Create sonarcloud.yml

[guibranco]

Closes #

📑 Description

✅ Checks

• My pull request adheres to the code style of this project
• My code requires changes to the documentation
• I have updated the documentation as required
• All the tests have passed

☢️ Does this introduce a breaking change?

• Yes
• No

ℹ Additional Information

Summary by CodeRabbit

• New Features
  • Introduced a new GitHub Actions workflow for SonarCloud analysis, enhancing code quality checks during development.
• Chores
  • Set up automated processes for Java configuration, code checkout, and caching to optimize analysis performance.

[coderabbitai]

Walkthrough

A new GitHub Actions workflow named sonarcloud.yml has been added to facilitate SonarCloud analysis. This workflow is triggered on pushes to the main branch and specific pull request events. It includes steps for setting up Java, checking out the code, caching SonarCloud packages and the scanner, defining environment variables, and executing the SonarCloud analysis along with project builds and tests.

Changes

File	Change Summary
.github/workflows/sonarcloud.yml	Introduced a new workflow for SonarCloud analysis, including setup and caching steps.

Possibly related PRs

• Add SonarCloud Integration Workflow for Pixeebot #314: This PR introduces a new GitHub Actions workflow for SonarCloud, which is directly related to the main PR that also adds a SonarCloud analysis workflow.
• Enhance AppVeyor Configuration for Pull Requests #317: This PR enhances the AppVeyor configuration, which includes modifications related to Sonar integration, aligning with the focus of the main PR on CI/CD workflows involving SonarCloud.

Suggested labels

enhancement, Review effort [1-5]: 2

Suggested reviewers

• gstraccini

Poem

🐇 In the meadow, bright and clear,
A workflow hops, bringing cheer.
SonarCloud scans with joyful glee,
Analyzing code, as happy as can be!
With Java set and secrets tight,
Our code shines, oh what a sight! 🌼

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 2

🧹 Outside diff range and nitpick comments (3)

.github/workflows/sonarcloud.yml (3)

10-13: Consider pinning the Ubuntu version.

While ubuntu-latest works, consider pinning to a specific version (e.g., ubuntu-22.04) for better stability and predictability.

-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04

---

16-20: Consider using Java 17 LTS instead of Java 21.

While Java 21 works, Java 17 is the current LTS version and would be more suitable for CI environments. SonarCloud scanner doesn't require Java 21 specific features.

-          java-version: 21
+          java-version: 17

---

9-9: Remove trailing spaces.

There are trailing spaces on several lines that should be removed for consistency.

Also applies to: 14-14, 21-21, 32-32, 40-40, 44-44, 52-52

🧰 Tools

🪛 yamllint

[error] 9-9: trailing spaces

(trailing-spaces)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 847b95f and 97f5fc6.

📒 Files selected for processing (1)

• .github/workflows/sonarcloud.yml (1 hunks)

🧰 Additional context used

🪛 yamllint

.github/workflows/sonarcloud.yml

[error] 9-9: trailing spaces

(trailing-spaces)

---

[error] 14-14: trailing spaces

(trailing-spaces)

---

[error] 21-21: trailing spaces

(trailing-spaces)

---

[error] 32-32: trailing spaces

(trailing-spaces)

---

[error] 40-40: trailing spaces

(trailing-spaces)

---

[error] 44-44: trailing spaces

(trailing-spaces)

---

[error] 52-52: trailing spaces

(trailing-spaces)

🔇 Additional comments (4)

.github/workflows/sonarcloud.yml (4)

3-8: LGTM! Workflow triggers are properly configured.

The workflow triggers are appropriately set for both push events to main and relevant pull request events.

---

22-24: LGTM! Proper checkout configuration for SonarCloud.

The checkout configuration with full history is correct for accurate SCM blame information in SonarCloud.

---

54-57: Verify SONAR_TOKEN secret availability.

Ensure the SONAR_TOKEN secret is configured in your repository's secrets.

#!/bin/bash
# Check if SONAR_TOKEN is mentioned in repository documentation
rg -g '*.md' 'SONAR_TOKEN'

---

45-51: Verify the SonarCloud project key format.

The current key format (owner_repo) might need validation against your SonarCloud organization's conventions.

