ci: add sonarcloud workflow and configure sonar-project.properties#108
ci: add sonarcloud workflow and configure sonar-project.properties#108EmiyaKiritsugu3 wants to merge 6 commits into
Conversation
Adds a GitHub Actions workflow to run SonarCloud analysis on push and pull requests. Updates sonar-project.properties to properly locate the lcov code coverage file and set inclusion/exclusion patterns. Co-authored-by: EmiyaKiritsugu3 <61369082+EmiyaKiritsugu3@users.noreply.github.com>
|
👋 Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task. |
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
WalkthroughThis pull request introduces SonarCloud code quality analysis to the CI/CD pipeline. A new GitHub Actions workflow triggers on pushes to ChangesSonarCloud CI and Analysis Configuration
🎯 2 (Simple) | ⏱️ ~8 minutes 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
- Replace deprecated `SonarSource/sonarcloud-github-action@master` with `SonarSource/sonarqube-scan-action@v4` as requested by the CI warning. - Add `sonar.java.binaries=.` to `sonar-project.properties` to fix the "EXECUTION FAILURE" caused by missing java binaries configuration during analysis when Automatic Analysis is enabled (or to resolve the underlying misconfiguration causing it to crash). Co-authored-by: EmiyaKiritsugu3 <61369082+EmiyaKiritsugu3@users.noreply.github.com>
There was a problem hiding this comment.
Actionable comments posted: 2
🧹 Nitpick comments (1)
.github/workflows/sonarcloud.yml (1)
3-13: ⚡ Quick winSet explicit least-privilege workflow permissions.
This workflow relies on default token permissions. Add explicit
permissionsto reduce blast radius and prevent repo-level default drift.Suggested patch
on: push: branches: - main pull_request: types: [opened, synchronize, reopened] +permissions: + contents: read + pull-requests: read + jobs: sonarcloud:🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/sonarcloud.yml around lines 3 - 13, The workflow relies on default GITHUB_TOKEN permissions—add an explicit top-level permissions block to enforce least privilege; update the YAML around the existing on: and jobs: sonarcloud: sections to include a permissions: mapping (for example at minimum set contents: read and only the specific permissions the SonarCloud steps require such as pull-requests: write or id-token: write if using OIDC), ensuring you place it at the workflow root so the sonarcould job (named sonarcloud, runs-on: ubuntu-latest) uses only those explicit permissions.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/sonarcloud.yml:
- Around line 31-32: Replace the mutable tag for the SonarCloud GitHub Action
with a pinned commit SHA: locate the workflow step using the SonarSource action
(e.g., the uses string "SonarSource/sonarqube-scan-action@v4" or similar in the
SonarCloud Scan step) and update it to reference the specific commit SHA for the
desired v4.x release so the action is immutable and prevents CI supply-chain
drift.
- Around line 15-23: Update the workflow to pin both actions to their immutable
commit SHAs and disable checkout credential persistence: change the uses for
actions/checkout@v4 to the full commit SHA and add persist-credentials: false
under its with block (referencing the actions/checkout step and the
persist-credentials setting), and change actions/setup-node@v4 to its full
commit SHA (referencing the actions/setup-node step) while keeping the existing
with keys like node-version and cache unchanged.
