Skip to content

ci: enforce complete blocking Sonar scans#432

Closed
willkill07 wants to merge 2 commits into
NVIDIA:mainfrom
willkill07:ci/sonar-rust-quality-gate
Closed

ci: enforce complete blocking Sonar scans#432
willkill07 wants to merge 2 commits into
NVIDIA:mainfrom
willkill07:ci/sonar-rust-quality-gate

Conversation

@willkill07

@willkill07 willkill07 commented Jul 15, 2026

Copy link
Copy Markdown
Member

Overview

Harden the Sonar pipeline so Rust Clippy analysis is complete, deterministic, and blocking after the source-remediation PRs clear the current backlog. This PR should merge after the four remediation PRs.

  • I confirm this contribution is my own work, or I have the right to submit it under this project's license.
  • I searched existing issues and open pull requests, and this does not duplicate existing work.

Details

  • Add a Rust 1.93 Clippy job that explicitly installs Clippy, runs cargo clippy --workspace --all-targets --message-format=json, and publishes a non-empty JSON artifact.
  • Import that report with sonar.rust.clippyReport.reportPaths and disable Sonar's duplicate automatic Clippy execution.
  • Pin the SonarScanner CLI image to 12.1.0.3233_8.0.1 and its immutable digest.
  • Enable a blocking quality-gate wait with a 300-second timeout and remove allow_failure.

Validation:

  • Exact Clippy report command completed successfully; the output is valid JSON and non-empty.
  • .gitlab-ci.yml passed the official GitLab CI JSON schema.
  • uv run pre-commit run --all-files

Where should the reviewer start?

Start with analyze:rust-clippy and check:sonar in .gitlab-ci.yml, then review the four new properties in sonar-project.properties.

Related Issues: (use one of the action keywords Closes / Fixes / Resolves / Relates to)

  • Relates to: none

Summary by CodeRabbit

  • Quality & Reliability
    • Added automated Rust static analysis to the CI pipeline and generate a reviewable report.
    • Updated quality checks to consume the generated analysis report and validate it before proceeding.
    • Pinned the SonarScanner version for more consistent CI behavior.
    • Configured Sonar quality-gate waiting with a five-minute result timeout (and aligned Rust analysis settings accordingly).

Signed-off-by: Will Killian <wkillian@nvidia.com>
@willkill07 willkill07 requested a review from a team as a code owner July 15, 2026 14:34
@github-actions github-actions Bot added size:S PR is small Maintenance CI or Build or general repository maintenance labels Jul 15, 2026
@coderabbitai

coderabbitai Bot commented Jul 15, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: 94f51276-6098-4c6a-a31a-27892131cbf9

📥 Commits

Reviewing files that changed from the base of the PR and between cd9ebab and de78fd8.

📒 Files selected for processing (1)
  • .gitlab-ci.yml
📜 Recent review details
⏰ Context from checks skipped due to timeout. (1)
  • GitHub Check: Check / Run
🧰 Additional context used
📓 Path-based instructions (2)
.gitlab-ci.yml

📄 CodeRabbit inference engine (.agents/skills/maintain-packaging/SKILL.md)

Keep CI workflow commands and package references in .gitlab-ci.yml aligned with the current install, build, and example commands.

Files:

  • .gitlab-ci.yml
{.github/**,.gitlab-ci.yml,.pre-commit-config.yaml,justfile,scripts/**}

⚙️ CodeRabbit configuration file

{.github/**,.gitlab-ci.yml,.pre-commit-config.yaml,justfile,scripts/**}: Review automation changes for reproducibility, pinned versions where appropriate, secret handling, and consistency with the documented validation matrix.
Pay attention to commands that need generated native artifacts, FFI libraries, or platform-specific environment variables.

Files:

  • .gitlab-ci.yml
🧠 Learnings (2)
📚 Learning: 2026-04-15T18:16:52.951Z
Learnt from: bbednarski9
Repo: NVIDIA/NeMo-Flow PR: 1
File: docs/atof-event-format.md:381-381
Timestamp: 2026-04-15T18:16:52.951Z
Learning: In docs/atof-event-format.md (and when reviewing references to this format across the NeMo-Flow repo), treat `AtifExporter.events_to_steps()` as the intended public/API method name. Do not flag it as inconsistent with internal Rust symbol names (e.g., `event_to_steps` in `crates/core/src/atif.rs`)—the documentation’s public-facing naming may differ intentionally from internal implementation details.

Applied to files:

  • .gitlab-ci.yml
📚 Learning: 2026-05-01T13:41:07.485Z
Learnt from: willkill07
Repo: NVIDIA/NeMo-Flow PR: 34
File: .gitlab-ci.yml:95-103
Timestamp: 2026-05-01T13:41:07.485Z
Learning: In NVIDIA/NeMo-Flow’s .gitlab-ci.yml, when listing GitHub Actions runs for a tag-triggered workflow, use `gh run list --branch "$tag"` to filter runs by the tag name. For annotated tag pushes in this repo, GitHub sets `headBranch` to the tag (e.g., `0.1.0-rc.5`), so `--branch "$tag"` returns only the tag-triggered run. Prefer this over `--commit <sha>`, which can be less precise because it may include both the tag run and a main-branch run that share the same commit SHA.

Applied to files:

  • .gitlab-ci.yml
🔇 Additional comments (1)
.gitlab-ci.yml (1)

13-13: LGTM!

Also applies to: 23-66, 76-83


Walkthrough

The CI pipeline adds Rust Clippy analysis, publishes its JSON report, passes it to a pinned SonarScanner job, and configures Sonar quality-gate waiting with a 300-second timeout.

