
chore(ci): add SonarCloud, Snyk SAST, and Codecov — fix blocking lint#23

Merged
Rahul Dass (rahuldass19) merged 3 commits into main from chore/add-security-tooling on May 24, 2026

Conversation

Rahul Dass (rahuldass19), Member, commented May 24, 2026

What

Brings qwed-a2a's CI/CD tooling to parity with qwed-verification.

Changes

New: .github/workflows/sonar.yml

  • Dedicated SonarCloud workflow on push + PR
  • Runs pytest with coverage before scanning
  • fetch-depth: 0 for accurate blame/history analysis

New: .github/workflows/snyk.yml

  • Two jobs: dependency scan + SAST (code analysis)
  • Runs on PRs and weekly Monday schedule
  • Both upload SARIF to GitHub Security tab

Updated: .github/workflows/ci.yml

  • Removed inline Sonar/Snyk steps (now in dedicated workflows)
  • Added Codecov coverage upload
  • Lint is now blocking — removed || echo "failed" fallback

Updated: sonar-project.properties

  • Added sonar.python.coverage.reportPaths=coverage.xml

Why

PRs (including contributor PRs like #21) were running without a Sonar quality gate, Snyk SAST, or Codecov coverage tracking. Lint was also non-blocking, meaning formatting violations were silently ignored.

Summary by CodeRabbit

Release Notes

  • Chores
    • Improved continuous integration testing pipeline with automated coverage tracking and comprehensive reporting to enhance code quality visibility
    • Added automated security scanning to detect and prevent vulnerability issues in dependencies and source code
    • Integrated continuous code quality analysis for consistent assessment throughout the development lifecycle

Review Change Stack

sonar.yml:
- Dedicated SonarCloud workflow (push + PR)
- Runs pytest with coverage before scan
- fetch-depth: 0 for full history analysis

snyk.yml:
- Dedicated Snyk workflow (PR + weekly schedule)
- Two jobs: dependency scan + SAST (code analysis)
- Both upload SARIF to GitHub Security tab

ci.yml:
- Remove inline Sonar/Snyk steps (now in dedicated workflows)
- Add Codecov coverage upload (Python 3.11 only)
- Add pytest-cov flags and coverage.xml output
- Lint is now BLOCKING — removed '|| echo' fallback

sonar-project.properties:
- Add sonar.python.coverage.reportPaths=coverage.xml
@github-advanced-security


You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

coderabbitai Bot commented May 24, 2026

Warning

Review limit reached

@rahuldass19, we couldn't start this review because you've used your available PR reviews for now.

Your plan currently allows 1 review/hour. Refill in 49 minutes and 54 seconds.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more review capacity refills, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than trial, open-source, and free plans. In all cases, review capacity refills continuously over time.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: d401d78e-6777-4318-803a-d264d1930a9e

📥 Commits

Reviewing files that changed from the base of the PR and between f3ef4e1 and 973a189.

📒 Files selected for processing (9)
  • .github/workflows/ci.yml
  • .github/workflows/snyk.yml
  • .github/workflows/sonar.yml
  • src/qwed_a2a/interceptor.py
  • src/qwed_a2a/protocol/endpoints.py
  • src/qwed_a2a/protocol/schema.py
  • src/qwed_a2a/security/crypto.py
  • src/qwed_a2a/security/trust_boundary.py
  • src/qwed_a2a/utils/telemetry.py
📝 Walkthrough

This PR refactors the GitHub Actions CI infrastructure by decoupling coverage reporting from the main CI workflow, integrating Codecov for coverage tracking, and moving Snyk and SonarCloud quality/security scans into independent dedicated workflows that are triggered on push/PR events and weekly schedules.

Changes

CI Workflow Refactoring and Security Scanning

| Layer | File(s) | Summary |
|---|---|---|
| Coverage infrastructure in CI test job | .github/workflows/ci.yml | The test job adds pytest-asyncio and pytest-cov dependencies, runs pytest with coverage collection for src/qwed_a2a, outputs coverage.xml and test-results.xml artifacts, and conditionally uploads coverage to Codecov using CODECOV_TOKEN for Python 3.11 only. |
| Test result reporting | .github/workflows/ci.yml | Mergify CI Insights step uploads test-results.xml to track test results in CI, guarded by MERGIFY_TOKEN. |
| Lint job simplification | .github/workflows/ci.yml | Black and Ruff lint commands now run in blocking mode (removing prior `\|\| echo` fallback patterns), and linter installation is streamlined. |
| Snyk security scanning workflow | .github/workflows/snyk.yml | New workflow runs dependency scanning (snyk test) and SAST scanning (snyk code test) on PRs to main and weekly, uploading SARIF results to GitHub Security with SNYK_TOKEN and SNYK_ORG_ID. |
| SonarCloud code quality workflow | .github/workflows/sonar.yml | New workflow triggers on main pushes and PR events, installs dev dependencies including pytest-asyncio and pytest-cov, runs pytest with coverage reporting, and executes the SonarCloud scan via sonarqube-scan-action. |
| SonarCloud coverage configuration | sonar-project.properties | Adds sonar.python.coverage.reportPaths=coverage.xml to direct SonarCloud's Python analysis to the generated coverage report. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • QWED-AI/qwed-a2a#1: Earlier CI scaffolding changes for pytest reporting and SonarCloud/Snyk integration in .github/workflows/ci.yml test job behavior.
  • QWED-AI/qwed-a2a#4: Updates SonarCloud and Snyk GitHub Action version pins in workflows, aligning with this PR's dedicated workflow consolidation.

Poem

🐰 Coverage flows like morning dew,
From tests to Sonar, old and new.
Snyk guards while CodeCov gleams,
CI workflows dance in separate streams.
Quality and speed combine—
A rabbit's pipeline, oh so fine! 🌿

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title directly and comprehensively describes the main changes: adding SonarCloud, Snyk SAST, and Codecov integrations, plus fixing the blocking lint issue. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


coderabbitai Bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (1)
.github/workflows/snyk.yml (1)

22-23: ⚡ Quick win

Add persist-credentials: false to checkout actions.

The checkout action persists git credentials by default. Since this workflow only reads the repository and doesn't need to push changes, disabling credential persistence reduces the risk of credential exposure in subsequent steps or artifacts.

The same change should be applied to the checkout on line 56.

🔐 Proposed fix
       - name: Checkout repository
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        with:
+          persist-credentials: false

Apply the same to the second checkout (lines 55-56):

       - name: Checkout repository
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        with:
+          persist-credentials: false
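Review bot: worth stating in the fix description that neither hunk changes what the later steps in snyk.yml can do: the Snyk steps authenticate with SNYK_TOKEN and the SARIF upload receives the workflow token as an action input, so neither relies on the credential that checkout would otherwise leave in .git/config. The same holds for the sonar.yml checkout called out in the inline comments, where fetch-depth: 0 only needs the token during the clone itself, so `persist-credentials: false` can be added there without touching the history fetch.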
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Around line 21-22: The checkout steps using "uses:
actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332" should be hardened by
adding persist-credentials: false to their step configuration; locate each
actions/checkout step (the one in the test job and the other in the lint job)
and add a persist-credentials: false key under that step so Git credentials are
not left in the runner's credential store.

In @.github/workflows/sonar.yml:
- Around line 20-24: The actions/checkout step currently uses fetch-depth: 0 but
leaves the GITHUB_TOKEN persisted; update the checkout configuration (the step
that uses actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332) to set
persist-credentials: false so the token is not written to the checked-out repo
git config during PR runs; keep fetch-depth: 0 as-is and ensure the change is
applied in the same checkout step block in the sonar workflow.

---

Nitpick comments:
In @.github/workflows/snyk.yml:
- Around line 22-23: Update the two checkout steps that use "uses:
actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332" (the steps titled
"Checkout repository") to include the option persist-credentials: false under
their step configuration so git credentials are not persisted; ensure both
occurrences (the initial checkout and the second checkout later in the workflow)
are updated with the same key/value.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: b7b69a26-d7a4-4199-ad1a-79b01eb55f76

📥 Commits

Reviewing files that changed from the base of the PR and between ff2b0c8 and f3ef4e1.

📒 Files selected for processing (4)
  • .github/workflows/ci.yml
  • .github/workflows/snyk.yml
  • .github/workflows/sonar.yml
  • sonar-project.properties

- Run black --target-version py311 on src/ — 5 files reformatted
  (lint was previously non-blocking so formatting drift went unnoticed)
- Add --target-version py311 to black --check in ci.yml
- Add persist-credentials: false to all actions/checkout steps
  in ci.yml (x2), sonar.yml (x1), snyk.yml (x2)
  Addresses CodeRabbit zizmor artipacked warning
crypto.py: remove unused json import
trust_boundary.py: remove unused defaultdict and field imports

Pre-existing drift — previously hidden by non-blocking lint.
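The three hardening points raised across this PR (a blocking lint step with no `|| echo` fallback, `persist-credentials: false` on every actions/checkout step, and action refs pinned to a full commit SHA) can be checked mechanically before a workflow lands. The audit script below is an added example, not code from the qwed-a2a project; it assumes a simple line-based step splitter instead of a YAML parser, the workflow text is constructed, and the all-zero SHA in the hardened variant is a placeholder pin.

```python
import re
STEP_RE = re.compile(r"^(\s*)- (?:name|uses|run|id):")  # first line of a step
USES_RE = re.compile(r"^\s*(?:- )?uses:\s*(\S+)")
SHA_RE = re.compile(r"@[0-9a-f]{40}$")                  # pinned to a full commit SHA
PERSIST_RE = re.compile(r"persist-credentials:\s*false\b")
FALLBACK_RE = re.compile(r"\|\|\s*(?:echo|true)\b")     # turns a failure into success

def split_steps(text):
    """Group lines into steps: from a '- name/uses/run/id:' item to the next item or a dedent."""
    steps, current, indent = [], None, 0
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = STEP_RE.match(line)
        if m:
            current, indent = [], len(m.group(1))
            steps.append(current)
        elif current is not None and len(line) - len(line.lstrip()) < indent:
            current = None  # dedented below the step item: left the steps list
        if current is not None:
            current.append((no, line))
    return steps

def audit_workflow(text):
    """Return [(line_no, finding), ...] for the text of one workflow file."""
    findings = []
    for step in split_steps(text):
        persisted = any(PERSIST_RE.search(l) for _, l in step)
        for no, line in step:
            m = USES_RE.match(line)
            if m and not SHA_RE.search(m.group(1)):
                findings.append((no, "action not pinned to a commit SHA: " + m.group(1)))
            if m and m.group(1).startswith("actions/checkout@") and not persisted:
                findings.append((no, "checkout step lacks persist-credentials: false"))
            if FALLBACK_RE.search(line):
                findings.append((no, "non-blocking fallback hides failures: " + line.strip()))
    return sorted(findings)

# Constructed sample (not the project's file): a lint job before this PR's hardening.
BEFORE = """\
steps:
  - name: Checkout repository
    uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
  - uses: actions/setup-python@v5
  - name: Lint
    run: black --check src/ || echo "failed"
"""
# The same job after the PR's fixes (the all-zero SHA is a placeholder pin).
AFTER = BEFORE.replace("# v4.1.7\n", "# v4.1.7\n    with:\n      persist-credentials: false\n") \
    .replace("@v5", "@" + "0" * 40).replace(' || echo "failed"', "")
```

Running `audit_workflow(BEFORE)` reports the unpersisted checkout, the tag-pinned setup-python and the `|| echo` fallback, while `audit_workflow(AFTER)` returns an empty list.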
@rahuldass19 Rahul Dass (rahuldass19) merged commit 4252733 into main May 24, 2026
16 checks passed