Skip to content
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
35 changes: 35 additions & 0 deletions .github/workflows/sonarcloud.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
name: SonarCloud Analysis

on:
push:
branches:
- main
pull_request:
types: [opened, synchronize, reopened]

jobs:
sonarcloud:
name: SonarCloud
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2: actions/checkout@v4 defaults persist-credentials to true, which persists the auth token in .git/config and exposes it to all subsequent steps. Add persist-credentials: false to the with: block. Additionally, consider pinning both actions/checkout and actions/setup-node to full commit SHAs instead of mutable v4 tags to mitigate supply-chain risk.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/sonarcloud.yml, line 15:

<comment>`actions/checkout@v4` defaults `persist-credentials` to `true`, which persists the auth token in `.git/config` and exposes it to all subsequent steps. Add `persist-credentials: false` to the `with:` block. Additionally, consider pinning both `actions/checkout` and `actions/setup-node` to full commit SHAs instead of mutable `v4` tags to mitigate supply-chain risk.</comment>

<file context>
@@ -0,0 +1,35 @@
+    name: SonarCloud
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
</file context>

with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis

- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: '22'
cache: 'npm'
Comment on lines +15 to +23

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".github/workflows/sonarcloud.yml"

# Ensure file exists and print the relevant sections with line numbers
if [ ! -f "$FILE" ]; then
  echo "Missing file: $FILE" >&2
  exit 1
fi

echo "=== File: $FILE (lines 1-220) ==="
nl -ba "$FILE" | sed -n '1,220p'
echo
echo "=== Grep uses: statements ==="
rg -n "^\s*-\s*uses:|uses:" "$FILE" || true
echo
echo "=== Grep for persist-credentials / permissions ==="
rg -n "persist-credentials|permissions:" "$FILE" || true
echo
echo "=== Grep for SonarSource/sonarcloud-github-action ==="
rg -n "SonarSource/sonarcloud-github-action" "$FILE" || true

Repository: EmiyaKiritsugu3/PWeb_Project

Length of output: 195


🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".github/workflows/sonarcloud.yml"

if [ ! -f "$FILE" ]; then
  echo "Missing file: $FILE" >&2
  exit 1
fi

echo "=== File: $FILE (lines 1-220) ==="
cat -n "$FILE" | sed -n '1,220p'
echo
echo "=== Grep uses: statements ==="
rg -n "^\s*-\s*uses:" "$FILE" || true
echo
echo "=== Grep persist-credentials / permissions ==="
rg -n "persist-credentials|permissions:" "$FILE" || true
echo
echo "=== Grep SonarSource/sonarcloud-github-action ==="
rg -n "SonarSource/sonarcloud-github-action" "$FILE" || true

Repository: EmiyaKiritsugu3/PWeb_Project

Length of output: 1412


🌐 Web query:

actions/checkout v4 persist-credentials default value

💡 Result:

For actions/checkout@v4, the input persist-credentials has default value true.[1][2] This means that unless you explicitly set persist-credentials: false, the action configures (persists) the provided auth token/SSH key in the local git config during checkout.[3][1]

Citations:


🌐 Web query:

SonarSource sonarqube-scan-action v4 deprecated archived

💡 Result:

The SonarSource sonarqube-scan-action (official-sonarqube-scan) is an active, ongoing project and is not deprecated or archived [1]. As of May 28, 2026, the latest release is v7.0.0 [1]. Version 4.0.0, released in November 2024, was a significant milestone that replaced the Docker-based action with a composite action [2][3], but this was an evolution of the project rather than a deprecation [2]. It appears there may be confusion with other SonarSource actions: - The sonarcloud-github-action has been deprecated in favor of the sonarqube-scan-action [4]. - There have been specific deprecations for older, language-specific scan actions (e.g., legacy C/C++/Objective-C actions) [5]. If you are currently using v4.x, it is recommended to upgrade to the latest version to benefit from ongoing improvements and support [1]. You can find the latest version and documentation on the official GitHub repository [1].

