Skip to content

ci: set up SonarCloud analysis and Rust coverage upload#57

Merged
amondnet merged 7 commits into
mainfrom
amondnet/sonarqube-badge
Jun 24, 2026
Merged

ci: set up SonarCloud analysis and Rust coverage upload#57
amondnet merged 7 commits into
mainfrom
amondnet/sonarqube-badge

Conversation

@amondnet

@amondnet amondnet commented Jun 23, 2026
edited by coderabbitai Bot
Loading

Copy link
Copy Markdown
Contributor

Summary

Set up SonarCloud (sonarcloud.io) code-quality analysis in CI, upload Rust coverage to both Codecov and SonarCloud, and add a SonarCloud Quality Gate badge to the READMEs.

Note: Coverage is Rust-only. This branch was rebased on top of #56, which removed the deprecated TypeScript implementation under src/; the Rust workspace in crates/ is now the sole implementation, so all TypeScript coverage wiring was dropped.

Changes

Badge (README.md / README.ko.md)

  • Add the SonarCloud Quality Gate badge to the top of both the English and Korean READMEs, kept in sync.

SonarCloud project config (sonar-project.properties, new)

  • sonar.projectKey=pleaseai_code-search, sonar.organization=pleaseai
  • sonar.sources=crates (the implementation is the Rust workspace)
  • sonar.exclusions=npm/**,dist/**,target/**,node_modules/** (mirrors .codacy.yaml)
  • sonar.rust.lcov.reportPaths=coverage/rust-lcov.info — the language-specific Rust LCOV property officially supported by SonarQube Cloud

CI workflow (.github/workflows/sonar.yml, new)

  • Triggers: push (main) + pull_request; PR concurrency cancellation.
  • Permissions: contents: read + pull-requests: read (PR analysis/decoration).
  • Generate Rust coverage with cargo llvm-cov --workspace --locked --all-features --lcov (network-gated #[ignore] tests stay excluded; adds the llvm-tools-preview component for the minimal toolchain).
  • Upload Rust coverage to Codecov with flags: rust.
  • Run SonarSource/sonarqube-scan-action@v8.2.0 (pinned by SHA).
  • Fork-PR safety: the scan step is gated by if: ${{ env.SONAR_TOKEN != '' }} (with SONAR_TOKEN hoisted to job-level env, since the secrets context isn't available in step if:), so PRs from forks without secrets are skipped instead of failing.

Codecov config (codecov.yml)

  • Add a rust flag (paths: crates/, carryforward: true).
  • Add a Rust component (crates/**) and surface components in PR comments.

Test plan

  • CI Sonar workflow runs: Rust coverage → Codecov upload → SonarCloud scan.
  • Coverage and analysis appear on the SonarCloud dashboard.
  • Quality Gate badge renders in both READMEs.

⚠️ Pre-merge prerequisites (cannot be done in code — configure in the SonarCloud console)

The CI scan will fail until all three are done:

  1. Register the SONAR_TOKEN secret — GitHub repo (or org) Settings → Secrets and variables → Actions; use a token issued from SonarCloud.
  2. Ensure the SonarCloud project exists — org pleaseai, project key pleaseai_code-search (import via "Analyze new project" if missing).
  3. Disable Automatic Analysis — SonarCloud project → Administration → Analysis Method → turn Off. If left on, the CI scan fails with "You are running CI analysis while Automatic Analysis is enabled".

Summary by cubic

Set up SonarCloud analysis for the Rust workspace and upload Rust coverage to Codecov. Adds a SonarCloud Quality Gate badge to both READMEs, and skips scans only on fork PRs without secrets (push to main fails fast if the token is missing).

