Hello,

As we discussed, here is the workflow file adding the CI for analyzing the code in SonarQube Cloud.
Here is an example of a successful run. We can see this in the logs:

06:33:03.769 INFO  0 compilation units were partially analyzed
06:33:03.778 INFO  Analysis measures statistics:
100% of classes were parsed successfully (0 out of 1163 have parsing errors)
100% of functions were parsed successfully (0 out of 1036 have parsing errors)
100% of statements were parsed successfully (0 out of 9318 have parsing errors)
100% of the project includes directives were resolved (0 out of 1108 were not resolved)

Which means there was nothing that we had trouble parsing, and hence the results are complete.

And here you can see the results of the analysis.

I am not sure about the reliability of coverage, though. I can see some consteval being flagged as not being executed during runtime, which of course they aren't. Since coverage is handled by clang for instrumentation and llvm-cov for extracting the information, I imagine it's more on their side.

If you are happy with this, you will need two new secrets: SONAR_TOKEN and SONAR_HOST_URL (the latter just being https://sonarcloud.io, not really a secret). For the token you will need to onboard the project, then go to Administration / Analysis Method, disable automatic analysis and follow the instructions for GitHub Actions.

If you need help setting anything up, I'll happy to help.

P.S I think it may be better to merge into a temporary branch that lives under your repo to make sure it works, since I believe actions with secrets do not run when the PR comes from the outside.

P.P.S Full disclosure, I have seen a handful of kind-of-false positives for "Identical sub-expressions on both sides of operator" (they are identical, but they are within requires, and it should not apply there IMHO). I have filed a ticket for these.
Rules you disagree with can be disabled, though.