implimenting sonarqube

.config/nextest.toml

@@ -0,0 +1,5 @@
+[profile.ci]
+test-threads = "num-cpus"
+
+[profile.ci.junit]
+path = "junit.xml"

.gitea/workflows/ci.yml

@@ -0,0 +1,84 @@
+name: CI
+
+on:
+  push:
+    branches: [master]
+  pull_request:
+
+jobs:
+  # Format check is platform-independent.
+  fmt:
+    name: Format
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dtolnay/rust-toolchain@stable
+        with:
+          components: rustfmt
+      - run: cargo fmt --all -- --check
+
+  # Clippy → SARIF + coverage + tests → lcov/JUnit, then upload to SonarQube.
+  # Runs on Linux. rfd pulls in gtk3 on Linux so we install those headers first.
+  sonarqube:
+    name: SonarQube
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0   # full history required for blame data and new-code detection
+
+      - name: Install Linux GUI dependencies
+        run: sudo apt-get update && sudo apt-get install -y libgtk-3-dev pkg-config
+
+      - uses: dtolnay/rust-toolchain@stable
+        with:
+          components: clippy, llvm-tools-preview
+
+      - uses: Swatinem/rust-cache@v2
+
+      - name: Install cargo tooling
+        run: cargo install clippy-sarif sarif-fmt cargo-nextest cargo-llvm-cov --locked
+
+      # Emit Clippy diagnostics as SARIF for SonarQube generic issue import.
+      # continue-on-error so clippy failures surface in SQ rather than aborting here.
+      - name: Clippy → SARIF
+        run: |
+          mkdir -p target
+          cargo clippy --workspace --message-format=json -- -D warnings \
+            | clippy-sarif \
+            | tee target/clippy-report.sarif \
+            | sarif-fmt
+        continue-on-error: true
+
+      # Run tests under llvm-cov to get both coverage (lcov) and JUnit results
+      # in a single pass. The nextest CI profile writes JUnit to
+      # target/nextest/ci/junit.xml as configured in .config/nextest.toml.
+      - name: Coverage + tests
+        run: |
+          cargo llvm-cov nextest \
+            --workspace \
+            --profile ci \
+            --lcov --output-path target/lcov.info
+
+      - name: SonarQube Scan
+        uses: SonarSource/sonarqube-scan-action@v7
+        env:
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
+
+      - name: SonarQube Quality Gate
+        uses: SonarSource/sonarqube-quality-gate-action@v1
+        timeout-minutes: 5
+        env:
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
+
+  # cargo-deny handles what SQ Community cannot: RustSec advisories and license policy.
+  deny:
+    name: Cargo Deny
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          command: check advisories licenses bans

.gitignore

@@ -1,7 +1,6 @@
 /target
 # Local Qryon index/cache (created by `qryon scan`)
 .qryon/
-.gitea
 .cursor
 .idea/
 target/*

sonar-project.properties

@@ -0,0 +1,18 @@
+sonar.projectKey=bytedraft
+sonar.projectName=ByteDraft
+sonar.projectVersion=1.0
+
+sonar.sources=crates
+sonar.exclusions=**/target/**,**/*.lock
+sonar.inclusions=**/*.rs
+
+# Clippy issues imported via SARIF (generated in CI workflow)
+sonar.sarifReportPaths=target/clippy-report.sarif
+
+# Test results from cargo-nextest CI profile
+sonar.testExecutionReportPaths=target/nextest/ci/junit.xml
+
+# Code coverage from cargo-llvm-cov
+sonar.coverageReportPaths=target/lcov.info
+
+sonar.scm.provider=git