[AAASM-3815] 🔧 (sonar): Wire projectVersion off 0.0.0 + cover in release skills

[Chisanan232]

Description

Fixes the SonarCloud quality gate showing "Not computed" for python-sdk,
caused by sonar.projectVersion=0.0.0 in sonar-project.properties.

• sonar-project.properties: bump the static sonar.projectVersion off 0.0.0
  to 0.0.1 (local-scan fallback only).
• rw_run_all_test_and_record.yaml (SonarCloud Scan job): derive the version
  from pyproject.toml at scan time and pass it via the scanner args
  (-Dsonar.projectVersion=...), so the gate always tracks the current
  release without manual bumps. The step reads only in-repo content (no
  untrusted event input).
• Release skills (release-runbook, sdk-only-release): document the
  auto-derivation so operators do not hand-bump the literal per release.

Type of Change

• 🔧 Bug fix

Breaking Changes

• No

Related Issues

• Related JIRA ticket: AAASM-3815

Testing

• No tests required (explain why)

CI/config + docs change. The edited workflow passes actionlint cleanly. No
application code changed.

Checklist

• Code follows project style guidelines
• Self-review completed
• Documentation updated if needed

Closes AAASM-3815

🤖 Generated with Claude Code

https://claude.ai/code/session_019mSz31RysZF6DYToUoBWLf

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[Chisanan232]

🤖 Claude Code — PR Review (AAASM-3815)

CI: All checks green (CI Success aggregate ✅, unit/integration tests, codecov, SonarCloud Code Analysis, CodeQL, pip-audit).

Scope: Correct and minimal — sonar-project.properties 0.0.0 → 0.0.1; rw_run_all_test_and_record.yaml derives the version from pyproject.toml and overrides via -Dsonar.projectVersion=…; both release skills (release-runbook, sdk-only-release) document the auto-derive. Diff limited to sonar config + Sonar CI step + skills — no source/test changes. Closes AAASM-3815 present.

Side-effects / injection-safety: ✅ Resolve step reads only in-repo content — grep … pyproject.toml | sed … — no untrusted GitHub event input, no injection surface, and it fails closed (exit 1) if the version can't be parsed. The SonarCloud Scan job was not made gating. Workflow parses (CI green).

Verdict: APPROVE-READY

[Chisanan232]

Amended: the static sonar.projectVersion fallback in sonar-project.properties was a bare 0.0.1; it now matches the repo's real current version 0.0.1rc1 from pyproject.toml (PEP 440). The dynamic CI override (live pyproject version via -Dsonar.projectVersion=...) was already correct — this fixes the local-scan fallback so it no longer diverges from the real release.

Commit cc15287: 🔧 (sonar): Align static fallback to real pyproject version 0.0.1rc1. Pre-commit passed; pushed to remote. PR kept ready, not merged.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud