fix(ci): integrate SonarCloud scan into CI pipeline and fix coverage reporting#109
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
WalkthroughThis PR integrates SonarCloud scanning into the CI pipeline to report code coverage on new PRs. The scan consumes pre-generated LCOV coverage reports via updated ChangesSonarCloud Coverage Integration
Estimated code review effort🎯 2 (Simple) | ⏱️ ~8 minutes 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
️✅ There are no secrets present in this pull request anymore.If these secrets were true positive and are still valid, we highly recommend you to revoke them. 🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request. |
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/ci.yml:
- Around line 63-67: The SonarCloud Scan step should be skipped for forked pull
requests to avoid missing SECRET errors; add a conditional to the step (the step
named "SonarCloud Scan" that sets env SONAR_TOKEN and uses
SonarSource/sonarqube-scan-action) like: if: ${{ github.event_name !=
'pull_request' || github.repository ==
github.event.pull_request.head.repo.full_name }} so the scan runs on non-PR
events or only when the PR comes from the same repo (where secrets are
available).
In `@docs/superpowers/specs/2026-05-28-fix-sonarcloud-coverage-design.md`:
- Around line 38-43: The fenced code block containing the sonar.* properties
(lines starting with "sonar.javascript.lcov.reportPaths=..." through
"sonar.test.inclusions=...") needs a language identifier to satisfy MD040;
change the opening fence from ``` to ```properties so the block is labeled as
properties in the markdown.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: fd107795-c113-473b-85de-f1f3e1188bfe
⛔ Files ignored due to path filters (1)
package-lock.jsonis excluded by!**/package-lock.json
📒 Files selected for processing (4)
.github/workflows/ci.ymldocs/superpowers/specs/2026-05-28-fix-sonarcloud-coverage-design.mdpackage.jsonsonar-project.properties
| - name: SonarCloud Scan | ||
| uses: SonarSource/sonarqube-scan-action@689fb39b34b9aa95ebc5f8f119343ddd51542402 | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} |
There was a problem hiding this comment.
🧩 Analysis chain
🌐 Web query:
GitHub Actions: Are repository secrets available to workflows triggered by pull_request events from forks?
💡 Result:
No. For a workflow triggered by the pull_request event from a fork, GitHub does not pass repository secrets to the runner (with the exception of GITHUB_TOKEN, which is read-only). [1][2] What this means: - Your workflow can run, but expressions like ${{ secrets.MY_SECRET }} will not have the repository secret value available when the pull request comes from a fork. [1][2] - GITHUB_TOKEN is still provided to the workflow, but it has read-only permissions in pull_request runs from forked repositories. [1] Related security note: - GitHub’s documentation describes that pull_request workflows run with restricted access to secrets specifically to prevent secret exfiltration from untrusted fork code. [3][1] If you need secrets for fork-origin pull requests, the usual pattern is to use pull_request_target (with careful controls) rather than pull_request, because pull_request_target runs in the base repository context and is designed to allow access to secrets. [3][1]
Citations:
- 1: https://docs.github.com/actions/using-workflows/events-that-trigger-workflows
- 2: https://docs.github.com/actions/security-guides/using-secrets-in-github-actions
- 3: https://github.blog/news-insights/product-news/github-actions-improvements-for-fork-and-pull-request-workflows/
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Show the relevant portion of the workflow (triggers + jobs around the Sonar step)
sed -n '1,120p' .github/workflows/ci.yml | cat -nRepository: EmiyaKiritsugu3/PWeb_Project
Length of output: 3874
Guard SonarCloud scan to avoid failing fork PRs.
The SonarCloud Scan step uses SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}. In pull_request workflows from forks, GitHub does not provide repository secrets (other than read-only GITHUB_TOKEN), so the scan can fail due to the missing SONAR_TOKEN.
