
Disabled sonar scanner#20

Merged

mdellabitta merged 2 commits into main from sonar-update on Aug 30, 2025

Conversation

@mdellabitta (Contributor) commented Aug 30, 2025

Removed sonar scanning build step due to security vulnerability.

Summary by CodeRabbit

  • Chores
    • Streamlined the CI pipeline by removing an external code analysis scan, reducing external dependencies and required secrets.
    • Maintains existing checkout, setup, install, build, and test steps to preserve validation coverage.
    • Expected to slightly speed up CI runs and reduce potential pipeline failures related to third-party services.
    • No impact on application behavior or user experience; no changes to public APIs.

@ellipsis-dev bot left a comment

Looks good to me! 👍

Reviewed everything up to cc2f17e in 21 seconds.
  • Reviewed 15 lines of code in 1 files
  • Skipped 0 files when reviewing.
  • Skipped posting 2 draft comments. View those below.
1. .github/workflows/node.js.yml:29
  • Draft comment:
    Updated the SonarQube Scan action version to v5.3.1. Ensure that this new version’s configuration (inputs/outputs) remains compatible with our current setup.
  • Reason this comment was not posted:
    Comment did not seem useful. Confidence is useful = 0% <= threshold 50% This comment is related to a dependency change, specifically updating the SonarQube Scan action version. It asks the PR author to ensure compatibility, which violates the rule against asking the author to ensure things are tested or verified. Therefore, this comment should be removed.
2. .github/workflows/node.js.yml:33
  • Draft comment:
    A trailing newline was added. Good practice for consistent file formatting.
  • Reason this comment was not posted:
    Confidence changes required: 0% <= threshold 50% None

Workflow ID: wflow_JobZ7R2aOuDteBy3


@coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (2)
.github/workflows/node.js.yml (2)

29-29: Upgrade looks good; consider pinning to a commit SHA for supply-chain safety.

Tag-only references can be retagged. Pin to the release commit and keep the human-readable tag as a comment.

Apply:

-      uses: SonarSource/sonarqube-scan-action@v5.3.1
+      uses: SonarSource/sonarqube-scan-action@<commit-sha-for-v5.3.1> # v5.3.1
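Review bot: the placeholder `<commit-sha-for-v5.3.1>` cannot be committed as written; it has to be replaced with the full 40-character commit SHA that the v5.3.1 tag resolves to (the peeled commit, not an annotated tag object), otherwise the runner will fail to fetch the action. Keeping `# v5.3.1` as a trailing comment is the right call, since the SHA alone tells a reader nothing about the version. Note that the later commit 03511f3 in this PR removed the SonarQube Scan step entirely, so this pin only matters if the step is reinstated.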

31-33: Add minimal permissions, skip forks without secrets, and (optionally) surface SONAR_HOST_URL.

  • Limit GITHUB_TOKEN scope for PR decoration.
  • Avoid failures on external fork PRs where secrets aren’t available.
  • If you don’t set sonar.host.url in sonar-project.properties, expose SONAR_HOST_URL here.

Apply:

   build:
-
-    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
+    runs-on: ubuntu-latest
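Review bot: a job-level `permissions:` block sets every scope that is not listed to `none`, so after this hunk the job's GITHUB_TOKEN carries only `contents: read` and `pull-requests: read`. That is sufficient for the steps this job runs (checkout, setup-node, npm ci, build, test, plus the scanner reading PR metadata), but if a write-scoped step (check runs, issue comments) is ever added to this job it will fail with 403 until its scope is declared here. Dropping the blank line after `build:` is harmless.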
@@
-    - name: SonarQube Scan
+    - name: SonarQube Scan
+      if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
       uses: SonarSource/sonarqube-scan-action@v5.3.1
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any
         SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+        # SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} # if not set in sonar-project.properties
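Review bot: the `if:` guard only constrains the `pull_request` event; every other event name short-circuits on `github.event_name != 'pull_request'` and runs the step unconditionally. That is correct for `push`, where secrets are available, but if the trigger is ever changed to `pull_request_target` the guard no longer applies and the step would run with repository secrets against fork-supplied code, so the condition should be extended at the same time. The commented-out `SONAR_HOST_URL` line is inert as written; it must be uncommented (with the secret defined) unless `sonar.host.url` is set in sonar-project.properties.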
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro


📥 Commits

Reviewing files that changed from the base of the PR and between 5044c06 and cc2f17e.

📒 Files selected for processing (1)
  • .github/workflows/node.js.yml (1 hunks)
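The SHA-pinning suggestion in the CodeRabbit comment above leaves the actual resolution of a tag to a commit as an exercise. The script below is an added example, not code from this PR or from SonarSource's action: it parses `git ls-remote --tags` output (a constructed sample with placeholder SHAs stands in for the real listing, which needs network access), picks the peeled commit for an annotated tag, and rewrites a `uses:` line into the pinned form while refusing anything that is not a 40-character hex SHA. The function names `resolve_tag_sha`, `pin_uses_line` and `sample_ls_remote` are this example's own.

```sh
#!/bin/sh
# Added example, not code from this PR or from SonarSource's action: resolve a
# GitHub Actions tag to the commit it points at and rewrite a `uses:` line into
# the SHA-pinned form recommended in the review comment above.

# resolve_tag_sha TAG: read `git ls-remote --tags <repo-url>` output on stdin
# and print the commit SHA for TAG. An annotated tag shows up twice, once as the
# tag object (refs/tags/TAG) and once peeled to its commit (refs/tags/TAG^{});
# the peeled line is the commit a `uses:` pin must reference, so it wins.
# A lightweight tag has only the plain line, which already is the commit.
resolve_tag_sha() {
    tag=$1
    peeled=
    plain=
    while read -r sha ref; do
        case $ref in
            "refs/tags/$tag^{}") peeled=$sha ;;
            "refs/tags/$tag")    plain=$sha ;;
        esac
    done
    if [ -n "$peeled" ]; then
        printf '%s\n' "$peeled"
    elif [ -n "$plain" ]; then
        printf '%s\n' "$plain"
    else
        return 1   # tag not present in the listing
    fi
}

# pin_uses_line LINE SHA: rewrite `uses: owner/repo@<tag>` as
# `uses: owner/repo@<sha> # <tag>`, preserving indentation and keeping the
# human-readable tag as a trailing comment. Refuses anything that is not a
# 40-character lowercase hex SHA, so a placeholder such as
# <commit-sha-for-v5.3.1> can never be written into the workflow by mistake.
# Assumes the line carries no '@' inside an existing trailing comment.
pin_uses_line() {
    line=$1
    sha=$2
    case $sha in
        *[!0-9a-f]* | '') return 1 ;;
    esac
    [ "${#sha}" -eq 40 ] || return 1
    case $line in
        *uses:*@*) ;;
        *) return 1 ;;
    esac
    prefix=${line%@*}            # indentation + "uses: owner/repo"
    ref=${line##*@}              # tag plus any trailing comment
    ref=${ref%%#*}               # drop an existing trailing comment
    ref=${ref%"${ref##*[! ]}"}   # trim trailing spaces
    printf '%s@%s # %s\n' "$prefix" "$sha" "$ref"
}

# Constructed stand-in for
# `git ls-remote --tags https://github.com/SonarSource/sonarqube-scan-action`.
# The SHAs are placeholders, not the real ones; v5.3.1 is modelled as an
# annotated tag (tag object plus peeled commit), v5.3.0 as a lightweight tag.
sample_ls_remote() {
    printf '%s\t%s\n' \
        1111111111111111111111111111111111111111 refs/tags/v5.3.0 \
        2222222222222222222222222222222222222222 refs/tags/v5.3.1 \
        3333333333333333333333333333333333333333 'refs/tags/v5.3.1^{}'
}

# demo: resolve v5.3.1 from the sample listing and print the pinned line.
demo() {
    sha=$(sample_ls_remote | resolve_tag_sha v5.3.1) || return 1
    pin_uses_line '      uses: SonarSource/sonarqube-scan-action@v5.3.1' "$sha"
}

demo
```

To use it against a real repository, replace `sample_ls_remote` with `git ls-remote --tags <repo-url>` and feed that into `resolve_tag_sha`; the rewrite refuses short or placeholder SHAs on purpose, so a failed resolution cannot silently produce a broken `uses:` line.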

@ellipsis-dev bot left a comment

Looks good to me! 👍

Reviewed 03511f3 in 24 seconds.
  • Reviewed 13 lines of code in 1 files
  • Skipped 0 files when reviewing.
  • Skipped posting 1 draft comments. View those below.
1. .github/workflows/node.js.yml:25
  • Draft comment:
    Removed SonarQube scan step. If updating the scanner was intended, ensure the new configuration is applied so code scanning isn’t inadvertently disabled.
  • Reason this comment was not posted:
    Comment did not seem useful. Confidence is useful = 0% <= threshold 50% The comment is asking the author to ensure that the new configuration is applied, which violates the rule against asking the author to ensure something. It also seems to be more of a cautionary note rather than a specific suggestion or question about the code.

Workflow ID: wflow_bm2dzY8iou9jeHag


@mdellabitta mdellabitta changed the title Updated to later version of sonar scanner Disabled sonar scanner Aug 30, 2025
@dpla dpla deleted a comment from coderabbitai bot Aug 30, 2025
@mdellabitta mdellabitta marked this pull request as draft August 30, 2025 20:19
@mdellabitta mdellabitta marked this pull request as ready for review August 30, 2025 20:19
@coderabbitai bot commented Aug 30, 2025

Walkthrough

Removed the SonarQube Scan step and its environment variables from the Node.js CI GitHub Actions workflow; all other steps remain unchanged.

Changes

Cohort / File(s): CI Workflow (.github/workflows/node.js.yml)
Summary of Changes: Removed SonarQube Scan step and its GITHUB_TOKEN/SONAR_TOKEN env vars; kept checkout, setup-node, npm ci, build, and test steps unchanged.

Sequence Diagram(s)

sequenceDiagram
    actor Dev as Developer
    participant GH as GitHub
    participant Runner as Actions Runner
    Dev->>GH: Push/PR
    GH->>Runner: Trigger Node.js CI
    Runner->>Runner: Checkout repo
    Runner->>Runner: Setup Node.js
    Runner->>Runner: npm ci
    Runner->>Runner: npm run build
    Runner->>Runner: npm test
    note over Runner: SonarQube scan step removed

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes


📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro


📥 Commits

Reviewing files that changed from the base of the PR and between 5044c06 and 03511f3.

📒 Files selected for processing (1)
  • .github/workflows/node.js.yml (0 hunks)
💤 Files with no reviewable changes (1)
  • .github/workflows/node.js.yml

@mdellabitta mdellabitta merged commit 83524d9 into main Aug 30, 2025
5 checks passed
@mdellabitta mdellabitta deleted the sonar-update branch August 30, 2025 20:21