  • New Features

    • SonarCloud: sonar.sources=crates, exclusions (npm/**,dist/**,target/**,node_modules/**), and sonar.rust.lcov.reportPaths=coverage/rust-lcov.info.
    • CI (.github/workflows/sonar.yml): generate Rust LCOV via cargo llvm-cov, install llvm-tools-preview, upload to Codecov with flags: rust, run SonarSource/sonarqube-scan-action@v8.2.0; add pull-requests: read, PR concurrency cancel; skip scan only on fork PRs without SONAR_TOKEN (push to main runs and fails if missing).
    • Codecov (codecov.yml): add flags.rust with carryforward and a Rust component; include components in PR comments.
    • Docs: add SonarCloud Quality Gate badge to README.md and README.ko.md.

  • Migration

    • Add SONAR_TOKEN in GitHub Actions secrets.
    • Ensure the SonarCloud project exists: org pleaseai, key pleaseai_code-search.
    • Disable Automatic Analysis in the SonarCloud project.

Written for commit 20bb022. Summary will update on new commits.

Summary by CodeRabbit

  • New Features

    • Added SonarCloud “Quality Gate Status” badges to the project README(s) for clearer quality visibility.

  • Chores

    • Updated CI to run Rust-focused coverage generation and publish results to Codecov.
    • Added SonarQube/SonarCloud configuration to analyze Rust sources and ingest Rust coverage output.
    • Improved Codecov PR comment layout and Rust coverage flag/component grouping.

amondnet added 2 commits June 23, 2026 21:06
@amondnet
ci: SonarCloud 분석 및 TS·Rust 커버리지 업로드 추가
cd2e1b9 
- sonar-project.properties: projectKey/organization, 소스 경로, lcov 리포트 경로 설정
- .github/workflows/sonar.yml: bun lcov + cargo-llvm-cov 생성 후 SonarCloud 스캔
- Rust는 minimal 툴체인이라 llvm-tools-preview 컴포넌트 추가 스텝 포함
@amondnet
docs: README에 SonarCloud Quality Gate 배지 추가
97ace7a 
영문/한국어 README 동기화
@coderabbitai

coderabbitai Bot commented Jun 23, 2026
edited
Loading

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 7d0b6b41-762c-4765-bf1a-8cce4289479f

📥 Commits

Reviewing files that changed from the base of the PR and between 0e9b9f1 and 20bb022.

📒 Files selected for processing (1)
  • .github/workflows/sonar.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/sonar.yml
📝 Walkthrough

Walkthrough

Adds a new sonar.yml GitHub Actions workflow that generates Rust LCOV coverage via cargo-llvm-cov, uploads it to Codecov, and runs a SonarQube Cloud scan with fork PRs skipped when the token is unavailable. It also adds sonar-project.properties, updates codecov.yml, and adds SonarCloud badges to both READMEs.

Changes

Code Quality and Coverage Integration

Layer / File(s) Summary
SonarCloud project properties and Codecov Rust configuration
sonar-project.properties, codecov.yml		 sonar-project.properties defines the SonarCloud project key, organization, Rust source root (crates), exclusion globs, and LCOV report path. codecov.yml adds a rust upload-time flag scoped to crates/ with carryforward: true, a component_management block grouping coverage under a Rust component, updated PR comment layout including flags and components, and a revised coverage-generation comment referencing cargo llvm-cov.
SonarQube Cloud CI workflow
.github/workflows/sonar.yml		 New workflow triggered on push to main and pull requests with minimal permissions and concurrency cancellation. The sonar job checks out full history, installs llvm-tools-preview and cargo-llvm-cov, runs cargo llvm-cov to produce coverage/rust-lcov.info, uploads it to Codecov, and executes the SonarQube Cloud scan action only when SONAR_TOKEN is available.
SonarCloud badges
README.md, README.ko.md		 Adds a SonarCloud quality gate status badge to the header of both the English and Korean READMEs.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐇 I hop through pipelines bright and clean,
With Rusty coverage in between.
Sonar hums, Codecov sings,
README badges shine with springtime wings.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the main CI change: SonarCloud analysis plus Rust coverage upload.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch amondnet/sonarqube-badge

Comment @coderabbitai help to get the list of available commands.

gemini-code-assist[bot]
gemini-code-assist Bot reviewed Jun 23, 2026
View reviewed changes

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request integrates SonarCloud by adding Quality Gate badges to the README files and creating a sonar-project.properties configuration file. The review feedback correctly points out that SonarCloud does not support sonar.rust.lcov.reportPaths for Rust coverage, and suggests using sonar.coverageReportPaths with a generic XML format instead.

Comment thread sonar-project.properties
@codacy-production

codacy-production Bot commented Jun 23, 2026

Copy link
Copy Markdown

Not up to standards ⛔

🔴 Issues 1 critical

Alerts:
⚠ 1 issue (≤ 0 issues of at least minor severity)

Results:
1 new issue

Category Results
Security 1 critical

View in Codacy

NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.

@codecov

codecov Bot commented Jun 23, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@amondnet
ci: Rust 커버리지를 Codecov에도 업로드
1c06c8f 
- sonar.yml: cargo llvm-cov 결과(rust-lcov.info)를 flag=rust 로 Codecov 업로드
- ci.yml: 기존 TS 업로드에 flag=typescript 추가하여 언어별 분리
cubic-dev-ai[bot]
cubic-dev-ai Bot reviewed Jun 23, 2026
View reviewed changes

@cubic-dev-ai cubic-dev-ai Bot left a comment
edited
Loading

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

2 issues found and verified against the latest diff

Prompt for AI agents (unresolved issues) 

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name=".github/workflows/sonar.yml">

<violation number="1" location=".github/workflows/sonar.yml:6">
P3: Restore the missing `amondnet/**` push branch pattern.</violation>
</file>

Reply with feedback, questions, or to request a fix.

Re-trigger cubic

Comment thread .github/workflows/sonar.yml
Comment thread .github/workflows/sonar.yml
@amondnet
ci: Codecov flag·component로 언어별 커버리지 분리
8b3d4e1 
- flags: typescript(src/)·rust(crates/) 정의 + carryforward 활성화
- component_management: TypeScript·Rust 컴포넌트로 UI/코멘트 분리 집계
- comment 레이아웃에 components 추가
coderabbitai[bot]
coderabbitai Bot reviewed Jun 24, 2026
View reviewed changes

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/sonar.yml (1)

20-24: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Disable checkout credential persistence for downstream steps.

At Line 21, actions/checkout keeps credentials in local git config by default. Set persist-credentials: false to reduce token exposure surface.

Suggested hardening 
       - name: Checkout code
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           # Full history so SonarQube Cloud can attribute new code / blame.
           fetch-depth: 0
+          persist-credentials: false
🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/sonar.yml around lines 20 - 24, The Checkout code step in
the sonar workflow is leaving git credentials persisted by default, so update
the actions/checkout usage to disable credential persistence for downstream
steps. In the Checkout code step, add the persist-credentials setting set to
false alongside fetch-depth, keeping the existing checkout action reference
intact.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/sonar.yml:
- Around line 66-69: Skip the SonarQube Cloud scan step when SONAR_TOKEN is not
available, since the SonarQube Cloud scan in sonar.yml will fail on forked
pull_request runs without repository secrets. Update the SonarQube Cloud scan
job/step so it is gated by a condition that checks for SONAR_TOKEN or otherwise
runs only in a trusted context, using the existing SonarQube Cloud scan step as
the target for the fix. If needed, move the analysis to a workflow_run-based
flow so external PRs do not block on missing secrets.

---

Nitpick comments:
In @.github/workflows/sonar.yml:
- Around line 20-24: The Checkout code step in the sonar workflow is leaving git
credentials persisted by default, so update the actions/checkout usage to
disable credential persistence for downstream steps. In the Checkout code step,
add the persist-credentials setting set to false alongside fetch-depth, keeping
the existing checkout action reference intact.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: dc7a07e3-c9ed-4b93-b4a2-021348051c6b

📥 Commits

Reviewing files that changed from the base of the PR and between efff12b and 8b3d4e1.