Suggested fix
- name: SonarCloud Scan
+ if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false }}
uses: SonarSource/sonarqube-scan-action@689fb39b34b9aa95ebc5f8f119343ddd51542402
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| - name: SonarCloud Scan | |
| uses: SonarSource/sonarqube-scan-action@689fb39b34b9aa95ebc5f8f119343ddd51542402 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | |
| - name: SonarCloud Scan | |
| if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false }} | |
| uses: SonarSource/sonarqube-scan-action@689fb39b34b9aa95ebc5f8f119343ddd51542402 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/ci.yml around lines 63 - 67, The SonarCloud Scan step
should be skipped for forked pull requests to avoid missing SECRET errors; add a
conditional to the step (the step named "SonarCloud Scan" that sets env
SONAR_TOKEN and uses SonarSource/sonarqube-scan-action) like: if: ${{
github.event_name != 'pull_request' || github.repository ==
github.event.pull_request.head.repo.full_name }} so the scan runs on non-PR
events or only when the PR comes from the same repo (where secrets are
available).
| ``` | ||
| sonar.javascript.lcov.reportPaths=coverage/lcov.info | ||
| sonar.exclusions=src/**/*.test.ts,src/**/*.test.tsx,src/**/*.spec.ts,src/**/*.spec.tsx,src/test/**,coverage/**,node_modules/** | ||
| sonar.tests=src | ||
| sonar.test.inclusions=src/**/*.test.ts,src/**/*.test.tsx,src/**/*.spec.ts,src/**/*.spec.tsx | ||
| ``` |
There was a problem hiding this comment.
Add a language identifier to the fenced code block.
Use ```properties for this block to satisfy markdown linting (MD040).
🧰 Tools
🪛 markdownlint-cli2 (0.22.1)
[warning] 38-38: Fenced code blocks should have a language specified
(MD040, fenced-code-language)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@docs/superpowers/specs/2026-05-28-fix-sonarcloud-coverage-design.md` around
lines 38 - 43, The fenced code block containing the sonar.* properties (lines
starting with "sonar.javascript.lcov.reportPaths=..." through
"sonar.test.inclusions=...") needs a language identifier to satisfy MD040;
change the opening fence from ``` to ```properties so the block is labeled as
properties in the markdown.
There was a problem hiding this comment.
2 issues found across 6 files (changes from recent commits).
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="database/20252/tarefas/EmiyaKiritsugu3/scripts/odbc-example.ts">
<violation number="1" location="database/20252/tarefas/EmiyaKiritsugu3/scripts/odbc-example.ts:5">
P1: Hardcoded database password in connection string. Database credentials should be sourced from environment variables (e.g., `process.env.DATABASE_URL`) or a `.env` file, not hardcoded in source — even in example scripts, as these can be accidentally committed or expose infrastructure details.</violation>
</file>
<file name="database/20261/tarefas/EmiyaKiritsugu3/scripts/seed.js">
<violation number="1" location="database/20261/tarefas/EmiyaKiritsugu3/scripts/seed.js:14">
P1: Hardcoded MongoDB credentials in connection string fallback — remove the credentials or replace with a placeholder to avoid credential leakage in source control.</violation>
</file>
Reply with feedback, questions, or to request a fix.
Re-trigger cubic
| async function runDirectQuery() { | ||
| const client = new Client({ | ||
| connectionString: "postgresql://user_atividades:password123@localhost:5432/AtividadesBD", | ||
| connectionString: 'postgresql://user_atividades:password123@localhost:5432/AtividadesBD', |
There was a problem hiding this comment.
