Skip to content

ci: add sonarcloud workflow and configure sonar-project.properties#108

Closed
EmiyaKiritsugu3 wants to merge 6 commits into
mainfrom
jules-9557857554513136301-2c1fbab8
Closed

ci: add sonarcloud workflow and configure sonar-project.properties#108
EmiyaKiritsugu3 wants to merge 6 commits into
mainfrom
jules-9557857554513136301-2c1fbab8

Conversation

@EmiyaKiritsugu3

@EmiyaKiritsugu3 EmiyaKiritsugu3 commented May 28, 2026

Copy link
Copy Markdown
Owner

Adds a GitHub Actions workflow to run SonarCloud analysis on push and pull requests.
Updates sonar-project.properties to properly locate the lcov code coverage file and set inclusion/exclusion patterns.


PR created automatically by Jules for task 9557857554513136301 started by @EmiyaKiritsugu3


Summary by cubic

Add a SonarCloud CI workflow for pushes to main and PRs. It runs tests with coverage, uploads analysis via SonarSource/sonarqube-scan-action pinned to a commit SHA, and fixes a high‑severity tmp vulnerability to keep CI green.

  • New Features

    • Runs on push to main and pull_request.
    • Node 22; npm ci --legacy-peer-deps; npm run test:coverage; actions/checkout@v4 with full history.
    • Sonar scan via SonarSource/sonarqube-scan-action with GITHUB_TOKEN/SONAR_TOKEN; sonar-project.properties sets coverage/lcov.info, test includes, and exclusions.
  • Bug Fixes

    • Replaced deprecated SonarCloud action and pinned to a full commit SHA to satisfy githubactions:S7637.
    • Overrode tmp to ^0.2.6 (resolved to 0.2.7) to fix a high‑severity path traversal and pass npm audit --audit-level=high.

Written for commit 854a6fa. Summary will update on new commits.

Review in cubic

Summary by CodeRabbit

  • Chores
    • Added automated code-quality analysis to run on pushes and pull requests to help catch issues earlier.
    • Configured coverage and test discovery for analysis so test results and coverage are included in quality reports.

Review Change Stack

Adds a GitHub Actions workflow to run SonarCloud analysis on push and pull requests.
Updates sonar-project.properties to properly locate the lcov code coverage file and set inclusion/exclusion patterns.

Co-authored-by: EmiyaKiritsugu3 <61369082+EmiyaKiritsugu3@users.noreply.github.com>
@google-labs-jules

Copy link
Copy Markdown
Contributor

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.


For security, I will only act on instructions from the user who triggered this task.

@vercel

vercel Bot commented May 28, 2026

Copy link
Copy Markdown
Contributor

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
smartmanagementsystem Ready Ready Preview, Comment May 28, 2026 9:14pm

@coderabbitai

coderabbitai Bot commented May 28, 2026

Copy link
Copy Markdown

Walkthrough

This pull request introduces SonarCloud code quality analysis to the CI/CD pipeline. A new GitHub Actions workflow triggers on pushes to main and pull requests, executing tests with coverage collection and uploading results to SonarCloud. Configuration rules specify the coverage report location, test file patterns, and directories to exclude from analysis.

Changes

SonarCloud CI and Analysis Configuration

Layer / File(s) Summary
SonarCloud CI workflow
.github/workflows/sonarcloud.yml
GitHub Actions workflow that triggers on main branch pushes and pull request lifecycle events (opened, synchronize, reopened). The sonarcloud job checks out the repository with full history, configures Node.js 22 with npm caching, installs dependencies using npm ci --legacy-peer-deps, runs npm run test:coverage to generate coverage reports, and executes the SonarSource GitHub action with GITHUB_TOKEN and SONAR_TOKEN secrets.
SonarCloud analysis configuration
sonar-project.properties
Configuration file updates define the JavaScript LCOV report location (coverage/lcov.info), exclude test and coverage directories via sonar.exclusions, and identify test files using sonar.tests (directory) and sonar.test.inclusions (glob pattern).