Changes

Rust analysis and Sonar quality gate

Layer / File(s) Summary
Rust Clippy analysis pipeline
.gitlab-ci.yml
Adds the analyze stage and a branch-push analyze:rust-clippy job that runs Clippy, caches Cargo data, validates and uploads clippy-report.json.
Sonar artifact consumption and quality gate
.gitlab-ci.yml, sonar-project.properties
Pins the SonarScanner image, requires the Clippy artifact, removes permissive failure handling, and enables quality-gate waiting with a 300-second timeout.

Estimated code review effort: 3 (Moderate) | ~20 minutes

Sequence Diagram(s)

sequenceDiagram
  participant GitLabPipeline
  participant RustClippy
  participant CheckSonar
  participant SonarQube
  GitLabPipeline->>RustClippy: run cargo clippy and create clippy-report.json
  RustClippy->>CheckSonar: provide artifact through needs
  CheckSonar->>SonarQube: run pinned sonar-scanner
  SonarQube-->>CheckSonar: return quality-gate result
Loading
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed Uses conventional commit format and clearly matches the CI/Sonar pipeline hardening changes.
Description check ✅ Passed Matches the template sections and includes overview, details, reviewer start, and checklist items.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.gitlab-ci.yml:
- Around line 32-34: Update the Rust analysis job’s image reference under the
image configuration to use an immutable registry digest instead of only the rust
version and Debian tags, following the existing Sonar image pinning pattern.
Include that digest in the job’s cache key when the digest can change
independently, while preserving the current toolchain version variables.
- Line 55: Update the CI Clippy command in the workspace lint step to include
the --locked flag, ensuring Cargo uses the existing lockfile without
re-resolving dependencies while preserving the current targets, JSON output, and
report file.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: d654aa1c-9924-42e7-a05d-e6ca69fe070e

📥 Commits

Reviewing files that changed from the base of the PR and between 45831fc and cd9ebab.

📒 Files selected for processing (2)
  • .gitlab-ci.yml
  • sonar-project.properties
📜 Review details
⏰ Context from checks skipped due to timeout. (1)
  • GitHub Check: Check / Run
🧰 Additional context used
📓 Path-based instructions (3)
**/*

📄 CodeRabbit inference engine (.agents/skills/validate-change/SKILL.md)

**/*: Format changed files with the language-native formatter before the final lint/test pass.
If dynamic plugin behavior changed, use maintain-dynamic-plugins and include the native SDK, worker protocol, Python SDK, docs, packaging, and Codecov surfaces in the validation plan.
If code changes alter APIs, bindings, commands, paths, packaging behavior, observability/adaptive semantics, or documented best practices, update any dependent maintainer or consumer skills in the same branch.
During iteration, prefer uv run pre-commit run --files <changed files...>.
Before review or handoff, run uv run pre-commit run --all-files.

Files:

  • sonar-project.properties
.gitlab-ci.yml

📄 CodeRabbit inference engine (.agents/skills/maintain-packaging/SKILL.md)

Keep CI workflow commands and package references in .gitlab-ci.yml aligned with the current install, build, and example commands.

Files:

  • .gitlab-ci.yml
{.github/**,.gitlab-ci.yml,.pre-commit-config.yaml,justfile,scripts/**}

⚙️ CodeRabbit configuration file

{.github/**,.gitlab-ci.yml,.pre-commit-config.yaml,justfile,scripts/**}: Review automation changes for reproducibility, pinned versions where appropriate, secret handling, and consistency with the documented validation matrix.
Pay attention to commands that need generated native artifacts, FFI libraries, or platform-specific environment variables.

Files:

  • .gitlab-ci.yml
🧠 Learnings (2)
📚 Learning: 2026-04-15T18:16:52.951Z
Learnt from: bbednarski9
Repo: NVIDIA/NeMo-Flow PR: 1
File: docs/atof-event-format.md:381-381
Timestamp: 2026-04-15T18:16:52.951Z
Learning: In docs/atof-event-format.md (and when reviewing references to this format across the NeMo-Flow repo), treat `AtifExporter.events_to_steps()` as the intended public/API method name. Do not flag it as inconsistent with internal Rust symbol names (e.g., `event_to_steps` in `crates/core/src/atif.rs`)—the documentation’s public-facing naming may differ intentionally from internal implementation details.

Applied to files:

  • .gitlab-ci.yml
📚 Learning: 2026-05-01T13:41:07.485Z
Learnt from: willkill07
Repo: NVIDIA/NeMo-Flow PR: 34
File: .gitlab-ci.yml:95-103
Timestamp: 2026-05-01T13:41:07.485Z
Learning: In NVIDIA/NeMo-Flow’s .gitlab-ci.yml, when listing GitHub Actions runs for a tag-triggered workflow, use `gh run list --branch "$tag"` to filter runs by the tag name. For annotated tag pushes in this repo, GitHub sets `headBranch` to the tag (e.g., `0.1.0-rc.5`), so `--branch "$tag"` returns only the tag-triggered run. Prefer this over `--commit <sha>`, which can be less precise because it may include both the tag run and a main-branch run that share the same commit SHA.

Applied to files:

  • .gitlab-ci.yml
🔇 Additional comments (4)
.gitlab-ci.yml (3)

13-13: LGTM!


30-31: LGTM!

Also applies to: 35-54, 56-60


62-65: LGTM!

Also applies to: 75-77

sonar-project.properties (1)

5-8: LGTM!

Comment thread .gitlab-ci.yml
Comment thread .gitlab-ci.yml Outdated
Signed-off-by: Will Killian <wkillian@nvidia.com>
@willkill07 willkill07 closed this Jul 15, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Maintenance CI or Build or general repository maintenance size:S PR is small

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant