fix(sonar): skip SonarCloud analysis on template repo

[williaby]

Summary

Removes the SonarCloud caller workflow and root-level sonar-project.properties from this Cookiecutter template repository. SonarCloud analysis here was failing with a curl 403 from the quality-gate API and was structurally unfixable: the source paths configured in the properties file ({{cookiecutter.project_slug}}/) are literal Jinja2 placeholders on the template-repo side, not real directories. The template body is meta-code, not application code, and is not statically analyzable as plain Python.

Generated child projects continue to opt into their own SonarCloud analysis via the rendered sonar-project.properties and sonarcloud.yml workflow that ship inside {{cookiecutter.project_slug}}/. That analysis is unaffected by this change because cookiecutter renders the placeholders at instantiation time, well before any scanner runs on the generated repo.

Why option B (skip), not option A (move into template dir)

• A rendered-only copy already exists at {{cookiecutter.project_slug}}/sonar-project.properties; the root copy was the duplicate that was failing.
• A template repository is not user-facing code. Its SonarCloud quality grade is irrelevant to the actual user-facing artifacts (the generated projects).
• Eliminating the duplicate analysis also removes the historical race condition between concurrent analyses on the same projectKey/SHA referenced in PR fix(template): resolve 13 SonarCloud code quality issues #69.

Files changed

• .github/workflows/sonarcloud.yml (deleted)
• sonar-project.properties (deleted)
• .github/workflows/ci.yml (comment block and step-summary updated to reflect new state)
• CHANGELOG.md (Unreleased / Removed entry)

Test plan

• Pre-commit run on changed files (all hooks pass)
• actionlint on ci.yml (no new findings; pre-existing SC2086/SC2129 info-level only)
• CI run on PR is green (no SonarCloud workflow triggers)
• No regressions in test-template.yml (generated children still ship sonar config)

Refs: Phase 3 Bucket E (CI Repair Sprint)

Generated with Claude Code

[coderabbitai]

Warning

Review limit reached

@williaby, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 41 minutes and 27 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: a3e9c410-71f9-4521-8d47-74d2b2b78c49

📥 Commits

Reviewing files that changed from the base of the PR and between 1fc987a and 52aa74f.

📒 Files selected for processing (9)

• .github/workflows/ci.yml
• .github/workflows/sonarcloud.yml
• .secrets.baseline
• .sonarlint/connectedMode.json
• CHANGELOG.md
• CLAUDE.md
• CONTRIBUTING.md
• README.md
• sonar-project.properties

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/sonar-jinja-placeholder

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

This PR removes SonarCloud analysis from the template repository itself (where Jinja2 placeholder paths prevent meaningful scanning), while keeping SonarCloud support in generated projects via the already-templated SonarCloud workflow/config inside {{cookiecutter.project_slug}}/.

Changes:

• Deleted the root SonarCloud caller workflow and root sonar-project.properties to stop running SonarCloud on the template repo.
• Updated the root CI workflow commentary/step summary to reflect that SonarCloud is intentionally not executed for the template repository.
• Documented the removal in the Unreleased changelog.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

File	Description
sonar-project.properties (deleted)	Removes root SonarCloud scanner configuration that referenced non-real template paths.
.github/workflows/sonarcloud.yml (deleted)	Stops the dedicated SonarCloud workflow from running on the template repository.
.github/workflows/ci.yml	Updates inline notes and the final summary output to reflect the new “no SonarCloud in template repo” posture.
CHANGELOG.md	Adds an Unreleased “Removed” entry documenting the workflow/config removal and rationale.

[williaby]

PR Review: fix(sonar): skip SonarCloud analysis on template repo

CI: All checks passing. Merge state: CLEAN.
CodeRabbit: Rate-limited (no review produced). Copilot: 1 finding (incorporated below).

---

Critical (must fix before merge)

• README.md:4-8 — Two badge URLs link to the deleted sonarcloud.yml workflow (will fail to render). The Quality Gate / Security Rating / Code Smells SonarCloud badges (lines 5-8) will show Error after the project is abandoned. README lines 297-345 describe the template repo's own SonarCloud configuration as if it still exists.

• CLAUDE.md:576-643 — The ## SonarCloud Integration section still says "Both the template repository and generated projects support SonarCloud" and lists the deleted sonarcloud.yml and sonar-project.properties as active template-repo config. CLAUDE.md is loaded as AI working context on every session; stale entries produce incorrect guidance in future Claude Code sessions.

Important (should fix)

• ci.yml:6,14 — File header still reads # - SonarQube quality gate enforcement (line 6) and # Layer 3: Automated Code Quality (SonarQube) (line 14). The Job 3 comment block was updated but not the header governance summary.

Suggested

• .sonarlint/connectedMode.json — Still present, pointing to the deleted project key. SonarLint users will get IDE connection errors. Delete or gitignore.

• CHANGELOG.md — ### Removed is inserted before ### Changed. Keep a Changelog 1.1.0 specifies order: Added → Changed → Deprecated → Removed. Move ### Removed after ### Changed.

---

🤖 Generated with Claude Code

[williaby]

Fix-pass applied -- commit 52aa74f

The following findings from the pr-review pass have been resolved:

Critical

• README.md: Removed 5 stale SonarCloud badges (Validate Template badge retained). Updated the SonarCloud setup section to accurately reflect that this template repo does not run analysis, with a note on why (Jinja2 meta-code is not statically analyzable as Python; was failing with curl 403 from quality-gate API).
• CLAUDE.md: Removed the ### Template Repository subsection from the SonarCloud Integration section. The ### Generated Projects subsection is unchanged.

Important

• .github/workflows/ci.yml: Removed SonarQube quality gate enforcement from the features list in the header comment block. Updated Layer 3 description from Automated Code Quality (SonarQube) to Automated Code Quality (Ruff, BasedPyright, Bandit) to reflect the actual toolchain.

Suggested

• CHANGELOG.md: Reordered [Unreleased] subsections to Added, Changed, Removed, Fixed per Keep a Changelog 1.1.0 spec. The ### Removed block was previously between ### Added and ### Changed.
• .sonarlint/connectedMode.json: Deleted orphaned IDE config that pointed to the now-deleted analysis project (was causing SonarLint connection errors for local development).

Informational

• CONTRIBUTING.md: Replaced SonarCloud with qlty in the automated reviewers list (step 7 of the PR process).

Pre-commit baseline update (side-effect)

• .secrets.baseline: Updated to include the SHA-pin entries from .pre-commit-config.yaml which were triggering detect-secrets as false-positive high-entropy strings. The baseline had not been updated when SHA pins were added to that file.

All changes verified clean: ruff format, ruff check, bandit, and all 25 pre-commit hooks pass.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	pypi/​ruff@​0.14.6
	pypi/​tomli@​2.3.0
	pypi/​tomli-w@​1.2.0

View full report