ci: SonarCloud advisory (non-blocking main CI)

[KooshaPari]

User description

SonarCloud advisory: sonar-project.properties disables autoscan App check; sonarcloud.yml uses continue-on-error.

---

Note

Low Risk
Additive CI-only changes with no application code or runtime behavior; scan job is explicitly non-blocking.

Overview
Adds SonarCloud static analysis to CI on pushes and PRs targeting main, master, and develop.

The new workflow runs a full-history checkout and the official Sonar scan action with GITHUB_TOKEN and SONAR_TOKEN, uses workflow concurrency with cancel-in-progress, and sets continue-on-error: true so scan failures do not block merges. sonar-project.properties wires the repo to organization kooshapari and project key KooshaPari_helios-cli.

^{Reviewed by Cursor Bugbot for commit 364bc67. Bugbot is set up for automated code reviews on this repo. Configure here.}

---

CodeAnt-AI Description

Add a non-blocking SonarCloud check to main branch CI

What Changed

• Runs SonarCloud analysis on pushes and pull requests to main, master, and develop
• Keeps the scan advisory only, so a failed analysis does not block merges
• Links the repository to the SonarCloud project for automated code quality checks

Impact

✅ Earlier code quality feedback
✅ Fewer blocked merges from scan failures
✅ Continuous analysis on key branches

💡 Usage Guide

Checking Your Pull Request

Every time you make a pull request, our system automatically looks through it. We check for security issues, mistakes in how you're setting up your infrastructure, and common code problems. We do this to make sure your changes are solid and won't cause any trouble later.

Talking to CodeAnt AI

Got a question or need a hand with something in your pull request? You can easily get in touch with CodeAnt AI right here. Just type the following in a comment on your pull request, and replace "Your question here" with whatever you want to ask:

@codeant-ai ask: Your question here

This lets you have a chat with CodeAnt AI about your pull request, making it easier to understand and improve your code.

Example

@codeant-ai ask: Can you suggest a safer alternative to storing this secret?

Preserve Org Learnings with CodeAnt

You can record team preferences so CodeAnt AI applies them in future reviews. Reply directly to the specific CodeAnt AI suggestion (in the same thread) and replace "Your feedback here" with your input:

@codeant-ai: Your feedback here

This helps CodeAnt AI learn and adapt to your team's coding style and standards.

Example

@codeant-ai: Do not flag unused imports.

Retrigger review

Ask CodeAnt AI to review the PR again, by typing:

@codeant-ai: review

Check Your Repository Health

To analyze the health of your code repository, visit our dashboard at https://app.codeant.ai. This tool helps you identify potential issues and areas for improvement in your codebase, ensuring your repository maintains high standards of code health.

[codeant-ai]

CodeAnt AI is reviewing your PR.

---

Thanks for using CodeAnt! 🎉

We're free for open-source projects. if you're enjoying it, help us grow by sharing.

Share on X ·
Reddit ·
LinkedIn

[gemini-code-assist]

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

[codeant-ai]

CodeAnt AI finished reviewing your PR.

[kilo-code-bot]

Code Review Summary

Status: 1 Warning Found | Recommendation: Address before merge

Overview

Severity	Count
CRITICAL	0
WARNING	1
SUGGESTION	0

Issue Details (click to expand)

WARNING

File	Line	Issue
sonar-project.properties	2	Missing sonar.host.url — the scan action defaults to SonarCloud, but explicit configuration is safer in multi-org/multi-Sonar environments.
.github/workflows/sonarcloud.yml	19	fetch-depth: 0 pulls full history for every PR/push — for a monorepo this is expensive. Consider fetch-depth: 1 for PRs and 0 only for pushes that need blame/history.

Other Observations (not in diff)

• sonar-project.properties does not set sonar.language, sonar.sources, or any source exclusions. In this monorepo the scan will attempt to analyze every directory and may pick up unrelated languages. If results are noisy, scope the analysis explicitly.
• The continue-on-error: true at the job level means Sonar failures are entirely silent. Consider adding a warning annotation or step summary so failures are at least visible in the UI without blocking.

Files Reviewed (2 files)

• .github/workflows/sonarcloud.yml — CI-only workflow; no runtime application impact
• sonar-project.properties — SonarCloud configuration

---

_{Reviewed by step-3.7-flash-20260528 · 485,186 tokens}