P1: Hardcoded database password in connection string. Database credentials should be sourced from environment variables (e.g., process.env.DATABASE_URL) or a .env file, not hardcoded in source — even in example scripts, as these can be accidentally committed or expose infrastructure details.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At database/20252/tarefas/EmiyaKiritsugu3/scripts/odbc-example.ts, line 5:
<comment>Hardcoded database password in connection string. Database credentials should be sourced from environment variables (e.g., `process.env.DATABASE_URL`) or a `.env` file, not hardcoded in source — even in example scripts, as these can be accidentally committed or expose infrastructure details.</comment>
<file context>
@@ -2,30 +2,31 @@ import { Client } from 'pg';
async function runDirectQuery() {
const client = new Client({
- connectionString: "postgresql://user_atividades:password123@localhost:5432/AtividadesBD",
+ connectionString: 'postgresql://user_atividades:password123@localhost:5432/AtividadesBD',
});
</file context>
| const URI = | ||
| process.env.MONGO_URI || | ||
| "mongodb://app_atividades:app123@localhost:27017/AtividadesProj?authSource=AtividadesProj"; | ||
| 'mongodb://app_atividades:app123@localhost:27017/AtividadesProj?authSource=AtividadesProj'; |
There was a problem hiding this comment.
P1: Hardcoded MongoDB credentials in connection string fallback — remove the credentials or replace with a placeholder to avoid credential leakage in source control.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At database/20261/tarefas/EmiyaKiritsugu3/scripts/seed.js, line 14:
<comment>Hardcoded MongoDB credentials in connection string fallback — remove the credentials or replace with a placeholder to avoid credential leakage in source control.</comment>
<file context>
@@ -7,166 +7,166 @@
const URI =
process.env.MONGO_URI ||
- "mongodb://app_atividades:app123@localhost:27017/AtividadesProj?authSource=AtividadesProj";
+ 'mongodb://app_atividades:app123@localhost:27017/AtividadesProj?authSource=AtividadesProj';
async function seed() {
</file context>
There was a problem hiding this comment.
2 issues found across 5 files
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="database/20252/tarefas/EmiyaKiritsugu3/scripts/odbc-example.ts">
<violation number="1" location="database/20252/tarefas/EmiyaKiritsugu3/scripts/odbc-example.ts:5">
P1: Hardcoded database password in connection string. Database credentials should be sourced from environment variables (e.g., `process.env.DATABASE_URL`) or a `.env` file, not hardcoded in source — even in example scripts, as these can be accidentally committed or expose infrastructure details.</violation>
</file>
<file name="database/20261/tarefas/EmiyaKiritsugu3/scripts/seed.js">
<violation number="1" location="database/20261/tarefas/EmiyaKiritsugu3/scripts/seed.js:14">
P1: Hardcoded MongoDB credentials in connection string fallback — remove the credentials or replace with a placeholder to avoid credential leakage in source control.</violation>
</file>
<file name=".github/workflows/ci.yml">
<violation number="1" location=".github/workflows/ci.yml:63">
P2: Guard this step against fork PRs. In `pull_request` workflows triggered from forks, repository secrets (like `SONAR_TOKEN`) are not provided by GitHub Actions for security reasons. Without a guard, this step will fail on every fork PR. Add a condition to skip it when the PR originates from a fork.</violation>
</file>
Reply with feedback, questions, or to request a fix.
Re-trigger cubic
| - name: Run tests with coverage | ||
| run: npm run test:coverage | ||
|
|
||
| - name: SonarCloud Scan |
There was a problem hiding this comment.
P2: Guard this step against fork PRs. In pull_request workflows triggered from forks, repository secrets (like SONAR_TOKEN) are not provided by GitHub Actions for security reasons. Without a guard, this step will fail on every fork PR. Add a condition to skip it when the PR originates from a fork.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/ci.yml, line 63:
<comment>Guard this step against fork PRs. In `pull_request` workflows triggered from forks, repository secrets (like `SONAR_TOKEN`) are not provided by GitHub Actions for security reasons. Without a guard, this step will fail on every fork PR. Add a condition to skip it when the PR originates from a fork.</comment>
<file context>
@@ -60,6 +60,12 @@ jobs:
- name: Run tests with coverage
run: npm run test:coverage
+ - name: SonarCloud Scan
+ uses: SonarSource/sonarqube-scan-action@689fb39b34b9aa95ebc5f8f119343ddd51542402
+ env:
</file context>
| - name: SonarCloud Scan | |
| - name: SonarCloud Scan | |
| if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false }} |
Code reviewFound 1 issue:
PWeb_Project/.github/workflows/ci.yml Lines 48 to 49 in de9b16c Fix: Add - name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0Other findings (below 80 confidence, not reported as blocking):
🤖 Generated with Claude Code |
There was a problem hiding this comment.
