From 0e41d14a29bc63dcee5a2fed8e6fdab5e00e9503 Mon Sep 17 00:00:00 2001
From: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Date: Fri, 26 Jun 2026 14:39:22 +0000
Subject: [PATCH 1/3] =?UTF-8?q?feat:=20implement=20issue=20#404=20?= =?UTF-8?q?=E2=80=94=20Compliance:=20sonar-s7637-exemption-missing?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 sonar-project.properties | 41 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)
diff --git a/sonar-project.properties b/sonar-project.properties
index 969dd87a..1232a978 100644
--- a/sonar-project.properties
+++ b/sonar-project.properties
@@ -3,3 +3,44 @@ sonar.organization=petry-projects
 sonar.projectName=google-app-scripts
 sonar.sources=.
 sonar.exclusions=_bmad/**,_bmad-output/**,.claude/**
+
+# SonarCloud S7637 exemption for first-party reusable-ref caller stubs (#498).
+# These thin caller stubs contain ONLY a petry-projects/.github(-private)
+# reusable `uses:` ref, pinned to a moving channel/tag (`@/stable`,
+# `@v1`/`@v2`) by org standard — intentionally NOT SHA-pinned (see
+# standards/ci-standards.md#sonarcloud-exemption-first-party-reusable-ref-s7637
+# and the Action Pinning Policy exemption). S7637 is suppressed on each stub
+# file individually; ci.yml / sonarcloud.yml and any third-party `uses:` keep
+# full SHA-pin enforcement — do NOT replace these with a blanket
+# `workflows/*.yml` resourceKey.
+sonar.issue.ignore.multicriteria=s7637_agentshield,s7637_prreviewmention,s7637_prautoreview,s7637_autorebase,s7637_dependabotrebase,s7637_dependabotautomerge,s7637_dependencyaudit,s7637_featureideation,s7637_addtoproject,s7637_devlead
+
+sonar.issue.ignore.multicriteria.s7637_agentshield.ruleKey=githubactions:S7637
+sonar.issue.ignore.multicriteria.s7637_agentshield.resourceKey=**/agent-shield.yml
+
+sonar.issue.ignore.multicriteria.s7637_prreviewmention.ruleKey=githubactions:S7637
+sonar.issue.ignore.multicriteria.s7637_prreviewmention.resourceKey=**/pr-review-mention.yml
+
+sonar.issue.ignore.multicriteria.s7637_prautoreview.ruleKey=githubactions:S7637
+sonar.issue.ignore.multicriteria.s7637_prautoreview.resourceKey=**/pr-auto-review.yml
+
+sonar.issue.ignore.multicriteria.s7637_autorebase.ruleKey=githubactions:S7637
+sonar.issue.ignore.multicriteria.s7637_autorebase.resourceKey=**/auto-rebase.yml
+
+sonar.issue.ignore.multicriteria.s7637_dependabotrebase.ruleKey=githubactions:S7637
+sonar.issue.ignore.multicriteria.s7637_dependabotrebase.resourceKey=**/dependabot-rebase.yml
+
+sonar.issue.ignore.multicriteria.s7637_dependabotautomerge.ruleKey=githubactions:S7637
+sonar.issue.ignore.multicriteria.s7637_dependabotautomerge.resourceKey=**/dependabot-automerge.yml
+
+sonar.issue.ignore.multicriteria.s7637_dependencyaudit.ruleKey=githubactions:S7637
+sonar.issue.ignore.multicriteria.s7637_dependencyaudit.resourceKey=**/dependency-audit.yml
+
+sonar.issue.ignore.multicriteria.s7637_featureideation.ruleKey=githubactions:S7637
+sonar.issue.ignore.multicriteria.s7637_featureideation.resourceKey=**/feature-ideation.yml
+
+sonar.issue.ignore.multicriteria.s7637_addtoproject.ruleKey=githubactions:S7637
+sonar.issue.ignore.multicriteria.s7637_addtoproject.resourceKey=**/add-to-project.yml
+
+sonar.issue.ignore.multicriteria.s7637_devlead.ruleKey=githubactions:S7637
+sonar.issue.ignore.multicriteria.s7637_devlead.resourceKey=**/dev-lead.yml
From c875f9de08d5348e8d39e12044b5eb34dc330e13 Mon Sep 17 00:00:00 2001
From: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Date: Fri, 26 Jun 2026 18:21:55 +0000
Subject: [PATCH 2/3] chore: apply manual instructions [skip ci-relay]
---
 sonar-project.properties | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/sonar-project.properties b/sonar-project.properties
index 1232a978..b50d159c 100644
--- a/sonar-project.properties
+++ b/sonar-project.properties
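Review bot: In PATCH 1/3, each of the ten `resourceKey` globs (`**/agent-shield.yml` through `**/dev-lead.yml`) silences S7637 for every `uses:` line in any file with that basename, so SHA-pin enforcement on these files now depends only on the comment's statement that a stub holds nothing but a first-party reusable ref. A third-party action added to one of them later on a mutable tag would not be reported, and the moving first-party ref keeps the reusable-workflow repository inside the trust boundary of every caller. Anchor the patterns to the workflow directory, e.g. `sonar.issue.ignore.multicriteria.s7637_agentshield.resourceKey=**/.github/workflows/agent-shield.yml` (assuming the stubs live there, which the patch does not show), and extend the comment with what enforces the stub shape, e.g. `# Stub content (first-party uses: only) is checked by <CI_CHECK_NAME>; update that check when adding a file here.` The placeholder stands for a check this patch does not name; if none exists, that is the gap to close before the list grows.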
@@ -13,7 +13,17 @@ sonar.exclusions=_bmad/**,_bmad-output/**,.claude/**
 # file individually; ci.yml / sonarcloud.yml and any third-party `uses:` keep
 # full SHA-pin enforcement — do NOT replace these with a blanket
 # `workflows/*.yml` resourceKey.
-sonar.issue.ignore.multicriteria=s7637_agentshield,s7637_prreviewmention,s7637_prautoreview,s7637_autorebase,s7637_dependabotrebase,s7637_dependabotautomerge,s7637_dependencyaudit,s7637_featureideation,s7637_addtoproject,s7637_devlead
+sonar.issue.ignore.multicriteria=\
+ s7637_agentshield,\
+ s7637_prreviewmention,\
+ s7637_prautoreview,\
+ s7637_autorebase,\
+ s7637_dependabotrebase,\
+ s7637_dependabotautomerge,\
+ s7637_dependencyaudit,\
+ s7637_featureideation,\
+ s7637_addtoproject,\
+ s7637_devlead

 sonar.issue.ignore.multicriteria.s7637_agentshield.ruleKey=githubactions:S7637
 sonar.issue.ignore.multicriteria.s7637_agentshield.resourceKey=**/agent-shield.yml
From 1a032c81814d23f56308e7f29536a6419952d1d7 Mon Sep 17 00:00:00 2001
From: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Date: Fri, 26 Jun 2026 18:23:59 +0000
Subject: [PATCH 3/3] chore: apply manual instructions [skip ci-relay]
---
 sonar-project.properties | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sonar-project.properties b/sonar-project.properties
index b50d159c..f1dec612 100644
--- a/sonar-project.properties
+++ b/sonar-project.properties
@@ -4,7 +4,7 @@ sonar.projectName=google-app-scripts
 sonar.sources=.
 sonar.exclusions=_bmad/**,_bmad-output/**,.claude/**

-# SonarCloud S7637 exemption for first-party reusable-ref caller stubs (#498).
+# SonarCloud S7637 exemption for first-party reusable-ref caller stubs (#404).
 # These thin caller stubs contain ONLY a petry-projects/.github(-private)
 # reusable `uses:` ref, pinned to a moving channel/tag (`@/stable`,
 # `@v1`/`@v2`) by org standard — intentionally NOT SHA-pinned (see