✅ Verification successful

SonarCloud project key format is correct

Based on the existing SonarCloud badges in README.md, the current project key format matches the convention used in this repository. The existing project key guibranco_VTEX-SDK-dotnet follows the same owner_repo pattern that's being implemented in the workflow (${{ github.repository_owner }}_${{ github.event.repository.name }}).

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check if there are any existing SonarCloud configurations in the repository
# that might indicate the expected key format

rg -g '!.github/' -l 'sonar.projectKey|sonar.organization'

Length of output: 198

---

Script:

#!/bin/bash
# Let's check for sonar-project.properties file and any other potential SonarCloud configuration files
fd -t f "sonar-project.properties|sonar.properties"

# Also check for any SonarCloud related configuration in package.json or similar files
fd -t f "package.json|pom.xml|build.gradle" -x cat {} \; | grep -i "sonar"

# Check for any existing SonarCloud analysis in the repository
fd -t f ".sonarcloud.properties|sonar-project.js"

# Look for any documentation mentioning SonarCloud setup
rg -i "sonarcloud" -g "*.md"

Length of output: 2797

[coderabbitai]

🛠️ Refactor suggestion

Add explicit restore step and make coverage path more flexible.

The current configuration has several potential improvements:

1. Add an explicit dotnet restore step
2. Make the coverage path pattern more flexible to support multiple .NET versions

-         ~/.sonar/cache/dotnet-sonarscanner begin /k:"${{ env.KEY }}" /o:"${{ env.ORG }}" /d:sonar.token="${{ secrets.SONAR_TOKEN }}" /d:sonar.host.url="https://sonarcloud.io" /d:sonar.scanner.scanAll=false /d:sonar.cs.opencover.reportsPaths="Tests/**/coverage.net8.0.opencover.xml"
+         ~/.sonar/cache/dotnet-sonarscanner begin /k:"${{ env.KEY }}" /o:"${{ env.ORG }}" /d:sonar.token="${{ secrets.SONAR_TOKEN }}" /d:sonar.host.url="https://sonarcloud.io" /d:sonar.scanner.scanAll=false /d:sonar.cs.opencover.reportsPaths="Tests/**/coverage.*.opencover.xml"
+         dotnet restore
          dotnet build -c Release --verbosity minimal
          dotnet test -c Release --verbosity minimal --no-build --no-restore /p:CollectCoverage=true /p:CoverletOutputFormat="opencover"
          ~/.sonar/cache/dotnet-sonarscanner end /d:sonar.token="${{ secrets.SONAR_TOKEN }}"

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	~/.sonar/cache/dotnet-sonarscanner begin /k:"${{ env.KEY }}" /o:"${{ env.ORG }}" /d:sonar.token="${{ secrets.SONAR_TOKEN }}" /d:sonar.host.url="https://sonarcloud.io" /d:sonar.scanner.scanAll=false /d:sonar.cs.opencover.reportsPaths="Tests/**/coverage.net8.0.opencover.xml"
	dotnet build -c Release --verbosity minimal
	dotnet test -c Release --verbosity minimal --no-build --no-restore /p:CollectCoverage=true /p:CoverletOutputFormat="opencover"
	~/.sonar/cache/dotnet-sonarscanner end /d:sonar.token="${{ secrets.SONAR_TOKEN }}"
	~/.sonar/cache/dotnet-sonarscanner begin /k:"${{ env.KEY }}" /o:"${{ env.ORG }}" /d:sonar.token="${{ secrets.SONAR_TOKEN }}" /d:sonar.host.url="https://sonarcloud.io" /d:sonar.scanner.scanAll=false /d:sonar.cs.opencover.reportsPaths="Tests/**/coverage.*.opencover.xml"
	dotnet restore
	dotnet build -c Release --verbosity minimal
	dotnet test -c Release --verbosity minimal --no-build --no-restore /p:CollectCoverage=true /p:CoverletOutputFormat="opencover"
	~/.sonar/cache/dotnet-sonarscanner end /d:sonar.token="${{ secrets.SONAR_TOKEN }}"

[coderabbitai]

⚠️ Potential issue

Fix conflicting cache paths.

