docs(skill): diagnose SonarCloud green-on-PR but red-on-main #91
Dependency Review: ✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found. Scanned files: none.
Code Review
This pull request adds a new section to SKILL.md explaining why SonarCloud might pass on a PR but fail on the main branch, along with helper commands to query the SonarCloud API. The feedback suggests making the jq parsing in these commands more robust by utilizing optional chaining and default fallbacks to prevent errors from missing or null fields.
A PR can pass SonarCloud's new-code gate while the default-branch gate fails on new_security_hotspots_reviewed (must be 100%) or overall coverage. Hotspots need reviewing (marked Safe/Fixed), not fixing, and are often pre-existing in untouched files. Add a section to security-config.md with the project_status and hotspots API calls. (Kept out of SKILL.md, which is at its 500-word cap.)

Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>
Adds a Quick Diagnostics entry for a confusing CI state: a PR passes SonarCloud's new-code quality gate (0 new issues) but the default-branch gate goes red after merge.
Root cause: the branch gate evaluates conditions the PR analysis doesn't — most often new_security_hotspots_reviewed (must be 100%) and overall coverage. Security Hotspots require reviewing (marked Safe/Fixed in the UI), not code fixes, and are frequently pre-existing in files the PR never touched. Entry includes the project_status and hotspots/search API calls to confirm before blaming the merge. Sourced from a real session.
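As an added example (not code from the PR, the skill doc or the project), a Python script that confirms both causes named above before blaming the merge: it reads the default branch's failed gate conditions from qualitygates/project_status and the still-unreviewed hotspots from hotspots/search, reading every field with a default as the review comment recommends. Endpoint names and parameters follow SonarQube's public Web API; the token-as-basic-auth-username scheme, the environment variable names and the sample JSON are assumptions or constructed.

```python
import base64
import json
import os
import urllib.parse
import urllib.request

SONAR_URL = "https://sonarcloud.io"  # SonarCloud's public API base (assumed)
# Constructed samples shaped like qualitygates/project_status and hotspots/search, with the missing fields the review warns about.
SAMPLE_STATUS = {"projectStatus": {"status": "ERROR", "conditions": [
    {"status": "ERROR", "metricKey": "new_security_hotspots_reviewed", "errorThreshold": "100", "actualValue": "0.0"},
    {"status": "ERROR", "metricKey": "coverage", "errorThreshold": "80"},  # actualValue absent
    {"status": "OK", "metricKey": "new_reliability_rating", "errorThreshold": "1", "actualValue": "1"},
]}}
SAMPLE_HOTSPOTS = {"hotspots": [
    {"key": "h1", "component": "demo:src/legacy/db.py", "line": 42, "status": "TO_REVIEW"},
    {"key": "h2", "component": "demo:src/legacy/db.py", "line": 77, "status": "TO_REVIEW"},
    {"key": "h3", "component": "demo:src/new_feature.py", "status": "REVIEWED"},
    {"key": "h4"},  # neither component nor status present
]}

def failed_conditions(project_status):
    """Return [(metricKey, actualValue, errorThreshold)] for failed gate conditions, reading every field with a default."""
    status = (project_status or {}).get("projectStatus") or {}
    return [(c.get("metricKey", "?"), c.get("actualValue", "n/a"), c.get("errorThreshold", "n/a"))
            for c in (status.get("conditions") or []) if (c or {}).get("status") == "ERROR"]

def unreviewed_hotspots(hotspots):
    """Return {file_path: count} of hotspots still TO_REVIEW (assumed when status is absent, as the query filtered on it)."""
    counts = {}
    for h in filter(None, (hotspots or {}).get("hotspots") or []):  # skip null entries
        if h.get("status", "TO_REVIEW") != "TO_REVIEW":
            continue
        path = (h.get("component") or "?").split(":", 1)[-1]  # component is "<projectKey>:<path>"
        counts[path] = counts.get(path, 0) + 1
    return counts

def fetch(endpoint, params, token):
    """GET /api/<endpoint> with the token as basic-auth username (assumed scheme)."""
    req = urllib.request.Request(f"{SONAR_URL}/api/{endpoint}?{urllib.parse.urlencode(params)}")
    req.add_header("Authorization", "Basic " + base64.b64encode(f"{token}:".encode()).decode())
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)
if __name__ == "__main__":
    token, q = os.environ.get("SONAR_TOKEN"), {"projectKey": os.environ.get("SONAR_PROJECT_KEY", "demo"), "branch": "main"}
    status = fetch("qualitygates/project_status", q, token) if token else SAMPLE_STATUS  # live only with a token
    hotspots = fetch("hotspots/search", {**q, "status": "TO_REVIEW"}, token) if token else SAMPLE_HOTSPOTS
    for metric, actual, threshold in failed_conditions(status):
        print(f"FAILED {metric}: actual={actual} threshold={threshold}")
    for path, n in sorted(unreviewed_hotspots(hotspots).items()):
        print(f"{n:3d} unreviewed hotspot(s) in {path}")
```

Without SONAR_TOKEN set the script runs offline on the constructed samples, which is enough to see that a file the PR never touched is what holds the hotspot condition at 0% reviewed.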