fix: skip Sonar analysis for fork PRs to prevent code execution

[driessamyn]

Summary

• Skip the Sonar analysis job entirely for fork PRs
• Remove repository: from checkout since we now only run for the base repo

Context

SonarCloud security hotspot flagged that the sonar job in analysis.yml checks out fork code (github.event.workflow_run.head_repository.full_name) and then executes ./gradlew sonar — which runs the fork's build.gradle.kts and buildSrc/ with access to SONAR_TOKEN. A malicious fork contributor could exfiltrate the token.

The fix adds a condition to skip the sonar job when the triggering workflow comes from a fork. Fork PRs still get the full build and test suite from the main build-and-test.yml workflow — they just don't get Sonar analysis. The push-to-main Sonar run after merge catches any issues.

The coverage-comment job is unaffected — it doesn't checkout or execute any code.

Test plan

• Verify Sonar still runs on non-fork PRs and push-to-main
• Verify the sonar job is skipped for fork PRs

Summary by CodeRabbit

• Chores
  • Improved security configuration for code analysis workflows to prevent unauthorized analysis runs.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: dec0e869-440c-4743-8196-7374ea35c2dc

📥 Commits

Reviewing files that changed from the base of the PR and between 81b9952 and 2c13029.

📒 Files selected for processing (1)

• .github/workflows/analysis.yml

---

📝 Walkthrough

Walkthrough

The sonar job in the GitHub Actions workflow is updated to gate SonarQube analysis to workflow runs originating from the same repository. The explicit repository checkout override is removed, allowing the default context while preserving the workflow run's commit SHA reference.

Changes

Cohort / File(s)	Summary
GitHub Actions Workflow Configuration .github/workflows/analysis.yml	Updated sonar job's if condition to require github.event.workflow_run.head_repository.full_name matches github.repository, and removed explicit actions/checkout repository override while retaining the ref specification using the workflow run's commit SHA.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related PRs

• fix: split CI to run Sonar analysis via workflow_run #324: Introduces workflow_run-based Sonar CI split and sonar job checkout logic that these modifications refine with additional repository gating and simplified checkout behavior.

Poem

🐰 A rabbit hops through workflows bright,
Securing gates with all their might,
When sources match, the analysis flows,
Safe from forks—that's how it goes! ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and accurately summarizes the main change: preventing Sonar analysis execution on fork PRs to address a security vulnerability where fork code and secrets could be exposed.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/sonar-skip-fork-prs

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Unit Tests

 62 files  ±0   62 suites  ±0   3m 2s ⏱️ -6s
562 tests ±0  562 ✅ ±0  0 💤 ±0  0 ❌ ±0 
578 runs  ±0  578 ✅ ±0  0 💤 ±0  0 ❌ ±0 

Results for commit 2c13029. ± Comparison against base commit 81b9952.

This pull request removes 39 and adds 39 tests. Note that renamed tests count towards both.

