ci: enforce complete blocking Sonar scans#432
Conversation
Signed-off-by: Will Killian <wkillian@nvidia.com>
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: ASSERTIVE Plan: Enterprise Run ID: 📒 Files selected for processing (1)
📜 Recent review details⏰ Context from checks skipped due to timeout. (1)
🧰 Additional context used📓 Path-based instructions (2).gitlab-ci.yml📄 CodeRabbit inference engine (.agents/skills/maintain-packaging/SKILL.md)
Files:
{.github/**,.gitlab-ci.yml,.pre-commit-config.yaml,justfile,scripts/**}⚙️ CodeRabbit configuration file
Files:
🧠 Learnings (2)📚 Learning: 2026-04-15T18:16:52.951ZApplied to files:
📚 Learning: 2026-05-01T13:41:07.485ZApplied to files:
🔇 Additional comments (1)
WalkthroughThe CI pipeline adds Rust Clippy analysis, publishes its JSON report, passes it to a pinned SonarScanner job, and configures Sonar quality-gate waiting with a 300-second timeout. ChangesRust analysis and Sonar quality gate
Estimated code review effort: 3 (Moderate) | ~20 minutes Sequence Diagram(s)sequenceDiagram
participant GitLabPipeline
participant RustClippy
participant CheckSonar
participant SonarQube
GitLabPipeline->>RustClippy: run cargo clippy and create clippy-report.json
RustClippy->>CheckSonar: provide artifact through needs
CheckSonar->>SonarQube: run pinned sonar-scanner
SonarQube-->>CheckSonar: return quality-gate result
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.gitlab-ci.yml:
- Around line 32-34: Update the Rust analysis job’s image reference under the
image configuration to use an immutable registry digest instead of only the rust
version and Debian tags, following the existing Sonar image pinning pattern.
Include that digest in the job’s cache key when the digest can change
independently, while preserving the current toolchain version variables.
- Line 55: Update the CI Clippy command in the workspace lint step to include
the --locked flag, ensuring Cargo uses the existing lockfile without
re-resolving dependencies while preserving the current targets, JSON output, and
report file.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Enterprise
Run ID: d654aa1c-9924-42e7-a05d-e6ca69fe070e
📒 Files selected for processing (2)
.gitlab-ci.ymlsonar-project.properties
📜 Review details
⏰ Context from checks skipped due to timeout. (1)
- GitHub Check: Check / Run
🧰 Additional context used
📓 Path-based instructions (3)
**/*
📄 CodeRabbit inference engine (.agents/skills/validate-change/SKILL.md)
**/*: Format changed files with the language-native formatter before the final lint/test pass.
If dynamic plugin behavior changed, usemaintain-dynamic-pluginsand include the native SDK, worker protocol, Python SDK, docs, packaging, and Codecov surfaces in the validation plan.
If code changes alter APIs, bindings, commands, paths, packaging behavior, observability/adaptive semantics, or documented best practices, update any dependent maintainer or consumer skills in the same branch.
During iteration, preferuv run pre-commit run --files <changed files...>.
Before review or handoff, runuv run pre-commit run --all-files.
Files:
sonar-project.properties
.gitlab-ci.yml
📄 CodeRabbit inference engine (.agents/skills/maintain-packaging/SKILL.md)
Keep CI workflow commands and package references in
.gitlab-ci.ymlaligned with the current install, build, and example commands.
Files:
.gitlab-ci.yml
{.github/**,.gitlab-ci.yml,.pre-commit-config.yaml,justfile,scripts/**}
⚙️ CodeRabbit configuration file
{.github/**,.gitlab-ci.yml,.pre-commit-config.yaml,justfile,scripts/**}: Review automation changes for reproducibility, pinned versions where appropriate, secret handling, and consistency with the documented validation matrix.
Pay attention to commands that need generated native artifacts, FFI libraries, or platform-specific environment variables.
Files:
.gitlab-ci.yml
🧠 Learnings (2)
📚 Learning: 2026-04-15T18:16:52.951Z
Learnt from: bbednarski9
Repo: NVIDIA/NeMo-Flow PR: 1
File: docs/atof-event-format.md:381-381
Timestamp: 2026-04-15T18:16:52.951Z
Learning: In docs/atof-event-format.md (and when reviewing references to this format across the NeMo-Flow repo), treat `AtifExporter.events_to_steps()` as the intended public/API method name. Do not flag it as inconsistent with internal Rust symbol names (e.g., `event_to_steps` in `crates/core/src/atif.rs`)—the documentation’s public-facing naming may differ intentionally from internal implementation details.
Applied to files:
.gitlab-ci.yml
📚 Learning: 2026-05-01T13:41:07.485Z
Learnt from: willkill07
Repo: NVIDIA/NeMo-Flow PR: 34
File: .gitlab-ci.yml:95-103
Timestamp: 2026-05-01T13:41:07.485Z
Learning: In NVIDIA/NeMo-Flow’s .gitlab-ci.yml, when listing GitHub Actions runs for a tag-triggered workflow, use `gh run list --branch "$tag"` to filter runs by the tag name. For annotated tag pushes in this repo, GitHub sets `headBranch` to the tag (e.g., `0.1.0-rc.5`), so `--branch "$tag"` returns only the tag-triggered run. Prefer this over `--commit <sha>`, which can be less precise because it may include both the tag run and a main-branch run that share the same commit SHA.
Applied to files:
.gitlab-ci.yml
🔇 Additional comments (4)
.gitlab-ci.yml (3)
13-13: LGTM!
30-31: LGTM!Also applies to: 35-54, 56-60
62-65: LGTM!Also applies to: 75-77
sonar-project.properties (1)
5-8: LGTM!
Signed-off-by: Will Killian <wkillian@nvidia.com>
Overview
Harden the Sonar pipeline so Rust Clippy analysis is complete, deterministic, and blocking after the source-remediation PRs clear the current backlog. This PR should merge after the four remediation PRs.
Details
cargo clippy --workspace --all-targets --message-format=json, and publishes a non-empty JSON artifact.sonar.rust.clippyReport.reportPathsand disable Sonar's duplicate automatic Clippy execution.12.1.0.3233_8.0.1and its immutable digest.allow_failure.Validation:
.gitlab-ci.ymlpassed the official GitLab CI JSON schema.uv run pre-commit run --all-filesWhere should the reviewer start?
Start with
analyze:rust-clippyandcheck:sonarin.gitlab-ci.yml, then review the four new properties insonar-project.properties.Related Issues: (use one of the action keywords Closes / Fixes / Resolves / Relates to)
Summary by CodeRabbit