---
Nitpick comments:
In @.github/workflows/sonarcloud.yml:
- Around line 3-13: The workflow relies on default GITHUB_TOKEN permissions—add
an explicit top-level permissions block to enforce least privilege; update the
YAML around the existing on: and jobs: sonarcloud: sections to include a
permissions: mapping (for example at minimum set contents: read and only the
specific permissions the SonarCloud steps require such as pull-requests: write
or id-token: write if using OIDC), ensuring you place it at the workflow root so
the sonarcould job (named sonarcloud, runs-on: ubuntu-latest) uses only those
explicit permissions.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: 958358a7-18b1-4319-8a73-3d19f2ed037a
📒 Files selected for processing (2)
.github/workflows/sonarcloud.ymlsonar-project.properties
| - uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis | ||
|
|
||
| - name: Setup Node.js | ||
| uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: '22' | ||
| cache: 'npm' |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
FILE=".github/workflows/sonarcloud.yml"
# Ensure file exists and print the relevant sections with line numbers
if [ ! -f "$FILE" ]; then
echo "Missing file: $FILE" >&2
exit 1
fi
echo "=== File: $FILE (lines 1-220) ==="
nl -ba "$FILE" | sed -n '1,220p'
echo
echo "=== Grep uses: statements ==="
rg -n "^\s*-\s*uses:|uses:" "$FILE" || true
echo
echo "=== Grep for persist-credentials / permissions ==="
rg -n "persist-credentials|permissions:" "$FILE" || true
echo
echo "=== Grep for SonarSource/sonarcloud-github-action ==="
rg -n "SonarSource/sonarcloud-github-action" "$FILE" || trueRepository: EmiyaKiritsugu3/PWeb_Project
Length of output: 195
🏁 Script executed:
#!/bin/bash
set -euo pipefail
FILE=".github/workflows/sonarcloud.yml"
if [ ! -f "$FILE" ]; then
echo "Missing file: $FILE" >&2
exit 1
fi
echo "=== File: $FILE (lines 1-220) ==="
cat -n "$FILE" | sed -n '1,220p'
echo
echo "=== Grep uses: statements ==="
rg -n "^\s*-\s*uses:" "$FILE" || true
echo
echo "=== Grep persist-credentials / permissions ==="
rg -n "persist-credentials|permissions:" "$FILE" || true
echo
echo "=== Grep SonarSource/sonarcloud-github-action ==="
rg -n "SonarSource/sonarcloud-github-action" "$FILE" || trueRepository: EmiyaKiritsugu3/PWeb_Project
Length of output: 1412
🌐 Web query:
actions/checkout v4 persist-credentials default value
💡 Result:
For actions/checkout@v4, the input persist-credentials has default value true.[1][2] This means that unless you explicitly set persist-credentials: false, the action configures (persists) the provided auth token/SSH key in the local git config during checkout.[3][1]
Citations:
- 1: https://github.com/actions/checkout/blob/v4/action.yml
- 2: https://github.com/actions/checkout/blob/v4.1.1/action.yml
- 3: https://github.com/actions/checkout/tree/v4
🌐 Web query:
SonarSource sonarqube-scan-action v4 deprecated archived
💡 Result:
The SonarSource sonarqube-scan-action (official-sonarqube-scan) is an active, ongoing project and is not deprecated or archived [1]. As of May 28, 2026, the latest release is v7.0.0 [1]. Version 4.0.0, released in November 2024, was a significant milestone that replaced the Docker-based action with a composite action [2][3], but this was an evolution of the project rather than a deprecation [2]. It appears there may be confusion with other SonarSource actions: - The sonarcloud-github-action has been deprecated in favor of the sonarqube-scan-action [4]. - There have been specific deprecations for older, language-specific scan actions (e.g., legacy C/C++/Objective-C actions) [5]. If you are currently using v4.x, it is recommended to upgrade to the latest version to benefit from ongoing improvements and support [1]. You can find the latest version and documentation on the official GitHub repository [1].
Citations:
- 1: https://github.com/sonarsource/sonarqube-scan-action
- 2: https://newreleases.io/project/github/SonarSource/sonarqube-scan-action/release/v4.0.0
- 3: SonarSource/sonarqube-scan-action@v3.1.0...v4.0.0
- 4: https://github.com/sonarsource/sonarcloud-github-action
- 5: https://community.sonarsource.com/t/release-and-deprecation-of-github-action-for-c-c-and-objective-c-with-sonarqube-cloud/133185
Pin actions/checkout@v4 / actions/setup-node@v4 to immutable commit SHAs and disable checkout credential persistence.
actions/checkout@v4defaultspersist-credentials: true; setpersist-credentials: falseand pin both actions to full commit SHAs instead ofv4tags.
Suggested patch
jobs:
sonarcloud:
name: SonarCloud
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@<checkout-commit-sha>
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
+ persist-credentials: false
- name: Setup Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@<setup-node-commit-sha>
with:
node-version: '22'
cache: 'npm'🧰 Tools
🪛 zizmor (1.25.2)
[warning] 15-17: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 15-15: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 20-20: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/sonarcloud.yml around lines 15 - 23, Update the workflow
to pin both actions to their immutable commit SHAs and disable checkout
credential persistence: change the uses for actions/checkout@v4 to the full
commit SHA and add persist-credentials: false under its with block (referencing
the actions/checkout step and the persist-credentials setting), and change
actions/setup-node@v4 to its full commit SHA (referencing the actions/setup-node
step) while keeping the existing with keys like node-version and cache
unchanged.
There was a problem hiding this comment.