🎯 2 (Simple) | ⏱️ ~8 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly summarizes the main changes: adding a SonarCloud CI workflow and configuring the sonar-project.properties file.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description check ✅ Passed PR description is mostly complete with clear objectives, changes, and context, though it deviates from template structure with auto-generated content.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch jules-9557857554513136301-2c1fbab8

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

- Replace deprecated `SonarSource/sonarcloud-github-action@master` with `SonarSource/sonarqube-scan-action@v4` as requested by the CI warning.
- Add `sonar.java.binaries=.` to `sonar-project.properties` to fix the "EXECUTION FAILURE" caused by missing java binaries configuration during analysis when Automatic Analysis is enabled (or to resolve the underlying misconfiguration causing it to crash).

Co-authored-by: EmiyaKiritsugu3 <61369082+EmiyaKiritsugu3@users.noreply.github.com>

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🧹 Nitpick comments (1)
.github/workflows/sonarcloud.yml (1)

3-13: ⚡ Quick win

Set explicit least-privilege workflow permissions.

This workflow relies on default token permissions. Add explicit permissions to reduce blast radius and prevent repo-level default drift.

Suggested patch
 on:
   push:
     branches:
       - main
   pull_request:
     types: [opened, synchronize, reopened]
 
+permissions:
+  contents: read
+  pull-requests: read
+
 jobs:
   sonarcloud:
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/sonarcloud.yml around lines 3 - 13, The workflow relies on
default GITHUB_TOKEN permissions—add an explicit top-level permissions block to
enforce least privilege; update the YAML around the existing on: and jobs:
sonarcloud: sections to include a permissions: mapping (for example at minimum
set contents: read and only the specific permissions the SonarCloud steps
require such as pull-requests: write or id-token: write if using OIDC), ensuring
you place it at the workflow root so the sonarcould job (named sonarcloud,
runs-on: ubuntu-latest) uses only those explicit permissions.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/sonarcloud.yml:
- Around line 31-32: Replace the mutable tag for the SonarCloud GitHub Action
with a pinned commit SHA: locate the workflow step using the SonarSource action
(e.g., the uses string "SonarSource/sonarqube-scan-action@v4" or similar in the
SonarCloud Scan step) and update it to reference the specific commit SHA for the
desired v4.x release so the action is immutable and prevents CI supply-chain
drift.
- Around line 15-23: Update the workflow to pin both actions to their immutable
commit SHAs and disable checkout credential persistence: change the uses for
actions/checkout@v4 to the full commit SHA and add persist-credentials: false
under its with block (referencing the actions/checkout step and the
persist-credentials setting), and change actions/setup-node@v4 to its full
commit SHA (referencing the actions/setup-node step) while keeping the existing
with keys like node-version and cache unchanged.

---

Nitpick comments:
In @.github/workflows/sonarcloud.yml:
- Around line 3-13: The workflow relies on default GITHUB_TOKEN permissions—add
an explicit top-level permissions block to enforce least privilege; update the
YAML around the existing on: and jobs: sonarcloud: sections to include a
permissions: mapping (for example at minimum set contents: read and only the
specific permissions the SonarCloud steps require such as pull-requests: write
or id-token: write if using OIDC), ensuring you place it at the workflow root so
the sonarcould job (named sonarcloud, runs-on: ubuntu-latest) uses only those
explicit permissions.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 958358a7-18b1-4319-8a73-3d19f2ed037a

📥 Commits

Reviewing files that changed from the base of the PR and between ec66c88 and 70a16ce.

📒 Files selected for processing (2)
  • .github/workflows/sonarcloud.yml
  • sonar-project.properties

Comment on lines +15 to +23
- uses: actions/checkout@v4
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis

- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: '22'
cache: 'npm'

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".github/workflows/sonarcloud.yml"

# Ensure file exists and print the relevant sections with line numbers
if [ ! -f "$FILE" ]; then
  echo "Missing file: $FILE" >&2
  exit 1
fi

echo "=== File: $FILE (lines 1-220) ==="
nl -ba "$FILE" | sed -n '1,220p'
echo
echo "=== Grep uses: statements ==="
rg -n "^\s*-\s*uses:|uses:" "$FILE" || true
echo
echo "=== Grep for persist-credentials / permissions ==="
rg -n "persist-credentials|permissions:" "$FILE" || true
echo
echo "=== Grep for SonarSource/sonarcloud-github-action ==="
rg -n "SonarSource/sonarcloud-github-action" "$FILE" || true

