
ci: set up SonarCloud analysis and Rust coverage upload #57

Merged: amondnet merged 7 commits into main from amondnet/sonarqube-badge, Jun 24, 2026

Conversation

@amondnet amondnet (Contributor) commented Jun 23, 2026

Summary

Set up SonarCloud (sonarcloud.io) code-quality analysis in CI, upload Rust coverage to both Codecov and SonarCloud, and add a SonarCloud Quality Gate badge to the READMEs.

Note: Coverage is Rust-only. This branch was rebased on top of #56, which removed the deprecated TypeScript implementation under src/; the Rust workspace in crates/ is now the sole implementation, so all TypeScript coverage wiring was dropped.

Changes

Badge (README.md / README.ko.md)

  • Add the SonarCloud Quality Gate badge to the top of both the English and Korean READMEs, kept in sync.

SonarCloud project config (sonar-project.properties, new)

  • sonar.projectKey=pleaseai_code-search, sonar.organization=pleaseai
  • sonar.sources=crates (the implementation is the Rust workspace)
  • sonar.exclusions=npm/**,dist/**,target/**,node_modules/** (mirrors .codacy.yaml)
  • sonar.rust.lcov.reportPaths=coverage/rust-lcov.info — the language-specific Rust LCOV property officially supported by SonarQube Cloud

CI workflow (.github/workflows/sonar.yml, new)

  • Triggers: push (main) + pull_request; PR concurrency cancellation.
  • Permissions: contents: read + pull-requests: read (PR analysis/decoration).
  • Generate Rust coverage with cargo llvm-cov --workspace --locked --all-features --lcov (network-gated #[ignore] tests stay excluded; adds the llvm-tools-preview component for the minimal toolchain).
  • Upload Rust coverage to Codecov with flags: rust.
  • Run SonarSource/sonarqube-scan-action@v8.2.0 (pinned by SHA).
  • Fork-PR safety: the scan step is gated by if: ${{ env.SONAR_TOKEN != '' }} (with SONAR_TOKEN hoisted to job-level env, since the secrets context isn't available in step if:), so PRs from forks without secrets are skipped instead of failing.

Codecov config (codecov.yml)

  • Add a rust flag (paths: crates/, carryforward: true).
  • Add a Rust component (crates/**) and surface components in PR comments.

Test plan

  • CI Sonar workflow runs: Rust coverage → Codecov upload → SonarCloud scan.
  • Coverage and analysis appear on the SonarCloud dashboard.
  • Quality Gate badge renders in both READMEs.

⚠️ Pre-merge prerequisites (cannot be done in code — configure in the SonarCloud console)

The CI scan will fail until all three are done:

  1. Register the SONAR_TOKEN secret — GitHub repo (or org) Settings → Secrets and variables → Actions; use a token issued from SonarCloud.
  2. Ensure the SonarCloud project exists — org pleaseai, project key pleaseai_code-search (import via "Analyze new project" if missing).
  3. Disable Automatic Analysis — SonarCloud project → Administration → Analysis Method → turn Off. If left on, the CI scan fails with "You are running CI analysis while Automatic Analysis is enabled".

Summary by cubic

Set up SonarCloud analysis for the Rust workspace and upload Rust coverage to Codecov. Adds a SonarCloud Quality Gate badge to both READMEs, and skips scans only on fork PRs without secrets (push to main fails fast if the token is missing).

  • New Features

    • SonarCloud: sonar.sources=crates, exclusions (npm/**,dist/**,target/**,node_modules/**), and sonar.rust.lcov.reportPaths=coverage/rust-lcov.info.
    • CI (.github/workflows/sonar.yml): generate Rust LCOV via cargo llvm-cov, install llvm-tools-preview, upload to Codecov with flags: rust, run SonarSource/sonarqube-scan-action@v8.2.0; add pull-requests: read, PR concurrency cancel; skip scan only on fork PRs without SONAR_TOKEN (push to main runs and fails if missing).
    • Codecov (codecov.yml): add flags.rust with carryforward and a Rust component; include components in PR comments.
    • Docs: add SonarCloud Quality Gate badge to README.md and README.ko.md.
  • Migration

    • Add SONAR_TOKEN in GitHub Actions secrets.
    • Ensure the SonarCloud project exists: org pleaseai, key pleaseai_code-search.
    • Disable Automatic Analysis in the SonarCloud project.

Written for commit 20bb022. Summary will update on new commits.

Summary by CodeRabbit

  • New Features

    • Added SonarCloud “Quality Gate Status” badges to the project README(s) for clearer quality visibility.
  • Chores

    • Updated CI to run Rust-focused coverage generation and publish results to Codecov.
    • Added SonarQube/SonarCloud configuration to analyze Rust sources and ingest Rust coverage output.
    • Improved Codecov PR comment layout and Rust coverage flag/component grouping.
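One way to assemble the sonar.yml workflow from the behaviour described in the "CI workflow" bullets above, written here as an added example; it is not the project's own file and is not taken from this PR. It also folds in the two hardening points raised in the review threads further down (persist-credentials: false on checkout, and SONAR_TOKEN scoped to the scan step behind a non-secret presence flag). The checkout and SonarQube scan action SHAs are the ones quoted in the reviews; dtolnay/rust-toolchain, taiki-e/install-action, codecov/codecov-action and the CODECOV_TOKEN secret name are assumptions.

```yaml
# Added example workflow (not the project's actual .github/workflows/sonar.yml).
# Action SHAs for checkout and the SonarQube scan action are the ones quoted in
# the review threads; the other action references and CODECOV_TOKEN are assumed.
name: SonarCloud

on:
  push:
    branches: [main]
  pull_request:

# Cancel a superseded run for the same ref (PR concurrency cancellation).
concurrency:
  group: sonar-${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

permissions:
  contents: read
  pull-requests: read   # PR analysis / decoration

jobs:
  sonar:
    runs-on: ubuntu-latest
    env:
      # Non-secret presence flag. The secrets context is available in job-level
      # env but not inside a step's `if:`, so the check is done here; the token
      # value itself is passed only to the scan step below.
      HAS_SONAR_TOKEN: ${{ secrets.SONAR_TOKEN != '' }}
    steps:
      - name: Checkout code
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
        with:
          fetch-depth: 0               # full history for new-code attribution / blame
          persist-credentials: false   # no later step pushes, so keep the token out of .git/config

      # Assumed: dtolnay/rust-toolchain; the minimal toolchain lacks llvm-tools-preview
      - name: Install Rust toolchain with llvm-tools
        uses: dtolnay/rust-toolchain@stable
        with:
          components: llvm-tools-preview

      # Assumed: taiki-e/install-action tag for cargo-llvm-cov
      - name: Install cargo-llvm-cov
        uses: taiki-e/install-action@cargo-llvm-cov

      - name: Generate Rust LCOV coverage
        run: |
          mkdir -p coverage
          # network-gated #[ignore] tests stay excluded by default
          cargo llvm-cov --workspace --locked --all-features --lcov --output-path coverage/rust-lcov.info

      # Assumed: codecov/codecov-action with a CODECOV_TOKEN repository secret
      - name: Upload Rust coverage to Codecov
        uses: codecov/codecov-action@v5
        with:
          files: coverage/rust-lcov.info
          flags: rust
          token: ${{ secrets.CODECOV_TOKEN }}

      # Skip only on fork PRs without secrets. Push to main and same-repo PRs
      # always run, so a missing token fails fast there instead of silently skipping.
      - name: SonarQube Cloud scan
        if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork != true || env.HAS_SONAR_TOKEN == 'true' }}
        uses: SonarSource/sonarqube-scan-action@713881670b6b3676cda39549040e2d88c70d582e # v8.2.0
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
```

The presence flag is a string ('true' or 'false'), so the step gate compares against the string rather than treating it as a boolean. On a push event github.event.pull_request is absent, so the first clause short-circuits and the scan always runs there; on a fork PR the secret is empty, the flag is 'false', and the step is skipped rather than failing.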

amondnet added 2 commits June 23, 2026 21:06
- sonar-project.properties: set projectKey/organization, source path, lcov report path
- .github/workflows/sonar.yml: generate bun lcov + cargo-llvm-cov, then SonarCloud scan
- Rust uses the minimal toolchain, so include a step adding the llvm-tools-preview component
coderabbitai Bot commented Jun 23, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

📥 Commits

Reviewing files that changed from the base of the PR and between 0e9b9f1 and 20bb022.

📒 Files selected for processing (1)
  • .github/workflows/sonar.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/sonar.yml

📝 Walkthrough

Adds a new sonar.yml GitHub Actions workflow that generates Rust LCOV coverage via cargo-llvm-cov, uploads it to Codecov, and runs a SonarQube Cloud scan with fork PRs skipped when the token is unavailable. It also adds sonar-project.properties, updates codecov.yml, and adds SonarCloud badges to both READMEs.

Changes

Code Quality and Coverage Integration

  • SonarCloud project properties and Codecov Rust configuration (sonar-project.properties, codecov.yml): sonar-project.properties defines the SonarCloud project key, organization, Rust source root (crates), exclusion globs, and LCOV report path. codecov.yml adds a rust upload-time flag scoped to crates/ with carryforward: true, a component_management block grouping coverage under a Rust component, updated PR comment layout including flags and components, and a revised coverage-generation comment referencing cargo llvm-cov.
  • SonarQube Cloud CI workflow (.github/workflows/sonar.yml): New workflow triggered on push to main and pull requests with minimal permissions and concurrency cancellation. The sonar job checks out full history, installs llvm-tools-preview and cargo-llvm-cov, runs cargo llvm-cov to produce coverage/rust-lcov.info, uploads it to Codecov, and executes the SonarQube Cloud scan action only when SONAR_TOKEN is available.
  • SonarCloud badges (README.md, README.ko.md): Adds a SonarCloud quality gate status badge to the header of both the English and Korean READMEs.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐇 I hop through pipelines bright and clean,
With Rusty coverage in between.
Sonar hums, Codecov sings,
README badges shine with springtime wings.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title clearly summarizes the main CI change: SonarCloud analysis plus Rust coverage upload.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.


@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request integrates SonarCloud by adding Quality Gate badges to the README files and creating a sonar-project.properties configuration file. The review feedback correctly points out that SonarCloud does not support sonar.rust.lcov.reportPaths for Rust coverage, and suggests using sonar.coverageReportPaths with a generic XML format instead.

Comment thread sonar-project.properties
@codacy-production


Not up to standards ⛔

🔴 Issues 1 critical

Alerts:
⚠ 1 issue (≤ 0 issues of at least minor severity)

Results:
1 new issue

Category Results
Security 1 critical


@codecov

codecov Bot commented Jun 23, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.


- sonar.yml: upload the cargo llvm-cov output (rust-lcov.info) to Codecov with flag=rust
- ci.yml: add flag=typescript to the existing TS upload to separate coverage by language

@cubic-dev-ai cubic-dev-ai Bot left a comment


2 issues found and verified against the latest diff

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name=".github/workflows/sonar.yml">

<violation number="1" location=".github/workflows/sonar.yml:6">
P3: Restore the missing `amondnet/**` push branch pattern.</violation>
</file>


Comment thread .github/workflows/sonar.yml
Comment thread .github/workflows/sonar.yml
- flags: define typescript (src/) and rust (crates/) + enable carryforward
- component_management: aggregate separately in the UI/comments as TypeScript and Rust components
- add components to the comment layout

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/sonar.yml (1)

20-24: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Disable checkout credential persistence for downstream steps.

At Line 21, actions/checkout keeps credentials in local git config by default. Set persist-credentials: false to reduce token exposure surface.

Suggested hardening
       - name: Checkout code
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           # Full history so SonarQube Cloud can attribute new code / blame.
           fetch-depth: 0
+          persist-credentials: false
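Review bot: persist-credentials: false is safe in this job because none of the later steps (toolchain install, cargo llvm-cov, Codecov upload, SonarQube Cloud scan) write back to the repository, and the new-code/blame attribution the comment mentions only needs the history fetched by fetch-depth: 0, which this change leaves intact. The suggestion should be applied as shown, keeping the pinned checkout SHA.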
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/sonar.yml around lines 20 - 24, The Checkout code step in
the sonar workflow is leaving git credentials persisted by default, so update
the actions/checkout usage to disable credential persistence for downstream
steps. In the Checkout code step, add the persist-credentials setting set to
false alongside fetch-depth, keeping the existing checkout action reference
intact.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/sonar.yml:
- Around line 66-69: Skip the SonarQube Cloud scan step when SONAR_TOKEN is not
available, since the SonarQube Cloud scan in sonar.yml will fail on forked
pull_request runs without repository secrets. Update the SonarQube Cloud scan
job/step so it is gated by a condition that checks for SONAR_TOKEN or otherwise
runs only in a trusted context, using the existing SonarQube Cloud scan step as
the target for the fix. If needed, move the analysis to a workflow_run-based
flow so external PRs do not block on missing secrets.


ℹ️ Review info

📥 Commits

Reviewing files that changed from the base of the PR and between efff12b and 8b3d4e1.

📒 Files selected for processing (6)
  • .github/workflows/ci.yml
  • .github/workflows/sonar.yml
  • README.ko.md
  • README.md
  • codecov.yml
  • sonar-project.properties

Comment thread .github/workflows/sonar.yml Outdated
amondnet added 2 commits June 24, 2026 16:46
- sonar.yml: add pull-requests: read permission (cubic)
- sonar.yml: skip the scan when SONAR_TOKEN is absent on fork PRs (coderabbit)

@cubic-dev-ai cubic-dev-ai Bot left a comment


1 issue found across 1 file (changes from recent commits).


Comment thread .github/workflows/sonar.yml Outdated

@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
.github/workflows/sonar.yml (1)

20-21: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Scope SONAR_TOKEN to the Sonar step only.

Current job-level env exposes the secret to all steps. Keep only a non-secret gate at job scope and pass SONAR_TOKEN only to the scan step.

Suggested change
   sonar:
     runs-on: ubuntu-latest
     env:
-      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+      HAS_SONAR_TOKEN: ${{ secrets.SONAR_TOKEN != '' }}
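Review bot: the job-level expression ${{ secrets.SONAR_TOKEN != '' }} is the right place for the presence check, since the secrets context is available in job-level env but not inside a step's if: (as the PR description itself notes); it yields the string 'true' or 'false', so any step gate must compare HAS_SONAR_TOKEN against the string 'true' rather than using it as a boolean. Replacing the raw token with this flag removes the secret from the environment of every step that does not need it.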
@@
       - name: SonarQube Cloud scan
-        if: ${{ env.SONAR_TOKEN != '' }}
+        if: ${{ env.HAS_SONAR_TOKEN == 'true' }}
         uses: SonarSource/sonarqube-scan-action@713881670b6b3676cda39549040e2d88c70d582e # v8.2.0
+        env:
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
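Review bot: gating the scan on env.HAS_SONAR_TOKEN == 'true' alone skips the scan on every run without a token, including push to main; the PR description says only fork PRs without secrets should be skipped and that push to main should fail fast when the token is missing, so the condition also needs an event check (run when github.event_name is not pull_request or the PR head is not from a fork, in addition to the flag). Moving SONAR_TOKEN into the step-level env of the scan step is the right fix for the exposure described and should be kept regardless of how the gate is written.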

Also applies to: 60-63

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/sonar.yml around lines 20 - 21, The job-level env
currently exposes SONAR_TOKEN to every step in the Sonar workflow; move the
secret out of the global environment and apply it only to the Sonar scan step.
Keep any non-secret gating at job scope, and update the relevant step in
sonar.yml so the secret is referenced only where the scan runs.

ℹ️ Review info

📥 Commits

Reviewing files that changed from the base of the PR and between 8b3d4e1 and 0e9b9f1.

📒 Files selected for processing (5)
  • .github/workflows/sonar.yml
  • README.ko.md
  • README.md
  • codecov.yml
  • sonar-project.properties
✅ Files skipped from review due to trivial changes (2)
  • sonar-project.properties
  • README.md

@amondnet amondnet changed the title from "ci: SonarCloud code quality analysis and coverage setup" to "ci: set up SonarCloud analysis and Rust coverage upload" Jun 24, 2026
- sonar.yml: skip the scan only on fork PRs; push (main) fails when the token is missing (cubic)
@sonarqubecloud


@amondnet amondnet merged commit 7c54631 into main Jun 24, 2026
8 of 9 checks passed
@amondnet amondnet deleted the amondnet/sonarqube-badge branch June 24, 2026 11:30