chore: add SonarCloud integration

[hcvdwerf]

Summary

Adds SonarCloud static analysis to the project.

Changes

• Added sonar-project.properties with project key Health-RI_FAIRDataPoint-client and organization health-ri
• Added SonarCloud scan step to the CI workflow (.github/workflows/test.yml) using SonarSource/sonarcloud-github-action@v5

Setup required

Add a SONAR_TOKEN secret to the repository (Settings → Secrets → Actions). Generate the token in your SonarCloud account under Security settings.

Summary by Sourcery

Integrate SonarCloud static analysis into the project and CI pipeline.

Build:

• Add SonarCloud scan step to the GitHub Actions test workflow using repository and Sonar tokens for authentication.

CI:

• Extend the test workflow to run a SonarCloud analysis job after linting.

Chores:

• Add SonarCloud project configuration via sonar-project.properties to define project metadata, sources, exclusions, and coverage reporting.

[sourcery-ai]

Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

Adds SonarCloud static analysis by introducing a SonarCloud scan step to the CI test workflow and configuring project-level Sonar settings via a new sonar-project.properties file.

Sequence diagram for CI test workflow with SonarCloud scan

sequenceDiagram
  actor Developer
  participant GitHub
  participant GitHubActions
  participant TestJob
  participant SonarCloudAction
  participant SonarCloud

  Developer->>GitHub: Push or open PR
  GitHub->>GitHubActions: Trigger test workflow
  GitHubActions->>TestJob: Start job (uses test.yml)
  TestJob->>TestJob: Install dependencies
  TestJob->>TestJob: Run tests and generate coverage lcov.info
  TestJob->>SonarCloudAction: Execute SonarSource_sonarcloud_github_action_v5
  SonarCloudAction->>GitHubActions: Read SONAR_TOKEN secret
  SonarCloudAction->>SonarCloud: Send analysis using sonar-project.properties
  SonarCloud-->>SonarCloudAction: Analysis results stored and quality reports
  SonarCloudAction-->>GitHubActions: Job status
  GitHubActions-->>GitHub: Report workflow status on commit/PR

Loading

File-Level Changes

Change	Details	Files
Integrate SonarCloud scan into the existing CI workflow.	Add a dedicated SonarCloud Scan job step after linting in the test workflow job. Use the official SonarCloud GitHub Action v5 for running the analysis. Configure the step to use GITHUB_TOKEN and SONAR_TOKEN from GitHub Actions secrets for authentication.	.github/workflows/test.yml
Configure SonarCloud project and analysis parameters for this repository.	Define SonarCloud project key, organization, name, and version to match the FAIRDataPoint client project. Restrict analysis to the src directory and exclude build artifacts and test files from analysis. Wire coverage and TypeScript configuration by pointing SonarCloud to coverage/lcov.info and tsconfig.json.	sonar-project.properties

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[kburger]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[sourcery-ai]

Hey - I've found 1 issue, and left some high level feedback:

• Hardcoding sonar.projectVersion=2.0.0 in sonar-project.properties may quickly drift from the actual app version; consider sourcing this from your build (e.g., package.json or a CI variable) or omitting it to avoid version mismatches.
• Instead of excluding **/*.spec.ts and **/*.test.ts via sonar.exclusions, consider configuring them as test sources with sonar.tests so you still get static analysis on test code while keeping the coverage and metrics separation clear.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- Hardcoding `sonar.projectVersion=2.0.0` in `sonar-project.properties` may quickly drift from the actual app version; consider sourcing this from your build (e.g., package.json or a CI variable) or omitting it to avoid version mismatches.
- Instead of excluding `**/*.spec.ts` and `**/*.test.ts` via `sonar.exclusions`, consider configuring them as test sources with `sonar.tests` so you still get static analysis on test code while keeping the coverage and metrics separation clear.

## Individual Comments

### Comment 1
<location path="sonar-project.properties" line_range="7-10" />
<code_context>
+sonar.projectVersion=2.0.0
+
+sonar.sources=src
+sonar.exclusions=**/node_modules/**,**/dist/**,**/*.spec.ts,**/*.test.ts
+
+sonar.javascript.lcov.reportPaths=coverage/lcov.info
</code_context>
<issue_to_address>
**suggestion (testing):** Revisit exclusions to avoid unintentionally hiding test code from Sonar or missing other generated directories.

Excluding `*.spec.ts` and `*.test.ts` means Sonar won’t see tests at all, which also limits test-level metrics and can skew coverage. Consider using `sonar.test.inclusions` for test patterns, keeping `sonar.sources` for production code, and reserving `sonar.exclusions` for generated/third‑party directories (e.g. `**/coverage/**`, `**/build/**`).

```suggestion
sonar.sources=src
sonar.tests=src
sonar.exclusions=**/node_modules/**,**/dist/**,**/coverage/**,**/build/**
sonar.test.inclusions=**/*.spec.ts,**/*.test.ts

sonar.javascript.lcov.reportPaths=coverage/lcov.info
```
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[kburger]

👍