Repository: EmiyaKiritsugu3/PWeb_Project

Length of output: 195


🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".github/workflows/sonarcloud.yml"

if [ ! -f "$FILE" ]; then
  echo "Missing file: $FILE" >&2
  exit 1
fi

echo "=== File: $FILE (lines 1-220) ==="
cat -n "$FILE" | sed -n '1,220p'
echo
echo "=== Grep uses: statements ==="
rg -n "^\s*-\s*uses:" "$FILE" || true
echo
echo "=== Grep persist-credentials / permissions ==="
rg -n "persist-credentials|permissions:" "$FILE" || true
echo
echo "=== Grep SonarSource/sonarcloud-github-action ==="
rg -n "SonarSource/sonarcloud-github-action" "$FILE" || true

Repository: EmiyaKiritsugu3/PWeb_Project

Length of output: 1412


🌐 Web query:

actions/checkout v4 persist-credentials default value

💡 Result:

For actions/checkout@v4, the input persist-credentials has default value true.[1][2] This means that unless you explicitly set persist-credentials: false, the action configures (persists) the provided auth token/SSH key in the local git config during checkout.[3][1]

Citations:


🌐 Web query:

SonarSource sonarqube-scan-action v4 deprecated archived

💡 Result:

The SonarSource sonarqube-scan-action (official-sonarqube-scan) is an active, ongoing project and is not deprecated or archived [1]. As of May 28, 2026, the latest release is v7.0.0 [1]. Version 4.0.0, released in November 2024, was a significant milestone that replaced the Docker-based action with a composite action [2][3], but this was an evolution of the project rather than a deprecation [2]. It appears there may be confusion with other SonarSource actions: - The sonarcloud-github-action has been deprecated in favor of the sonarqube-scan-action [4]. - There have been specific deprecations for older, language-specific scan actions (e.g., legacy C/C++/Objective-C actions) [5]. If you are currently using v4.x, it is recommended to upgrade to the latest version to benefit from ongoing improvements and support [1]. You can find the latest version and documentation on the official GitHub repository [1].

Citations:


Pin actions/checkout@v4 / actions/setup-node@v4 to immutable commit SHAs and disable checkout credential persistence.

  • actions/checkout@v4 defaults persist-credentials: true; set persist-credentials: false and pin both actions to full commit SHAs instead of v4 tags.
Suggested patch
 jobs:
   sonarcloud:
     name: SonarCloud
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@<checkout-commit-sha>
         with:
           fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
+          persist-credentials: false
 
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@<setup-node-commit-sha>
         with:
           node-version: '22'
           cache: 'npm'
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 15-17: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 15-15: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 20-20: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/sonarcloud.yml around lines 15 - 23, Update the workflow
to pin both actions to their immutable commit SHAs and disable checkout
credential persistence: change the uses for actions/checkout@v4 to the full
commit SHA and add persist-credentials: false under its with block (referencing
the actions/checkout step and the persist-credentials setting), and change
actions/setup-node@v4 to its full commit SHA (referencing the actions/setup-node
step) while keeping the existing with keys like node-version and cache
unchanged.

Comment thread .github/workflows/sonarcloud.yml Outdated

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

3 issues found across 2 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name=".github/workflows/sonarcloud.yml">

<violation number="1" location=".github/workflows/sonarcloud.yml:15">
P2: `actions/checkout@v4` defaults `persist-credentials` to `true`, which persists the auth token in `.git/config` and exposes it to all subsequent steps. Add `persist-credentials: false` to the `with:` block. Additionally, consider pinning both `actions/checkout` and `actions/setup-node` to full commit SHAs instead of mutable `v4` tags to mitigate supply-chain risk.</violation>

<violation number="2" location=".github/workflows/sonarcloud.yml:32">
P1: This workflow uses a deprecated Sonar action on a mutable `@master` ref. Migrate to `sonarqube-scan-action` and pin to a stable version (or SHA).</violation>
</file>

<file name="sonar-project.properties">

<violation number="1" location="sonar-project.properties:17">
P2: `sonar.tests` is limited to `src`, so tests under the root `tests/` directory are not classified as test code and may be analyzed as source files.</violation>
</file>

Reply with feedback, questions, or to request a fix.

