feat: regression testing system (Phase 1) — 5 scenarios x 4 SQ versions#127
Conversation
Matrix-based GitHub Actions workflow that tests 5 PRIORITY bug scenarios (#53, #56, #57, #70, #88, #91, #94, #98) across all 4 SonarQube versions (9.9, 10.0, 10.4, 2025.1) using ephemeral Docker containers. Architecture: - Ephemeral SQ Enterprise containers with PostgreSQL per job - SQC target keys namespaced (cv-regression-*) for isolation - Shared assertion helpers with retry/backoff for SQC API - Data enrichment scripts (comments, status changes, hotspots) - Integrated into existing regression.yml orchestrator New files: - .github/workflows/regression-bug-fixes.yml (20 matrix jobs) - .github/actions/setup-sonarqube/action.yml (ephemeral SQ setup) - test/regression/helpers/ (sqc-client, assert-utils, config tools) - test/regression/enrichment/ (3 data enrichment scripts) - test/regression/assert-*.js (5 Phase 1 assertion scripts) - test/regression/sample-projects/ (minimal JS project for small scenarios) Reviewed by 5 parallel code review agents. 10 P1s, 8 P2s, 4 P3s found and fixed before commit. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
SummaryThis PR adds a regression testing system (Phase 1) for 5 critical bug fix scenarios across all 4 supported SonarQube versions (9.9, 10.0, 10.4, 2025.1), creating 20 parallel test jobs. What changed:
Why: Ensures critical fixes remain fixed across SQ version upgrades and migration runs. Integrated into existing What reviewers should knowWhere to start
Key implementation detailsTest flow per job:
Test data preparation: Enrichment scripts ( Assertions: Each API resilience: Non-obvious decisions
Prerequisites before CI passes
Review checklist
|
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 2 potential issues.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit d751b0c. Configure here.
| TOKEN_RESPONSE=$(curl -s -u admin:admin \ | ||
| -X POST "http://localhost:9000/api/user_tokens/generate" \ | ||
| -d "name=regression-test-$(date +%s)" \ | ||
| -d "type=GLOBAL_ANALYSIS_TOKEN") |
There was a problem hiding this comment.
Wrong token type blocks enrichment script API access
High Severity
The token is created with type=GLOBAL_ANALYSIS_TOKEN, which is scoped exclusively to scanner analysis operations (submitting reports via /api/ce/submit). However, the enrichment scripts and migration tool need full user-level API access — including /api/issues/search, /api/issues/add_comment, /api/issues/do_transition, /api/hotspots/search, and /api/hotspots/change_status. A GLOBAL_ANALYSIS_TOKEN cannot perform these operations, causing 403 errors. The type needs to be USER_TOKEN (or omitted entirely, which defaults to USER_TOKEN).
Additional Locations (1)
Reviewed by Cursor Bugbot for commit d751b0c. Configure here.
| if: success() | ||
| run: node test/regression/enrichment/add-hotspot-data.js | ||
| env: | ||
| SQ_PROJECT_KEY: angular |
There was a problem hiding this comment.
Workflow enrichment fails on empty SonarQube instance
High Severity
The workflow starts a fresh, empty SonarQube instance (no db-dump-artifact is provided and no sonar-scanner step exists), yet the enrichment steps immediately query for issues in project angular which doesn't exist. Both add-issue-comments.js and change-issue-status.js unconditionally throw when zero issues are found, failing the step. Since all subsequent steps (migration, assertions) use the default if: success() condition, they're skipped — making all 20 matrix jobs non-functional.
Additional Locations (2)
Reviewed by Cursor Bugbot for commit d751b0c. Configure here.
- CHANGELOG.md: add Phase 1 regression testing entry with scenarios table - architecture.md: add regression testing architecture section with ASCII diagram - local-development.md: add regression testing setup and local run guide - technical-details.md: add ephemeral SQ container architecture details - CONTRIBUTING.md: add regression test conventions for new bug fixes - design-review-regression-testing.md: mark as SHIPPED with PR #127 link Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>


Summary
regression.ymlorchestrator as aworkflow_callchildScenarios covered (Phase 1)
large-project-10k-plusgithub-actions-languageexternal-analyzersissue-sync-first-migrationkill-and-continueNew files (22)
.github/workflows/regression-bug-fixes.yml— main workflow.github/actions/setup-sonarqube/action.yml— ephemeral SQ container setuptest/regression/helpers/— shared SQC client (retry/backoff), assertion utilities, config toolstest/regression/enrichment/— data enrichment scripts (comments, statuses, hotspots)test/regression/assert-*.js— 5 assertion scripts, one per scenariotest/regression/sample-projects/— minimal JS project for small scenariosPrerequisites (before CI will pass)
SONARQUBE_9_9_LICENSE_KEY,SONARQUBE_10_0_LICENSE_KEY,SONARQUBE_10_4_LICENSE_KEY,SONARQUBE_2025_1_LICENSE_KEYsonarqube:9.9-enterpriseetc.)Review process
Code reviewed by 5 parallel AI agents (helpers, enrichment, workflow YAML, assertions, meta-tests). 10 P1s, 8 P2s, 4 P3s found and fixed before commit.
Test plan
🤖 Generated with Claude Code
Note
Medium Risk
Adds a new matrix-based GitHub Actions regression workflow that spins up ephemeral SonarQube Enterprise containers and performs real migrations/assertions against SonarCloud, which could be flaky or resource-intensive and depends on new secrets and external APIs.
Overview
Adds a new
regression-bug-fixes.ymlworkflow (wired intoregression.yml) that runs 5 bug-fix scenarios × 4 SonarQube versions and asserts post-migration outcomes by querying SonarCloud.Introduces a composite action
setup-sonarqubethat boots PostgreSQL + SonarQube Enterprise in Docker, waits for health, injects an Enterprise license, and generates an admin analysis token for the job.Adds Node-based regression tooling under
test/regression/(SQC API client with retry/backoff, config patch/cleanup helpers, enrichment scripts to mutate SQ issues/hotspots, and per-scenario assertion scripts), plus updates docs to reflect the shift to single-analysisbackdateChangesets()SCM date-bucket distribution terminology.Reviewed by Cursor Bugbot for commit d751b0c. Bugbot is set up for automated code reviews on this repo. Configure here.