The SonarCloud analysis for OCIO has been broken since 2025-11-27, for example:
https://github.com/AcademySoftwareFoundation/OpenColorIO/actions/runs/23099434512/job/67097431524
fails with:
Error: Unable to resolve action sonarsource/sonarcloud-github-c-cpp, repository not found
Around that time SonarCloud had a security issue and switched to updated actions.
Installing, running the Sonar Scanner and uploading results for non C/C++ projects should now be as simple as:
```yaml
- name: Install and Run Sonar Scanner
  uses: SonarSource/sonarqube-scan-action@a31c9398be7ace6bbfaf30c0bd5d415f843d45e9 # v7.0.0
  env:
    SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
```
as demonstrated here:
https://github.com/AcademySoftwareFoundation/aswf-docker/blob/main/.github/workflows/python-sonar.yml
The repo for the new action is here:
https://github.com/SonarSource/sonarqube-scan-action
For C/C++ projects you still need to download and install the build wrapper, as documented here:
https://github.com/SonarSource/sonarqube-scan-action?tab=readme-ov-file#ccobjective-c-with-build-wrapper
Another important detail: when OCIO was first registered against SonarCloud, it was still using `master` as the main git branch. It is now using `main`, but SonarCloud still sees `master`:
https://sonarcloud.io/project/branches_list?id=AcademySoftwareFoundation_OpenColorIO
I believe that once CI integration is restored, the `main` branch should get automatically added to the SonarCloud console, but it will still show old warnings from the `master` branch, and will default to those when you first navigate to the SonarCloud project page for OCIO. Someone from the OCIO team will need to open a ticket with the LF Release Engineering helpdesk to have them remove the `master` branch from SonarCloud and tag the `main` branch as the MAIN BRANCH.
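Added example, not part of the original issue and not OCIO or SonarSource code: a small Python check that scans a workflow file's text for `uses:` lines that still reference the removed action named in the error above, or that are not pinned to a full commit SHA with a version comment the way the snippet above is. The sample workflow, including the `@v2` ref on the old action, is constructed for illustration.

```python
import re

# Action named in the CI error above; its repository no longer resolves.
REMOVED_ACTIONS = {"sonarsource/sonarcloud-github-c-cpp"}

# Matches `uses: owner/repo[/path]@ref` with an optional trailing comment.
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*['\"]?([^@\s'\"]+)@([^\s'\"#]+)['\"]?\s*(?:#\s*(.*))?$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow (not taken from any real repository).
SAMPLE = """\
jobs:
  sonar:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Old C/C++ scan
        uses: sonarsource/sonarcloud-github-c-cpp@v2
      - name: Install and Run Sonar Scanner
        uses: SonarSource/sonarqube-scan-action@a31c9398be7ace6bbfaf30c0bd5d415f843d45e9 # v7.0.0
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
"""

def audit_workflow(text):
    """Return (line_no, action, problem) tuples for one workflow file's text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m or m.group(1).startswith("docker://"):
            continue  # not an action reference we can check
        action, ref, comment = m.groups()
        # Compare owner/repo only (drop any sub-path), case-insensitively.
        repo = "/".join(action.split("/")[:2]).lower()
        if repo in REMOVED_ACTIONS:
            findings.append((line_no, action, "removed action"))
        if not SHA_RE.match(ref):
            findings.append((line_no, action, "ref is not a full commit SHA"))
        elif not comment:
            findings.append((line_no, action, "pinned SHA has no version comment"))
    return findings

if __name__ == "__main__":
    for line_no, action, problem in audit_workflow(SAMPLE):
        print(f"line {line_no}: {action}: {problem}")
```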