Both cache steps are using the same path (~/.sonar/cache), which will cause conflicts. The scanner should use a different path.

  - name: Cache SonarCloud scanner
    id: cache-sonar-scanner
    uses: actions/cache@v4
    with:
-     path: ~/.sonar/cache
+     path: ./.sonar/scanner
      key: ${{ runner.os }}-sonar-scanner
      restore-keys: ${{ runner.os }}-sonar-scanner

  - name: Install SonarCloud scanner
    if: steps.cache-sonar-scanner.outputs.cache-hit != 'true'
-   run: dotnet tool update dotnet-sonarscanner --tool-path ~/.sonar/cache/
+   run: dotnet tool update dotnet-sonarscanner --tool-path ./.sonar/scanner/

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- name: Cache SonarCloud packages
	uses: actions/cache@v4
	with:
	path: ~/.sonar/cache
	key: ${{ runner.os }}-sonar
	restore-keys: ${{ runner.os }}-sonar
	- name: Cache SonarCloud scanner
	id: cache-sonar-scanner
	uses: actions/cache@v4
	with:
	path: ~/.sonar/cache
	key: ${{ runner.os }}-sonar-scanner
	restore-keys: ${{ runner.os }}-sonar-scanner
	- name: Install SonarCloud scanner
	if: steps.cache-sonar-scanner.outputs.cache-hit != 'true'
	run: dotnet tool update dotnet-sonarscanner --tool-path ~/.sonar/cache/
	- name: Cache SonarCloud packages
	uses: actions/cache@v4
	with:
	path: ~/.sonar/cache
	key: ${{ runner.os }}-sonar
	restore-keys: ${{ runner.os }}-sonar
	- name: Cache SonarCloud scanner
	id: cache-sonar-scanner
	uses: actions/cache@v4
	with:
	path: ./.sonar/scanner
	key: ${{ runner.os }}-sonar-scanner
	restore-keys: ${{ runner.os }}-sonar-scanner
	- name: Install SonarCloud scanner
	if: steps.cache-sonar-scanner.outputs.cache-hit != 'true'
	run: dotnet tool update dotnet-sonarscanner --tool-path ./.sonar/scanner/

🧰 Tools

🪛 yamllint

[error] 32-32: trailing spaces

(trailing-spaces)

---

[error] 40-40: trailing spaces

(trailing-spaces)

[AppVeyorBot]

✅ Build VTEX-SDK-dotnet 2.3.1646 completed (commit c03a513d4d by @gstraccini[bot])

[codacy-production]

Coverage summary from Codacy

See diff coverage on Codacy

Coverage variation	Diff coverage
✅ +0.00% (target: -1.00%)	✅ ∅

Coverage variation details

	Coverable lines	Covered lines	Coverage
Common ancestor commit (39ab137)	1774	4	0.23%
Head commit (cf9b98c)	1774 (+0)	4 (+0)	0.23% (+0.00%)

Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: <coverage of head commit> - <coverage of common ancestor commit>

Diff coverage details

	Coverable lines	Covered lines	Diff coverage
Pull request (#365)	0	0	∅ (not applicable)

Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: <covered lines added or modified>/<coverable lines added or modified> * 100%

See your quality gate settings    Change summary preferences

_{Codacy stopped sending the deprecated coverage status on June 5th, 2024. Learn more}

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 0.22%. Comparing base (39ab137) to head (cf9b98c).
Report is 1 commits behind head on main.

Additional details and impacted files

@@          Coverage Diff          @@
##            main    #365   +/-   ##
=====================================
  Coverage   0.22%   0.22%           
=====================================
  Files        117     117           
  Lines       1774    1774           
  Branches      75      75           
=====================================
  Hits           4       4           
+ Misses      1770    1768    -2     
- Partials       0       2    +2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[github-actions]

Infisical secrets check: ✅ No secrets leaked!

💻 Scan logs

2:36PM INF scanning for exposed secrets...
2:36PM INF 559 commits scanned.
2:36PM INF scan completed in 293ms
2:36PM INF no leaks found

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[AppVeyorBot]

✅ Build VTEX-SDK-dotnet 2.3.1684 completed (commit 21ede976fa by @gstraccini[bot])