From 2bb40a1960636ce4e3f60916878036e8a93267e0 Mon Sep 17 00:00:00 2001
From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com>
Date: Thu, 25 Jun 2026 10:36:27 +0100
Subject: [PATCH] ci(sonar): SonarCloud scan workflow + project config
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds the SonarCloud setup-wizard workflow (SHA-pinned actions, build.yml) and sonar-project.properties (org hyperpolymath, key hyperpolymath_boj-server) with exclusions so only the analysable surface (the JS bridge + scripts) is scanned — Idris2/Zig/Elixir have no SonarCloud analyser, and vendored, generated, build, proof, and dependency trees are excluded. Requires the SONAR_TOKEN repo secret and the project imported on SonarCloud with CI-based analysis (Automatic Analysis disabled).

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .github/workflows/build.yml | 28 ++++++++++++++++++++++++++++
 sonar-project.properties | 11 +++++++++++
 2 files changed, 39 insertions(+)
 create mode 100644 .github/workflows/build.yml
 create mode 100644 sonar-project.properties

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
new file mode 100644
index 00000000..24f3d890
--- /dev/null
+++ b/.github/workflows/build.yml
@@ -0,0 +1,28 @@
+# SPDX-License-Identifier: MPL-2.0
+# Copyright (c) 2026 Jonathan D.A. Jewell (hyperpolymath)
+#
+# SonarQube Cloud (SonarCloud) static analysis. Generated from the SonarCloud
+# setup wizard; analysis scope + exclusions live in sonar-project.properties.
+# Requires the SONAR_TOKEN repository secret (Settings -> Secrets and variables
+# -> Actions). Project: https://sonarcloud.io/project/overview?id=hyperpolymath_boj-server
+name: Build
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ types: [opened, synchronize, reopened]
+permissions:
+ contents: read
+jobs:
+ sonarqube:
+ name: SonarQube
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+ with:
+ fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
+ - name: SonarQube Scan
+ uses: SonarSource/sonarqube-scan-action@7006c4492b2e0ee0f816d36501671557c97f5995 # v8.1.0
+ env:
+ SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
diff --git a/sonar-project.properties b/sonar-project.properties
new file mode 100644
index 00000000..f8448e40
--- /dev/null
+++ b/sonar-project.properties
@@ -0,0 +1,11 @@
+# SPDX-License-Identifier: MPL-2.0
+# SonarQube Cloud (SonarCloud) configuration.
+# Project: https://sonarcloud.io/project/overview?id=hyperpolymath_boj-server
+sonar.organization=hyperpolymath
+sonar.projectKey=hyperpolymath_boj-server
+
+# Analysable surface = the JS MCP bridge + shell scripts. Idris2 / Zig / Elixir
+# / AffineScript have no SonarCloud analyser; vendored, generated, build, proof,
+# and dependency trees are excluded to keep findings signal-rich.
+sonar.exclusions=cartridges/**,ffi/**,generated/**,build/**,**/node_modules/**,elixir/_build/**,elixir/deps/**,external_corpora/**,.lake/**,proofs/**,verification/**,**/*.idr,**/*.zig
+sonar.coverage.exclusions=mcp-bridge/tests/**,**/*test*
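Review bot: The `SonarQube Scan` step will fail on pull requests opened from forks, because GitHub does not expose repository secrets to fork-triggered `pull_request` runs and `${{ secrets.SONAR_TOKEN }}` then evaluates to an empty string, while the `pull_request:` trigger at the top of this hunk admits exactly those runs. Guard the job so it only runs where the token can exist, e.g. `if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}`, and keep the `pull_request` trigger rather than moving to `pull_request_target`, which would hand the secret to fork-triggered runs and is easy to misuse together with a checkout of the PR head. The SHA pins and the workflow-level `permissions: contents: read` are the right shape; the `# v4.3.1` and `# v8.1.0` tag comments are not verified here, so whatever updates the pins should also refresh those comments so they do not drift from the SHAs.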
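Review bot: The `**/*test*` glob in `sonar.coverage.exclusions` matches any path component containing the substring `test`, so production files whose names merely contain it (constructed examples: `latest.js`, `attestation.js`) would be silently dropped from coverage alongside the real tests; narrow it to the naming the bridge actually uses, e.g. `**/*.test.js,**/__tests__/**` (constructed pattern — adjust to the repo's convention) next to the existing `mcp-bridge/tests/**`. Separately, nothing sets `sonar.tests` or `sonar.test.inclusions`, so if SonarCloud's defaults apply the files under `mcp-bridge/tests/**` are analysed as main code and produce main-code findings rather than test-code ones; `sonar.tests=mcp-bridge/tests` (adjust if the layout differs) would separate them. The comment above `sonar.exclusions` explains Idris2 / Zig / Elixir / AffineScript but not `.lake/**` (presumably a Lean `lake` build directory), and one added clause naming it would keep the exclusion list self-explanatory.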