diff --git a/sonar-project.properties b/sonar-project.properties
index 969dd87..f1dec61 100644
--- a/sonar-project.properties
+++ b/sonar-project.properties
@@ -3,3 +3,54 @@ sonar.organization=petry-projects
 sonar.projectName=google-app-scripts
 sonar.sources=.
 sonar.exclusions=_bmad/**,_bmad-output/**,.claude/**
+
+# SonarCloud S7637 exemption for first-party reusable-ref caller stubs (#404).
+# These thin caller stubs contain ONLY a petry-projects/.github(-private)
+# reusable `uses:` ref, pinned to a moving channel/tag (`@/stable`,
+# `@v1`/`@v2`) by org standard — intentionally NOT SHA-pinned (see
+# standards/ci-standards.md#sonarcloud-exemption-first-party-reusable-ref-s7637
+# and the Action Pinning Policy exemption). S7637 is suppressed on each stub
+# file individually; ci.yml / sonarcloud.yml and any third-party `uses:` keep
+# full SHA-pin enforcement — do NOT replace these with a blanket
+# `workflows/*.yml` resourceKey.
+sonar.issue.ignore.multicriteria=\
+ s7637_agentshield,\
+ s7637_prreviewmention,\
+ s7637_prautoreview,\
+ s7637_autorebase,\
+ s7637_dependabotrebase,\
+ s7637_dependabotautomerge,\
+ s7637_dependencyaudit,\
+ s7637_featureideation,\
+ s7637_addtoproject,\
+ s7637_devlead
+
+sonar.issue.ignore.multicriteria.s7637_agentshield.ruleKey=githubactions:S7637
+sonar.issue.ignore.multicriteria.s7637_agentshield.resourceKey=**/agent-shield.yml
+
+sonar.issue.ignore.multicriteria.s7637_prreviewmention.ruleKey=githubactions:S7637
+sonar.issue.ignore.multicriteria.s7637_prreviewmention.resourceKey=**/pr-review-mention.yml
+
+sonar.issue.ignore.multicriteria.s7637_prautoreview.ruleKey=githubactions:S7637
+sonar.issue.ignore.multicriteria.s7637_prautoreview.resourceKey=**/pr-auto-review.yml
+
+sonar.issue.ignore.multicriteria.s7637_autorebase.ruleKey=githubactions:S7637
+sonar.issue.ignore.multicriteria.s7637_autorebase.resourceKey=**/auto-rebase.yml
+
+sonar.issue.ignore.multicriteria.s7637_dependabotrebase.ruleKey=githubactions:S7637
+sonar.issue.ignore.multicriteria.s7637_dependabotrebase.resourceKey=**/dependabot-rebase.yml
+
+sonar.issue.ignore.multicriteria.s7637_dependabotautomerge.ruleKey=githubactions:S7637
+sonar.issue.ignore.multicriteria.s7637_dependabotautomerge.resourceKey=**/dependabot-automerge.yml
+
+sonar.issue.ignore.multicriteria.s7637_dependencyaudit.ruleKey=githubactions:S7637
+sonar.issue.ignore.multicriteria.s7637_dependencyaudit.resourceKey=**/dependency-audit.yml
+
+sonar.issue.ignore.multicriteria.s7637_featureideation.ruleKey=githubactions:S7637
+sonar.issue.ignore.multicriteria.s7637_featureideation.resourceKey=**/feature-ideation.yml
+
+sonar.issue.ignore.multicriteria.s7637_addtoproject.ruleKey=githubactions:S7637
+sonar.issue.ignore.multicriteria.s7637_addtoproject.resourceKey=**/add-to-project.yml
+
+sonar.issue.ignore.multicriteria.s7637_devlead.ruleKey=githubactions:S7637
+sonar.issue.ignore.multicriteria.s7637_devlead.resourceKey=**/dev-lead.yml
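Review bot: The ten `resourceKey` globs (`**/agent-shield.yml` through `**/dev-lead.yml`) match by file name anywhere in the tree, and the suppression applies to the whole file rather than to the first-party `uses:` ref, so a third-party action later added to one of these stubs would also escape S7637 unpinned. Anchoring each pattern to the workflow directory narrows the first part, e.g. `sonar.issue.ignore.multicriteria.s7637_agentshield.resourceKey=.github/workflows/agent-shield.yml` (assuming paths resolve from the project root, as `sonar.sources=.` suggests). The comment's invariant that each stub contains ONLY a petry-projects reusable ref is not enforced by anything visible in this hunk; a CI check that fails when an exempt file has a `uses:` outside `petry-projects/` would close the second part. I would then record it in the comment block, e.g. `# Exempt files must contain no third-party uses: refs (enforced by <CI check name>).`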