CCM-17846: Sonar PR Decoration Fix

[jamesthompson26-nhs]

Problem

SonarCloud PR decoration (quality gate comment on PRs) was not appearing reliably on pushes to open PRs.

Two root causes were identified:

1. scripts/reports/perform-static-analysis.sh always passed -Dsonar.branch.name, forcing SonarCloud into branch analysis mode.
   PR decoration requires PR analysis mode with:

   • sonar.pullrequest.key
   • sonar.pullrequest.branch
   • sonar.pullrequest.base

2. The PR workflow did not previously run with PR context on every PR update.
   Without pull_request: synchronize, pushes to an open PR could miss the required PR event context for Sonar PR analysis.

---

Fix

1) Sonar scanner context switching in static analysis script

Updated scripts/reports/perform-static-analysis.sh to build Sonar arguments dynamically:

• For GITHUB_EVENT_NAME=pull_request:
  • -Dsonar.pullrequest.key=...
  • -Dsonar.pullrequest.branch=...
  • -Dsonar.pullrequest.base=...
• Otherwise:
  • -Dsonar.branch.name=...

This enables proper SonarCloud PR decoration for PR-triggered runs while preserving branch analysis for non-PR runs.

2) PR workflow now triggers on PR updates (synchronize)

Updated .github/workflows/cicd-1-pull-request.yaml:

• pull_request.types now includes:
  • opened
  • reopened
  • synchronize

This ensures each push to an open PR runs in PR event context, allowing the script above to select PR analysis mode.

3) Added concurrency guard to avoid duplicate CI spend

Added workflow concurrency for same ref:

• Group: ${{ github.workflow }}-${{ github.head_ref || github.ref_name }}
• cancel-in-progress: true

4) Added push trigger for main

Updated .github/workflows/cicd-1-pull-request.yaml to also run on:

• push.branches: [main]

This ensures the pipeline runs after PR merge to main for post-merge validation/publish flow.

---

Resulting behavior

• On PR open/reopen/update: workflow runs with pull_request context, Sonar uses PR analysis mode, decoration can be posted to PR.
• On merge to main: workflow runs on push to main.
• Duplicate run protection: concurrency cancels superseded runs for the same branch/workflow key.
• PR Workflow no longer runs on commits prior to PR creation: may be contentious but more in line with the workflow's intention.

Type of changes

• Refactoring (non-breaking change)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would change existing functionality)
• Bug fix (non-breaking change which fixes an issue)

Checklist

• I am familiar with the contributing guidelines
• I have followed the code style of the project
• I have added tests to cover my changes
• I have updated the documentation accordingly
• This PR is a result of pair or mob programming

DT3-Specific Checklist

• If I have added a new resource (SQS, Lambda, Gateway, DDB table, etc), I have created the appropriate alarms

---

Sensitive Information Declaration

To ensure the utmost confidentiality and protect your and others privacy, we kindly ask you to NOT including PII (Personal Identifiable Information) / PID (Personal Identifiable Data) or any other sensitive data in this PR (Pull Request) and the codebase changes. We will remove any PR that do contain any sensitive information. We really appreciate your cooperation in this matter.

• I confirm that neither PII/PID nor sensitive data are included in this PR and the codebase changes.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud