chore(sonar): exclude e2e + suppress go:S4036 PATH hotspots #4
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # SonarCloud quality gate + coverage upload. | |
| # | |
| # Triggers: push to main (full-history scan) and PRs (incremental scan | |
| # against the base branch). Concurrency-gated per-ref so reruns cancel | |
| # in-flight scans. | |
| # | |
| # Coverage is collected fresh in this workflow rather than reused from | |
| # CI — Sonar needs both go-coverprofile and lcov in the same workspace | |
| # pass, and the existing CI job runs `go test` without -coverprofile. | |
| # Adding coverage there would slow every PR build; keeping it here | |
| # isolates the cost to the Sonar job. | |
| name: SonarCloud | |
| on: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| types: [opened, synchronize, reopened] | |
| permissions: | |
| contents: read | |
| pull-requests: read | |
| concurrency: | |
| group: sonar-${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| scan: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| # Sonar uses git blame for new-code detection — shallow | |
| # checkouts (default fetch-depth=1) attribute every line to | |
| # the latest commit, breaking the quality-gate "new code" | |
| # signal. fetch-depth: 0 grabs the full history. | |
| fetch-depth: 0 | |
| - name: Set up Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version-file: go.mod | |
| - name: Set up pnpm | |
| # Pinned to commit SHA (v4) per supply-chain hygiene — third-party | |
| # actions can be rewritten under a moving tag. Bump by re-running | |
| # `gh api repos/pnpm/action-setup/git/refs/tags/v4`. | |
| uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4 | |
| with: | |
| version: 10.33.0 | |
| - name: Set up Node | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: 22 | |
| cache: pnpm | |
| cache-dependency-path: ui/pnpm-lock.yaml | |
| - name: Build UI bundle | |
| # Required before any Go test run: //go:embed all:dist in | |
| # internal/serve/assets.go errors out if internal/serve/dist/ | |
| # is empty. Same as ci.yml. | |
| run: make ui | |
| - name: Go test with coverage | |
| run: | | |
| go test -tags sqlite_fts5 \ | |
| -coverprofile=coverage.out \ | |
| -covermode=atomic \ | |
| ./... | |
| - name: UI install | |
| # --ignore-scripts: refuse to execute lifecycle scripts from | |
| # transitive deps (Sonar S6505). vitest + the React stack don't | |
| # require any postinstall; esbuild ships per-platform binaries | |
| # via optional deps. If a future dep needs a build step, add it | |
| # to `pnpm.onlyBuiltDependencies` in ui/package.json instead. | |
| run: pnpm -C ui install --frozen-lockfile --ignore-scripts | |
| - name: UI test with coverage | |
| run: pnpm -C ui exec vitest run --coverage | |
| - name: Detect SONAR_TOKEN | |
| id: token | |
| env: | |
| SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | |
| run: | | |
| if [ -n "$SONAR_TOKEN" ]; then | |
| echo "present=true" >> "$GITHUB_OUTPUT" | |
| else | |
| echo "present=false" >> "$GITHUB_OUTPUT" | |
| echo "::warning::SONAR_TOKEN secret is not set; skipping SonarCloud scan. Add the token in repo Settings → Secrets and variables → Actions." | |
| fi | |
| - name: SonarCloud Scan | |
| if: steps.token.outputs.present == 'true' | |
| # v6 — v5 emits a deprecation/security warning on every run. | |
| # Pinned to commit SHA per supply-chain hygiene. Bump by | |
| # re-running `gh api repos/SonarSource/sonarqube-scan-action/git/refs/tags/v6`. | |
| uses: SonarSource/sonarqube-scan-action@fd88b7d7ccbaefd23d8f36f73b59db7a3d246602 # v6 | |
| env: | |
| SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} |