Add SonarQube scan workflow with security-hardened permissions

[Copilot]

Adds GitHub Actions workflow for SonarQube code analysis triggered on pushes to maintree/main.

Changes

• Created .github/workflows/build.yml with SonarSource scan action v5
• Configured explicit permissions: contents: read to limit GITHUB_TOKEN scope
• Enabled full git history checkout (fetch-depth: 0) for accurate analysis
• Included commented quality gate action for optional deployment gates

Configuration Required

Repository secrets needed:

• SONAR_TOKEN - SonarQube authentication token
• SONAR_HOST_URL - SonarQube server endpoint

Existing sonar-project.properties already configured with project key.

Original prompt

create this for meee

.github/workflows/build.yml

name: Build

on:
push:
branches:
- maintree/main

jobs:
build:
name: Build and analyze
runs-on: ubuntu-latest

steps:
  - uses: actions/checkout@v4
    with:
      fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
  - uses: SonarSource/sonarqube-scan-action@v5
    env:
      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
      SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
  # If you wish to fail your job when the Quality Gate is red, uncomment the
  # following lines. This would typically be used to fail a deployment.
  # - uses: SonarSource/sonarqube-quality-gate-action@v1
  #   timeout-minutes: 5
  #   env:
  #     SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
vibe-prompting	Ready	Preview	Comment	Nov 17, 2025 7:05am