Re-trigger cubic

Comment thread .github/workflows/sonarcloud.yml Outdated
Comment thread sonar-project.properties
Comment on lines +17 to +18
sonar.tests=src
sonar.test.inclusions=src/**/*.test.ts,src/**/*.test.tsx,src/**/*.spec.ts,src/**/*.spec.tsx

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2: sonar.tests is limited to src, so tests under the root tests/ directory are not classified as test code and may be analyzed as source files.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At sonar-project.properties, line 17:

<comment>`sonar.tests` is limited to `src`, so tests under the root `tests/` directory are not classified as test code and may be analyzed as source files.</comment>

<file context>
@@ -10,3 +10,9 @@ sonar.organization=emiyakiritsugu3
+# Test coverage reporting
+sonar.javascript.lcov.reportPaths=coverage/lcov.info
+sonar.exclusions=src/**/*.test.ts,src/**/*.test.tsx,src/**/*.spec.ts,src/**/*.spec.tsx,src/test/**,coverage/**,node_modules/**
+sonar.tests=src
+sonar.test.inclusions=src/**/*.test.ts,src/**/*.test.tsx,src/**/*.spec.ts,src/**/*.spec.tsx
</file context>
Suggested change
sonar.tests=src
sonar.test.inclusions=src/**/*.test.ts,src/**/*.test.tsx,src/**/*.spec.ts,src/**/*.spec.tsx
sonar.tests=src,tests
sonar.test.inclusions=src/**/*.test.ts,src/**/*.test.tsx,src/**/*.spec.ts,src/**/*.spec.tsx,tests/**/*.ts,tests/**/*.tsx

name: SonarCloud
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2: actions/checkout@v4 defaults persist-credentials to true, which persists the auth token in .git/config and exposes it to all subsequent steps. Add persist-credentials: false to the with: block. Additionally, consider pinning both actions/checkout and actions/setup-node to full commit SHAs instead of mutable v4 tags to mitigate supply-chain risk.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/sonarcloud.yml, line 15:

<comment>`actions/checkout@v4` defaults `persist-credentials` to `true`, which persists the auth token in `.git/config` and exposes it to all subsequent steps. Add `persist-credentials: false` to the `with:` block. Additionally, consider pinning both `actions/checkout` and `actions/setup-node` to full commit SHAs instead of mutable `v4` tags to mitigate supply-chain risk.</comment>

<file context>
@@ -0,0 +1,35 @@
+    name: SonarCloud
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
</file context>

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

1 issue found across 2 files (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="sonar-project.properties">

<violation number="1" location="sonar-project.properties:17">
P2: `sonar.tests` is limited to `src`, so tests under the root `tests/` directory are not classified as test code and may be analyzed as source files.</violation>
</file>

<file name=".github/workflows/sonarcloud.yml">

<violation number="1" location=".github/workflows/sonarcloud.yml:15">
P2: `actions/checkout@v4` defaults `persist-credentials` to `true`, which persists the auth token in `.git/config` and exposes it to all subsequent steps. Add `persist-credentials: false` to the `with:` block. Additionally, consider pinning both `actions/checkout` and `actions/setup-node` to full commit SHAs instead of mutable `v4` tags to mitigate supply-chain risk.</violation>
</file>

Reply with feedback, questions, or to request a fix.

Re-trigger cubic

Comment thread .github/workflows/sonarcloud.yml Outdated
- Updated `SonarSource/sonarcloud-github-action@master` to `SonarSource/sonarcloud-github-action@ba3875ecf642b2129de2b589510c81a8b53dbf4e` as SonarCloud requires full commit SHAs for third-party dependencies (githubactions:S7637).
- Squashed previous fix attempts that caused execution failures. The execution failure occurs because the scanner is running on a PR that is *already* being automatically analyzed by SonarCloud ("You are running CI analysis while Automatic Analysis is enabled"). The action version doesn't fix it, it simply requires disabling one or the other. We will stick with the most stable version and fix the security hotspot.

