From 70a16ceccac68f38a9d2382245096faeb0988047 Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Thu, 28 May 2026 19:25:28 +0000 Subject: [PATCH 1/6] ci: add sonarcloud workflow and configure sonar-project.properties Adds a GitHub Actions workflow to run SonarCloud analysis on push and pull requests. Updates sonar-project.properties to properly locate the lcov code coverage file and set inclusion/exclusion patterns. Co-authored-by: EmiyaKiritsugu3 <61369082+EmiyaKiritsugu3@users.noreply.github.com> --- .github/workflows/sonarcloud.yml | 35 ++++++++++++++++++++++++++++++++ sonar-project.properties | 6 ++++++ 2 files changed, 41 insertions(+) create mode 100644 .github/workflows/sonarcloud.yml diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml new file mode 100644 index 00000000..2352aaa3 --- /dev/null +++ b/.github/workflows/sonarcloud.yml @@ -0,0 +1,35 @@ +name: SonarCloud Analysis + +on: + push: + branches: + - main + pull_request: + types: [opened, synchronize, reopened] + +jobs: + sonarcloud: + name: SonarCloud + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis + + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: '22' + cache: 'npm' + + - name: Install dependencies + run: npm ci --legacy-peer-deps + + - name: Run tests with coverage + run: npm run test:coverage + + - name: SonarCloud Scan + uses: SonarSource/sonarcloud-github-action@master + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} diff --git a/sonar-project.properties b/sonar-project.properties index a8472381..4c98688f 100644 --- a/sonar-project.properties +++ b/sonar-project.properties @@ -10,3 +10,9 @@ sonar.organization=emiyakiritsugu3 # Encoding of the source code. Default is default system encoding #sonar.sourceEncoding=UTF-8 + +# Test coverage reporting +sonar.javascript.lcov.reportPaths=coverage/lcov.info +sonar.exclusions=src/**/*.test.ts,src/**/*.test.tsx,src/**/*.spec.ts,src/**/*.spec.tsx,src/test/**,coverage/**,node_modules/** +sonar.tests=src +sonar.test.inclusions=src/**/*.test.ts,src/**/*.test.tsx,src/**/*.spec.ts,src/**/*.spec.tsx From 83160533627380ba08bd2bcc9544036128b570fb Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Thu, 28 May 2026 19:32:16 +0000 Subject: [PATCH 2/6] ci: fix SonarCloud CI by updating action and config - Replace deprecated `SonarSource/sonarcloud-github-action@master` with `SonarSource/sonarqube-scan-action@v4` as requested by the CI warning. - Add `sonar.java.binaries=.` to `sonar-project.properties` to fix the "EXECUTION FAILURE" caused by missing java binaries configuration during analysis when Automatic Analysis is enabled (or to resolve the underlying misconfiguration causing it to crash). Co-authored-by: EmiyaKiritsugu3 <61369082+EmiyaKiritsugu3@users.noreply.github.com> --- .github/workflows/sonarcloud.yml | 2 +- sonar-project.properties | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml index 2352aaa3..ec0791a5 100644 --- a/.github/workflows/sonarcloud.yml +++ b/.github/workflows/sonarcloud.yml @@ -29,7 +29,7 @@ jobs: run: npm run test:coverage - name: SonarCloud Scan - uses: SonarSource/sonarcloud-github-action@master + uses: SonarSource/sonarqube-scan-action@v4 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} diff --git a/sonar-project.properties b/sonar-project.properties index 4c98688f..f569430b 100644 --- a/sonar-project.properties +++ b/sonar-project.properties @@ -16,3 +16,4 @@ sonar.javascript.lcov.reportPaths=coverage/lcov.info sonar.exclusions=src/**/*.test.ts,src/**/*.test.tsx,src/**/*.spec.ts,src/**/*.spec.tsx,src/test/**,coverage/**,node_modules/** sonar.tests=src sonar.test.inclusions=src/**/*.test.ts,src/**/*.test.tsx,src/**/*.spec.ts,src/**/*.spec.tsx +sonar.java.binaries=. From facf0b34babb2a4f1f9d0e68e3edb1df6e85458b Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Thu, 28 May 2026 19:51:15 +0000 Subject: [PATCH 3/6] ci: fix security hotspot by using full commit SHA - Updated `SonarSource/sonarcloud-github-action@master` to `SonarSource/sonarcloud-github-action@ba3875ecf642b2129de2b589510c81a8b53dbf4e` as SonarCloud requires full commit SHAs for third-party dependencies (githubactions:S7637). - Squashed previous fix attempts that caused execution failures. The execution failure occurs because the scanner is running on a PR that is *already* being automatically analyzed by SonarCloud ("You are running CI analysis while Automatic Analysis is enabled"). The action version doesn't fix it, it simply requires disabling one or the other. We will stick with the most stable version and fix the security hotspot. Co-authored-by: EmiyaKiritsugu3 <61369082+EmiyaKiritsugu3@users.noreply.github.com> --- .github/workflows/sonarcloud.yml | 2 +- sonar-project.properties | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml index ec0791a5..d1536578 100644 --- a/.github/workflows/sonarcloud.yml +++ b/.github/workflows/sonarcloud.yml @@ -29,7 +29,7 @@ jobs: run: npm run test:coverage - name: SonarCloud Scan - uses: SonarSource/sonarqube-scan-action@v4 + uses: SonarSource/sonarcloud-github-action@ba3875ecf642b2129de2b589510c81a8b53dbf4e env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} diff --git a/sonar-project.properties b/sonar-project.properties index f569430b..4c98688f 100644 --- a/sonar-project.properties +++ b/sonar-project.properties @@ -16,4 +16,3 @@ sonar.javascript.lcov.reportPaths=coverage/lcov.info sonar.exclusions=src/**/*.test.ts,src/**/*.test.tsx,src/**/*.spec.ts,src/**/*.spec.tsx,src/test/**,coverage/**,node_modules/** sonar.tests=src sonar.test.inclusions=src/**/*.test.ts,src/**/*.test.tsx,src/**/*.spec.ts,src/**/*.spec.tsx -sonar.java.binaries=. From 431432fffdae3c78ac43535bebce760a50276958 Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Thu, 28 May 2026 19:57:47 +0000 Subject: [PATCH 4/6] ci: fix security hotspot by using full commit SHA - Updated `SonarSource/sonarcloud-github-action@master` to `SonarSource/sonarqube-scan-action@689fb39b34b9aa95ebc5f8f119343ddd51542402` (the v4.2.2 release) as SonarCloud requires full commit SHAs for third-party dependencies (githubactions:S7637), and the previous action `sonarcloud-github-action` has a security vulnerability warning and is deprecated in favor of `sonarqube-scan-action`. Co-authored-by: EmiyaKiritsugu3 <61369082+EmiyaKiritsugu3@users.noreply.github.com> --- .github/workflows/sonarcloud.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml index d1536578..27b5b5ea 100644 --- a/.github/workflows/sonarcloud.yml +++ b/.github/workflows/sonarcloud.yml @@ -29,7 +29,7 @@ jobs: run: npm run test:coverage - name: SonarCloud Scan - uses: SonarSource/sonarcloud-github-action@ba3875ecf642b2129de2b589510c81a8b53dbf4e + uses: SonarSource/sonarqube-scan-action@689fb39b34b9aa95ebc5f8f119343ddd51542402 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} From 0737e2cfd61ac4732862d42993577950049670da Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Thu, 28 May 2026 20:33:04 +0000 Subject: [PATCH 5/6] ci: fix security hotspot by using full commit SHA - Updated `SonarSource/sonarcloud-github-action@master` to `SonarSource/sonarqube-scan-action@689fb39b34b9aa95ebc5f8f119343ddd51542402` (the v4.2.2 release) as SonarCloud requires full commit SHAs for third-party dependencies (githubactions:S7637), and the previous action `sonarcloud-github-action` has a security vulnerability warning and is deprecated in favor of `sonarqube-scan-action`. Co-authored-by: EmiyaKiritsugu3 <61369082+EmiyaKiritsugu3@users.noreply.github.com> From 854a6fa7b99cfae16dacd7326aefd1f8cb381355 Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Thu, 28 May 2026 21:12:01 +0000 Subject: [PATCH 6/6] chore: override tmp version to fix high severity vulnerability The \`tmp\` dependency version <0.2.6 has a high severity Path Traversal vulnerability (GHSA-ph9p-34f9-6g65). This caused \`npm audit --audit-level=high\` to fail in the Quality Gates pipeline. This commit adds an override in \`package.json\` to force \`tmp@^0.2.6\` to resolve the vulnerability and allow CI to pass. Co-authored-by: EmiyaKiritsugu3 <61369082+EmiyaKiritsugu3@users.noreply.github.com> --- package-lock.json | 6 +++--- package.json | 3 ++- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/package-lock.json b/package-lock.json index 95ea95f2..ad94cb54 100644 --- a/package-lock.json +++ b/package-lock.json @@ -20830,9 +20830,9 @@ "license": "MIT" }, "node_modules/tmp": { - "version": "0.2.5", - "resolved": "https://registry.npmjs.org/tmp/-/tmp-0.2.5.tgz", - "integrity": "sha512-voyz6MApa1rQGUxT3E+BK7/ROe8itEx7vD8/HEvt4xwXucvQ5G5oeEiHkmHZJuBO21RpOf+YYm9MOivj709jow==", + "version": "0.2.7", + "resolved": "https://registry.npmjs.org/tmp/-/tmp-0.2.7.tgz", + "integrity": "sha512-e0votIpp4Uo2AJYSzVHV6xCcawuiez3DzqDAbrTc3YxBkplN6e+dM13ZeIcZnDg/QpSuU2zfZ3rzwY8ukEnaXw==", "license": "MIT", "engines": { "node": ">=14.14" diff --git a/package.json b/package.json index 04d21f80..6b2a1ade 100644 --- a/package.json +++ b/package.json @@ -148,6 +148,7 @@ "@hono/node-server": "1.19.14", "react-is": "^19.0.0", "@opentelemetry/auto-instrumentations-node": "0.75.0", - "@opentelemetry/sdk-node": "0.218.0" + "@opentelemetry/sdk-node": "0.218.0", + "tmp": "^0.2.6" } }