
Estate campaign: roll SonarCloud across all repos (parked, resume later) #443

Description

@hyperpolymath

Goal

Replicate the boj-server SonarCloud setup across the whole estate: 384 active hyperpolymath repos (1 archived + 3 forks excluded) + 3 Joshua-owned shared repos (paint-type, IDApTIK, IDApixiTIK).

Parked 2026-06-29 — resume later. Everything mechanical is built and proven; only the SonarCloud-side (token + provisioning) is outstanding.

Reference: boj-server (complete, working)

Four components per repo:

  1. Root sonar-project.properties: sonar.organization + sonar.projectKey=hyperpolymath_<repo> + exclusions.
  2. A sonarqube job (boj-server folds it into build.yml; the rollout uses a standalone .github/workflows/sonarcloud.yml — safer across varied repos). SonarSource/sonarqube-scan-action@7006c44… v8.1.0 (SHA-pinned), actions/checkout@34e1148… v4.3.1 fetch-depth:0.
  3. Quality-gate badge in README (.md/.adoc) + EXPLAINME.adoc + site/index.html.
  4. The SONAR_TOKEN repository secret.
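The two file-based components (the properties file and the standalone workflow) rendered for one repo, as an added example that is not the project's sonar_rollout.py. It assumes the exclusion list shown (an invented sample) and takes the action commit SHAs as parameters, because only truncated SHAs appear above; the 40-character placeholders used in demo() are constructed and must be replaced with the real commit SHAs of sonarqube-scan-action v8.1.0 and actions/checkout v4.3.1. The renderer refuses anything that is not a full 40-hex SHA, so a mutable tag can never slip into `uses:`, and it places the token guard on the steps with the secret mapped into the job env, since a job-level `if:` cannot read the env context and neither level can read `secrets` directly.

```python
"""Render sonar-project.properties and .github/workflows/sonarcloud.yml for one
repo and write them idempotently (skip if the properties file already exists).
Added example; EXCLUSIONS and the demo SHAs are constructed placeholders."""
import re
import tempfile
from pathlib import Path

ORG = "hyperpolymath"
# Assumed sample exclusions, not the ones boj-server actually uses.
EXCLUSIONS = ["**/node_modules/**", "**/dist/**", "**/*.min.js"]
_FULL_SHA = re.compile(r"^[0-9a-f]{40}$")


def project_key(owner: str, repo: str) -> str:
    """Key convention from the issue: <owner>_<repo>."""
    return f"{owner}_{repo}"


def is_pinned(ref: str) -> bool:
    """True only for a full 40-hex commit SHA (tags and short SHAs are rejected)."""
    return _FULL_SHA.match(ref) is not None


def render_properties(owner: str, repo: str) -> str:
    return (
        f"sonar.organization={owner}\n"
        f"sonar.projectKey={project_key(owner, repo)}\n"
        f"sonar.projectName={repo}\n"
        f"sonar.exclusions={','.join(EXCLUSIONS)}\n"
    )


def render_workflow(scan_sha: str, checkout_sha: str) -> str:
    """Standalone workflow: SHA-pinned actions, fetch-depth 0, step-level guard."""
    for ref in (scan_sha, checkout_sha):
        if not is_pinned(ref):
            raise ValueError(f"action must be pinned to a full commit SHA: {ref!r}")
    return f"""name: SonarCloud
on:
  push:
    branches: [main]
  pull_request:
permissions:
  contents: read
jobs:
  sonarqube:
    runs-on: ubuntu-latest
    env:
      SONAR_TOKEN: ${{{{ secrets.SONAR_TOKEN }}}}
    steps:
      - uses: actions/checkout@{checkout_sha} # v4.3.1
        if: env.SONAR_TOKEN != ''
        with:
          fetch-depth: 0
      - uses: SonarSource/sonarqube-scan-action@{scan_sha} # v8.1.0
        if: env.SONAR_TOKEN != ''
        env:
          SONAR_TOKEN: ${{{{ secrets.SONAR_TOKEN }}}}
"""


def write_components(repo_root: Path, owner: str, repo: str,
                     scan_sha: str, checkout_sha: str) -> bool:
    """Write both files; return False (skipped) if the repo already has the
    properties file, mirroring the rollout's idempotency rule."""
    props = repo_root / "sonar-project.properties"
    if props.exists():
        return False
    workflow = repo_root / ".github" / "workflows" / "sonarcloud.yml"
    workflow.parent.mkdir(parents=True, exist_ok=True)
    props.write_text(render_properties(owner, repo))
    workflow.write_text(render_workflow(scan_sha, checkout_sha))
    return True


def demo() -> dict:
    """Run the writer twice in a scratch dir; placeholder SHAs are constructed."""
    scan_sha, checkout_sha = "a" * 40, "b" * 40
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        first = write_components(root, ORG, "boj-server", scan_sha, checkout_sha)
        second = write_components(root, ORG, "boj-server", scan_sha, checkout_sha)
        props = (root / "sonar-project.properties").read_text()
        workflow = (root / ".github" / "workflows" / "sonarcloud.yml").read_text()
    return {"first": first, "second": second, "props": props, "workflow": workflow}


if __name__ == "__main__":
    print(demo()["workflow"])
```

Because the guard is on each step rather than the job, the job itself still reports success when SONAR_TOKEN is absent, which is what keeps the rollout PRs green before the token is provisioned.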

Decisions (owner, 2026-06-26)

  • SonarCloud: auto-provision projects + ONE global analysis token (not per-repo tokens).
  • Include all 3 Joshua repos.
  • All-at-once rollout: one PR per repo, --auto --squash armed.

Key constraint

hyperpolymath and JoshuaJewell are GitHub user accounts, not orgs → there is no org-level secret. SONAR_TOKEN must be set per-repo (gh secret set SONAR_TOKEN --repo …). Automatable with one token value (owner has admin on own 384; Joshua's 3 need his admin to set the secret).

What's done

  • Generator built + dry-run-validated, then live-tested on 2 repos:
  • Generator + repo list preserved at dev-notes/estate/sonarcloud-rollout-2026-06-26/ (sonar_rollout.py, myrepos.json). Idempotent: skips repos that already have the properties file or an in-flight chore/sonarcloud-setup branch; self-heals auto-merge.
  • Workflow carries a guard (if: env.SONAR_TOKEN != '') so the scan skips cleanly (green) until the token is added, then activates automatically, which lets PRs merge now without red checks. The guard sits on the steps with the secret mapped into the job-level env: a job-level if cannot read the env context, and neither level can read secrets directly.

Blocked on (SonarCloud-side, owner-only)

  1. Confirm the SonarCloud GitHub App is installed on the hyperpolymath account with access to all repos.
  2. Enable auto-provisioning so hyperpolymath_<repo> projects auto-create on first analysis.
  3. Generate one Global Analysis Token → write to ~/.secrets/sonar-token (one line). Rollout reads it from there and sets the per-repo secret.

Heads-ups

  • 22 private repos need a paid SonarCloud plan (public is free) — decide skip vs upgrade.
  • Joshua's 3 repos: PRs can be opened, but SONAR_TOKEN needs his admin, and their project key/org depends on how JoshuaJewell is bound on SonarCloud.
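The per-repo secret distribution from the key constraint, the one-line token file from blocked-on item 3, and the two heads-ups (private repos, Joshua's repos) as an added example that is not the project's sonar_rollout.py. It assumes the repo list has the shape `gh repo list --json nameWithOwner,isPrivate,isFork,isArchived` produces (the SAMPLE_REPOS entries below are constructed), and it feeds the token to `gh secret set` on stdin rather than via --body, so the value never appears in the process list or shell history.

```python
"""Plan and (optionally) run `gh secret set SONAR_TOKEN --repo ...` across an
estate of user-account repos where no org-level secret exists.
Added example; SAMPLE_REPOS is constructed data."""
import json
import stat
import subprocess
import tempfile
from pathlib import Path

OWNER = "hyperpolymath"
TOKEN_PATH = Path.home() / ".secrets" / "sonar-token"

# Constructed sample in the `gh repo list --json ...` shape; not the real estate.
SAMPLE_REPOS = json.loads("""[
 {"nameWithOwner": "hyperpolymath/boj-server",    "isPrivate": false, "isFork": false, "isArchived": false},
 {"nameWithOwner": "hyperpolymath/old-thing",     "isPrivate": false, "isFork": false, "isArchived": true},
 {"nameWithOwner": "hyperpolymath/upstream-fork", "isPrivate": false, "isFork": true,  "isArchived": false},
 {"nameWithOwner": "hyperpolymath/secret-sauce",  "isPrivate": true,  "isFork": false, "isArchived": false},
 {"nameWithOwner": "JoshuaJewell/paint-type",     "isPrivate": false, "isFork": false, "isArchived": false}
]""")


def read_token(path: Path = TOKEN_PATH) -> str:
    """One-line token file; refuse group/world-readable files and bad content."""
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & 0o077:
        raise PermissionError(f"{path} is mode {mode:o}; expected 0600")
    token = path.read_text().strip()
    if not token or "\n" in token:
        raise ValueError(f"{path} must contain exactly one non-empty line")
    return token


def plan(repos, owner: str = OWNER, include_private: bool = False) -> dict:
    """Split the estate into repos we can set the secret on ourselves, repos
    another account's admin must handle, private repos held back pending the
    paid-plan decision, and archived/fork repos skipped outright."""
    out = {"self": [], "needs_owner_admin": [], "private_held": [], "skipped": []}
    for r in repos:
        name = r["nameWithOwner"]
        if r["isArchived"] or r["isFork"]:
            out["skipped"].append(name)
        elif r["isPrivate"] and not include_private:
            out["private_held"].append(name)
        elif name.split("/", 1)[0] == owner:
            out["self"].append(name)
        else:
            out["needs_owner_admin"].append(name)
    return out


def secret_cmd(repo: str, secret: str = "SONAR_TOKEN") -> list:
    """argv for gh; the value is deliberately absent (it goes on stdin)."""
    return ["gh", "secret", "set", secret, "--repo", repo]


def set_secrets(repos, token: str, dry_run: bool = True) -> list:
    """Set the secret on each repo; return the argv lists issued (or planned)."""
    issued = []
    for repo in repos:
        cmd = secret_cmd(repo)
        issued.append(cmd)
        if not dry_run:
            subprocess.run(cmd, input=token, text=True, check=True)
    return issued


def demo_read_token() -> tuple:
    """Exercise read_token on two constructed files: 0600 and 0644."""
    with tempfile.TemporaryDirectory() as d:
        good = Path(d) / "good"
        good.write_text("example-token-value\n")
        good.chmod(0o600)
        bad = Path(d) / "bad"
        bad.write_text("example-token-value\n")
        bad.chmod(0o644)
        ok = read_token(good)
        try:
            read_token(bad)
            rejected = False
        except PermissionError:
            rejected = True
    return ok, rejected


if __name__ == "__main__":
    p = plan(SAMPLE_REPOS)
    print(json.dumps(p, indent=2))
    for cmd in set_secrets(p["self"], "dry-run", dry_run=True):
        print(" ".join(cmd))
```

Repos under needs_owner_admin get their PR opened but no secret; they are the ones to hand to the other account's admin, and their project key and organization still depend on how that account is bound on SonarCloud.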

To resume

cd ~/developer/repos
# refresh repo list, then run for real once ~/.secrets/sonar-token exists:
SONAR_TOKEN="$(cat ~/.secrets/sonar-token)" \
  python3 dev-notes/estate/sonarcloud-rollout-2026-06-26/sonar_rollout.py
# DRY_RUN=1 to preview; LIMIT=N to batch; ONLY=a,b,c to target specific repos.
