
ci: add Sourcery AI and SonarCloud review tools #1

Closed
zaferdace wants to merge 2 commits into main from ci/review-tools

Conversation

zaferdace (Owner) commented Mar 29, 2026

Summary

  • Add .sourcery.yaml for automatic PR code review
  • Add SonarCloud scan job to CI workflow

Setup Required

After merge:

  1. Sourcery AI: Install from https://github.com/apps/sourcery-ai → enable for this repo
  2. SonarCloud: Add SONAR_TOKEN secret (Settings → Secrets → Actions)

Test plan

  • CI build job passes
  • SonarCloud job runs (will fail until SONAR_TOKEN is set — expected)

🤖 Generated with Claude Code

Summary by Sourcery

Add automated static analysis and review tooling configuration for Sourcery AI and SonarCloud in the repository and CI pipeline.

Build:

  • Configure SonarCloud project and organization settings for CI scans via the SonarQube GitHub Action.

CI:

  • Introduce a SonarCloud scan job to the GitHub Actions CI workflow for pushes and eligible pull requests.

Chores:

  • Add Sourcery AI configuration file to enable automatic PR code reviews while ignoring generated and non-code files.

- .sourcery.yaml: auto-review PRs, ignore dist/plugin/json/md
- CI workflow: add sonarcloud job with SonarSource scan action

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
sourcery-ai (Bot) commented Mar 29, 2026

Reviewer's Guide

Adds Sourcery AI configuration for automated PR reviews and introduces a new SonarCloud scan job to the CI workflow, including basic conditions and path exclusions for generated and non-source files.

File-Level Changes

Change: Add SonarCloud analysis as a separate CI job.
Details:
  • Define a new sonarcloud job in GitHub Actions running on ubuntu-latest.
  • Gate the job to run only on pushes or pull requests from branches within the same repository to avoid permission issues on forks.
  • Check out the repository with full history via fetch-depth: 0 to support Sonar analysis.
  • Invoke the SonarSource SonarQube scan action with SONAR_TOKEN from GitHub secrets and hard-coded organization and project key arguments.
Files: .github/workflows/ci.yml

Change: Configure Sourcery AI automated PR reviews and path exclusions.
Details:
  • Introduce a .sourcery.yaml config file enabling automatic review requests but disabling auto-approval and auto-merge.
  • Exclude common generated, dependency, and non-code paths (dist, node_modules, plugin, JSON, Markdown) from Sourcery analysis.
Files: .sourcery.yaml


sourcery-ai (Bot) left a comment

Hey - I've found 2 issues

Prompt for AI Agents
Please address the comments from this code review:

## Individual Comments

### Comment 1
<location path=".github/workflows/ci.yml" line_range="31-33" />
<code_context>
       - name: Quality checks
         run: npm run check
+
+  sonarcloud:
+    runs-on: ubuntu-latest
+    if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository
+
+    steps:
</code_context>
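Review bot: the `sonarcloud` job added in this hunk declares no `permissions:` block, so its GITHUB_TOKEN inherits the workflow or repository default scopes although the job only needs to read the checkout; add `permissions: contents: read` under `sonarcloud:`. It also has no `needs:` on the job that runs `npm run check`, so the scan runs even when the quality checks fail; a `needs:` on that job keeps analysis to code that passed them. The `if:` guard is right to keep `SONAR_TOKEN` away from fork pull requests, but a skipped job reports no status at all, so do not configure it as a required check.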
<issue_to_address>
**issue (bug_risk):** Consider using the SonarCloud-specific GitHub Action rather than the SonarQube scan action.

`SonarSource/sonarqube-scan-action@v5` is intended for self-hosted SonarQube. For SonarCloud, prefer `SonarSource/sonarcloud-github-action@v2`, which applies SonarCloud-specific defaults (host URL, auth, etc.) and better matches the `sonar.organization` / `sonar.projectKey` configuration used here, reducing configuration risk.
</issue_to_address>

### Comment 2
<location path=".github/workflows/ci.yml" line_range="40-47" />
<code_context>
+        with:
+          fetch-depth: 0
+
+      - name: SonarCloud Scan
+        uses: SonarSource/sonarqube-scan-action@v5
+        env:
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+        with:
+          args: >
+            -Dsonar.organization=zaferdace
+            -Dsonar.projectKey=zaferdace_roblox-shipcheck
</code_context>
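Review bot: `uses: SonarSource/sonarqube-scan-action@v5` is a mutable major tag, and this is the step that receives `SONAR_TOKEN`; pin it to the full commit SHA of the release (with the version in a trailing comment) so that a moved tag cannot change the code that handles the secret. The hard-coded `-Dsonar.organization` and `-Dsonar.projectKey` args also duplicate what a `sonar-project.properties` at the repository root would hold and the scanner reads by default; moving them there leaves the workflow free of project identifiers.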
<issue_to_address>
**suggestion (testing):** The Sonar job runs without any build/test steps, which may lead to incomplete analysis (e.g. missing coverage).

Since this job only checks out the repo and runs the scan, Sonar won’t see build artifacts, type information, or coverage reports. Please either consume artifacts from an existing build/test job or add the minimal install/build/test steps here before running the scan so Sonar can use the generated reports.

Suggested implementation:

```yaml
  sonarcloud:
    runs-on: ubuntu-latest
    if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository

    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: npm

      - name: Install dependencies
        run: npm ci

      - name: Run tests with coverage
        run: npm test -- --coverage

      - name: SonarCloud Scan
        uses: SonarSource/sonarqube-scan-action@v5
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        with:
          args: >
            -Dsonar.organization=zaferdace
            -Dsonar.projectKey=zaferdace_roblox-shipcheck
            -Dsonar.javascript.lcov.reportPaths=coverage/lcov.info

```

1. If this project is not Node.js-based, replace the `setup-node`, `npm ci`, and `npm test -- --coverage` steps with the appropriate toolchain setup, build, and test commands that generate coverage for your language.
2. Update the Sonar argument `-Dsonar.javascript.lcov.reportPaths=coverage/lcov.info` to the correct coverage property and path for your stack (e.g., `sonar.python.coverage.reportPaths`, `sonar.go.coverage.reportPaths`, etc.).
3. If you already produce coverage in another job, you may instead:
   - Use `actions/download-artifact` here to fetch that coverage artifact.
   - Remove the install/test steps from this job.
   - Point the Sonar args to the downloaded coverage file(s).
</issue_to_address>

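The third option in the review above (reuse coverage from the build job instead of re-running tests), written out as an added example that is not the PR's own workflow; it also adds the least-privilege `permissions:` and `needs:` a reviewer would ask for. The job name `build`, the artifact name `coverage`, the Node version and the lcov path are assumptions.

```yaml
# Added example, not the PR's workflow. Assumes a job named "build" that
# produces coverage/lcov.info and uploads it as the artifact "coverage".
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read          # least privilege: only reads the checkout
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20    # assumed; match the project's engines field
          cache: npm
      - run: npm ci
      - run: npm run check
      - run: npm test -- --coverage
      - uses: actions/upload-artifact@v4
        with:
          name: coverage
          path: coverage/lcov.info

  sonarcloud:
    runs-on: ubuntu-latest
    needs: build              # only scan code that built and tested cleanly
    # Fork PRs get no secrets, so skip them rather than fail on a missing token.
    if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0      # full history so Sonar can tell new code from old
      - uses: actions/download-artifact@v4
        with:
          name: coverage
          path: coverage      # restores coverage/lcov.info
      - name: SonarCloud Scan
        # Pin to the release's commit SHA instead of the mutable v5 tag before use.
        uses: SonarSource/sonarqube-scan-action@v5
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        with:
          args: >
            -Dsonar.organization=zaferdace
            -Dsonar.projectKey=zaferdace_roblox-shipcheck
            -Dsonar.javascript.lcov.reportPaths=coverage/lcov.info
```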

Inline review thread on .github/workflows/ci.yml (outdated), on lines +40 to +47; Sourcery's comment in this thread is the Comment 2 suggestion above.

```yaml
      - name: SonarCloud Scan
        uses: SonarSource/sonarqube-scan-action@v5
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        with:
          args: >
            -Dsonar.organization=zaferdace
            -Dsonar.projectKey=zaferdace_roblox-shipcheck
```

- Switch from sonarqube-scan-action to sonarcloud-github-action@v5
- Add Node.js setup + npm ci + build before SonarCloud scan
- Remove redundant args (read from sonar-project.properties)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
zaferdace (Owner, Author) commented

Superseded by PR #2 which includes these CI changes plus shooter genre features.

@zaferdace zaferdace closed this Mar 29, 2026