
SonarQube ci support #16

Open
dragosv wants to merge 5 commits into main from sonar

Conversation

dragosv (Owner) commented Feb 20, 2026

Description

SonarQube CI support.

Type of Change

  • [x] New feature (non-breaking change which adds functionality)

Continue Tasks: ❌ 3 failed

Summary by CodeRabbit

  • Chores
    • Integrated SonarQube scanning into the CI pipeline for automated repository-wide code-quality analysis.
    • Added project analysis configuration to enable consistent static analysis and reporting across the codebase.
    • Added IDE/workspace settings to enable connected-mode linting and make local development warnings align with CI analysis.

@dragosv dragosv requested a review from Copilot February 20, 2026 10:21
Comment thread .github/workflows/ci.yml Outdated
run: swiftlint lint --strict --config .swiftlint.yml || true

- name: SonarQube Scan
uses: SonarSource/sonarqube-scan-action@v7.0.0
aikido-pr-checks Bot Feb 20, 2026

3rd party Github Actions should be pinned - medium severity
A third-party GitHub Action was imported, and is not pinned via a hash. This leaves your CI/CD at risk for potential supply chain attacks, if the affected GitHub Action is compromised.

Suggested change
uses: SonarSource/sonarqube-scan-action@v7.0.0
uses: SonarSource/sonarqube-scan-action@a31c9398be7ace6bbfaf30c0bd5d415f843d45e9 # v7.0.0
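Review bot: the `# v7.0.0` trailer on the suggested line is only a comment, so nothing on GitHub's side verifies that a31c9398be7ace6bbfaf30c0bd5d415f843d45e9 is the commit the v7.0.0 tag points at; resolve the tag yourself (for example `git ls-remote --tags https://github.com/SonarSource/sonarqube-scan-action v7.0.0`, taking the `^{}` peeled entry if the tag is annotated) and compare before applying the suggestion. The SHA is what runs, the comment is for humans. Once pinned, let Dependabot or Renovate bump the SHA and the comment together, otherwise the pin goes stale silently.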

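Added example, not code from this PR or from any of the review bots: a small checker for the Aikido finding above. It flags every `uses:` reference that points at a mutable tag or branch instead of a 40-hex commit SHA, and rewrites the flagged lines once the tag has been resolved to a commit out of band. The sample workflow text is constructed to mirror the code-quality steps quoted in this thread (the upload-artifact SHA in it is a dummy value); the tag-to-SHA table is also constructed, with the Sonar SHA copied from Aikido's suggestion and still to be verified against the real tag before anyone relies on it.

```python
"""
Detect GitHub Actions `uses:` references that are not pinned to a commit SHA
and rewrite them once the tag has been resolved out of band.
Added example; not code from this PR or from any of the review bots.
"""
import re

# A `uses:` line: optional list dash, the action (owner/repo[/subpath]), "@ref",
# then an optional trailing comment. Quoted values, local `./path` actions and
# `docker://` images do not match this pattern and need separate handling.
USES_RE = re.compile(
    r"^(?P<indent>\s*-?\s*uses:\s*)"
    r"(?P<action>[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(?:/[^@\s]+)?)"
    r"@(?P<ref>[^\s#]+)"
    r"(?P<rest>\s*(?:#.*)?)$"
)
# Only a full 40-hex commit SHA is immutable; tags and branches can be moved.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned(workflow_text):
    """Return [(line_no, action, ref)] for every `uses:` not pinned to a commit SHA."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and not SHA_RE.match(m.group("ref")):
            findings.append((line_no, m.group("action"), m.group("ref")))
    return findings


def pin_actions(workflow_text, resolved):
    """Rewrite unpinned `uses:` lines whose (action, tag) appears in `resolved`.

    `resolved` maps (action, tag) -> commit SHA and must come from a trusted
    lookup such as `git ls-remote --tags https://github.com/<action> <tag>`;
    this function deliberately does no network access. The original tag is
    kept as a trailing comment for humans and for update tooling. Tags with
    no entry in `resolved` are left untouched and stay flagged.
    """
    out = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m and not SHA_RE.match(m.group("ref")):
            key = (m.group("action"), m.group("ref"))
            if key in resolved:
                line = f"{m.group('indent')}{key[0]}@{resolved[key]} # {key[1]}"
        out.append(line)
    text = "\n".join(out)
    return text + "\n" if workflow_text.endswith("\n") else text


# Constructed sample mirroring the code-quality steps quoted in this thread.
# The upload-artifact SHA is a dummy value, present only to show a pinned line.
SAMPLE_WORKFLOW = """\
    steps:
      - name: Checkout code
        uses: actions/checkout@v6
        with:
          fetch-depth: 0
      - name: SwiftLint
        run: swiftlint lint --strict --config .swiftlint.yml || true
      - name: SonarQube Scan
        uses: SonarSource/sonarqube-scan-action@v7.0.0
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
      - name: Upload coverage (already pinned)
        uses: actions/upload-artifact@0123456789abcdef0123456789abcdef01234567 # v4
"""

# Constructed resolution table. The Sonar SHA is the one Aikido suggested in
# this thread and must still be verified against the v7.0.0 tag before use;
# actions/checkout is left unresolved on purpose so it remains flagged.
RESOLVED_TAGS = {
    ("SonarSource/sonarqube-scan-action", "v7.0.0"):
        "a31c9398be7ace6bbfaf30c0bd5d415f843d45e9",
}

if __name__ == "__main__":
    for line_no, action, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action}@{ref} is not pinned to a commit SHA")
    print(pin_actions(SAMPLE_WORKFLOW, RESOLVED_TAGS))
```

Running it on the sample reports both the checkout and the Sonar step; after `pin_actions` only the checkout remains flagged because its tag was never resolved, which is the behaviour you want from a pre-commit hook or a CI lint step: it never guesses a SHA for you.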

Copilot AI (Contributor) left a comment

Pull request overview

This pull request adds SonarQube scanning capabilities to the CI pipeline to enhance code quality monitoring and analysis. The change integrates the SonarSource GitHub Action into the existing code-quality job.

Changes:

  • Added SonarQube scan step to the code-quality job in the GitHub Actions CI workflow


Comment thread .github/workflows/ci.yml
Comment on lines +156 to +159
- name: SonarQube Scan
uses: SonarSource/sonarqube-scan-action@v7.0.0
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
Copilot AI Feb 20, 2026

The SonarQube scan is missing required configuration. At minimum, a 'sonar-project.properties' file should be present in the repository root, or the 'SONAR_HOST_URL' environment variable should be provided to specify the SonarQube server URL. Without these, the scan will fail. Additionally, for proper SonarQube analysis, the checkout action should use 'fetch-depth: 0' to enable blame information and proper issue tracking.

Owner Author (dragosv) commented

@copilot open a new pull request to apply changes based on this feedback

Comment thread .github/workflows/ci.yml
Comment on lines +156 to +159
- name: SonarQube Scan
uses: SonarSource/sonarqube-scan-action@v7.0.0
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
Copilot AI Feb 20, 2026

The SonarQube scan runs in the 'code-quality' job which is independent from the 'build-and-test' job where coverage data is generated. For SonarQube to analyze code coverage, the scan should either run in the same job as tests, or the 'code-quality' job should depend on 'build-and-test' (using 'needs: build-and-test') and download the coverage artifact. Additionally, the 'with' block should include 'args' parameter pointing to the coverage report location, such as 'sonar.swift.coverage.reportPaths=coverage.lcov'.

Owner Author (dragosv) commented

@coderabbitai review

Comment thread .github/workflows/ci.yml Outdated
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
codecov Bot commented Feb 20, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 62.36%. Comparing base (16cabe1) to head (f104acc).
⚠️ Report is 1 commit behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main      #16   +/-   ##
=======================================
  Coverage   62.36%   62.36%           
=======================================
  Files          40       40           
  Lines        1201     1201           
=======================================
  Hits          749      749           
  Misses        452      452           
Flag        Coverage Δ
swift       62.36% <ø> (ø)
unittests   62.36% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.


Δ = absolute <relative> (impact), ø = not affected, ? = missing data

coderabbitai Bot (Contributor) commented Feb 20, 2026

No actionable comments were generated in the recent review. 🎉


📝 Walkthrough

Walkthrough

Adds SonarQube/SonarCloud integration: a CI workflow Sonar scan step plus SonarLint connected-mode and SonarQube project configuration files for repository analysis.

Changes

CI Workflow (.github/workflows/ci.yml)
  Added a SonarQube scanning step using SonarSource/sonarqube-scan-action@v7.0.0, passing SONAR_TOKEN from repository secrets.

Editor / SonarLint Config (.sonarlint/connectedMode.json, .vscode/settings.json)
  Added SonarLint connected-mode settings and VS Code workspace configuration (connectionId, projectKey, organization/region entries).

SonarQube Project Config (sonar-project.properties)
  Added SonarQube project metadata and analysis configuration: project key/name/org, sources/tests layout, exclusions, SCM provider, and placeholders for Swift coverage paths.

Sequence Diagram(s)

sequenceDiagram
    participant GH as GitHub Actions (CI)
    participant Action as sonarqube-scan-action@v7
    participant Sonar as SonarQube / SonarCloud
    GH->>Action: start Sonar scan step (provides SONAR_TOKEN)
    Action->>Sonar: send project metadata and analysis payload
    Sonar-->>Action: return analysis status/results
    Action-->>GH: return step exit status

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I nudge the code with eager paws,
I hum through files and sniff for flaws,
Sonar lights the hidden clause,
I hop, I cheer—quality applause! 🥕

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

Description check: ❓ Inconclusive
  Explanation: The PR description is minimal and lacks detail. While it correctly identifies the change type, it omits most required sections including testing, checklist items, and additional context.
  Resolution: Expand the description with completed checklist items, testing details, and any additional context about the SonarQube setup or configuration choices made.

✅ Passed checks (2 passed)

Title check: ✅ Passed
  Explanation: The title 'SonarQube ci support' accurately summarizes the main change: adding SonarQube CI integration to the project.
Docstring Coverage: ✅ Passed
  Explanation: No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


coderabbitai Bot (Contributor) commented Feb 21, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

coderabbitai Bot (Contributor) left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/ci.yml (1)

294-294: ⚠️ Potential issue | 🟡 Minor

Reference to non-existent coverage job.

Line 294 checks needs.coverage.result, but there is no job named coverage defined in this workflow. The defined jobs are: build-and-test, code-quality, documentation, security, license-check, and release-check. This condition may cause unexpected behavior.

🔧 Proposed fix - remove the invalid reference
         if [[ "${{ needs.build-and-test.result }}" == "success" && \
               "${{ needs.code-quality.result }}" == "success" && \
               "${{ needs.documentation.result }}" != "failure" && \
               "${{ needs.security.result }}" != "failure" && \
-              "${{ needs.coverage.result }}" != "failure" && \
               "${{ needs.license-check.result }}" != "failure" ]]; then
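Review bot: dropping the `needs.coverage.result` clause at line 294 is the right fix only if `coverage` is also absent from this job's `needs:` list, which the hunk does not show; a name listed in `needs:` that matches no job fails workflow validation before this condition is ever evaluated, so check both places. Separately, the expression that remains gates `security` and `license-check` with `!= "failure"`, so a cancelled or skipped security job still lets the release condition pass; if the security scan is meant to be a hard gate, compare it to `"success"` the way `build-and-test` and `code-quality` already are.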
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/ci.yml at line 294, The workflow condition references a
non-existent job variable "${{ needs.coverage.result }}"; remove that fragment
from the conditional or replace it with a valid job name (e.g., one of the
existing jobs like build-and-test, code-quality, documentation, security,
license-check, or release-check) so the expression no longer references an
undefined need; update the condition that currently contains "${{
needs.coverage.result }}" accordingly (either delete that clause or change it to
a correct needs.<job>.result) to avoid runtime errors.
🧹 Nitpick comments (1)
.github/workflows/ci.yml (1)

127-128: Add fetch-depth: 0 for accurate SonarQube SCM analysis.

SonarQube uses git history for blame information and accurate change detection. Without full history, SCM-related features (like detecting new code on branches) may not work correctly.

🔧 Proposed fix
     - name: Checkout code
       uses: actions/checkout@v6
+      with:
+        fetch-depth: 0
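Review bot: `fetch-depth: 0` fixes the blame problem, but the same `Checkout code` step still references `actions/checkout` by the mutable `v6` tag; the Aikido finding on the Sonar action earlier in this thread applies here as well, so pin it to a full commit SHA and keep `# v6` as the trailing comment. Keep the full-history checkout in the job that runs the scan, since that is where `git blame` executes; a full clone in a different job does not help the scanner.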
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/ci.yml around lines 127 - 128, Update the GitHub Actions
checkout step that uses actions/checkout@v6 to fetch full git history for
SonarQube SCM analysis by adding the fetch-depth: 0 configuration under the
"Checkout code" step; locate the step titled "Checkout code" (the uses:
actions/checkout@v6 line) and add fetch-depth: 0 so the checkout action pulls
full history for accurate blame/change detection.


Copilot AI commented Feb 21, 2026

@dragosv I've opened a new pull request, #22, to work on those changes. Once the pull request is ready, I'll request review from you.

coderabbitai Bot (Contributor) left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@sonar-project.properties`:
- Line 12: Remove the redundant swift-nio/** pattern from the sonar.exclusions
setting by updating the sonar.exclusions property (the line starting with
sonar.exclusions) to omit swift-nio/** while keeping the existing .build/** and
Examples/** exclusions intact.

Comment thread sonar-project.properties Outdated
codacy-production Bot commented

Codacy's Analysis Summary

1 new issue (≤ 0 issue)
1 new security issue

