
Enable SonarQube analysis in nightly test pipeline#1109

Draft
rgsl888prabhu wants to merge 4 commits into main from enable-sonarqube-nightly

Conversation

@rgsl888prabhu (Collaborator)

Summary

  • Add sonarqube-analysis job to nightly test.yaml (source-only scan on ubuntu-latest)
  • Add standalone sonarqube.yaml workflow for on-demand manual testing
  • Create ci/run_sonarqube.sh to download sonar-scanner and run analysis

Prerequisite

  • SONAR_TOKEN secret must be configured in repo settings

Test plan

  • Set SONAR_TOKEN secret in repo settings
  • Trigger sonarqube.yaml manually from Actions tab to verify end-to-end

🤖 Generated with Claude Code
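A hardened version of the download-and-run step the description above outlines, written as an added example for this page rather than the PR's own ci/run_sonarqube.sh. It goes a little beyond the description: it pins the scanner version, verifies the archive's SHA-256 before unpacking, rejects a branch argument that could smuggle shell or scanner options, and requires the token to be set and non-empty while leaving it in the environment rather than on the command line. The SONAR_SCANNER_SHA256 value is a placeholder to be replaced with the vendor's published digest for this exact archive; passing the branch as `-Dsonar.branch.name` is an assumption about how the PR's script uses its argument, and the RUN_SONAR_MAIN guard exists only so the functions can be exercised without network access.

```shell
#!/usr/bin/env bash
# Added example, not the PR's ci/run_sonarqube.sh. Lines marked ASSUMPTION
# are placeholders or guesses, not values taken from the PR.
set -eu

SONAR_SCANNER_VERSION="6.2.1.4610"
# ASSUMPTION: placeholder. Replace with the vendor's published SHA-256 for
# this exact archive and change it in the same diff as any version bump.
SONAR_SCANNER_SHA256="${SONAR_SCANNER_SHA256:-0000000000000000000000000000000000000000000000000000000000000000}"
SONAR_SCANNER_URL="https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-${SONAR_SCANNER_VERSION}-linux-x64.zip"

# sha256_of FILE: print the hex SHA-256 of FILE (coreutils or BSD tools).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_checksum FILE EXPECTED: succeed only if FILE hashes to EXPECTED.
verify_checksum() {
  local actual
  actual="$(sha256_of "$1")"
  if [ "$actual" != "$2" ]; then
    echo "ERROR: checksum mismatch for $1: expected $2, got $actual" >&2
    return 1
  fi
}

# validate_branch NAME: accept only a plain git ref name. The workflow hands a
# workflow_dispatch input to this script, so anything with whitespace, quotes,
# a leading '-' (which sonar-scanner would read as an option) or other
# metacharacters is refused instead of being forwarded.
validate_branch() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9][A-Za-z0-9._/-]*$'
}

# download_scanner DEST_DIR: fetch, verify and unpack the scanner; print the
# path of the sonar-scanner binary. Fails before unzip on any mismatch.
download_scanner() {
  local dest="$1" zip
  zip="$(mktemp)"
  curl --fail --silent --show-error --location --retry 3 --retry-delay 2 \
    -o "$zip" "$SONAR_SCANNER_URL"
  verify_checksum "$zip" "$SONAR_SCANNER_SHA256"
  unzip -q "$zip" -d "$dest"
  rm -f "$zip"
  printf '%s\n' "${dest}/sonar-scanner-${SONAR_SCANNER_VERSION}-linux-x64/bin/sonar-scanner"
}

main() {
  local branch bin
  branch="${1:?usage: run_sonarqube.sh BRANCH}"
  # Fails on both unset and empty, unlike a bare ${SONAR_TOKEN} under set -u.
  : "${SONAR_TOKEN:?SONAR_TOKEN is required}"
  validate_branch "$branch" || { echo "ERROR: refusing branch name: $branch" >&2; exit 1; }
  bin="$(download_scanner "$(mktemp -d)")"
  # The scanner reads SONAR_TOKEN from its environment, so the token never
  # appears in the command line or in process listings.
  # ASSUMPTION: the branch argument maps to sonar.branch.name.
  "$bin" -Dsonar.branch.name="$branch"
}

# Run the full pipeline only when asked, so the functions above can be
# sourced and tested offline. Usage: RUN_SONAR_MAIN=1 ./run_sonarqube.sh main
if [ "${RUN_SONAR_MAIN:-0}" = "1" ]; then
  main "$@"
fi
```

The checksum is checked against a value that lives in the script, next to the version it belongs to, so a reviewer sees both change together; the branch check is the script-side counterpart of passing the workflow input through `env:` rather than interpolating it into the `run:` line.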

rgsl888prabhu and others added 2 commits April 15, 2026 15:20
Add a sonarqube-analysis job to the nightly test workflow that runs
sonar-scanner against the source tree. The job checks out the target
commit with full history, downloads sonar-scanner CLI, and reports
results to sonar.nvidia.com using the SONAR_TOKEN secret. Also updates
sonar-branches.txt to reference release/26.06.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Adds a workflow_dispatch-triggered sonarqube.yaml so the SonarQube
analysis can be run on-demand from the Actions tab without waiting
for the full nightly pipeline.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@rgsl888prabhu rgsl888prabhu requested review from a team as code owners April 15, 2026 20:37
@rgsl888prabhu rgsl888prabhu self-assigned this Apr 15, 2026
@rgsl888prabhu rgsl888prabhu marked this pull request as draft April 15, 2026 20:38
copy-pr-bot bot commented Apr 15, 2026

Auto-sync is disabled for draft pull requests in this repository. Workflows must be run manually.

Contributors can view more details about this message here.

coderabbitai bot commented Apr 15, 2026

Walkthrough

A SonarQube analysis workflow is introduced with three components: a standalone GitHub Actions workflow for manual triggering, a job integrated into the nightly build pipeline, and a shell script orchestrating the SonarQube scanner execution. Additionally, the configured release branch list is updated.

Changes

  • GitHub Actions Workflows (.github/workflows/sonarqube.yaml, .github/workflows/test.yaml): New standalone workflow for manual SonarQube analysis triggering and integration of a conditional SonarQube job into the nightly build pipeline, both using the SONAR_TOKEN secret.
  • CI Script (ci/run_sonarqube.sh): New shell script that downloads and invokes the SonarQube scanner (v6.2.1.4610) with branch-specific configuration; requires the SONAR_TOKEN environment variable.
  • Configuration (sonarqube/sonar-branches.txt): Updated release branch entry from release/26.04 to release/26.06 in the configured branch list.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Pre-merge checks: 3 passed
  • Title check: Passed. The title clearly and accurately summarizes the main change: adding SonarQube analysis to the nightly test pipeline, which is the primary objective of this PR.
  • Description check: Passed. The description is directly related to the changeset, detailing the addition of SonarQube analysis jobs, the standalone workflow, the helper script, prerequisites, and a test plan.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


coderabbitai bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (2)
.github/workflows/sonarqube.yaml (1)

14-17: Set explicit minimal GITHUB_TOKEN permissions for this workflow.

Defining least-privilege permissions avoids inheriting broader repo defaults.

🔐 Suggested addition
 jobs:
   sonarqube-analysis:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     timeout-minutes: 30
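Review bot: `contents: read` is the right scope for this job, and it is narrower than the scopes the accompanying prompt text lists (`checks: write`, `actions: read`, `pull-requests: write`): results go to sonar.nvidia.com with the separate SONAR_TOKEN secret, not through GITHUB_TOKEN, so nothing in this workflow needs write access to the repository. Consider placing the block at workflow top level as well as, or instead of, at job level, so any job added to this file later inherits the same read-only default.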
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/sonarqube.yaml around lines 14 - 17, add an explicit minimal GITHUB_TOKEN permissions block for the workflow so the sonarqube-analysis job does not inherit broad repo defaults; add a top-level or job-level permissions section (referencing the job name sonarqube-analysis) that grants only the required scopes such as permissions: contents: read, checks: write, and actions: read (and/or pull-requests: write if your Sonar step updates PRs), placing it above jobs or inside the sonarqube-analysis job as appropriate.
ci/run_sonarqube.sh (1)

10-13: Prefer set -u fail-fast instead of a custom SONAR_TOKEN guard.

This can be simplified while keeping the same behavior.

♻️ Proposed refactor
-if [ -z "${SONAR_TOKEN:-}" ]; then
-  echo "ERROR: SONAR_TOKEN environment variable is not set"
-  exit 1
-fi
+: "${SONAR_TOKEN}"
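Review bot: `: "${SONAR_TOKEN}"` does not preserve the removed guard's behaviour: it fails only when the script runs under `set -u` and the variable is unset, whereas the original `-z "${SONAR_TOKEN:-}"` test also rejected an empty string, which is exactly what `${{ secrets.SONAR_TOKEN }}` expands to when the secret has not been configured in the repository. `: "${SONAR_TOKEN:?SONAR_TOKEN is required}"` keeps the one-liner, fails on both unset and empty whether or not `set -u` is in effect, and still prints a readable message.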

Based on learnings: In this repository, prefer using 'set -u' in Bash scripts to detect unbound variables and rely on the default unbound-variable error messages rather than implementing explicit guards with custom error messages.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@ci/run_sonarqube.sh` around lines 10 - 13, replace the explicit SONAR_TOKEN guard with Bash fail-fast by enabling unbound-variable checking: add a top-level shell option (e.g., set -u or set -eu) and remove the explicit if [ -z "${SONAR_TOKEN:-}" ] ... fi block that checks SONAR_TOKEN; this will cause the script to fail with the standard unbound-variable error when SONAR_TOKEN is not set and preserves the intended behavior while simplifying the script (locate references to SONAR_TOKEN and the if-check block to remove and add the set -u/-eu at the script start).

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 9ac0d49f-4356-46e9-895a-f522ca4b7838

📥 Commits

Reviewing files that changed from the base of the PR and between 1f2fb22 and e6c4730.

📒 Files selected for processing (4)
  • .github/workflows/sonarqube.yaml
  • .github/workflows/test.yaml
  • ci/run_sonarqube.sh
  • sonarqube/sonar-branches.txt

Comment thread .github/workflows/sonarqube.yaml
Comment on lines +19 to +25
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Run SonarQube analysis
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
run: ci/run_sonarqube.sh "${{ inputs.branch || github.ref_name }}"
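Review bot: `"${{ inputs.branch || github.ref_name }}"` on the `run:` line is expanded by the Actions runner before the shell parses the command, so the surrounding quotes give no protection; a branch input or branch name containing `"`, `;` or `$(...)` becomes part of the script that runs with SONAR_TOKEN in its environment. `workflow_dispatch` restricts who can supply `inputs.branch`, which narrows the issue but does not remove it. Pass the value through the environment, alongside the existing SONAR_TOKEN entry, and let the shell quote it:
env:
  BRANCH: ${{ inputs.branch || github.ref_name }}
run: ci/run_sonarqube.sh "$BRANCH"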

⚠️ Potential issue | 🟠 Major

Branch label can diverge from checked-out code.

The workflow passes an effective branch name to SonarQube, but checkout always uses the workflow’s current ref. This can publish analysis under the wrong branch name.

🐛 Proposed fix
       - uses: actions/checkout@v4
         with:
+          ref: ${{ inputs.branch || github.ref_name }}
           fetch-depth: 0
       - name: Run SonarQube analysis
         env:
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-        run: ci/run_sonarqube.sh "${{ inputs.branch || github.ref_name }}"
+        run: bash ci/run_sonarqube.sh "${{ inputs.branch || github.ref_name }}"
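Review bot: the `ref:` line fixes the label/code mismatch, but the hunk's second change, `bash ci/run_sonarqube.sh` in place of `ci/run_sonarqube.sh`, is not explained by the finding. Prefixing `bash` works around a missing executable bit on the script without saying so; if that is the reason, commit the script with mode 100755 (`git update-index --chmod=+x ci/run_sonarqube.sh`) so it runs the same way locally and in CI, and keep the original invocation. Note also that `ref:` with a branch name checks out whatever that branch points at when the job starts, unlike the nightly job, which the commit message says checks out a specific target commit; the analysis label and the analysed commit now agree, but the commit itself is still not recorded anywhere in this workflow.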
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/sonarqube.yaml around lines 19 - 25, the workflow checks out the repository but may not use the same ref that is passed to SonarQube (inputs.branch or github.ref_name); update the checkout step (actions/checkout@v4) to use the same ref value passed into ci/run_sonarqube.sh by adding ref: ${{ inputs.branch || github.ref_name }} (keep fetch-depth: 0) so the checked-out code matches the branch label used by SonarQube.

Comment thread ci/run_sonarqube.sh
Comment on lines +21 to +24
curl -sSLo /tmp/sonar-scanner.zip \
"https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-${SONAR_SCANNER_VERSION}-linux-x64.zip"
unzip -q /tmp/sonar-scanner.zip -d "${SONAR_SCANNER_DIR}"
SONAR_SCANNER_BIN="${SONAR_SCANNER_DIR}/sonar-scanner-${SONAR_SCANNER_VERSION}-linux-x64/bin/sonar-scanner"
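Review bot: `curl -sSLo` without `--fail` treats an HTTP error as success, so a 404 or a proxy error page is written to /tmp/sonar-scanner.zip and the failure only surfaces as an unrelated `unzip` error on the next line; add `--fail` so the download step reports the HTTP status itself. The URL is pinned to a version, which is good, but this archive is then executed with SONAR_TOKEN in its environment, so its integrity needs to be checked before `unzip` rather than assumed from the TLS connection alone.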

⚠️ Potential issue | 🟠 Major

Verify scanner archive integrity before executing downloaded binaries.

The script downloads and executes tooling without checksum verification, which is a supply-chain risk.

🔒 Suggested hardening
 SONAR_SCANNER_VERSION="6.2.1.4610"
+SONAR_SCANNER_SHA256="${SONAR_SCANNER_SHA256:?SONAR_SCANNER_SHA256 is required}"

 ...
-curl -sSLo /tmp/sonar-scanner.zip \
+curl --fail --silent --show-error --location --retry 3 --retry-delay 2 \
+  -o /tmp/sonar-scanner.zip \
   "https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-${SONAR_SCANNER_VERSION}-linux-x64.zip"
+echo "${SONAR_SCANNER_SHA256}  /tmp/sonar-scanner.zip" | sha256sum -c -
 unzip -q /tmp/sonar-scanner.zip -d "${SONAR_SCANNER_DIR}"
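Review bot: `SONAR_SCANNER_SHA256="${SONAR_SCANNER_SHA256:?...}"` moves the trust decision out of the script: the digest has to come from the caller's environment, so a SONAR_SCANNER_SHA256 variable must be added to both sonarqube.yaml and the nightly job in test.yaml or the script now aborts on every run, and the value is only as trustworthy as whoever can edit that workflow variable. Hardcode the digest next to `SONAR_SCANNER_VERSION="6.2.1.4610"` so a version bump and its checksum change in the same reviewed diff. Also confirm the script runs under `set -e` (only `set -u` is mentioned as the repository convention): `sha256sum -c -` returns non-zero on mismatch, but without `set -e` the script proceeds straight to `unzip`; `... | sha256sum -c - || exit 1` makes the abort explicit either way.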
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@ci/run_sonarqube.sh` around lines 21 - 24, add integrity verification for the downloaded Sonar scanner: after downloading the archive into /tmp/sonar-scanner.zip compute its checksum (e.g., sha256) and compare it against a trusted checksum source before unzipping; fetch the corresponding checksum file or hardcode a verified checksum and validate it, and abort with a clear error if the checksums mismatch. Update the run_sonarqube.sh flow around the existing SONAR_SCANNER_VERSION/SONAR_SCANNER_DIR/SONAR_SCANNER_BIN logic so the script only runs unzip and sets SONAR_SCANNER_BIN when the checksum verification passes.

rgsl888prabhu and others added 2 commits April 15, 2026 15:40
Temporary push trigger to validate the workflow before merging.
Remove before merge.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Use sonar.scanner.socketTimeout instead of deprecated sonar.ws.timeout.
Remove the temporary push trigger from sonarqube.yaml used for testing.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>