chore: sonarcube for CI#2251
Conversation
Reviewer's Guide
Adds SonarCloud static analysis to the CI pipeline via a new GitHub Actions workflow and configures the Sonar organization in the Maven project.
Flow diagram for SonarCloud GitHub Actions workflow:
flowchart TD
A["Push_or_PR_to_develop_branch"] --> B["Trigger_SonarCloud_Analysis_workflow"]
B --> C["Start_job_build_and_analyze_on_ubuntu_latest_runner"]
C --> D["Checkout_code_actions_checkout_v4_with_fetch_depth_0"]
D --> E["Set_up_JDK_21_with_distribution_zulu"]
E --> F["Restore_or_save_SonarCloud_cache_at_~/.sonar/cache"]
F --> G["Restore_or_save_Maven_cache_at_~/.m2"]
G --> H["Run_mvn_B_verify_with_sonar_maven_plugin"]
H --> I["Read_pom_xml_properties_including_sonar_organization_openo_beta"]
I --> J["Send_analysis_to_SonarCloud_using_sonar_projectKey_openo_beta_Open_O"]
J --> K["Update_code_quality_and_PR_status_in_GitHub"]
Dependency Review
✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.
Snapshot Warnings: Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings.
📝 Walkthrough
Adds a SonarCloud GitHub Actions workflow, a Maven
Changes
Sequence Diagram(s)
sequenceDiagram
participant GH as GH Actions
participant GHCR as GHCR (ghcr.io)
participant Runner as CI Runner
participant Container as Dev Container
participant Maven as Maven (in Container)
participant Sonar as SonarCloud
GH->>GHCR: pull `openo-tomcat-dev`
alt image found
GHCR-->>GH: image pulled
GH->>Runner: start Container from image
else not found
GHCR-->>GH: not-found
GH->>Runner: build Container locally (use Docker layer cache)
end
GH->>Runner: restore caches (Maven, Sonar, Docker)
Runner->>Container: mount workspace & caches, set git safe.directory
Container->>Maven: run Maven goals including `sonar:sonar` (env: GITHUB_TOKEN, SONAR_TOKEN)
Maven->>Sonar: upload analysis (projectKey, organization)
Sonar-->>GH: report/status
Estimated code review effort: 🎯 4 (Complex) | ⏱️ ~60 minutes
Hey - I've left some high level feedback:
- The workflow description mentions running on pull requests to protected branches, but the trigger is limited to PRs targeting develop; if you want SonarCloud analysis on all protected branches you may want to adjust the pull_request branches filter or update the comment to match the actual behavior.
Pull request overview
Adds SonarCloud configuration for CI so the repository can run static analysis on pushes/PRs.
Changes:
- Added sonar.organization property to Maven pom.xml.
- Added a new GitHub Actions workflow to run SonarCloud analysis on develop pushes and PRs targeting develop.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| pom.xml | Adds SonarCloud organization property used by the scanner. |
| .github/workflows/sonarcloud.yml | Introduces CI workflow to run Maven build + SonarCloud analysis. |
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
The ca.uhn.hapi:hapi:pom:1.0.1 parent POM was accidentally removed in a previous cleanup commit. This POM is required by hapi-base:1.0.1 which is still used in the project. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2 issues found across 2 files (changes from recent commits).
- .github/workflows/sonarcloud.yml:102, P2: The Docker build cache key is now constant, so the cache will never refresh after the first run. This makes layer caching stale and wastes build time when the devcontainer changes.
- .github/workflows/sonarcloud.yml:110, P2: The Maven cache key is constant, so the cache won't update when dependencies change. This causes repeated downloads and stale cache contents.
Actionable comments posted: 2
🤖 Fix all issues with AI agents
In @.github/workflows/sonarcloud.yml:
- Around line 154-172: The workflow currently runs the "Build and analyze" step
using the SONAR_TOKEN env but does not validate it; add a pre-check that ensures
the SONAR_TOKEN (env/secret referenced as SONAR_TOKEN) is set and fails fast
with a clear message before executing docker/mvn; implement this by inserting a
validation job/step (e.g., "Validate SONAR_TOKEN" prior to the Build and analyze
step or an inline check at the top of that step) that checks if SONAR_TOKEN is
empty, prints a clear "::error::SONAR_TOKEN secret is not configured. Please add
it to repository secrets." and exits non‑zero so the build does not proceed to
docker exec or mvn when the token is missing.
- Around line 154-157: The "Build and analyze" step currently always expects
SONAR_TOKEN (env: SONAR_TOKEN) which is missing for forked PRs; update the
workflow so analysis only runs when the token is available by adding a
conditional to the "Build and analyze" step (e.g., if: ${{ secrets.SONAR_TOKEN
!= '' }}), or alternatively move Sonar analysis to a separate workflow triggered
by workflow_run in the base repo (so secrets are available), and consider adding
a fallback path (skip or use SonarCloud Automatic Analysis) when SONAR_TOKEN is
empty; reference the step name "Build and analyze" and the environment variable
"SONAR_TOKEN" when applying the change.
🧹 Nitpick comments (3)
.github/workflows/sonarcloud.yml (3)
114-119: Consider adding a hash to the SonarCloud cache key for better invalidation. The current SonarCloud cache key ${{ runner.os }}-sonar is static and won't invalidate when SonarCloud plugin versions change. This is generally acceptable since the cache is self-healing, but you could optionally add a date-based suffix for periodic refresh.
47-50: Consider adding a job timeout to prevent runaway builds. Long-running or stuck builds could consume excessive runner minutes. Adding a timeout ensures the job fails gracefully if it exceeds expected duration.
⏱️ Proposed fix to add timeout:
jobs:
  build:
    name: Build and analyze
    runs-on: ubuntu-latest
+   timeout-minutes: 30
    steps:
52-53: Consider pinning GitHub Actions to commit SHAs for supply chain security. Using major version tags (e.g., @v4) is convenient but allows action maintainers to push breaking or malicious changes. For improved supply chain security, consider pinning to specific commit SHAs. Example for actions/checkout:
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
| - name: Build and analyze | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} |
🧩 Analysis chain
🌐 Web query: SonarCloud GitHub Actions forked PR pull request secrets GITHUB_TOKEN SONAR_TOKEN
💡 Result:
In GitHub Actions, PRs opened from forks (using the pull_request event) do not receive repository secrets, so secrets.SONAR_TOKEN will be empty/undefined. GitHub only provides GITHUB_TOKEN in that context, and it’s read-only with no access to secrets. [1] [2]
That means SonarCloud “manual” analysis that needs SONAR_TOKEN can’t run directly in the forked-PR workflow (by design, to prevent exfiltration of secrets). [1]
Practical options
1) Use SonarCloud Automatic Analysis for forked PRs
SonarSource notes Automatic Analysis can analyze PRs from forks (tradeoff: you typically won’t get coverage produced in CI). [3]
2) Recommended for full CI + coverage: two-workflow “build then scan” (workflow_run)
Common workaround:
- Workflow A (pull_request): build/test on fork PR without secrets, upload artifacts (e.g., coverage report).
- Workflow B (workflow_run): triggered after Workflow A completes, runs in base repo context and can use secrets.SONAR_TOKEN, downloads artifacts, then runs Sonar analysis. [3] [4]
3) pull_request_target (works, but high risk if you run PR code)
pull_request_target can access secrets even for fork PRs, but GitHub strongly warns against checking out / building / running untrusted PR code in that privileged context (“pwn request” risk). Use only for “metadata-only” tasks (label/comment), not for running the contributor’s code. [5]
Sources
[1] GitHub Docs (Actions security: forked PRs have no secrets) (docs.github.com)
[2] GitHub Docs: GITHUB_TOKEN concept (docs.github.com)
[3] SonarSource Community: fork PRs, Automatic Analysis + secured workflow approach (community.sonarsource.com)
[4] SonarSource Community: workflow_run workaround for fork PR analysis (community.sonarsource.com)
[5] GitHub Well-Architected: avoid/mind pull_request_target risks (wellarchitected.github.com)
Citations:
- 1: https://docs.github.com/en/enterprise-server%403.17/actions/concepts/security/compromised-runners?utm_source=openai
- 2: https://docs.github.com/actions/concepts/security/github_token?utm_source=openai
- 3: https://community.sonarsource.com/t/sonarcloud-analysis-fails-because-only-github-token-is-available-in-pull-requests-from-forks/147757?utm_source=openai
- 4: https://community.sonarsource.com/t/avoid-getting-summary-comment-on-main-repo-pr-from-fork-with-matching-pr-number/58009?utm_source=openai
- 5: https://wellarchitected.github.com/library/application-security/recommendations/actions-security/?utm_source=openai
Forked PR analysis will fail—secrets.SONAR_TOKEN is not available in pull requests from forked repositories.
GitHub Actions enforces a security policy: PRs opened from forks do not receive repository secrets, only GITHUB_TOKEN. The workflow unconditionally attempts to use SONAR_TOKEN in the "Build and analyze" step (line 157), which will be empty for forked PRs and cause mvn sonar:sonar to fail.
Recommended fixes:
- Use the workflow_run trigger to run analysis in the base repository context (where secrets are available)
- Enable SonarCloud Automatic Analysis as a fallback for forked PRs
- Add conditional logic to skip or adapt analysis when SONAR_TOKEN is unavailable
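The two-workflow "build then scan" split described in the web query result above, combined with the fail-fast SONAR_TOKEN check from the AI prompt, as an added example that is not the PR's own workflow: an unprivileged `pull_request` job uploads sources, compiled classes and PR metadata, and a `workflow_run` job in the base repository validates the secret and scans that artifact without executing any project code (no Maven, no plugins), so the token never meets contributor-controlled code. File names, the `src`/`target/classes` paths (a single-module layout), the setup-java step and the `SonarSource/sonarqube-scan-action@v5` version are assumptions; the project key and organization are the ones named in this PR.

```yaml
# ===== .github/workflows/build.yml : runs in the fork's pull_request context, no secrets =====
name: Build
on:
  pull_request:
    branches: [develop]
permissions:
  contents: read                 # untrusted code executes in this job, so grant nothing more
jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 30
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with: { distribution: zulu, java-version: '21' }
      - run: mvn -B verify -DskipTests
      - name: Record PR metadata for the scan workflow
        env:                     # via env, never inlined into the script: head_ref is attacker-chosen
          PR_NUMBER: ${{ github.event.number }}
          PR_BRANCH: ${{ github.head_ref }}
          PR_BASE: ${{ github.base_ref }}
        run: printf '%s\n' "$PR_NUMBER" "$PR_BRANCH" "$PR_BASE" > pr-metadata
      - uses: actions/upload-artifact@v4
        with:
          name: sonar-input
          path: |                # sources and compiled classes only; the scan job never runs Maven
            pr-metadata
            src/
            target/classes/

# ===== .github/workflows/sonarcloud.yml : base-repository context, secrets available =====
name: SonarCloud
on:
  workflow_run:
    workflows: [Build]
    types: [completed]
permissions:
  contents: read
  actions: read                  # needed to download the triggering run's artifacts
jobs:
  scan:
    if: github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    timeout-minutes: 20
    env:
      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
      SONAR_HOST_URL: https://sonarcloud.io
    steps:
      - name: Fail fast when the secret is not configured
        run: |
          if [ -z "$SONAR_TOKEN" ]; then
            echo '::error::SONAR_TOKEN secret is not configured. Please add it to repository secrets.'
            exit 1
          fi
      - uses: actions/download-artifact@v4
        with:
          name: sonar-input
          path: input
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Write scanner config here, overriding any sonar-project.properties shipped in the artifact
        run: |
          { read -r num; read -r branch; read -r base; } < input/pr-metadata
          cat > input/sonar-project.properties <<EOF
          sonar.projectKey=openo-beta_Open-O
          sonar.organization=openo-beta
          sonar.sources=src
          sonar.java.binaries=target/classes
          sonar.pullrequest.key=$num
          sonar.pullrequest.branch=$branch
          sonar.pullrequest.base=$base
          EOF
      - uses: SonarSource/sonarqube-scan-action@v5   # action version is an assumption
        with:
          projectBaseDir: input
```

`workflow_run` only fires once sonarcloud.yml exists on the default branch, and push-to-develop analysis can stay in a separate job that does run Maven, since that code is already trusted.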
| #NOTE: This is an Aether internal implementation file, its format can be changed without prior notice. | ||
| #Sat Dec 10 12:12:42 EST 2016 | ||
| hapi-1.0.1.pom>hapi-sf= |
_remote.repositories is Maven/Aether internal metadata (machine-generated, repository-specific) and is not a stable part of an offline/local repository. Keeping it in VCS can cause noisy diffs and stale metadata. Prefer committing only the actual artifact files (.pom, .jar, checksums) and omit these internal resolver files.
| #NOTE: This is an Aether internal implementation file, its format can be changed without prior notice. | |
| #Sat Dec 10 12:12:42 EST 2016 | |
| hapi-1.0.1.pom>hapi-sf= | |
| # Intentionally left empty. | |
| # Internal Maven/Aether `_remote.repositories` metadata is not tracked in VCS. |
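Review bot: the replacement keeps `_remote.repositories` in the tree as a comment-only file, so the path that the comment itself says "is not tracked in VCS" is still tracked; delete the file and add `_remote.repositories` (and `*.lastUpdated`, which the same directory also carries) to `.gitignore` instead, so the resolver metadata cannot be re-added by the next `mvn install`.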
| - name: Build and analyze | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | ||
| run: | | ||
| docker exec \ | ||
| -e GITHUB_TOKEN="$GITHUB_TOKEN" \ | ||
| -e SONAR_TOKEN="$SONAR_TOKEN" \ | ||
| openo-tomcat-dev bash -c " | ||
| echo '=========================================' | ||
| echo 'Running SonarCloud Analysis' | ||
| echo '=========================================' | ||
| mvn -B verify sonar:sonar \ | ||
| -Dsonar.host.url=https://sonarcloud.io \ | ||
| -Dsonar.projectKey=openo-beta_Open-O \ | ||
| -DskipTests \ | ||
| -DskipModernTests=true \ | ||
| -DskipLegacyTests=true \ | ||
| -T 1C |
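Review bot: `mvn -B verify sonar:sonar` is run with `-DskipTests -DskipModernTests=true -DskipLegacyTests=true`, so no test results or coverage report exist when the scanner uploads, and SonarCloud will show no coverage for this project; either run the suites (with a coverage report produced before `sonar:sonar`) or state in the workflow comment that coverage is intentionally absent so the missing metric is not read as a regression.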
The Sonar analysis runs inside a Docker container, but only GITHUB_TOKEN and SONAR_TOKEN are passed into docker exec. This means standard GitHub Actions context env vars (e.g., GITHUB_EVENT_NAME, GITHUB_REF, GITHUB_SHA, PR number/branch/base) are not available inside the container, so PR analysis/decoration may not be attributed correctly. Pass the required GitHub context into the container or explicitly set the sonar.pullrequest.* / branch properties for pull_request events.
@claude review
Claude finished @yingbull's task in 2m 20s. View job

Code Review: SonarCloud CI Integration

I've completed a thorough review of this PR. While the SonarCloud integration is a valuable addition, there are several critical security and design issues that must be addressed before merging.

🔴 Critical Security Issues

1. Secret Exfiltration Risk (.github/workflows/sonarcloud.yml:154-173)
Severity: CRITICAL
The workflow passes

docker exec \
  -e SONAR_TOKEN="$SONAR_TOKEN" \
  openo-tomcat-dev bash -c "
    mvn -B verify sonar:sonar ...

Problem: A malicious contributor could:
Recommendation:

2. Forked PR Analysis Will Fail (.github/workflows/sonarcloud.yml:157)
Severity: HIGH
GitHub Actions does not provide repository secrets to forked PRs by design. The workflow will fail for any external contributor:

env:
  SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Empty for forked PRs!

Current behavior:
Recommendation:

🟠 High Priority Issues

3. Unpinned SonarCloud Maven Plugin (.github/workflows/sonarcloud.yml:166)
Severity: HIGH
The Maven command uses

mvn -B verify sonar:sonar \

Problem: Maven will resolve to the latest version of
Recommendation: Pin a specific version in

mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:3.11.0.3922:sonar \

4. Missing PR Analysis Parameters (.github/workflows/sonarcloud.yml:166-172)
Severity: MEDIUM-HIGH
The workflow doesn't pass pull request metadata to SonarCloud, so PR decoration (inline comments on changed lines) won't work correctly. Missing parameters:

-Dsonar.pullrequest.key=${{ github.event.number }}
-Dsonar.pullrequest.branch=${{ github.head_ref }}
-Dsonar.pullrequest.base=${{ github.base_ref }}

Recommendation: Add these conditionally for

5. Excessive Permissions (.github/workflows/sonarcloud.yml:44)
Severity: MEDIUM
The workflow grants
Recommendation: Reduce to

🟡 Design & Maintainability Issues

6. Vendoring Dependencies in Version Control (local_repo/ca/uhn/hapi/hapi/1.0.1/*)
Severity: MEDIUM
The PR commits 400+ lines of Maven artifacts directly into the repository:
Problems:
Recommendation:

7. Typo in Branch Name & PR Title
Severity: LOW
Branch name: (SonarCloud, not SonarCube)

8. Missing Workflow Timeout (.github/workflows/sonarcloud.yml:47-50)
Severity: LOW
The job has no
Recommendation: Add

✅ Positive Aspects

📋 Summary
This PR introduces valuable SonarCloud integration, but should not be merged until the critical security issues (#1 and #2) are addressed. The current implementation exposes the repository to potential secret exfiltration and will fail for all external contributors.
Priority Action Items:
Testing Recommendations: After fixes, test with:
References:
Claude finished @yingbull's task in 1m 3s. View job

Issue #4: Missing PR Analysis Parameters - Permission Limitation

I attempted to fix issue #4 by adding SonarCloud pull request decoration parameters to the workflow, but encountered a permission limitation.

Todo List:

What I Tried to Implement
I modified

# Build PR-specific parameters for SonarCloud decoration
SONAR_ARGS=""
if [ "${{ github.event_name }}" == "pull_request" ]; then
  SONAR_ARGS=" \
    -Dsonar.pullrequest.key=${{ github.event.number }} \
    -Dsonar.pullrequest.branch=${{ github.head_ref }} \
    -Dsonar.pullrequest.base=${{ github.base_ref }}"
fi

Then pass

The Issue
When I tried to push the commit, I received this error:

Why This Happened
GitHub App permissions intentionally restrict Claude from modifying workflow files (

How to Apply the Fix Manually
You can apply this fix yourself by editing
- name: Build and analyze
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
run: |
# Build PR-specific parameters for SonarCloud decoration
SONAR_ARGS=""
if [ "${{ github.event_name }}" == "pull_request" ]; then
SONAR_ARGS=" \
-Dsonar.pullrequest.key=${{ github.event.number }} \
-Dsonar.pullrequest.branch=${{ github.head_ref }} \
-Dsonar.pullrequest.base=${{ github.base_ref }}"
fi
docker exec \
-e GITHUB_TOKEN="$GITHUB_TOKEN" \
-e SONAR_TOKEN="$SONAR_TOKEN" \
openo-tomcat-dev bash -c "
echo '========================================='
echo 'Running SonarCloud Analysis'
echo '========================================='
mvn -B verify sonar:sonar \
-Dsonar.host.url=https://sonarcloud.io \
-Dsonar.projectKey=openo-beta_Open-O \
-DskipTests \
-DskipModernTests=true \
-DskipLegacyTests=true \
-T 1C \
$SONAR_ARGS
          "

This will enable SonarCloud to properly decorate pull requests with inline code quality comments.
Split build step into push/PR variants. For PRs, pass sonar.pullrequest.* parameters to enable inline comments and quality gate status on PRs. Uses environment variables for safe handling of branch names. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@claude review
Claude finished @yingbull's task in 2m 40s. View job

Code Review: SonarCloud CI Integration

I've completed a thorough review of this PR. The SonarCloud integration is a valuable addition to the CI pipeline, and I'm pleased to see that the latest commits have addressed several critical issues identified by other reviewers. Here's my comprehensive analysis:

✅ Improvements Made (Latest Commits)

1. PR Decoration Parameters Added (.github/workflows/sonarcloud.yml:176-209)
Status: RESOLVED ✓
The workflow now includes proper PR analysis with SonarCloud decoration parameters:

-Dsonar.pullrequest.key=$PR_NUMBER
-Dsonar.pullrequest.branch=$PR_BRANCH
-Dsonar.pullrequest.base=$PR_BASE

This enables inline code quality comments on pull requests - excellent addition!

2. Separate Push vs PR Analysis Steps (.github/workflows/sonarcloud.yml:154-209)
Status: GOOD DESIGN ✓
The workflow correctly separates:
This is the recommended SonarCloud pattern.

3. Proper Cache Key Configuration (.github/workflows/sonarcloud.yml:103, 111)
Status: RESOLVED ✓
Cache keys now properly include hash-based invalidation:

key: ${{ runner.os }}-buildx-${{ hashFiles('.devcontainer/development/**') }}
key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml', 'dependencies-lock.json') }}

This ensures caches refresh when dependencies or devcontainer configs change.

🟡 Minor Issues & Recommendations

4. Forked PR Analysis Will Fail (.github/workflows/sonarcloud.yml:180)
Severity: MEDIUM (Acknowledged by maintainer as future work)
GitHub Actions does not provide repository secrets to forked PRs by design. The workflow will fail for external contributors because
Current decision: Maintainer (@yingbull) has noted this will be addressed in a future "fork-friendly refactor" of workflows. This is an acceptable approach for now.
Future recommendation: Consider one of these approaches:

5. Maven Plugin Version Not Pinned (.github/workflows/sonarcloud.yml:167, 199)
Severity: MEDIUM
The workflow uses

mvn -B verify sonar:sonar \ # Will use latest version at runtime

Problem: Maven will resolve to the latest
Recommendation: Pin a specific version in

6. Typo in Branch and PR Title
Severity: LOW
The product is SonarCloud (not SonarCube). Minor branding inconsistency.

7. Maven Metadata Files Committed (local_repo/ca/uhn/hapi/hapi/1.0.1/*)
Severity: LOW (Acknowledged by maintainer as temporary)
The PR commits Maven internal metadata files:
Maintainer response: Acknowledged as temporary until dependencies are refactored to use proper artifact repository.
Why this matters:
Recommendation for cleanup (when refactoring):

# Remove metadata files, keep only actual artifacts
rm local_repo/ca/uhn/hapi/hapi/1.0.1/*.lastUpdated
rm local_repo/ca/uhn/hapi/hapi/1.0.1/_remote.repositories
# Keep: hapi-1.0.1.pom, hapi-1.0.1.pom.sha1

8. Missing Workflow Timeout (.github/workflows/sonarcloud.yml:48-50)
Severity: LOW
The job has no
Recommendation:

jobs:
  build:
    name: Build and analyze
    runs-on: ubuntu-latest
    timeout-minutes: 30 # Add this

9. Permission Justification (.github/workflows/sonarcloud.yml:44)
Severity: INFO (Maintainer confirmed this is needed)
The workflow grants
Status: Justified and appropriate for this use case.

✅ Positive Aspects

🔍 Security Analysis
✅ No Critical Security Issues Found
After reviewing the workflow thoroughly and considering the concerns raised by other reviewers (CodeRabbit, Qodo):

📋 Summary
Overall Assessment: ✅ Ready to merge with minor future improvements tracked
The PR successfully implements SonarCloud CI integration with good design patterns. The latest commits have addressed the critical issues around PR decoration and cache invalidation identified by other reviewers.
Action Items:
Before Merge (Optional):
Future Work (Can be separate PRs):
Testing Recommendations:
Great work on this implementation! The SonarCloud integration will provide valuable code quality insights for the OpenO EMR project.
User description

Summary by Sourcery
Integrate SonarCloud static analysis into the project and CI pipeline

Summary by cubic
Adds SonarCloud analysis to CI for pushes and PRs to develop using the existing dev container. Enables PR decorations (inline comments and quality gate), sets sonar.organization in pom.xml, and restores the ca.uhn.hapi:hapi:1.0.1 parent POM so builds pass.
Written for commit 5937fff. Summary will update on new commits.

PR Type
Enhancement, Other

Description
- Add SonarCloud static code analysis workflow for CI/CD pipeline
- Restore missing HAPI parent POM required by hapi-base dependency
- Configure SonarCloud organization property in pom.xml

File Walkthrough
- .github/workflows/sonarcloud.yml: SonarCloud CI workflow with Docker caching
  build
  with sonar:sonar goal
- pom.xml: Add SonarCloud organization configuration
- local_repo/ca/uhn/hapi/hapi/1.0.1/hapi-1.0.1.pom: Restore HAPI parent POM artifact
- local_repo/ca/uhn/hapi/hapi/1.0.1/_remote.repositories: Add HAPI POM repository metadata
- local_repo/ca/uhn/hapi/hapi/1.0.1/hapi-1.0.1.pom.sha1: Add HAPI POM checksum file
- local_repo/ca/uhn/hapi/hapi/1.0.1/hapi-1.0.1.pom.lastUpdated: Add HAPI POM update metadata