ci: set up SonarCloud analysis and Rust coverage upload

.github/workflows/sonar.yml

@@ -0,0 +1,64 @@
+name: Sonar
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+permissions:
+  contents: read
+  pull-requests: read
+
+concurrency:
+  group: sonar-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
+jobs:
+  sonar:
+    runs-on: ubuntu-latest
+    env:
+      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+        with:
+          # Full history so SonarQube Cloud can attribute new code / blame.
+          fetch-depth: 0
+
+      # --- Rust coverage (coverage/rust-lcov.info) ---
+      # rust-toolchain.toml uses `profile = "minimal"`, so the llvm-tools-preview
+      # component (required by cargo-llvm-cov) is not present by default.
+      - name: Add llvm-tools-preview component
+        run: rustup component add llvm-tools-preview
+
+      - name: Install cargo-llvm-cov
+        uses: taiki-e/install-action@9e1e5806d4a4822de933115878265be9aaa786d9 # v2
+        with:
+          tool: cargo-llvm-cov
+
+      - name: Test with coverage (Rust)
+        # #[ignore] (network-gated) tests are excluded by default, keeping this
+        # offline (see ADR-0004). --all-features mirrors the Rust CI gate.
+        run: |
+          mkdir -p coverage
+          cargo llvm-cov --workspace --locked --all-features --lcov --output-path coverage/rust-lcov.info
+
+      - name: Upload Rust coverage to Codecov
+        uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v7.0.0
+        with:
+          files: ./coverage/rust-lcov.info
+          flags: rust
+          fail_ci_if_error: false
+        env:
+          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+
+      # --- SonarQube Cloud analysis ---
+      # On pull_request runs from forks the SONAR_TOKEN secret isn't exposed, so
+      # skip the scan there instead of blocking external PRs. On push (main) the
+      # scan always runs — a missing token then fails loudly so a misconfigured
+      # Sonar setup is surfaced rather than silently skipped. (env is checked
+      # because the `secrets` context isn't available in step `if:` conditions.)
+      - name: SonarQube Cloud scan
+        if: ${{ github.event_name != 'pull_request' || env.SONAR_TOKEN != '' }}
+        uses: SonarSource/sonarqube-scan-action@713881670b6b3676cda39549040e2d88c70d582e # v8.2.0

README.ko.md

@@ -9,6 +9,7 @@
     <a href="https://www.npmjs.com/package/@pleaseai/csp"><img src="https://img.shields.io/npm/v/@pleaseai/csp?color=%23007ec6&label=npm" alt="npm version"></a>
     <a href="https://crates.io/crates/code-search-please"><img src="https://img.shields.io/crates/v/code-search-please?color=%23dea584&label=crates.io" alt="crates.io version"></a>
     <a href="https://codecov.io/gh/pleaseai/code-search"><img src="https://img.shields.io/codecov/c/github/pleaseai/code-search?label=coverage" alt="Coverage"></a>
+    <a href="https://sonarcloud.io/summary/new_code?id=pleaseai_code-search"><img src="https://sonarcloud.io/api/project_badges/measure?project=pleaseai_code-search&metric=alert_status" alt="Quality Gate Status"></a>
     <a href="https://socket.dev/npm/package/@pleaseai/csp"><img src="https://socket.dev/api/badge/npm/package/@pleaseai/csp" alt="Socket Badge"></a>
     <a href="https://github.com/pleaseai/code-search/blob/main/LICENSE">
       <img src="https://img.shields.io/badge/license-MIT-green" alt="License - MIT">

README.md

@@ -9,6 +9,7 @@
     <a href="https://www.npmjs.com/package/@pleaseai/csp"><img src="https://img.shields.io/npm/v/@pleaseai/csp?color=%23007ec6&label=npm" alt="npm version"></a>
     <a href="https://crates.io/crates/code-search-please"><img src="https://img.shields.io/crates/v/code-search-please?color=%23dea584&label=crates.io" alt="crates.io version"></a>
     <a href="https://codecov.io/gh/pleaseai/code-search"><img src="https://img.shields.io/codecov/c/github/pleaseai/code-search?label=coverage" alt="Coverage"></a>
+    <a href="https://sonarcloud.io/summary/new_code?id=pleaseai_code-search"><img src="https://sonarcloud.io/api/project_badges/measure?project=pleaseai_code-search&metric=alert_status" alt="Quality Gate Status"></a>
     <a href="https://socket.dev/npm/package/@pleaseai/csp"><img src="https://socket.dev/api/badge/npm/package/@pleaseai/csp" alt="Socket Badge"></a>
     <a href="https://github.com/pleaseai/code-search/blob/main/LICENSE">
       <img src="https://img.shields.io/badge/license-MIT-green" alt="License - MIT">

codecov.yml

@@ -16,8 +16,26 @@ coverage:
         informational: true
 
 comment:
-  layout: 'reach, diff, flags, files'
+  layout: 'reach, diff, flags, components, files'
   require_changes: false
 
-# Coverage is generated by `bun test --coverage` (lcov). Test files are already
-# excluded from the lcov report, so only product source is measured.
+# Upload-time flag. sonar.yml uploads Rust coverage with `flags: rust`.
+# carryforward keeps the last known coverage when the workflow doesn't run on a
+# given commit. (The TypeScript implementation under src/ has been removed.)
+flags:
+  rust:
+    paths:
+      - crates/
+    carryforward: true
+
+# Component grouping by path at display time (independent of upload flags),
+# surfacing the Rust crate coverage as a named component in the Codecov UI.
+component_management:
+  individual_components:
+    - component_id: rust
+      name: Rust
+      paths:
+        - crates/**
+
+# Coverage is generated by `cargo llvm-cov` (Rust, lcov). Test code is excluded
+# from the lcov report, so only product source is measured.

sonar-project.properties

@@ -0,0 +1,18 @@
+# SonarQube Cloud (sonarcloud.io) configuration.
+#
+# Analysis runs from CI (.github/workflows/sonar.yml). For this to work the
+# SonarCloud project must have Automatic Analysis DISABLED and a SONAR_TOKEN
+# secret configured in the repository (or org) settings.
+sonar.projectKey=pleaseai_code-search
+sonar.organization=pleaseai
+
+# The implementation is the Rust workspace under crates/ (the deprecated TS port
+# that lived in src/ has been removed).
+sonar.sources=crates
+
+# Keep the npm launcher, build output, and dependency/target dirs out of analysis
+# (npm/** mirrors the .codacy.yaml exclusion).
+sonar.exclusions=npm/**,dist/**,target/**,node_modules/**
+
+# Coverage report (LCOV), generated by `cargo llvm-cov` in CI before the scan step.
+sonar.rust.lcov.reportPaths=coverage/rust-lcov.info