[ACA-5022]Initial configuration for SonarQube cloud

.github/workflows/sonarcloud.yml

@@ -0,0 +1,41 @@
+---
+# SonarCloud analysis for cloud.aws_ops
+#
+# Uses the same-repo + default-branch push model: GitHub does not expose org secrets to workflows
+# from fork PRs (see https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions).
+# This job is gated so the Sonar token is never available in untrusted fork contexts. A follow-up
+# workflow triggered by workflow_run + artifacts is an alternative if the org later requires Sonar
+# with coverage on fork PRs (see README.md and https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflow_run).
+name: SonarCloud
+
+on:
+  push:
+    branches:
+      - main
+      - stable-*
+  pull_request:
+    branches:
+      - main
+      - stable-*
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  pull-requests: read
+
+jobs:
+  sonarqube:
+    name: SonarCloud Scan
+    runs-on: ubuntu-latest
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: SonarCloud Scan
+        # Same pinned version as ansible-collections/amazon.aws sonarcloud.yml
+        uses: SonarSource/sonarqube-scan-action@a31c9398be7ace6bbfaf30c0bd5d415f843d45e9
+        env:
+          SONAR_TOKEN: ${{ secrets.ANSIBLE_COLLECTIONS_ORG_SONAR_TOKEN_CICD_BOT }}

README.md

@@ -2,6 +2,23 @@
 
 This repository hosts the `cloud.aws_ops` Ansible Collection.
 
+## SonarCloud (code quality)
+
+Static analysis runs on [SonarCloud](https://sonarcloud.io) using `sonar-project.properties` and
+`.github/workflows/sonarcloud.yml`. **Note:** Coverage in SonarCloud is not wired yet.
+
+The SonarCloud project key must match `sonar.projectKey` (`ansible-collections_cloud.aws_ops`). Adding
+or renaming the project is coordinated via Ansible Collections maintainers.
+
+GitHub does not expose organization secrets to workflows for pull requests opened from forks. The
+Sonar job therefore only runs on pushes to this repository's branches and on pull requests where the
+head branch is on `redhat-cop/cloud.aws_ops` (not from forks). That matches GitHub's
+documented behavior for [secrets in Actions](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions).
+
+If the project later needs Sonar with coverage on **fork** PRs, maintainers typically add a separate
+trusted job after a workflow that uploads coverage artifacts, using GitHub's `workflow_run` event.
+See [workflow_run (GitHub Docs)](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflow_run).
+
 ## Description
 
 This collection is curated to provide users with a robust set of roles, playbooks, and rulebooks that simplify and streamline various AWS operations.

sonar-project.properties

@@ -0,0 +1,14 @@
+# SonarCloud project configuration for cloud.aws_ops
+# Complete documentation: https://docs.sonarqube.org/latest/analysis/analysis-parameters/
+
+sonar.projectKey=ansible-collections_cloud.aws_ops
+sonar.organization=ansible-collections
+sonar.sources=.
+sonar.projectName=cloud.aws_ops
+sonar.python.coverage.reportPaths=coverage.xml
+
+sonar.tests=tests/integration
+sonar.python.version=3.12
+sonar.newCode.referenceBranch=main
+
+sonar.exclusions=tests/**,.tox/**