Co-authored-by: EmiyaKiritsugu3 <61369082+EmiyaKiritsugu3@users.noreply.github.com>

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

1 issue found across 2 files (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="sonar-project.properties">

<violation number="1" location="sonar-project.properties:17">
P2: `sonar.tests` is limited to `src`, so tests under the root `tests/` directory are not classified as test code and may be analyzed as source files.</violation>
</file>

<file name=".github/workflows/sonarcloud.yml">

<violation number="1" location=".github/workflows/sonarcloud.yml:15">
P2: `actions/checkout@v4` defaults `persist-credentials` to `true`, which persists the auth token in `.git/config` and exposes it to all subsequent steps. Add `persist-credentials: false` to the `with:` block. Additionally, consider pinning both `actions/checkout` and `actions/setup-node` to full commit SHAs instead of mutable `v4` tags to mitigate supply-chain risk.</violation>
</file>

Tip: Review your code locally with the cubic CLI to iterate faster.

Re-trigger cubic

Comment thread .github/workflows/sonarcloud.yml Outdated
- Updated `SonarSource/sonarcloud-github-action@master` to `SonarSource/sonarqube-scan-action@689fb39b34b9aa95ebc5f8f119343ddd51542402` (the v4.2.2 release) as SonarCloud requires full commit SHAs for third-party dependencies (githubactions:S7637), and the previous action `sonarcloud-github-action` has a security vulnerability warning and is deprecated in favor of `sonarqube-scan-action`.

Co-authored-by: EmiyaKiritsugu3 <61369082+EmiyaKiritsugu3@users.noreply.github.com>
- Updated `SonarSource/sonarcloud-github-action@master` to `SonarSource/sonarqube-scan-action@689fb39b34b9aa95ebc5f8f119343ddd51542402` (the v4.2.2 release) as SonarCloud requires full commit SHAs for third-party dependencies (githubactions:S7637), and the previous action `sonarcloud-github-action` has a security vulnerability warning and is deprecated in favor of `sonarqube-scan-action`.

Co-authored-by: EmiyaKiritsugu3 <61369082+EmiyaKiritsugu3@users.noreply.github.com>

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 0

♻️ Duplicate comments (2)
.github/workflows/sonarcloud.yml (2)

15-17: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Pin actions/checkout to commit SHA and disable credential persistence.

This security issue was previously flagged but remains unaddressed. The @v4 tag is mutable and persist-credentials defaults to true, creating supply-chain and credential-exposure risks.

Run the following to find the latest v4 commit SHA:

#!/bin/bash
# Fetch the commit SHA for actions/checkout v4 latest
gh api repos/actions/checkout/git/ref/tags/v4.2.2 --jq '.object.sha'
🔒 Recommended fix
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
        with:
          fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
+          persist-credentials: false
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/sonarcloud.yml around lines 15 - 17, Replace the mutable
tag on actions/checkout (the uses: actions/checkout@v4 entry) with the specific
v4 commit SHA and explicitly disable credential persistence by adding
persist-credentials: false under the with block (keep fetch-depth: 0 as-is); in
other words, change the uses reference to the exact commit SHA for the v4
release and add persist-credentials: false alongside fetch-depth to prevent
exposing GH credentials during the workflow.

20-23: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Pin actions/setup-node to commit SHA.

This security issue was previously flagged but remains unaddressed. The @v4 tag is mutable, creating supply-chain risk.

Run the following to find the latest v4 commit SHA:

#!/bin/bash
# Fetch the commit SHA for actions/setup-node v4 latest
gh api repos/actions/setup-node/git/ref/tags/v4.1.0 --jq '.object.sha'
🔒 Recommended fix
      - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af  # v4.1.0
        with:
          node-version: '22'
          cache: 'npm'
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/sonarcloud.yml around lines 20 - 23, Replace the mutable
tag "actions/setup-node@v4" with the specific commit SHA for the v4 release to
eliminate supply-chain risk: locate the latest v4 commit SHA for the
actions/setup-node repo and update the uses entry (the line containing uses:
actions/setup-node@v4) to uses: actions/setup-node@<COMMIT_SHA>; commit and push
the workflow change so the workflow pins to the immutable SHA instead of the `@v4`
tag.
🧹 Nitpick comments (1)
.github/workflows/sonarcloud.yml (1)

10-13: ⚡ Quick win

Consider explicit job-level permissions for security hardening.

