ci: add SonarQube analysis with coverage

.github/workflows/ci.yml

@@ -1,15 +1,23 @@
 name: CI
 
 on:
-  push:
-    branches: [main]
-  pull_request:
-    branches: [main]
+  workflow_call:
+    outputs:
+      backend-coverage-artifact-name:
+        description: "Name of the uploaded backend coverage artifact"
+        value: ${{ jobs.test.outputs.backend-coverage-artifact-name }}
+      backend-junit-artifact-name:
+        description: "Name of the uploaded backend JUnit test report artifact"
+        value: ${{ jobs.test.outputs.backend-junit-artifact-name }}
 
 jobs:
   test:
     name: Unit · PHP ${{ matrix.php }}
     runs-on: ubuntu-latest
+    outputs:
+      # SonarQube uses the latest PHP version's coverage as the result.
+      backend-coverage-artifact-name: coverage-report-8.4
+      backend-junit-artifact-name: junit-report-8.4
     strategy:
       fail-fast: false
       matrix:
@@ -24,12 +32,12 @@ jobs:
         with:
           php-version: ${{ matrix.php }}
           extensions: hash, mbstring
-          coverage: none
+          coverage: pcov
           tools: composer:v2
 
       - name: Get composer cache directory
         id: composer-cache
-        run: echo "dir=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT
+        run: echo "dir=$(composer config cache-files-dir)" >> "$GITHUB_OUTPUT"
 
       - name: Cache composer dependencies
         uses: actions/cache@v5
@@ -48,8 +56,25 @@ jobs:
       - name: Run PHPStan (static analysis)
         run: vendor/bin/phpstan analyse --no-progress
 
-      - name: Run Pest (unit tests + parity lock)
-        run: composer test
+      - name: Run Pest (unit tests + parity lock, with coverage)
+        run: vendor/bin/pest --testsuite=Unit --coverage-clover=coverage/clover.xml --log-junit=coverage/junit.xml
+
+      - name: Normalize report paths
+        run: sed -i "s|${GITHUB_WORKSPACE}/||g" coverage/clover.xml coverage/junit.xml
+
+      - name: Upload Coverage Report
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage-report-${{ matrix.php }}
+          path: coverage/clover.xml
+          if-no-files-found: error
+
+      - name: Upload JUnit Report
+        uses: actions/upload-artifact@v4
+        with:
+          name: junit-report-${{ matrix.php }}
+          path: coverage/junit.xml
+          if-no-files-found: error
 
   conformance:
     name: W3C Conformance

.github/workflows/main.yml

@@ -0,0 +1,39 @@
+name: Main
+
+on:
+  push:
+    branches: [main]
+
+jobs:
+  ci:
+    name: Continuous Integration
+    uses: ./.github/workflows/ci.yml
+
+  sonar:
+    needs: ci
+    name: SonarQube Analysis
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0 # full history for SCM blame
+
+      - name: Download Backend Coverage Report
+        uses: actions/download-artifact@v4
+        with:
+          name: ${{ needs.ci.outputs.backend-coverage-artifact-name }}
+          path: coverage_BE
+
+      - name: Download Backend JUnit Report
+        uses: actions/download-artifact@v4
+        with:
+          name: ${{ needs.ci.outputs.backend-junit-artifact-name }}
+          path: junit_BE
+
+      - name: SonarQube Scan
+        uses: SonarSource/sonarqube-scan-action@v8.2.0
+        env:
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/pull-request.yml

@@ -0,0 +1,22 @@
+name: Pull Request
+
+on:
+  pull_request:
+
+jobs:
+  actionlint:
+    name: Lint GitHub Actions workflows
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - name: Download actionlint
+        id: get_actionlint
+        run: bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
+        shell: bash
+      - name: Check workflow files
+        run: ${{ steps.get_actionlint.outputs.executable }} -color
+        shell: bash
+
+  ci:
+    name: Continuous Integration
+    uses: ./.github/workflows/ci.yml

sonar-project.properties

@@ -0,0 +1,11 @@
+sonar.projectKey=Accredifysg_PHP-RDF-Canonicalize
+sonar.projectName=PHP-RDF-Canonicalize
+
+# sources and tests
+sonar.sources=src
+sonar.tests=tests
+
+# coverage
+sonar.php.coverage.reportPaths=coverage_BE/clover.xml
+sonar.php.tests.reportPath=junit_BE/junit.xml
+sonar.exclusions=coverage_BE/**,junit_BE/**