Citations:


Pin actions/checkout@v4 / actions/setup-node@v4 to immutable commit SHAs and disable checkout credential persistence.

  • actions/checkout@v4 defaults persist-credentials: true; set persist-credentials: false and pin both actions to full commit SHAs instead of v4 tags.
Suggested patch
 jobs:
   sonarcloud:
     name: SonarCloud
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@<checkout-commit-sha>
         with:
           fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
+          persist-credentials: false
 
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@<setup-node-commit-sha>
         with:
           node-version: '22'
           cache: 'npm'
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 15-17: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 15-15: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 20-20: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/sonarcloud.yml around lines 15 - 23, Update the workflow
to pin both actions to their immutable commit SHAs and disable checkout
credential persistence: change the uses for actions/checkout@v4 to the full
commit SHA and add persist-credentials: false under its with block (referencing
the actions/checkout step and the persist-credentials setting), and change
actions/setup-node@v4 to its full commit SHA (referencing the actions/setup-node
step) while keeping the existing with keys like node-version and cache
unchanged.


- name: Install dependencies
run: npm ci --legacy-peer-deps

- name: Run tests with coverage
run: npm run test:coverage

- name: SonarCloud Scan
uses: SonarSource/sonarqube-scan-action@689fb39b34b9aa95ebc5f8f119343ddd51542402
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
6 changes: 3 additions & 3 deletions package-lock.json

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

3 changes: 2 additions & 1 deletion package.json
Original file line number Diff line number Diff line change
Expand Up @@ -148,6 +148,7 @@
"@hono/node-server": "1.19.14",
"react-is": "^19.0.0",
"@opentelemetry/auto-instrumentations-node": "0.75.0",
"@opentelemetry/sdk-node": "0.218.0"
"@opentelemetry/sdk-node": "0.218.0",
"tmp": "^0.2.6"
}
}
6 changes: 6 additions & 0 deletions sonar-project.properties
Original file line number Diff line number Diff line change
Expand Up @@ -10,3 +10,9 @@ sonar.organization=emiyakiritsugu3

# Encoding of the source code. Default is default system encoding
#sonar.sourceEncoding=UTF-8

# Test coverage reporting
sonar.javascript.lcov.reportPaths=coverage/lcov.info
sonar.exclusions=src/**/*.test.ts,src/**/*.test.tsx,src/**/*.spec.ts,src/**/*.spec.tsx,src/test/**,coverage/**,node_modules/**
sonar.tests=src
sonar.test.inclusions=src/**/*.test.ts,src/**/*.test.tsx,src/**/*.spec.ts,src/**/*.spec.tsx
Comment on lines +17 to +18

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2: sonar.tests is limited to src, so tests under the root tests/ directory are not classified as test code and may be analyzed as source files.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At sonar-project.properties, line 17:

<comment>`sonar.tests` is limited to `src`, so tests under the root `tests/` directory are not classified as test code and may be analyzed as source files.</comment>

<file context>
@@ -10,3 +10,9 @@ sonar.organization=emiyakiritsugu3
+# Test coverage reporting
+sonar.javascript.lcov.reportPaths=coverage/lcov.info
+sonar.exclusions=src/**/*.test.ts,src/**/*.test.tsx,src/**/*.spec.ts,src/**/*.spec.tsx,src/test/**,coverage/**,node_modules/**
+sonar.tests=src
+sonar.test.inclusions=src/**/*.test.ts,src/**/*.test.tsx,src/**/*.spec.ts,src/**/*.spec.tsx
</file context>
Suggested change
sonar.tests=src
sonar.test.inclusions=src/**/*.test.ts,src/**/*.test.tsx,src/**/*.spec.ts,src/**/*.spec.tsx
sonar.tests=src,tests
sonar.test.inclusions=src/**/*.test.ts,src/**/*.test.tsx,src/**/*.spec.ts,src/**/*.spec.tsx,tests/**/*.ts,tests/**/*.tsx

Loading