
[AAASM-2774] 🔧 (sonar): Wire projectVersion off 0.0.0 + cover in release skills #203

Merged: Chisanan232 merged 3 commits into master from v0.0.1/AAASM-2774/sonar_projectversion, Jun 26, 2026

@Chisanan232

Contributor

Target

Fix the SonarCloud quality gate showing "Not computed" on node-sdk, caused by sonar.projectVersion=0.0.0 in sonar-project.properties, and make the version self-maintaining across releases.

  • Task summary:

    • Set sonar.projectVersion off 0.0.0 (static fallback now 0.0.1-rc.1, the current package.json version).
    • Wired the CI Sonar scan to dynamically derive sonar.projectVersion from package.json (-Dsonar.projectVersion=<version>), so the gate auto-advances every release with no manual bump.
    • Documented the auto-derive behaviour in both release skills so future releases keep the gate current.
  • Task tickets:

    • Task ID: AAASM-2774.
    • Relative task IDs:
      • N/A.
    • Relative PRs:
      • N/A.
  • Key point change (optional):

    • .github/workflows/quality-report.yml: new Resolve package version for Sonar step reads package.json version into a step output; the SonarQube Scan step passes it via args: -Dsonar.projectVersion=.... This overrides the static value at scan time, so the gate version always tracks package.json.
    • sonar-project.properties: 0.0.0 -> 0.0.1-rc.1, kept only as a fallback (the CI override is authoritative). Annotated so it stays off 0.0.0.
    • .claude/skills/release-runbook/SKILL.md + .claude/skills/sdk-only-release/SKILL.md: note that sonar.projectVersion is auto-derived from package.json -- no manual bump required on the release path.

Effecting Scope

  • Action Types:
    • 🔧 Fixing bug
  • Scopes:
    • 🚀 Building
      • 🤖 CI/CD
      • 📦 Project configurations
    • 📚 Documentation
  • Additional description:
    Config + workflow + docs only; no source or test changes. Validated with pnpm install, pnpm lint, pnpm typecheck (all clean).

Description

  • sonar.projectVersion=0.0.0 left the SonarCloud gate "Not computed". This sets a real version and, more importantly, wires CI to derive it from package.json so it auto-advances each release. Both release runbooks now document the auto-derive so the gate never regresses to 0.0.0.

Closes AAASM-2774

🤖 Generated with Claude Code

Chisanan232 and others added 3 commits June 26, 2026 17:53
0.0.0 stalls the SonarCloud quality gate at "Not computed". Set the static
fallback to the current package version and document that CI overrides it.

Refs AAASM-2774

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_019mSz31RysZF6DYToUoBWLf

Pass -Dsonar.projectVersion=<package.json version> to the Sonar scan so the
quality gate auto-advances each release instead of being pinned to a literal.

Refs AAASM-2774

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_019mSz31RysZF6DYToUoBWLf

Note in both release runbooks that quality-report.yml derives
sonar.projectVersion from package.json, so no manual bump is needed on the
release path; keep the static fallback roughly in step.

Refs AAASM-2774

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_019mSz31RysZF6DYToUoBWLf

@codecov

codecov Bot commented Jun 26, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.


@Chisanan232

Contributor Author

🤖 Claude Code — PR Review (AAASM-2774)

CI: All checks green (test 18/20/22/24, napi-build, module-smoke, quality, coverage-and-analysis, SonarCloud Code Analysis, CodeQL, audit).

Scope: Correct and minimal — sonar-project.properties 0.0.0 -> 0.0.1-rc.1 (matches current package.json); CI quality-report.yml derives the live version and overrides via -Dsonar.projectVersion=…; both release skills (release-runbook, sdk-only-release) document the auto-derive. git diff --stat is limited to sonar config + the Sonar CI step + skills — no source/test changes. Closes AAASM-2774 present.

Side-effects / injection-safety: ✅ The resolve step reads only in-repo content — node -p "require('./package.json').version" — no ${{ github.event.* }} input, so no script-injection surface. The Sonar scan step was not made gating (gating behavior unchanged by this PR; fork PRs skip the scan as SONAR_TOKEN is empty). Workflow still parses (CI ran green).

Verdict: APPROVE-READY
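
The resolve step discussed in this PR, sketched as an added example that is not the project's workflow code: it takes package.json text, accepts only a semver-shaped version, and builds the step-output line and the `-Dsonar.projectVersion` argument. The function names, the step-output name `version` and the sample inputs are assumptions.

```javascript
// Added example, not the project's workflow code. Function names and the
// step-output name "version" are assumptions.

// Semver-shaped: MAJOR.MINOR.PATCH with optional -prerelease and +build.
const SEMVER = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Parse package.json text and return its version, or throw when the value is
// missing or not semver-shaped. Anything else (whitespace, newlines, shell
// metacharacters) never reaches the step output or the scanner arguments.
function resolveSonarVersion(packageJsonText) {
  const { version } = JSON.parse(packageJsonText);
  if (typeof version !== "string" || !SEMVER.test(version)) {
    throw new Error(`version is not semver-shaped: ${JSON.stringify(version)}`);
  }
  if (version === "0.0.0") {
    // The value this PR moves away from (gate shown as "Not computed").
    throw new Error("version is still the 0.0.0 placeholder");
  }
  return version;
}

// Line to append to the file named by $GITHUB_OUTPUT (name=value format).
function stepOutputLine(version) {
  return `version=${version}\n`;
}

// Scanner argument that overrides the static sonar-project.properties value.
function sonarArg(version) {
  return `-Dsonar.projectVersion=${version}`;
}

function plan(packageJsonText) {
  const version = resolveSonarVersion(packageJsonText);
  return { version, output: stepOutputLine(version), arg: sonarArg(version) };
}

// Constructed sample inputs: one valid, three that must be rejected.
const samples = [
  '{"name":"node-sdk","version":"0.0.1-rc.1"}',
  '{"name":"node-sdk","version":"0.0.0"}',
  '{"name":"node-sdk","version":"1.2.3\\nextra=1"}',
  '{"name":"node-sdk"}',
];
for (const text of samples) {
  try { console.log(plan(text).arg); }
  catch (err) { console.log(`rejected: ${err.message}`); }
}
```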

Chisanan232 marked this pull request as ready for review June 26, 2026 10:05
Chisanan232 merged commit 2e2a2f6 into master Jun 26, 2026
17 checks passed
Chisanan232 deleted the v0.0.1/AAASM-2774/sonar_projectversion branch June 26, 2026 10:39