ci: SonarCloud quality gate + coverage #7
Merged
Adds a SonarCloud scan that ingests Go + JS/TS coverage on every PR
and on push to main. Coverage is collected fresh in this workflow
rather than reused from CI — the existing ci.yml runs go test without
-coverprofile and adding it there would slow every PR build.
Setup required (manual, one-time):
1. Sign in to sonarcloud.io with GitHub.
2. Import RandomCodeSpace/ctm; project key auto-generated as
RandomCodeSpace_ctm (matches sonar-project.properties).
3. Generate a user token; add as repo secret SONAR_TOKEN.
Until SONAR_TOKEN is set, the workflow runs the test+coverage steps
and emits a workflow warning instead of erroring on the scan step.
Coverage layout:
- Go: go test -coverprofile=coverage.out (atomic mode for race-safe)
- UI: vitest run --coverage with provider:v8 → ui/coverage/lcov.info
- Both: excluded from git via .gitignore
Excluded from analysis: dist/, vendor/, node_modules/, _attic/,
.claude/, .codeiq/, internal/serve/dist/ (generated UI bundle),
ui/playwright-report/, ui/test-results/, docs/.
Quality gate uses SonarCloud's default ('clean as you code', 80%
new-code coverage) — adjustable in the SonarCloud UI later.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Closes the three findings the SonarCloud quality gate raised on PR #7:
- pnpm/action-setup pinned to commit SHA (v4 → b906aff). Tag-based refs for third-party actions can be silently rewritten — Sonar S7637.
- SonarSource/sonarqube-scan-action bumped v5 → v6 and pinned to SHA fd88b7d. v5 emits a deprecation/security warning on every run.
- pnpm install now passes --ignore-scripts (Sonar S6505). Modern vitest + React stack doesn't require lifecycle scripts; verified locally with a clean install + `vitest run --coverage`.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
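The two Sonar rules named in the commit above (tag-pinned third-party actions, S7637; package installs that run lifecycle scripts, S6505) are easy to check before a scan runs. The script below is an added example, not part of the ctm repository or this PR: it audits a GitHub Actions workflow text for both findings. The workflow it runs over is a constructed sample, and the 40-zero value in it is a placeholder for a real pinned commit SHA, not the commit the PR actually pinned. It handles inline `run:` commands only, not `run: |` block scalars.

```python
import re

# Constructed sample workflow, not the project's sonar.yml. Line 11 carries a
# 40-zero placeholder where a real pinned commit SHA would go.
PLACEHOLDER_SHA = "0" * 40
SAMPLE_WORKFLOW = f"""\
name: sonar
on:
  push:
    branches: [main]
  pull_request:
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@{PLACEHOLDER_SHA} # v4 (placeholder SHA)
      - run: pnpm -C ui install --frozen-lockfile
      - run: pnpm -C ui install --frozen-lockfile --ignore-scripts
      - name: SonarCloud scan
        if: env.SONAR_TOKEN != ''
        uses: SonarSource/sonarqube-scan-action@v5
"""

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
USES_LINE = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)")
RUN_LINE = re.compile(r"^\s*(?:-\s*)?run:\s*(.+?)\s*$")
INSTALL_CMD = re.compile(r"\b(?:pnpm|npm|yarn)\b.*\b(?:install|ci|i)\b")


def unpinned_actions(workflow_text):
    """Sonar S7637: return (line_no, ref) for every `uses:` whose ref is a tag
    or branch rather than a full 40-hex commit SHA. Local (./) and docker://
    refs are outside the rule and are skipped."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_LINE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue
        _action, _, version = ref.partition("@")
        if not FULL_SHA.match(version):
            findings.append((n, ref))
    return findings


def installs_without_ignore_scripts(workflow_text):
    """Sonar S6505: return (line_no, command) for inline `run:` package
    installs that let dependency lifecycle scripts execute. Block scalars
    (`run: |`) are not parsed by this simple checker."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = RUN_LINE.match(line)
        if not m:
            continue
        cmd = m.group(1)
        if cmd in ("|", "|-", ">", ">-"):
            continue
        if INSTALL_CMD.search(cmd) and "--ignore-scripts" not in cmd:
            findings.append((n, cmd))
    return findings


def audit(workflow_text):
    """Return both finding lists keyed by rule; empty lists mean a clean workflow."""
    return {
        "S7637_unpinned_actions": unpinned_actions(workflow_text),
        "S6505_install_runs_scripts": installs_without_ignore_scripts(workflow_text),
    }


if __name__ == "__main__":
    # Against the sample this reports checkout@v4, the scan action @v5, and
    # the first pnpm install (the one without --ignore-scripts).
    for rule, hits in audit(SAMPLE_WORKFLOW).items():
        for line_no, text in hits:
            print(f"{rule}: line {line_no}: {text}")
```

Run it against a real workflow with `audit(open(".github/workflows/sonar.yml").read())`; a pinned ref passes only when the part after `@` is the full 40-character SHA, which is why short SHAs such as the ones quoted in the commit message are written out in full in the workflow file itself.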
Summary
- `main` and on PRs, with Go + UI coverage uploaded in the same workspace pass.
- `sonar-project.properties` (project key `RandomCodeSpace_ctm`, org `randomcodespace`) covering source/test split, exclusions for generated/vendored/agent paths, and coverage report locations.
- (`@vitest/coverage-v8@^3.2.4`, lcov + html + text reporters) and emits `ui/coverage/lcov.info` for Sonar.
- `SONAR_TOKEN` is missing — emits a `::warning::` instead of failing, so the gate doesn't block merges before the secret is configured.
Manual setup required
1. `RandomCodeSpace/ctm`.
2. `SONAR_TOKEN` (Settings → Secrets and variables → Actions).
3. `sonar.projectKey` / `sonar.organization` in `sonar-project.properties` match what Sonar generated.
Until step 3 is done, the workflow runs the test/coverage steps and skips the upload with a warning.
Test plan
- `go test -tags sqlite_fts5 -coverprofile=coverage.out -covermode=atomic ./...` succeeds locally; `coverage.out` populated.
- `pnpm -C ui exec vitest run --coverage` succeeds locally; `ui/coverage/lcov.info` populated.
- (`SONAR_TOKEN` warning until secret is set).
- `SONAR_TOKEN` is added, rerun the workflow and confirm Sonar dashboard shows coverage + new-code metrics.
🤖 Generated with Claude Code