1 issue found across 3 files (changes from recent commits).
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="database/20261/tarefas/EmiyaKiritsugu3/scripts/seed.js">
<violation number="1" location="database/20261/tarefas/EmiyaKiritsugu3/scripts/seed.js:14">
P1: Hardcoded MongoDB credentials in the connection URI expose the database password in source control. Extract the full URI to an environment variable (e.g., `process.env.MONGO_URI`) and remove the hardcoded fallback, or use environment variables for the username and password components individually.</violation>
</file>
Tip: Review your code locally with the cubic CLI to iterate faster.
Re-trigger cubic
| const URI = | ||
| process.env.MONGO_URI || | ||
| "mongodb://app_atividades:app123@localhost:27017/AtividadesProj?authSource=AtividadesProj"; | ||
| 'mongodb://app_atividades:app123@localhost:27017/AtividadesProj?authSource=AtividadesProj'; |
There was a problem hiding this comment.
P1: Hardcoded MongoDB credentials in the connection URI expose the database password in source control. Extract the full URI to an environment variable (e.g., process.env.MONGO_URI) and remove the hardcoded fallback, or use environment variables for the username and password components individually.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At database/20261/tarefas/EmiyaKiritsugu3/scripts/seed.js, line 14:
<comment>Hardcoded MongoDB credentials in the connection URI expose the database password in source control. Extract the full URI to an environment variable (e.g., `process.env.MONGO_URI`) and remove the hardcoded fallback, or use environment variables for the username and password components individually.</comment>
<file context>
@@ -7,166 +7,166 @@
const URI =
process.env.MONGO_URI ||
- "mongodb://app_atividades:app123@localhost:27017/AtividadesProj?authSource=AtividadesProj";
+ 'mongodb://app_atividades:app123@localhost:27017/AtividadesProj?authSource=AtividadesProj';
async function seed() {
</file context>
4be90b3 to
340abbf
Compare
|



Problem
SonarCloud quality gate shows "0.0% Coverage on New Code" on all PRs because:
ci.ymlrunsnpm run test:coverage(generatescoverage/lcov.info) but does not upload coverage to SonarCloudsonar-project.propertiesonmainlackssonar.javascript.lcov.reportPathsconfigurationSolution
Integrate SonarCloud scan directly into the existing
ci.ymlpipeline instead of creating a separate workflow.Changes
.github/workflows/ci.ymlnpm run test:coveragein the Tests & Coverage jobsonar-project.propertiessonar.javascript.lcov.reportPaths, exclusions, and test inclusion patternspackage.jsontmp: "^0.2.6"to overrides (security fix for CVE-2024-27980)package-lock.jsonWhy this approach
Verification
After merge, next PRs should show coverage > 0% in SonarCloud quality gate instead of "0.0% Coverage on New Code".
Summary by cubic
Fixes SonarCloud coverage on PRs by integrating the scan into CI and pointing it to
coverage/lcov.info, so coverage uploads instead of showing 0.0% on new code. Also setsfetch-depth: 0, excludesdatabase/from Prettier, and adds a short spec.Bug Fixes
.github/workflows/ci.ymlafternpm run test:coverage.fetch-depth: 0to enable PR analysis and decoration.sonar-project.propertieswithsonar.javascript.lcov.reportPaths, test inclusions, and exclusions.database/from Prettier via.prettierignore.docs/superpowers/specs/.Dependencies
tmp^0.2.6; lockfile updated to0.2.7(security fix).Written for commit 340abbf. Summary will update on new commits.
Review in cubic
Summary by CodeRabbit
Documentation
Chores