3 issues found across 2 files
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name=".github/workflows/sonarcloud.yml">
<violation number="1" location=".github/workflows/sonarcloud.yml:15">
P2: `actions/checkout@v4` defaults `persist-credentials` to `true`, which persists the auth token in `.git/config` and exposes it to all subsequent steps. Add `persist-credentials: false` to the `with:` block. Additionally, consider pinning both `actions/checkout` and `actions/setup-node` to full commit SHAs instead of mutable `v4` tags to mitigate supply-chain risk.</violation>
<violation number="2" location=".github/workflows/sonarcloud.yml:32">
P1: This workflow uses a deprecated Sonar action on a mutable `@master` ref. Migrate to `sonarqube-scan-action` and pin to a stable version (or SHA).</violation>
</file>
<file name="sonar-project.properties">
<violation number="1" location="sonar-project.properties:17">
P2: `sonar.tests` is limited to `src`, so tests under the root `tests/` directory are not classified as test code and may be analyzed as source files.</violation>
</file>
Reply with feedback, questions, or to request a fix.
Re-trigger cubic
| sonar.tests=src | ||
| sonar.test.inclusions=src/**/*.test.ts,src/**/*.test.tsx,src/**/*.spec.ts,src/**/*.spec.tsx |
There was a problem hiding this comment.
P2: sonar.tests is limited to src, so tests under the root tests/ directory are not classified as test code and may be analyzed as source files.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At sonar-project.properties, line 17:
<comment>`sonar.tests` is limited to `src`, so tests under the root `tests/` directory are not classified as test code and may be analyzed as source files.</comment>
<file context>
@@ -10,3 +10,9 @@ sonar.organization=emiyakiritsugu3
+# Test coverage reporting
+sonar.javascript.lcov.reportPaths=coverage/lcov.info
+sonar.exclusions=src/**/*.test.ts,src/**/*.test.tsx,src/**/*.spec.ts,src/**/*.spec.tsx,src/test/**,coverage/**,node_modules/**
+sonar.tests=src
+sonar.test.inclusions=src/**/*.test.ts,src/**/*.test.tsx,src/**/*.spec.ts,src/**/*.spec.tsx
</file context>
| sonar.tests=src | |
| sonar.test.inclusions=src/**/*.test.ts,src/**/*.test.tsx,src/**/*.spec.ts,src/**/*.spec.tsx | |
| sonar.tests=src,tests | |
| sonar.test.inclusions=src/**/*.test.ts,src/**/*.test.tsx,src/**/*.spec.ts,src/**/*.spec.tsx,tests/**/*.ts,tests/**/*.tsx |
| name: SonarCloud | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 |
There was a problem hiding this comment.
P2: actions/checkout@v4 defaults persist-credentials to true, which persists the auth token in .git/config and exposes it to all subsequent steps. Add persist-credentials: false to the with: block. Additionally, consider pinning both actions/checkout and actions/setup-node to full commit SHAs instead of mutable v4 tags to mitigate supply-chain risk.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/sonarcloud.yml, line 15:
<comment>`actions/checkout@v4` defaults `persist-credentials` to `true`, which persists the auth token in `.git/config` and exposes it to all subsequent steps. Add `persist-credentials: false` to the `with:` block. Additionally, consider pinning both `actions/checkout` and `actions/setup-node` to full commit SHAs instead of mutable `v4` tags to mitigate supply-chain risk.</comment>
<file context>
@@ -0,0 +1,35 @@
+ name: SonarCloud
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
</file context>
There was a problem hiding this comment.
1 issue found across 2 files (changes from recent commits).
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="sonar-project.properties">
<violation number="1" location="sonar-project.properties:17">
P2: `sonar.tests` is limited to `src`, so tests under the root `tests/` directory are not classified as test code and may be analyzed as source files.</violation>
</file>
<file name=".github/workflows/sonarcloud.yml">
<violation number="1" location=".github/workflows/sonarcloud.yml:15">
P2: `actions/checkout@v4` defaults `persist-credentials` to `true`, which persists the auth token in `.git/config` and exposes it to all subsequent steps. Add `persist-credentials: false` to the `with:` block. Additionally, consider pinning both `actions/checkout` and `actions/setup-node` to full commit SHAs instead of mutable `v4` tags to mitigate supply-chain risk.</violation>
</file>
Reply with feedback, questions, or to request a fix.
Re-trigger cubic
- Updated `SonarSource/sonarcloud-github-action@master` to `SonarSource/sonarcloud-github-action@ba3875ecf642b2129de2b589510c81a8b53dbf4e` as SonarCloud requires full commit SHAs for third-party dependencies (githubactions:S7637).