net.samyn.kapper.internal.automapper.SQLTypesConverterTest ‑ [10] LONGVARCHAR, "LONGVARCHAR", net.samyn.kapper.internal.automapper.SQLTypesConverterTest$Companion$$Lambda$1122/0x00007ff300585320@35ecb5e9
net.samyn.kapper.internal.automapper.SQLTypesConverterTest ‑ [11] NCHAR, "NCHAR", net.samyn.kapper.internal.automapper.SQLTypesConverterTest$Companion$$Lambda$1123/0x00007ff300585540@615c9850
net.samyn.kapper.internal.automapper.SQLTypesConverterTest ‑ [12] INSTANT, net.samyn.kapper.internal.automapper.SQLTypesConverterTest$Companion$$Lambda$969/0x00007ff30054eb28@50457967
net.samyn.kapper.internal.automapper.SQLTypesConverterTest ‑ [12] NCLOB, "NCLOB", net.samyn.kapper.internal.automapper.SQLTypesConverterTest$Companion$$Lambda$1124/0x00007ff300585760@5222b75
net.samyn.kapper.internal.automapper.SQLTypesConverterTest ‑ [13] DATE, net.samyn.kapper.internal.automapper.SQLTypesConverterTest$Companion$$Lambda$970/0x00007ff30054ed48@10fa3cc3
net.samyn.kapper.internal.automapper.SQLTypesConverterTest ‑ [13] NVARCHAR, "NVARCHAR", net.samyn.kapper.internal.automapper.SQLTypesConverterTest$Companion$$Lambda$1125/0x00007ff300585980@126cf7f2
net.samyn.kapper.internal.automapper.SQLTypesConverterTest ‑ [14] LOCALDATE, net.samyn.kapper.internal.automapper.SQLTypesConverterTest$Companion$$Lambda$971/0x00007ff30054ef68@7adaae0a
net.samyn.kapper.internal.automapper.SQLTypesConverterTest ‑ [14] ROWID, "ROWID", net.samyn.kapper.internal.automapper.SQLTypesConverterTest$Companion$$Lambda$1126/0x00007ff300585ba0@1a5f27ba
net.samyn.kapper.internal.automapper.SQLTypesConverterTest ‑ [15] LOCALDATETIME, net.samyn.kapper.internal.automapper.SQLTypesConverterTest$Companion$$Lambda$972/0x00007ff30054f188@821b75d
net.samyn.kapper.internal.automapper.SQLTypesConverterTest ‑ [15] SQLXML, "SQLXML", net.samyn.kapper.internal.automapper.SQLTypesConverterTest$Companion$$Lambda$1127/0x00007ff300585dc0@714147cf
…

net.samyn.kapper.internal.automapper.SQLTypesConverterTest ‑ [10] LONGVARCHAR, "LONGVARCHAR", net.samyn.kapper.internal.automapper.SQLTypesConverterTest$Companion$$Lambda$1108/0x00007ff48456f100@88ebbb
net.samyn.kapper.internal.automapper.SQLTypesConverterTest ‑ [11] NCHAR, "NCHAR", net.samyn.kapper.internal.automapper.SQLTypesConverterTest$Companion$$Lambda$1109/0x00007ff48456f320@1950cb3b
net.samyn.kapper.internal.automapper.SQLTypesConverterTest ‑ [12] INSTANT, net.samyn.kapper.internal.automapper.SQLTypesConverterTest$Companion$$Lambda$953/0x00007ff484533b28@270c0d68
net.samyn.kapper.internal.automapper.SQLTypesConverterTest ‑ [12] NCLOB, "NCLOB", net.samyn.kapper.internal.automapper.SQLTypesConverterTest$Companion$$Lambda$1110/0x00007ff48456f540@5fdc1260
net.samyn.kapper.internal.automapper.SQLTypesConverterTest ‑ [13] DATE, net.samyn.kapper.internal.automapper.SQLTypesConverterTest$Companion$$Lambda$954/0x00007ff484533d48@2eb95f9e
net.samyn.kapper.internal.automapper.SQLTypesConverterTest ‑ [13] NVARCHAR, "NVARCHAR", net.samyn.kapper.internal.automapper.SQLTypesConverterTest$Companion$$Lambda$1111/0x00007ff48456f760@603b18da
net.samyn.kapper.internal.automapper.SQLTypesConverterTest ‑ [14] LOCALDATE, net.samyn.kapper.internal.automapper.SQLTypesConverterTest$Companion$$Lambda$955/0x00007ff484532c00@c00d3ea
net.samyn.kapper.internal.automapper.SQLTypesConverterTest ‑ [14] ROWID, "ROWID", net.samyn.kapper.internal.automapper.SQLTypesConverterTest$Companion$$Lambda$1112/0x00007ff48456f980@16a636d0
net.samyn.kapper.internal.automapper.SQLTypesConverterTest ‑ [15] LOCALDATETIME, net.samyn.kapper.internal.automapper.SQLTypesConverterTest$Companion$$Lambda$956/0x00007ff484538000@c5c8e55
net.samyn.kapper.internal.automapper.SQLTypesConverterTest ‑ [15] SQLXML, "SQLXML", net.samyn.kapper.internal.automapper.SQLTypesConverterTest$Companion$$Lambda$1113/0x00007ff48456fba0@2d596d29
…