diff --git a/.github/workflows/ci_full.yml b/.github/workflows/ci_full.yml
index b882fc423b..e92bb29dae 100644
--- a/.github/workflows/ci_full.yml
+++ b/.github/workflows/ci_full.yml
@@ -1,6 +1,10 @@
 ---
 name: galaxy_ng/ci
-on: {pull_request: {branches: ['**']}, push: {branches: ['**']}}
+on:
+  pull_request:
+    branches: ['**']
+  push:
+    branches: ['**']
 
 jobs:
 
@@ -73,18 +77,29 @@ jobs:
       - name: run the unit test playbook
         run: cd dev/playbooks; ANSIBLE_STDOUT_CALLBACK=yaml ansible-playbook -i 'localhost,' --forks=1 -v run_unit_tests.yaml
 
+      - name: copy coverage report
+        run: |
+          docker cp pulp:/tmp/galaxy_ng-test-results.xml coverage.xml
+
+      - name: upload coverage as artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage
+          path: coverage.xml
+
+      - name: SonarCloud Scan
+        uses: SonarSource/sonarcloud-github-action@master
+        if: github.event_name == 'push' && github.repository == 'ansible/galaxy_ng' && github.ref_name == 'master'
+        env:
+          SONAR_TOKEN: ${{ secrets.CICD_ORG_SONAR_TOKEN_CICD_BOT }}
+
       - name: upload jUnit XML test results
         if: github.event_name == 'push' && github.repository == 'ansible/galaxy_ng' && github.ref_name == 'master'
         continue-on-error: true
-        run: >-
-          docker exec pulp /bin/bash -c 'curl -v --user "${{ vars.PDE_ORG_RESULTS_AGGREGATOR_UPLOAD_USER }}:${{ secrets.PDE_ORG_RESULTS_UPLOAD_PASSWORD }}"
-          --form "xunit_xml=@/tmp/galaxy_ng-test-results.xml"
-          --form "component_name=hub"
-          --form "git_commit_sha=${{ github.sha }}"
-          --form "git_repository_url=https://github.com/${{ github.repository }}"
-          "${{ vars.PDE_ORG_RESULTS_AGGREGATOR_UPLOAD_URL }}/api/results/upload/"'
-
-
-      # FIXME: do we really care about these anymore ... ?
-      #- name: run the functional test playbook
-      #  run: cd dev/playbooks; ANSIBLE_STDOUT_CALLBACK=yaml ansible-playbook -i 'localhost,' --forks=1 -v run_functional_tests.yaml
+        run: |
+          curl -v --user "${{ vars.PDE_ORG_RESULTS_AGGREGATOR_UPLOAD_USER }}:${{ secrets.PDE_ORG_RESULTS_UPLOAD_PASSWORD }}" \
+            --form "xunit_xml=@coverage.xml" \
+            --form "component_name=hub" \
+            --form "git_commit_sha=${{ github.sha }}" \
+            --form "git_repository_url=https://github.com/${{ github.repository }}" \
+            "${{ vars.PDE_ORG_RESULTS_AGGREGATOR_UPLOAD_URL }}/api/results/upload/"
diff --git a/.github/workflows/sonar-pr.yaml b/.github/workflows/sonar-pr.yaml
new file mode 100644
index 0000000000..67e51985d4
--- /dev/null
+++ b/.github/workflows/sonar-pr.yaml
@@ -0,0 +1,61 @@
+# With much help from:
+# https://community.sonarsource.com/t/how-to-use-sonarcloud-with-a-forked-repository-on-github/7363/30
+# https://community.sonarsource.com/t/how-to-use-sonarcloud-with-a-forked-repository-on-github/7363/32
+name: SonarCloud
+on:
+  workflow_run:
+    workflows:
+      - galaxy_ng/ci
+    types:
+      - completed
+jobs:
+  sonar:
+    name: Upload to SonarCloud
+    runs-on: ubuntu-latest
+    if: github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event == 'pull_request'
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          show-progress: false
+
+      - uses: actions/download-artifact@v4
+        with:
+          name: coverage
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          run-id: ${{ github.event.workflow_run.id }}
+
+      - name: Extract PR number from coverage.xml
+        run: |
+          echo "PR_NUMBER=$(grep -m 1 '<!-- PR' coverage.xml | awk '{print $3}')" >> $GITHUB_ENV
+
+      - name: Get PR info
+        uses: octokit/request-action@v2.x
+        id: pr_info
+        with:
+          route: GET /repos/{repo}/pulls/{number}
+          repo: ${{ github.event.repository.full_name }}
+          number: ${{ env.PR_NUMBER }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set PR info into env
+        run: |
+          echo "PR_BASE=${{ fromJson(steps.pr_info.outputs.data).base.ref }}" >> $GITHUB_ENV
+          echo "PR_HEAD=${{ fromJson(steps.pr_info.outputs.data).head.ref }}" >> $GITHUB_ENV
+
+      - name: Add base branch
+        run: |
+          gh pr checkout ${{ env.PR_NUMBER }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: SonarCloud Scan
+        uses: SonarSource/sonarcloud-github-action@master
+        env:
+          SONAR_TOKEN: ${{ secrets.CICD_ORG_SONAR_TOKEN_CICD_BOT }}
+        with:
+          args: >
+            -Dsonar.scm.revision=${{ github.event.workflow_run.head_sha }}
+            -Dsonar.pullrequest.key=${{ env.PR_NUMBER }}
+            -Dsonar.pullrequest.branch=${{ env.PR_HEAD }}
+            -Dsonar.pullrequest.base=${{ env.PR_BASE }}
diff --git a/MANIFEST.in b/MANIFEST.in
index e834ee7734..ff3d32f317 100644
--- a/MANIFEST.in
+++ b/MANIFEST.in
@@ -23,6 +23,6 @@ include galaxy_ng/tests/integration/utils/gpg/collection_sign.sh
 include galaxy_ng/tests/integration/utils/gpg/qe-sign-priv.gpg
 include galaxy-operator/bin/readyz.py
 exclude .coveragerc
-exclude .sonarcloud.properties
+exclude sonar-project.properties
 exclude aap_compose_dev.yaml
 prune .tekton
diff --git a/.sonarcloud.properties b/sonar-project.properties
similarity index 56%
rename from .sonarcloud.properties
rename to sonar-project.properties
index 061c5c6398..db1e248f91 100644
--- a/.sonarcloud.properties
+++ b/sonar-project.properties
@@ -1,3 +1,6 @@
+sonar.projectKey = ansible_galaxy_ng
+sonar.organization = ansible
+
 sonar.sources = galaxy_ng
 sonar.exclusions = \
   galaxy_ng/tests/**, \
@@ -6,3 +9,5 @@ sonar.exclusions = \
 sonar.tests = galaxy_ng/tests
 
 sonar.python.version = 3.11
+
+sonar.python.coverage.reportPaths = coverage.xml