- Squashed previous fix attempts that caused execution failures. The execution failure occurs because the scanner is running on a PR that is *already* being automatically analyzed by SonarCloud ("You are running CI analysis while Automatic Analysis is enabled"). The action version doesn't fix it, it simply requires disabling one or the other. We will stick with the most stable version and fix the security hotspot.
Co-authored-by: EmiyaKiritsugu3 <61369082+EmiyaKiritsugu3@users.noreply.github.com>
There was a problem hiding this comment.
1 issue found across 2 files (changes from recent commits).
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="sonar-project.properties">
<violation number="1" location="sonar-project.properties:17">
P2: `sonar.tests` is limited to `src`, so tests under the root `tests/` directory are not classified as test code and may be analyzed as source files.</violation>
</file>
<file name=".github/workflows/sonarcloud.yml">
<violation number="1" location=".github/workflows/sonarcloud.yml:15">
P2: `actions/checkout@v4` defaults `persist-credentials` to `true`, which persists the auth token in `.git/config` and exposes it to all subsequent steps. Add `persist-credentials: false` to the `with:` block. Additionally, consider pinning both `actions/checkout` and `actions/setup-node` to full commit SHAs instead of mutable `v4` tags to mitigate supply-chain risk.</violation>
</file>
Tip: Review your code locally with the cubic CLI to iterate faster.
Re-trigger cubic
- Updated `SonarSource/sonarcloud-github-action@master` to `SonarSource/sonarqube-scan-action@689fb39b34b9aa95ebc5f8f119343ddd51542402` (the v4.2.2 release) as SonarCloud requires full commit SHAs for third-party dependencies (githubactions:S7637), and the previous action `sonarcloud-github-action` has a security vulnerability warning and is deprecated in favor of `sonarqube-scan-action`. Co-authored-by: EmiyaKiritsugu3 <61369082+EmiyaKiritsugu3@users.noreply.github.com>
- Updated `SonarSource/sonarcloud-github-action@master` to `SonarSource/sonarqube-scan-action@689fb39b34b9aa95ebc5f8f119343ddd51542402` (the v4.2.2 release) as SonarCloud requires full commit SHAs for third-party dependencies (githubactions:S7637), and the previous action `sonarcloud-github-action` has a security vulnerability warning and is deprecated in favor of `sonarqube-scan-action`. Co-authored-by: EmiyaKiritsugu3 <61369082+EmiyaKiritsugu3@users.noreply.github.com>
There was a problem hiding this comment.
Actionable comments posted: 0
♻️ Duplicate comments (2)
.github/workflows/sonarcloud.yml (2)
15-17:⚠️ Potential issue | 🟠 Major | ⚡ Quick winPin
actions/checkoutto commit SHA and disable credential persistence.This security issue was previously flagged but remains unaddressed. The
@v4tag is mutable andpersist-credentialsdefaults totrue, creating supply-chain and credential-exposure risks.Run the following to find the latest v4 commit SHA:
#!/bin/bash # Fetch the commit SHA for actions/checkout v4 latest gh api repos/actions/checkout/git/ref/tags/v4.2.2 --jq '.object.sha'🔒 Recommended fix
- - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis + persist-credentials: false🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/sonarcloud.yml around lines 15 - 17, Replace the mutable tag on actions/checkout (the uses: actions/checkout@v4 entry) with the specific v4 commit SHA and explicitly disable credential persistence by adding persist-credentials: false under the with block (keep fetch-depth: 0 as-is); in other words, change the uses reference to the exact commit SHA for the v4 release and add persist-credentials: false alongside fetch-depth to prevent exposing GH credentials during the workflow.
20-23:⚠️ Potential issue | 🟠 Major | ⚡ Quick winPin
actions/setup-nodeto commit SHA.This security issue was previously flagged but remains unaddressed. The
@v4tag is mutable, creating supply-chain risk.Run the following to find the latest v4 commit SHA:
#!/bin/bash # Fetch the commit SHA for actions/setup-node v4 latest gh api repos/actions/setup-node/git/ref/tags/v4.1.0 --jq '.object.sha'🔒 Recommended fix
- name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 with: node-version: '22' cache: 'npm'🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/sonarcloud.yml around lines 20 - 23, Replace the mutable tag "actions/setup-node@v4" with the specific commit SHA for the v4 release to eliminate supply-chain risk: locate the latest v4 commit SHA for the actions/setup-node repo and update the uses entry (the line containing uses: actions/setup-node@v4) to uses: actions/setup-node@<COMMIT_SHA>; commit and push the workflow change so the workflow pins to the immutable SHA instead of the `@v4` tag.