📒 Files selected for processing (6)
  • .github/workflows/ci.yml
  • .github/workflows/sonar.yml
  • README.ko.md
  • README.md
  • codecov.yml
  • sonar-project.properties

Comment thread .github/workflows/sonar.yml Outdated
amondnet added 2 commits June 24, 2026 16:46
@amondnet
Merge remote-tracking branch 'origin/main' into amondnet/sonarqube-badge
c7dea64 
# Conflicts:
#	.github/workflows/ci.yml
@amondnet
chore: apply AI code review suggestions
0e9b9f1 
- sonar.yml: pull-requests: read 권한 추가 (cubic)
- sonar.yml: fork PR에서 SONAR_TOKEN 미존재 시 스캔 스킵 (coderabbit)
cubic-dev-ai[bot]
cubic-dev-ai Bot reviewed Jun 24, 2026
View reviewed changes

@cubic-dev-ai cubic-dev-ai Bot left a comment
edited
Loading

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

1 issue found across 1 file (changes from recent commits).

Tip: Review your code locally with the cubic CLI to iterate faster.

Re-trigger cubic

Comment thread .github/workflows/sonar.yml Outdated
coderabbitai[bot]
coderabbitai Bot reviewed Jun 24, 2026
View reviewed changes

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
.github/workflows/sonar.yml (1)

20-21: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Scope SONAR_TOKEN to the Sonar step only.

Current job-level env exposes the secret to all steps. Keep only a non-secret gate at job scope and pass SONAR_TOKEN only to the scan step.

Suggested change 
   sonar:
     runs-on: ubuntu-latest
     env:
-      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+      HAS_SONAR_TOKEN: ${{ secrets.SONAR_TOKEN != '' }}
@@
       - name: SonarQube Cloud scan
-        if: ${{ env.SONAR_TOKEN != '' }}
+        if: ${{ env.HAS_SONAR_TOKEN == 'true' }}
         uses: SonarSource/sonarqube-scan-action@713881670b6b3676cda39549040e2d88c70d582e # v8.2.0
+        env:
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

Also applies to: 60-63

🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/sonar.yml around lines 20 - 21, The job-level env
currently exposes SONAR_TOKEN to every step in the Sonar workflow; move the
secret out of the global environment and apply it only to the Sonar scan step.
Keep any non-secret gating at job scope, and update the relevant step in
sonar.yml so the secret is referenced only where the scan runs.
🤖 Prompt for all review comments with AI agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In @.github/workflows/sonar.yml:
- Around line 20-21: The job-level env currently exposes SONAR_TOKEN to every
step in the Sonar workflow; move the secret out of the global environment and
apply it only to the Sonar scan step. Keep any non-secret gating at job scope,
and update the relevant step in sonar.yml so the secret is referenced only where
the scan runs.
ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 44f6c44c-e192-4993-bde0-34d69e32f186

📥 Commits

Reviewing files that changed from the base of the PR and between 8b3d4e1 and 0e9b9f1.

📒 Files selected for processing (5)
  • .github/workflows/sonar.yml
  • README.ko.md
  • README.md
  • codecov.yml
  • sonar-project.properties
✅ Files skipped from review due to trivial changes (2)
  • sonar-project.properties
  • README.md

@amondnet amondnet changed the title ci: SonarCloud 코드 품질 분석 및 커버리지 설정 ci: set up SonarCloud analysis and Rust coverage upload Jun 24, 2026
@amondnet
chore: apply AI code review suggestions
20bb022 
- sonar.yml: fork PR에서만 스캔 스킵, push(main)은 토큰 누락 시 실패 (cubic)
@sonarqubecloud

sonarqubecloud Bot commented Jun 24, 2026

Copy link
Copy Markdown

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@amondnet amondnet merged commit 7c54631 into main Jun 24, 2026
8 of 9 checks passed
@amondnet amondnet deleted the amondnet/sonarqube-badge branch June 24, 2026 11:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments
@cubic-dev-ai cubic-dev-ai[bot] cubic-dev-ai[bot] left review comments
+1 more reviewer
@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments
Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@amondnet