From 3b80085c530ed5423a3668c108bceafc575a61de Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Florian=20Str=C3=BCbe?= Date: Tue, 3 Mar 2026 15:36:49 +0100 Subject: [PATCH 1/2] ci: bump node version --- .github/workflows/pull-request.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pull-request.yaml b/.github/workflows/pull-request.yaml index 924d1198..89286a5b 100644 --- a/.github/workflows/pull-request.yaml +++ b/.github/workflows/pull-request.yaml @@ -18,7 +18,7 @@ jobs: - name: Set up node.js uses: actions/setup-node@v6 with: - node-version: '16' + node-version: '20' - name: Install dependencies run: npm install From 9f622ef3bad0f4e3b12d275328a053f5730ecac7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Florian=20Str=C3=BCbe?= Date: Tue, 3 Mar 2026 15:52:50 +0100 Subject: [PATCH 2/2] ci: support sonar runs for forks --- .github/workflows/integration-tests-v1.yaml | 2 +- .github/workflows/pull-request.yaml | 48 ++++++++++----------- .github/workflows/release-workflow.yaml | 8 ++-- .github/workflows/sonar.yaml | 36 ++++++++++++++++ 4 files changed, 64 insertions(+), 30 deletions(-) create mode 100644 .github/workflows/sonar.yaml diff --git a/.github/workflows/integration-tests-v1.yaml b/.github/workflows/integration-tests-v1.yaml index d58f424f..55084264 100644 --- a/.github/workflows/integration-tests-v1.yaml +++ b/.github/workflows/integration-tests-v1.yaml @@ -46,4 +46,4 @@ jobs: FIREBOLT_CLIENT_ID: ${{ secrets.SERVICE_ID_STG }} FIREBOLT_CLIENT_SECRET: ${{ secrets.SERVICE_SECRET_STG }} run: | - npm run test:ci integration/v1 \ No newline at end of file + npm run test:ci integration/v1 diff --git a/.github/workflows/pull-request.yaml b/.github/workflows/pull-request.yaml index 89286a5b..28da9885 100644 --- a/.github/workflows/pull-request.yaml +++ b/.github/workflows/pull-request.yaml 
@@ -8,31 +8,29 @@ on: jobs: code-checks: - runs-on: ubuntu-latest steps: - - name: Check out code - uses: actions/checkout@v6 - - - name: Set up node.js - uses: actions/setup-node@v6 - with: - node-version: '20' - - - name: Install dependencies - run: npm install - - - name: Type check with typescript - run: | - npm run type-check - - - name: Test with jest - run: | - npm test -- --coverage test/unit - - - name: "Security Scan" - uses: SonarSource/sonarqube-scan-action@master - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - SONAR_TOKEN: ${{ secrets.SONARCLOUD_TOKEN }} + - name: Check out code + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + + - name: Set up node.js + uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0 + with: + node-version: '16' + + - name: Install dependencies + run: npm install + + - name: Type check with typescript + run: npm run type-check + + - name: Test with jest + run: npm test -- --coverage test/unit + + - name: Upload coverage report + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 + with: + name: coverage + path: coverage/ + retention-days: 1 diff --git a/.github/workflows/release-workflow.yaml b/.github/workflows/release-workflow.yaml index cd784de4..e376d090 100644 --- a/.github/workflows/release-workflow.yaml +++ b/.github/workflows/release-workflow.yaml @@ -23,18 +23,18 @@ jobs: publish: runs-on: ubuntu-latest needs: integration-tests - steps: + steps: - name: Check out code uses: actions/checkout@v6 with: fetch-depth: 0 token: ${{ secrets.RELEASE_PAT }} - + - name: Set up node.js uses: actions/setup-node@v6 with: node-version: '16' - + - name: Install dependencies run: | npm install @@ -43,7 +43,7 @@ jobs: run: | git config user.name "GitHub Actions Bot" git config user.email "<>" - + - name: Build run: | npm run build diff --git a/.github/workflows/sonar.yaml b/.github/workflows/sonar.yaml new file mode 100644 index 00000000..a1418862 
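Review bot: The rewritten step list sets `node-version: '16'` under "Set up node.js", which undoes the bump to `'20'` made in PATCH 1/2 of this same series; the removed side of this hunk still shows `'20'`. If the revert is unintended (it looks like a rebase artefact), the line should read `node-version: '20'`. The context lines of release-workflow.yaml also still show `'16'`, so it is worth confirming which version the PR checks and the release job are meant to share.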
--- /dev/null
+++ b/.github/workflows/sonar.yaml
@@ -0,0 +1,36 @@
+name: Sonar scan
+
+on:
+ workflow_run:
+ workflows: [ "PR checks" ]
+ types: [ completed ]
+
+jobs:
+ sonar:
+ runs-on: ubuntu-latest
+ # Only run if the triggering workflow succeeded
+ if: ${{ github.event.workflow_run.conclusion == 'success' }}
+
+ steps:
+ - name: Check out code
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ # Check out the exact commit that was tested, not the base branch
+ ref: ${{ github.event.workflow_run.head_sha }}
+ fetch-depth: 0
+
+ - name: Download coverage report
+ uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
+ with:
+ name: coverage
+ path: coverage/
+ # Pull the artifact from the run that triggered this workflow,
+ # not from this (sonar) run which has no artifacts of its own
+ run-id: ${{ github.event.workflow_run.id }}
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Security scan
+ uses: SonarSource/sonarqube-scan-action@a31c9398be7ace6bbfaf30c0bd5d415f843d45e9 # v7.0.0
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ SONAR_TOKEN: ${{ secrets.SONARCLOUD_TOKEN }}
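Review bot: The new workflow declares no `permissions:` block and leaves the checkout credentials persisted, although everything it processes is contributor-controlled: `workflow_run` jobs run with the base repository's `SONARCLOUD_TOKEN` and `GITHUB_TOKEN`, while both the `head_sha` checkout and the `coverage` artifact come from the pull-request run, forks included. The token should be scoped to read-only at the top of the file and `persist-credentials: false` added to the checkout step, so the scan step and anything it reads from the tree never see a writable token. The checked-out tree and the artifact should be treated as data only; no later step should execute scripts or install dependencies from them. Because `workflow_run` carries no pull-request context, it is also worth confirming that the analysis is attributed to the PR and not to the default branch.

```yaml
permissions:
  contents: read
  actions: read  # needed to fetch the artifact from the triggering run

jobs:
  sonar:
    # … unchanged: runs-on, if …
    steps:
      - name: Check out code
        # … unchanged: uses …
        with:
          # … unchanged: ref, fetch-depth …
          persist-credentials: false
```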