[Feature] Integrate SonarCloud into PR workflow #117

@brenocq

Description

Feature description
To maintain high code quality, security, and maintainability in Atta, and to catch potential issues early in the development cycle, automated checks should be performed on all code contributions before they are merged. SonarCloud provides static analysis to detect bugs, vulnerabilities, code smells, and measure code coverage.

This feature proposes integrating SonarCloud analysis directly into the GitHub Pull Request (PR) workflow for the atta repository. The goal is to ensure that any code submitted via a PR targeting the dev branch (or other protected branches) automatically undergoes SonarCloud analysis.

Key aspects of this integration should include:

  • Automatic Analysis: SonarCloud analysis should run automatically via GitHub Actions whenever a PR is opened or updated against the dev branch.
  • PR Decoration: SonarCloud should post its findings (new issues introduced by the PR, code coverage changes, Quality Gate status) directly as comments or checks within the GitHub PR interface.
  • Quality Gate Enforcement: Define a SonarCloud Quality Gate (a set of conditions like "no new blocker issues", "code coverage on new code >= X%") for the project.
  • Merge Blocking: Configure GitHub branch protection rules for the dev branch to require the SonarCloud Quality Gate check to pass before a PR can be merged. This prevents the introduction of code that does not meet the defined quality standards.

This integration will provide immediate feedback to contributors and ensure a consistent quality baseline for the codebase.

Tasks

  • Ensure the basic SonarCloud GitHub Actions workflow is correctly set up and analyzing the main branch.
  • Configure the SonarCloud GitHub Actions workflow (.github/workflows/sonarcloud.yml) to trigger on pull_request events targeting the dev branch.
  • Verify that the workflow correctly analyzes the PR code and posts results back to the GitHub PR interface (requires the SONAR_TOKEN repository secret to be configured).
  • Define and configure the appropriate Quality Gate conditions within the SonarCloud project settings for atta (e.g., conditions on new bugs, vulnerabilities, code smells, coverage).
  • Configure branch protection rules for the dev branch in GitHub repository settings:
    • Enable "Require status checks to pass before merging".
    • Add the SonarCloud Quality Gate check to the list of required checks.
  • Document the PR workflow, including the SonarCloud check requirement, for contributors in CONTRIBUTING.md.
  • Test the full workflow by creating a test PR with and without code quality issues to ensure analysis runs, feedback is provided, and merging is correctly blocked/allowed based on the Quality Gate status.
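As an added illustration (not a file from the atta repository), this is one shape the `.github/workflows/sonarcloud.yml` workflow from the tasks above could take: it keeps the baseline analysis of `main`, triggers on pull requests targeting `dev`, and grants the job only the permissions it needs. The organization and project key values are placeholders, and the action reference and permission set are assumptions to be checked against SonarCloud's current documentation.

```yaml
# Illustrative .github/workflows/sonarcloud.yml (assumed layout, not atta's own file)
name: SonarCloud

on:
  push:
    branches: [main]            # keep the baseline analysis of main
  pull_request:
    branches: [dev]             # analyze every PR that targets dev
    types: [opened, synchronize, reopened]

# Least privilege: the job only reads the code and reports on the PR.
permissions:
  contents: read
  pull-requests: write

# A new push to the same PR cancels the superseded analysis run.
concurrency:
  group: sonar-${{ github.ref }}
  cancel-in-progress: true

jobs:
  sonarcloud:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0        # full history so "new code" in the PR is attributed correctly

      - name: SonarCloud scan
        uses: SonarSource/sonarcloud-github-action@master   # assumed action reference
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}          # used for PR decoration
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}            # repository secret from the tasks above
        with:
          args: >
            -Dsonar.organization=ORG_PLACEHOLDER
            -Dsonar.projectKey=PROJECT_KEY_PLACEHOLDER
```

Pull requests opened from forks do not receive repository secrets on `pull_request` events, so the scan step will fail for fork PRs; switching the trigger to `pull_request_target` would hand `SONAR_TOKEN` to untrusted PR code and is not a safe workaround.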

Metadata

Labels

  • prio:low (Low priority)
  • status:doing (Work is currently in progress)
  • type:chore (Maintenance tasks: dependencies, configs)
