chore(security): reinstate SonarCloud as required gate #60

Merged: aksOps merged 1 commit into main from chore/sonar-required on Apr 28, 2026
@aksOps aksOps commented Apr 28, 2026

Summary

Board reversal 2026-04-28: SonarCloud Code Analysis is now a required check on `main`. Documents and branch protection both updated.

Changes

  • Branch protection: `SonarCloud Code Analysis` added to `required_status_checks` on `main` (alongside the existing `build · vet · test` gate). Set via GitHub API; verified via `GET /branches/main/protection`.
  • `CLAUDE.md`: removed SonarCloud from the "do not re-introduce" list, documented that it runs as the SonarCloud GitHub App (no in-repo workflow), and reframed the OSS-CLI security stack as supplemented by SonarCloud.
  • `.github/workflows/security.yml`: updated the header comment so the historical "Replaces Sonar + ..." line no longer contradicts the current required-gate state.

Notes

  • This PR is the first to test SonarCloud-as-required-check. If SonarCloud fails here, that's a real signal — either configuration drift (e.g. missing token / project key) or a flagged finding worth addressing. PR fix(robustness): atomic batch writes + DLQ fsync (P0) #59 saw SonarCloud fail before the gate was added; if the failure mode is configuration, this PR will need the same fix before it can merge.
  • No application code changes. No test changes.

Test plan

  • CLAUDE.md and security.yml render correctly (no broken markdown, no contradictory statements left behind)
  • `gh api .../branches/main/protection/required_status_checks/contexts` shows both required contexts
  • commit signed (ED25519)

🤖 Generated with Claude Code

Board reversal 2026-04-28: make SonarCloud Code Analysis a required
check on `main`, alongside the existing `build · vet · test` gate.

- Branch protection: SonarCloud Code Analysis added to
  required_status_checks via GitHub API.
- CLAUDE.md: removed SonarCloud from "do not re-introduce" list,
  documented the reinstatement and that it runs as the SonarCloud
  GitHub App (not a workflow in this repo).
- security.yml: updated stack-replacement comment to reflect Sonar
  is back externally even though it's not a job in this workflow.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@sonarqubecloud

@aksOps aksOps merged commit 955618a into main Apr 28, 2026
17 checks passed
@aksOps aksOps deleted the chore/sonar-required branch April 28, 2026 01:47
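
An offline version of the test plan's required-contexts check, added here as an example (not code from this repository): it audits a saved branch-protection response for the two contexts named in the PR and also flags any required check that is not pinned to a GitHub App. The sample JSON, its `app_id` values and the function name `audit_required_checks` are constructed for illustration.

```python
import json

# Constructed sample shaped like the body of
# GET /repos/{owner}/{repo}/branches/main/protection (only the fields used here).
# The app_id values are made up; the unpinned entry is deliberate, to show a finding.
SAMPLE_PROTECTION = json.loads("""
{
  "required_status_checks": {
    "strict": true,
    "contexts": ["build · vet · test", "SonarCloud Code Analysis"],
    "checks": [
      {"context": "build · vet · test", "app_id": 11111},
      {"context": "SonarCloud Code Analysis", "app_id": null}
    ]
  }
}
""")

# The two gates the PR says must be required on main.
EXPECTED = ("build · vet · test", "SonarCloud Code Analysis")


def audit_required_checks(protection, expected=EXPECTED):
    """Return a list of findings; an empty list means the gate matches expectations."""
    rsc = protection.get("required_status_checks")
    if not rsc:
        return ["no required_status_checks configured on this branch"]
    findings = []
    contexts = set(rsc.get("contexts", []))
    pinned = {c["context"]: c.get("app_id") for c in rsc.get("checks", [])}
    for name in expected:
        if name not in contexts and name not in pinned:
            findings.append(f"missing required context: {name}")
        elif pinned.get(name) in (None, -1):
            # No app pinned: a status with this name from any source satisfies the gate.
            findings.append(f"context not pinned to a GitHub App: {name}")
    # Anything required beyond the expected set is drift worth reviewing too.
    for extra in sorted((contexts | set(pinned)) - set(expected)):
        findings.append(f"unexpected required context: {extra}")
    return findings


if __name__ == "__main__":
    for line in audit_required_checks(SAMPLE_PROTECTION) or ["ok"]:
        print(line)
```

Run against a saved copy of the real protection response, an empty findings list means both gates are required and each is tied to the app expected to report it.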