Skip to content

fix(ci): bump sonarcloud reusable workflow SHA and pin remaining @main refs#39

Merged
williaby merged 2 commits into
mainfrom
claude/update-sonarcloud-workflow-DwanO
Jun 10, 2026
Merged

fix(ci): bump sonarcloud reusable workflow SHA and pin remaining @main refs#39
williaby merged 2 commits into
mainfrom
claude/update-sonarcloud-workflow-DwanO

Conversation

@williaby

Copy link
Copy Markdown
Contributor

Summary

Closes #22

  • sonarcloud.yml: Bumped the ByronWilliamsCPA/.github python-sonarcloud.yml pin to 6bad2f898be1d387b8424e9deddefa519674cb19 (which upgrades to sonarqube-scan-action v7.2.0 and resolves the /analysis/analyses 404 bug on new projects, per org .github PR 43).
  • sonarcloud.yml: Corrected sonar-organization from byronwilliamscpa to williaby (the actual SonarCloud account name).
  • 12 other workflow files (fips-compatibility, qlty, security-analysis, reuse, mutation-testing, sbom, docs, slsa-provenance, scorecard, codecov, coverage, python-compatibility): Pinned all remaining @main refs to e067cdb7294f6221dbde74ef1f4c3ca735eed570 # main to satisfy supply-chain pinning requirements.

pr-validation.yml was already pinned to a specific SHA, so it was left unchanged. The @main references remaining in .github/workflows/README.md are prose/documentation, not actual uses: invocations.

Test plan

  • CI workflows resolve the new reusable workflow SHAs and run successfully
  • SonarCloud workflow uploads analysis without /analysis/analyses 404
  • SonarCloud dashboard receives the project under the williaby organization

https://claude.ai/code/session_01AhVcx2FwNFMhtwFCNnmh8L


Generated by Claude Code

…refs

Update sonarcloud.yml to org reusable workflow SHA 6bad2f898 (which
upgrades to sonarqube-scan-action v7.2.0 and resolves the
/analysis/analyses 404 bug on new projects), and correct
sonar-organization to williaby (the actual SonarCloud account name).

Pin all remaining @main references to ByronWilliamsCPA/.github reusable
workflows to SHA e067cdb7294f6221dbde74ef1f4c3ca735eed570 to satisfy
supply-chain pinning requirements.

Closes #22

https://claude.ai/code/session_01AhVcx2FwNFMhtwFCNnmh8L
Copilot AI review requested due to automatic review settings May 17, 2026 05:45
@coderabbitai

coderabbitai Bot commented May 17, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@williaby, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 28 minutes and 5 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 3752f994-1b9f-4547-9e92-b0cfe9283d60

📥 Commits

Reviewing files that changed from the base of the PR and between 3948812 and 453ee17.

📒 Files selected for processing (1)
  • .github/workflows/sonarcloud.yml
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch claude/update-sonarcloud-workflow-DwanO

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@codecov

codecov Bot commented May 17, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens CI workflow supply-chain usage by pinning reusable GitHub Actions workflows to commit SHAs and updates the SonarCloud workflow to use the intended reusable workflow revision and organization.

Changes:

  • Updates SonarCloud reusable workflow SHA and changes sonar-organization to williaby.
  • Pins remaining reusable workflow @main references to fixed commit SHAs.
  • Leaves prose-only @main references in workflow documentation unchanged.

Reviewed changes

Copilot reviewed 13 out of 13 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
.github/workflows/sonarcloud.yml Updates SonarCloud reusable workflow pin and organization input.
.github/workflows/slsa-provenance.yml Pins SLSA reusable workflow to a commit SHA.
.github/workflows/security-analysis.yml Pins security analysis reusable workflow to a commit SHA.
.github/workflows/scorecard.yml Pins Scorecard reusable workflow to a commit SHA.
.github/workflows/sbom.yml Pins SBOM reusable workflow to a commit SHA.
.github/workflows/reuse.yml Pins REUSE reusable workflow to a commit SHA.
.github/workflows/qlty.yml Pins Qlty coverage reusable workflow to a commit SHA.
.github/workflows/python-compatibility.yml Pins Python compatibility reusable workflow to a commit SHA.
.github/workflows/mutation-testing.yml Pins mutation testing reusable workflow to a commit SHA.
.github/workflows/fips-compatibility.yml Pins FIPS compatibility reusable workflow to a commit SHA.
.github/workflows/docs.yml Pins documentation reusable workflow to a commit SHA.
.github/workflows/coverage.yml Pins coverage upload reusable workflow to a commit SHA.
.github/workflows/codecov.yml Pins Codecov reusable workflow to a commit SHA.

uses: ByronWilliamsCPA/.github/.github/workflows/python-sonarcloud.yml@6bad2f898be1d387b8424e9deddefa519674cb19 # main
with:
sonar-organization: byronwilliamscpa
sonar-organization: williaby
@williaby williaby added the skip-changelog PR intentionally omits a CHANGELOG entry label Jun 10, 2026
#39's only remaining unique value is the sonarcloud.yml fix (correct
sonar-organization to 'williaby' per issue #22). Its other workflow
SHA-pin changes are superseded by changes already merged to main, so
those conflicts are resolved to main's versions.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@williaby williaby enabled auto-merge (squash) June 10, 2026 04:47
@socket-security

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn Critical
Critical CVE: NLTK has a Zip Slip Vulnerability

CVE: GHSA-7p94-766c-hgjp NLTK has a Zip Slip Vulnerability (CRITICAL)

Affected versions: < 3.9.3

Patched version: 3.9.3

From: uv.lockpypi/nltk@3.9.2

ℹ Read more on: This package | This alert | What is a critical CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/nltk@3.9.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@sonarqubecloud

Copy link
Copy Markdown

@williaby williaby merged commit f03243d into main Jun 10, 2026
36 of 38 checks passed
@williaby williaby deleted the claude/update-sonarcloud-workflow-DwanO branch June 10, 2026 04:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

skip-changelog PR intentionally omits a CHANGELOG entry

Projects

None yet

Development

Successfully merging this pull request may close these issues.

fix(ci): bump sonarcloud.yml to org reusable workflow SHA 6bad2f898 and correct sonar-organization

3 participants