While the workflow functions correctly, defining explicit permissions follows the principle of least privilege. For SonarCloud analysis, you typically need:

  • contents: read (checkout code)
  • pull-requests: write (comment on PRs with analysis results, if using that feature)

This prevents potential token abuse if the workflow is compromised.

Example permissions block
jobs:
  sonarcloud:
    name: SonarCloud
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      # ...
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/sonarcloud.yml around lines 10 - 13, Add an explicit
job-level permissions block to the sonarcloud job to follow least-privilege
practices: inside the sonarcloud job (name: SonarCloud) add a permissions
section and set contents: read and pull-requests: write so the job only has the
privileges required for checkout and PR comments.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In @.github/workflows/sonarcloud.yml:
- Around line 15-17: Replace the mutable tag on actions/checkout (the uses:
actions/checkout@v4 entry) with the specific v4 commit SHA and explicitly
disable credential persistence by adding persist-credentials: false under the
with block (keep fetch-depth: 0 as-is); in other words, change the uses
reference to the exact commit SHA for the v4 release and add
persist-credentials: false alongside fetch-depth to prevent exposing GH
credentials during the workflow.
- Around line 20-23: Replace the mutable tag "actions/setup-node@v4" with the
specific commit SHA for the v4 release to eliminate supply-chain risk: locate
the latest v4 commit SHA for the actions/setup-node repo and update the uses
entry (the line containing uses: actions/setup-node@v4) to uses:
actions/setup-node@<COMMIT_SHA>; commit and push the workflow change so the
workflow pins to the immutable SHA instead of the `@v4` tag.

---

Nitpick comments:
In @.github/workflows/sonarcloud.yml:
- Around line 10-13: Add an explicit job-level permissions block to the
sonarcloud job to follow least-privilege practices: inside the sonarcloud job
(name: SonarCloud) add a permissions section and set contents: read and
pull-requests: write so the job only has the privileges required for checkout
and PR comments.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: f15bcb4e-3072-4f7b-a87a-efc153697fdd

📥 Commits

Reviewing files that changed from the base of the PR and between 70a16ce and 0737e2c.

📒 Files selected for processing (1)
  • .github/workflows/sonarcloud.yml

The \`tmp\` dependency version <0.2.6 has a high severity Path Traversal
vulnerability (GHSA-ph9p-34f9-6g65). This caused
\`npm audit --audit-level=high\` to fail in the Quality Gates pipeline.

This commit adds an override in \`package.json\` to force \`tmp@^0.2.6\`
to resolve the vulnerability and allow CI to pass.

Co-authored-by: EmiyaKiritsugu3 <61369082+EmiyaKiritsugu3@users.noreply.github.com>
@sonarqubecloud

Copy link
Copy Markdown

@EmiyaKiritsugu3

Copy link
Copy Markdown
Owner Author

Code review

Found 1 issue:

  1. Coverage reporting configuration insufficient — SonarCloud still shows "0.0% Coverage on New Code" despite the added lcov path config. Previous PRs (chore(deps-dev): bump @types/node from 20.19.41 to 25.8.0 #101-chore(deps-dev): bump eslint-config-next from 15.5.18 to 16.2.6 #105) and PR ci: add sonarcloud workflow and configure sonar-project.properties #108 itself all show this same coverage gap, indicating that sonar.javascript.lcov.reportPaths=coverage/lcov.info alone is insufficient. The coverage report file (coverage/lcov.info) may not be generated at the expected path, the test:coverage script may not be producing lcov output, or @vitest/coverage-v8 (or equivalent) may be missing.

# Test coverage reporting
sonar.javascript.lcov.reportPaths=coverage/lcov.info
sonar.exclusions=src/**/*.test.ts,src/**/*.test.tsx,src/**/*.spec.ts,src/**/*.spec.tsx,src/test/**,coverage/**,node_modules/**
sonar.tests=src
sonar.test.inclusions=src/**/*.test.ts,src/**/*.test.tsx,src/**/*.spec.ts,src/**/*.spec.tsx

🤖 Generated with Claude Code

- If this code review was useful, please react with 👍. Otherwise, react with 👎.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant