
chore: add SonarQube scan pipeline #2138

Open

gvc wants to merge 4 commits into main from chore/add-sonarqube-scan

Conversation


@gvc gvc commented Apr 10, 2026


Summary

  • Creates .vtex/deployment.yaml with a node-ci-v2 pipeline for SonarQube code quality scanning
  • Triggers on pull requests for PR decoration (quality gate comments)

Context

Part of a rollout to enable SonarQube across VTEX repositories.

Test plan

Summary by CodeRabbit

  • Chores
    • Updated CI/CD configuration to add a deployment entry that runs code quality scans and test coverage on push and pull requests to main.
    • Added a development dependency to enable V8-based test coverage reporting during local and CI test runs.


@gvc gvc requested a review from a team as a code owner April 10, 2026 14:27

vercel Bot commented Apr 10, 2026


The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

| Project | Deployment | Actions | Updated (UTC) |
|---|---|---|---|
| shoreline-docs | Ignored | Ignored Preview | May 15, 2026 2:42pm |


coderabbitai Bot commented May 5, 2026


Warning

Rate limit exceeded

@lucasaarcoverde has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 4 minutes and 7 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 69fa9a56-525f-4e8b-898e-d1681aff423a

📥 Commits

Reviewing files that changed from the base of the PR and between 08fbdc6 and ff66d48.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (1)
  • package.json
📝 Walkthrough

Adds a .vtex/deployment.yaml entry shoreline to run a SonarQube scan via the dkcicd node-ci-v2 pipeline (Node 20-bookworm, pnpm, test -- --coverage, amd64) and adds @vitest/coverage-v8@1.6.0 to devDependencies.

Changes

SonarQube Deployment Configuration

| Layer | File(s) | Summary |
|---|---|---|
| CI/CD Configuration | .vtex/deployment.yaml, package.json | Adds shoreline deployment entry with SonarQube scan configuration (dkcicd provider, node-ci-v2 pipeline, sonarProjectName: shoreline, Node 20-bookworm, packageManager: pnpm, nodeCommands: test -- --coverage, runtime amd64, triggers on pull_request and push for main) and adds devDependencies.@vitest/coverage-v8 at 1.6.0. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 In branches where the mainline sleeps,
A tiny config plants its seeds,
Coverage hums and Sonar peeks,
Tests dance in nodes and pnpm feeds,
Rabbity cheers for cleaner deeds.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The PR title 'chore: add SonarQube scan pipeline' directly and clearly describes the main change: adding a SonarQube scanning pipeline via the new .vtex/deployment.yaml configuration. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.vtex/deployment.yaml:
- Line 21: The regex value "main" currently matches any branch containing
"main"; update the deployment.yaml entry for the regex key to anchor the pattern
(e.g., use ^main$ or an equivalent exact-match expression) so only the main
branch triggers the pipeline; locate the regex: main line in the deployment.yaml
and replace it with the anchored pattern.
ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ea88b5fe-6329-422d-ad45-8bda258d608f

📥 Commits

Reviewing files that changed from the base of the PR and between a1da499 and 942e06f.

📒 Files selected for processing (1)
  • .vtex/deployment.yaml

Comment thread .vtex/deployment.yaml
source: branch
- event: push
source: branch
regex: main


⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Anchor the regex pattern to match only the main branch.

The pattern regex: main will match any branch name containing "main" (e.g., "main-dev", "my-main-branch", "maintain"). This could trigger the pipeline on unintended branches, wasting CI resources and potentially pushing unexpected data to SonarQube.

🔧 Proposed fix to anchor the regex pattern
-          regex: main
+          regex: ^main$
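Review bot: The anchored `^main$` only changes behaviour if the dkcicd provider evaluates `regex` with search (find-anywhere) semantics, which this comment assumes rather than demonstrates; if the provider already performs a full match the change is a no-op, so anchoring is the safe default either way. Note also that the `- event: pull_request` / `source: branch` trigger in the context above carries no `regex` in the visible lines, so pull requests from any branch still run the scan, which is consistent with the PR-decoration goal stated in the description.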
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.vtex/deployment.yaml at line 21, The regex value "main" currently matches
any branch containing "main"; update the deployment.yaml entry for the regex key
to anchor the pattern (e.g., use ^main$ or an equivalent exact-match expression)
so only the main branch triggers the pipeline; locate the regex: main line in
the deployment.yaml and replace it with the anchored pattern.
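To make the substring-versus-exact-match point concrete, here is an added example (not code from the PR or from CodeRabbit) that lints a trigger block for unanchored `regex` values and shows which branch names each pattern would fire on. The YAML text is constructed from the three lines visible in the review thread; the `triggers:` key, the indentation and the `pull_request` entry are assumptions about the file's shape, and the branch list is constructed from "main", the bot's three look-alike examples and two unrelated names. The example assumes, as the comment does, that the pipeline applies the regex with search semantics.

```python
import re

# Constructed trigger block assembled from the lines visible in the review thread
# (event/source/regex). The "triggers:" key, indentation and the pull_request entry
# are assumptions, not the repository's actual deployment.yaml.
DEPLOYMENT_YAML_BEFORE = """\
triggers:
  - event: pull_request
    source: branch
  - event: push
    source: branch
    regex: main
"""

# The same block with the anchored pattern proposed in the review.
DEPLOYMENT_YAML_AFTER = DEPLOYMENT_YAML_BEFORE.replace("regex: main", "regex: ^main$")

# Constructed branch names: "main" from the page, the three look-alikes named in
# the review comment, and two unrelated branches that should never match.
SAMPLE_BRANCHES = [
    "main",
    "main-dev",
    "my-main-branch",
    "maintain",
    "feature/sonar-scan",
    "release/2026.05",
]

# Matches a "regex: <value>" line and captures the value without surrounding spaces.
REGEX_LINE = re.compile(r"^\s*regex:\s*(?P<value>\S.*?)\s*$")


def trigger_regexes(yaml_text: str) -> list[tuple[int, str]]:
    """Return (line_number, pattern) for every `regex:` key in the text."""
    found = []
    for lineno, line in enumerate(yaml_text.splitlines(), start=1):
        m = REGEX_LINE.match(line)
        if m:
            found.append((lineno, m.group("value")))
    return found


def unanchored(pattern: str) -> bool:
    """True when the pattern is not pinned at both ends, i.e. it is a
    substring match under search semantics."""
    return not (pattern.startswith("^") and pattern.endswith("$"))


def lint_unanchored_regexes(yaml_text: str) -> list[tuple[int, str]]:
    """Lines whose regex would fire on any branch merely containing the pattern."""
    return [(n, p) for n, p in trigger_regexes(yaml_text) if unanchored(p)]


def branches_triggering(pattern: str, branches: list[str]) -> list[str]:
    """Branches a trigger fires on, assuming the CI provider applies the regex
    with search (find-anywhere) semantics, as the review comment assumes."""
    compiled = re.compile(pattern)
    return [b for b in branches if compiled.search(b)]


if __name__ == "__main__":
    for label, text in (("before", DEPLOYMENT_YAML_BEFORE), ("after", DEPLOYMENT_YAML_AFTER)):
        for lineno, pattern in trigger_regexes(text):
            fires = branches_triggering(pattern, SAMPLE_BRANCHES)
            flag = "UNANCHORED" if unanchored(pattern) else "ok"
            print(f"{label}: line {lineno} regex={pattern!r} [{flag}] -> {fires}")
```

Run as a script it reports the `before` block firing on four of the six branches and the `after` block on `main` only; `lint_unanchored_regexes` is the piece worth wiring into a pre-commit or CI check so an unanchored trigger is caught before it reaches the pipeline.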

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@package.json`:
- Line 63: The package.json pins vulnerable test deps; update the
"@vitest/coverage-v8" and "vitest" entries (the dependency keys
"@vitest/coverage-v8" and "vitest" shown in the diff) to a non-vulnerable
release (at least 1.6.1 or preferably the recommended 4.1.6) in package.json,
then run your package manager to refresh lockfile (npm/yarn/pnpm install) and
verify tests; this ensures the CRITICAL RCE fix is applied and the lockfile is
updated accordingly.
ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5d4b5189-feb4-4e0e-a124-d5cef3c13645

📥 Commits

Reviewing files that changed from the base of the PR and between 942e06f and 08fbdc6.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (1)
  • package.json

Comment thread package.json Outdated