🧹 Nitpick comments (1)
.github/workflows/sonarcloud.yml (1)
10-13: ⚡ Quick winConsider explicit job-level permissions for security hardening.
While the workflow functions correctly, defining explicit permissions follows the principle of least privilege. For SonarCloud analysis, you typically need:
contents: read(checkout code)pull-requests: write(comment on PRs with analysis results, if using that feature)This prevents potential token abuse if the workflow is compromised.
Example permissions block
jobs: sonarcloud: name: SonarCloud runs-on: ubuntu-latest permissions: contents: read pull-requests: write steps: # ...🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/sonarcloud.yml around lines 10 - 13, Add an explicit job-level permissions block to the sonarcloud job to follow least-privilege practices: inside the sonarcloud job (name: SonarCloud) add a permissions section and set contents: read and pull-requests: write so the job only has the privileges required for checkout and PR comments.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Duplicate comments:
In @.github/workflows/sonarcloud.yml:
- Around line 15-17: Replace the mutable tag on actions/checkout (the uses:
actions/checkout@v4 entry) with the specific v4 commit SHA and explicitly
disable credential persistence by adding persist-credentials: false under the
with block (keep fetch-depth: 0 as-is); in other words, change the uses
reference to the exact commit SHA for the v4 release and add
persist-credentials: false alongside fetch-depth to prevent exposing GH
credentials during the workflow.
- Around line 20-23: Replace the mutable tag "actions/setup-node@v4" with the
specific commit SHA for the v4 release to eliminate supply-chain risk: locate
the latest v4 commit SHA for the actions/setup-node repo and update the uses
entry (the line containing uses: actions/setup-node@v4) to uses:
actions/setup-node@<COMMIT_SHA>; commit and push the workflow change so the
workflow pins to the immutable SHA instead of the `@v4` tag.
---
Nitpick comments:
In @.github/workflows/sonarcloud.yml:
- Around line 10-13: Add an explicit job-level permissions block to the
sonarcloud job to follow least-privilege practices: inside the sonarcloud job
(name: SonarCloud) add a permissions section and set contents: read and
pull-requests: write so the job only has the privileges required for checkout
and PR comments.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: f15bcb4e-3072-4f7b-a87a-efc153697fdd
📒 Files selected for processing (1)
.github/workflows/sonarcloud.yml
The \`tmp\` dependency version <0.2.6 has a high severity Path Traversal vulnerability (GHSA-ph9p-34f9-6g65). This caused \`npm audit --audit-level=high\` to fail in the Quality Gates pipeline. This commit adds an override in \`package.json\` to force \`tmp@^0.2.6\` to resolve the vulnerability and allow CI to pass. Co-authored-by: EmiyaKiritsugu3 <61369082+EmiyaKiritsugu3@users.noreply.github.com>
|
Code reviewFound 1 issue:
PWeb_Project/sonar-project.properties Lines 13 to 18 in 854a6fa 🤖 Generated with Claude Code - If this code review was useful, please react with 👍. Otherwise, react with 👎. |



Adds a GitHub Actions workflow to run SonarCloud analysis on push and pull requests.
Updates sonar-project.properties to properly locate the lcov code coverage file and set inclusion/exclusion patterns.
PR created automatically by Jules for task 9557857554513136301 started by @EmiyaKiritsugu3
Summary by cubic
Add a SonarCloud CI workflow for pushes to
mainand PRs. It runs tests with coverage, uploads analysis viaSonarSource/sonarqube-scan-actionpinned to a commit SHA, and fixes a high‑severitytmpvulnerability to keep CI green.New Features
mainandpull_request.npm ci --legacy-peer-deps;npm run test:coverage;actions/checkout@v4with full history.SonarSource/sonarqube-scan-actionwithGITHUB_TOKEN/SONAR_TOKEN;sonar-project.propertiessetscoverage/lcov.info, test includes, and exclusions.Bug Fixes
githubactions:S7637.tmpto^0.2.6(resolved to 0.2.7) to fix a high‑severity path traversal and passnpm audit --audit-level=high.Written for commit 854a6fa. Summary will update on new commits.
Review in cubic
Summary by CodeRabbit