feat: implement issue #367 — [Fleet Monitor] petry-projects/google-app-scripts — sonarcloud.yml

[don-petry]

Closes #367

Implemented by dev-lead agent. Please review.

[coderabbitai]

Warning

Review limit reached

@don-petry, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 57 minutes and 17 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: ea2f695f-b917-46be-9616-0da8692e0132

📥 Commits

Reviewing files that changed from the base of the PR and between f923f61 and fd191d3.

📒 Files selected for processing (1)

• .github/workflows/sonarcloud.yml

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch dev-lead/issue-367-20260604-1011

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

[don-petry]

Dev-Lead — fix-bot-comment (no-changes)

Agent reasoning

Issues addressed: 0
Open review threads from bot: 0
Scan of changed files for SonarQube hotspot patterns:
  .github/workflows/sonarcloud.yml — CLEAN
    ✓ No curl|bash / wget|bash script injection (RSPEC-4830)
    ✓ No hardcoded credentials (SONAR_TOKEN sourced from secrets)
    ✓ No eval/exec with user-controlled input
    ✓ No HTTP (non-HTTPS) download URLs
    ✓ All action references pinned to SHA digests
Files changed: none required
Skipped (informational): 0
```
The bot comment was empty and no open review threads exist from this bot on PR #368. The only changed file (`.github/workflows/sonarcloud.yml`) contains no SonarQube hotspot patterns — action SHAs are pinned, the `SONAR_TOKEN` comes from repository secrets, and no script-injection or insecure-download patterns are present. No fixes are needed.

[don-petry]

Dev-Lead — review-changes (no-changes)

No changes were needed for this PR.

[don-petry]

Dev-Lead — fix-bot-comment (no-changes)

Agent reasoning

Issues addressed: 0
Analysis:
- PR diff: Only .github/workflows/sonarcloud.yml changed
- Hotspot scan (S4830 script injection, hardcoded creds, HTTP URLs, eval/exec): No matches
- All action steps are pinned to full SHAs ✓
- `actions: write` permission is required by actions/cache@v5 to save cache — not an overly-permissive hotspot
- Open review threads from bot: 0 (query returned [])
Files changed: none
Skipped (informational): N/A — bot comment body was empty; no actionable findings
```
The PR is clean. The only comments present are from `coderabbitai` (rate-limited, no review completed) and `gemini-code-assist` (unsupported file type). No SonarQube bot has commented, no review threads exist, and the diff contains no known SonarQube hotspot patterns.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: fd191d37df

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[Copilot]

Pull request overview

This PR updates the SonarCloud Analysis GitHub Actions workflow to reduce intermittent failures reported by Fleet Monitor (issue #367), aiming to improve reliability and reduce repeated setup work during scans.

Changes:

• Add caching for the SonarScanner installation directory to reduce repeated downloads between runs.
• Add a retry pass for the SonarCloud scan by allowing the first attempt to fail and rerunning the scan once.