efce76 and 6af024d.

📒 Files selected for processing (2)
  • .github/workflows/sonarqube-analysis.yml
  • clients/web/.stylelintrc.json
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: pr-checks
  • GitHub Check: pr-checks
  • GitHub Check: Cloudflare Pages
🔇 Additional comments (6)
clients/web/.stylelintrc.json (1)

1-33: LGTM!

Config properly extends standard, Vue, and recess-order presets. Tailwind at-rules (including layer) are correctly whitelisted. The disabled rules are appropriate for a Tailwind + Vue project where utility classes and generated specificity patterns are common.

.github/workflows/sonarqube-analysis.yml (5)

79-81: LGTM!

Adding lintDebug generates the Android Lint XML reports consumed by the new sonar.androidLint.reportPaths configuration.


102-104: Output path is correct; blocked by missing dependencies.

The relative paths (../../coverage/) resolve correctly from clients/web. However, this step will fail until the dependency installation issue (lines 65-67) is resolved.


106-109: LGTM!

Using find -exec {} + safely handles paths with spaces. The || true allows the workflow to continue even if Dockerfiles have lint issues.


111-114: LGTM!

Using the pinned Docker image rhysd/actionlint:v1.7.11 addresses the supply-chain risk from the previous unpinned download script approach.


176-179: LGTM!

Report paths correctly reference the outputs from Stylelint, Android Lint, Hadolint, and Actionlint steps.

@yacosta738
Contributor Author

@jules Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In @.github/workflows/sonarqube-analysis.yml:

  • Around line 65-67: The CI installs dependencies at the root with the existing
    "pnpm install" step but clients/web dependencies aren't installed, so the later
    "pnpm -C clients/web run lint:style" (which is masked by "|| true") will
    silently fail; fix by ensuring clients/web deps are installed before
    linting—either add workspace configuration to the root
    package.json/pnpm-workspace.yaml so root "pnpm install" installs workspaces, or
    add an explicit "pnpm -C clients/web install" step prior to the Stylelint step
    and remove the "|| true" so failures surface.

@google-labs-jules
Contributor

@jules Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In @.github/workflows/sonarqube-analysis.yml:

  • Around line 65-67: The CI installs dependencies at the root with the existing
    "pnpm install" step but clients/web dependencies aren't installed, so the later
    "pnpm -C clients/web run lint:style" (which is masked by "|| true") will
    silently fail; fix by ensuring clients/web deps are installed before
    linting—either add workspace configuration to the root
    package.json/pnpm-workspace.yaml so root "pnpm install" installs workspaces, or
    add an explicit "pnpm -C clients/web install" step prior to the Stylelint step
    and remove the "|| true" so failures surface.

I've addressed the findings from your feedback:

  1. Clients/Web Dependencies: Added an explicit pnpm -C clients/web install step before Stylelint to ensure dependencies are available.
  2. Surfacing Failures: Removed || true from the Stylelint, Hadolint, and Actionlint steps so that any issues will correctly fail the CI build.
  3. Safe Path Handling: Refactored Hadolint and Actionlint to use find ... -exec docker ... {} +, which safely handles filenames with spaces and executes efficiently.
  4. Pinned Actionlint: Switched to the pinned Docker image rhysd/actionlint:v1.7.11 to ensure consistency and security.
  5. Stylelint Configuration: Added layer to the ignoreAtRules list in .stylelintrc.json to support Tailwind's @layer directive.
  6. Sonar Properties: Verified and fixed the SonarQube property keys as originally requested.

- Add explicit `pnpm -C clients/web install` step.
- Remove `|| true` from linting steps to surface failures.
- Refactor Hadolint and Actionlint to use safe Docker-based execution with `find -exec`.
- Add `layer` to Stylelint `at-rule-no-unknown` ignore list.
- Ensure all Sonar property keys match requested values.

Co-authored-by: yacosta738 <33158051+yacosta738@users.noreply.github.com>
@coderabbitai coderabbitai bot added area:ci and removed area:gradle labels Mar 7, 2026
Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/sonarqube-analysis.yml:
- Around line 110-113: The CI step "🐳 Run Hadolint" currently redirects output
from the find+docker command to coverage/hadolint-report.json which creates an
empty file if no Dockerfiles are found; change the step's run script so it first
checks if find returns any Dockerfiles and only runs hadolint when there are
matches, otherwise write a safe empty JSON (e.g. "[]") or skip creating the
file. Modify the existing command that uses find ... hadolint ... >
coverage/hadolint-report.json to a small shell conditional that tests the find
result (or captures the hadolint output and writes "[]" when empty) so SonarQube
always gets valid JSON or no file.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 498cd823-b63e-4e25-86d5-6fb14d7e9cb0

📥 Commits

Reviewing files that changed from the base of the PR and between 6af024d and 3801e0c.

📒 Files selected for processing (2)
  • .github/workflows/sonarqube-analysis.yml
  • clients/web/.stylelintrc.json
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: pr-checks
  • GitHub Check: pr-checks
  • GitHub Check: Cloudflare Pages
🔇 Additional comments (6)
clients/web/.stylelintrc.json (1)

1-48: LGTM! Well-configured Stylelint setup for Tailwind/Vue.

The config appropriately extends standard presets and correctly ignores Tailwind-specific at-rules in both standard and SCSS contexts. The disabled rules are reasonable for utility-first CSS frameworks.

.github/workflows/sonarqube-analysis.yml (5)

52-71: LGTM! Proper pnpm setup with explicit workspace install.

Correctly addresses the flagged issue where clients/web dependencies weren't installed. The pinned action SHA and explicit -C clients/web install step ensure the Stylelint dependencies are available.


83-85: LGTM! Added Android lint generation.

The lintDebug task will generate lint reports consumed by SonarQube via the androidLint.reportPaths property.


115-118: LGTM! Actionlint properly pinned to v1.7.11.

Addresses the prior security concern about unpinned downloads. The Docker-based execution with explicit version tag is reproducible and secure.


180-183: LGTM! Report paths align with lint outputs.

The SonarQube property paths correctly reference the JSON reports generated by the respective lint steps.


106-108: Stylelint violations will block the pipeline before SonarQube analysis runs.

The codebase currently has multiple style violations (color formats, property ordering, empty line rules) that will cause this step to fail. Either fix the violations in the source code or append || true to allow the build to continue.
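
The two Hadolint findings raised in the reviews above (Dockerfile paths containing spaces, and a zero-byte report when no Dockerfile matches), worked through as an added shell example that is not part of the PR or the project's workflow. `lint_dockerfiles`, `unsafe_arg_count` and the stub linter are hypothetical names; the stub stands in for the hadolint binary so the script runs offline against a constructed tree.

```shell
#!/bin/sh
# Added example, not code from the PR. lint_dockerfiles, unsafe_arg_count and
# the stub linter are hypothetical; in CI the linter would be the hadolint binary.

# Number of arguments a linter would receive from an unquoted $(find ...):
# the shell word-splits the output, so "my service/Dockerfile" becomes two words.
unsafe_arg_count() {
    # shellcheck disable=SC2046  # deliberate: this is the pattern under review
    set -- $(find "$1" -name 'Dockerfile*' ! -path '*/node_modules/*' -type f)
    echo "$#"
}

# lint_dockerfiles ROOT OUTFILE LINTER [ARGS...]
# Writes the linter's output to OUTFILE, or "[]" when ROOT holds no Dockerfiles.
# Returns non-zero when the linter does, so the caller decides whether to fail.
lint_dockerfiles() {
    ld_root=$1; ld_out=$2; shift 2
    # Only emptiness is tested here, so unusual filenames cannot mislead the check.
    ld_first=$(find "$ld_root" -name 'Dockerfile*' ! -path '*/node_modules/*' \
        -type f | head -n 1)
    if [ -z "$ld_first" ]; then
        printf '[]\n' > "$ld_out"   # valid JSON instead of a zero-byte report
        return 0
    fi
    # "-exec CMD {} +" hands each path to CMD as one argv entry, spaces intact.
    find "$ld_root" -name 'Dockerfile*' ! -path '*/node_modules/*' -type f \
        -exec "$@" {} + > "$ld_out"
}

# Constructed sample tree plus a stub linter that reports how many files it got.
make_sample() {
    ms_tmp=$(mktemp -d)
    mkdir -p "$ms_tmp/repo/my service" "$ms_tmp/repo/api" \
        "$ms_tmp/repo/node_modules/pkg" "$ms_tmp/empty"
    : > "$ms_tmp/repo/my service/Dockerfile"
    : > "$ms_tmp/repo/api/Dockerfile.dev"
    : > "$ms_tmp/repo/node_modules/pkg/Dockerfile"
    printf '%s\n' 'printf "[{\"files\":%d}]\n" "$#"' > "$ms_tmp/stub-lint"
    echo "$ms_tmp"
}

sample=$(make_sample)
echo "unquoted substitution: $(unsafe_arg_count "$sample/repo") args for 2 files"
lint_dockerfiles "$sample/repo" "$sample/report.json" sh "$sample/stub-lint"
echo "find -exec report:     $(cat "$sample/report.json")"
lint_dockerfiles "$sample/empty" "$sample/empty.json" sh "$sample/stub-lint"
echo "no Dockerfiles report: $(cat "$sample/empty.json")"
```

With many Dockerfiles `find` may split the `-exec ... {} +` call into several linter runs, which would concatenate several JSON arrays into one report; the sketch assumes a single batch.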

yacosta738 and others added 5 commits March 7, 2026 16:57
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Signed-off-by: Yuniel Acosta Pérez <33158051+yacosta738@users.noreply.github.com>
- Update `pnpm/action-setup` SHA to working version `41ff72655975bd51cab0327fa583b6e92b6d3061`.
- Address PR feedback by adding explicit `pnpm -C clients/web install`.
- Surface failures by removing `|| true` from linting steps.
- Use safe Docker-based execution for Hadolint and Actionlint with `find -exec`.
- Add `layer` to Stylelint ignore list for Tailwind support.
- Ensure all Sonar property keys match requested values.

Co-authored-by: yacosta738 <33158051+yacosta738@users.noreply.github.com>
- Synchronize root `pnpm-lock.yaml` with `package.json`.
- Update `pnpm/action-setup` to a verified commit SHA.
- Explicitly install `clients/web` dependencies in CI.
- Ensure Stylelint configuration ignores Tailwind's `@layer`.
- Configure SonarQube report paths for Stylelint, Android Lint, Hadolint, and Actionlint.

Co-authored-by: yacosta738 <33158051+yacosta738@users.noreply.github.com>
- Configure Stylelint in `clients/web` with Vue/Tailwind support.
- Enforce long hex notation and normalize colors across the web module.
- Fix CI workflow: use working pnpm action SHA, safe Docker exec for linters.
- Sync `pnpm-lock.yaml` with root `package.json`.
- Configure SonarQube report paths for Stylelint, Android Lint, Hadolint, and Actionlint.

Co-authored-by: yacosta738 <33158051+yacosta738@users.noreply.github.com>
- Switch Hadolint and Actionlint to binary-based execution to avoid Docker Hub rate limits.
- Ensure 6-digit hex notation consistency across the web monorepo.
- Fix pnpm/action-setup SHA to verified version.
- Explicitly install clients/web dependencies in CI.
- Configure all requested SonarQube report paths.

Co-authored-by: yacosta738 <33158051+yacosta738@users.noreply.github.com>
- Configure Stylelint in `clients/web` with Vue, SCSS, and Tailwind support.
- Enforce 6-digit hex notation across the web module and normalize existing colors.
- Fix SonarQube analysis workflow:
  - Synchronize lockfile and use verified `pnpm/action-setup` SHA.
  - Explicitly install workspace dependencies.
  - Use binary-based execution for Hadolint and Actionlint to bypass Docker rate limits.
  - Correct Sonar report path property keys.
- Fix Dockerfiles in `clients/agent-runtime` to resolve Hadolint parse errors.

Co-authored-by: yacosta738 <33158051+yacosta738@users.noreply.github.com>
@yacosta738 yacosta738 merged commit 0e84f10 into main Mar 7, 2026
17 of 18 checks passed
@yacosta738 yacosta738 deleted the ci/configure-sonar-linters-reporting-10917054857490866092 branch March 7, 2026 18:20