Skip to content

Add SonarQube analysis workflow#103

Merged
bernardladenthin merged 3 commits into
mainfrom
claude/loving-curie-uj5dvn
Jun 13, 2026
Merged

Add SonarQube analysis workflow#103
bernardladenthin merged 3 commits into
mainfrom
claude/loving-curie-uj5dvn

Conversation

@bernardladenthin

@bernardladenthin bernardladenthin commented Jun 13, 2026

Copy link
Copy Markdown
Owner

Summary

  • Add GitHub Actions workflow to run SonarQube code analysis on pushes to main and pull requests
  • Configure SonarQube organization in pom.xml to enable analysis integration
  • Workflow includes JDK 21 setup, Maven/SonarQube package caching, and automated build + analysis

Test plan

  • CI is green on this branch

Related issues / PRs

Checklist

  • I have read CONTRIBUTING.md and CODE_OF_CONDUCT.md
  • My commits follow Conventional Commits
  • No security-sensitive changes (if there are, I have notified the maintainer privately per SECURITY.md)

https://claude.ai/code/session_012WHHfb7tuYQkFz1YQ1BRmd

@claude

claude Bot commented Jun 13, 2026

Copy link
Copy Markdown

Review posted as inline comments. Key issues: missing SPDX header (project convention), unpinned sonar-maven-plugin version, and missing SONAR_HOST_URL env var for clarity.

claude[bot]
claude Bot reviewed Jun 13, 2026
View reviewed changes
Comment thread .github/workflows/sonarqube.yml
@@ -0,0 +1,36 @@
name: SonarQube

@claude claude Bot Jun 13, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The workflow file should include the SPDX license header to match the project's convention. Compare with other workflows in .github/workflows/ — they all include the Apache 2.0 header.\n\nsuggestion\n# SPDX-FileCopyrightText: 2014-2026 Bernard Ladenthin <bernard.ladenthin@gmail.com>\n#\n# SPDX-License-Identifier: Apache-2.0\n\nname: SonarQube\n",
true

claude[bot]
claude Bot reviewed Jun 13, 2026
View reviewed changes
Comment thread .github/workflows/sonarqube.yml
- name: Build and analyze
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
run: mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=bernardladenthin_streambuffer

@claude claude Bot Jun 13, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The SonarQube Maven plugin version is not pinned. For consistency with the pinned action versions above (e.g., actions/checkout@v4.3.1), either:\n1. Pin the plugin version explicitly in pom.xml, or\n2. Specify the version in the Maven command\n\nAlso consider adding SONAR_HOST_URL as an environment variable for clarity — it defaults to SonarCloud, but explicitly setting it makes the intent clear.",
true

@claude
Suppress USO_UNSAFE_ACCESSIBLE_OBJECT_SYNCHRONIZATION false positive …
7f87323 
…in toString()

bufferLock is private final; the synthetic access$N bridge is a Java 8
compiler artifact from private inner classes accessing the private field.
jcstress ConcurrentWriteRace confirms the synchronization is sound.
@sonarqubecloud

sonarqubecloud Bot commented Jun 13, 2026

Copy link
Copy Markdown

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@bernardladenthin bernardladenthin merged commit e67c3c0 into main Jun 13, 2026
11 of 24 checks passed
@bernardladenthin bernardladenthin deleted the claude/loving-curie-uj5dvn branch June 13, 2026 14:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@claude claude[bot] claude[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@bernardladenthin @claude