ci: Fix SonarCloud for fork PRs and harden CI workflows

- Add fork guard to ci.yml SonarCloud job to prevent failures when
  SONAR_TOKEN is unavailable on fork PRs
- Add permissions (least-privilege) and concurrency (cancel stale runs)
  to pr-checks.yml
- Remove duplicate sonarcloud-pr job from pr-checks.yml (handled by
  ci.yml for internal PRs, sonar-fork-pr.yml for fork PRs)
- Remove continue-on-error from spotless and OWASP checks
- Update sonar-fork-pr.yml with permissions, Maven cache, upstream
  fetch for proper diff, and separate build/analyze steps

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: dfcoffin

.github/workflows/ci.yml

@@ -86,6 +86,7 @@ jobs:
     name: SonarCloud Analysis
     runs-on: ubuntu-latest
     needs: build-and-test
+    if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository
 
     steps:
       - name: Checkout code

.github/workflows/pr-checks.yml

@@ -4,6 +4,14 @@ on:
   pull_request:
     types: [opened, synchronize, reopened]
 
+permissions:
+  contents: read
+  pull-requests: read
+
+concurrency:
+  group: pr-checks-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
+
 env:
   JAVA_VERSION: '25'
   MAVEN_OPTS: -Xmx3072m
@@ -46,52 +54,9 @@ jobs:
 
       - name: Check code formatting
         run: mvn spotless:check
-        continue-on-error: true
 
       - name: Run quick tests
         run: mvn test -pl openespi-common,openespi-datacustodian
 
       - name: Check for security vulnerabilities
-        run: mvn org.owasp:dependency-check-maven:check -DfailBuildOnCVSS=8
-        continue-on-error: true
-
-  sonarcloud-pr:
-    name: SonarCloud PR Analysis
-    runs-on: ubuntu-latest
-    if: github.event.pull_request.head.repo.full_name == github.repository
-
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Set up JDK 25
-        uses: actions/setup-java@v4
-        with:
-          java-version: ${{ env.JAVA_VERSION }}
-          distribution: 'temurin'
-          cache: 'maven'
-
-      - name: Cache SonarCloud packages
-        uses: actions/cache@v4
-        with:
-          path: ~/.sonar/cache
-          key: ${{ runner.os }}-sonar
-          restore-keys: ${{ runner.os }}-sonar
-
-      - name: Build modules for SonarCloud
-        run: mvn clean verify -pl openespi-common,openespi-datacustodian,openespi-thirdparty -am
-
-      - name: Analyze with SonarCloud
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-        run: |
-          mvn org.sonarsource.scanner.maven:sonar-maven-plugin:sonar \
-            -Dsonar.projectKey=GreenButtonAlliance_OpenESPI-GreenButton-Java \
-            -Dsonar.organization=greenbuttonalliance \
-            -Dsonar.host.url=https://sonarcloud.io \
-            -Dsonar.pullrequest.key=${{ github.event.pull_request.number }} \
-            -Dsonar.pullrequest.branch=${{ github.event.pull_request.head.ref }} \
-            -Dsonar.pullrequest.base=${{ github.event.pull_request.base.ref }}
+        run: mvn org.owasp:dependency-check-maven:check -DfailBuildOnCVSS=8

.github/workflows/sonar-fork-pr.yml

@@ -0,0 +1,85 @@
+name: SonarCloud Fork PR Analysis
+
+on:
+  workflow_run:
+    workflows: ["CI/CD Pipeline"]
+    types: [completed]
+
+permissions:
+  contents: read
+  pull-requests: read
+
+jobs:
+  sonarcloud-fork:
+    name: SonarCloud Analysis (Fork PR)
+    runs-on: ubuntu-latest
+    if: >
+      github.event.workflow_run.event == 'pull_request' &&
+      github.event.workflow_run.conclusion == 'success' &&
+      github.event.workflow_run.head_repository.full_name != github.repository
+
+    steps:
+      - name: Checkout fork PR code
+        uses: actions/checkout@v4
+        with:
+          repository: ${{ github.event.workflow_run.head_repository.full_name }}
+          ref: ${{ github.event.workflow_run.head_sha }}
+          fetch-depth: 0
+
+      - name: Fetch base branch for diff
+        run: |
+          git remote add upstream https://github.com/${{ github.repository }}.git
+          git fetch upstream
+
+      - name: Get PR number
+        uses: actions/github-script@v7
+        id: pr-number
+        with:
+          script: |
+            const pulls = await github.rest.pulls.list({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              head: `${context.payload.workflow_run.head_repository.owner.login}:${context.payload.workflow_run.head_branch}`,
+              state: 'open'
+            });
+            return pulls.data[0]?.number || '';
+          result-encoding: string
+
+      - name: Set up JDK 25
+        uses: actions/setup-java@v4
+        with:
+          java-version: '25'
+          distribution: 'temurin'
+          cache: 'maven'
+
+      - name: Cache Maven packages
+        uses: actions/cache@v4
+        with:
+          path: ~/.m2/repository
+          key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
+          restore-keys: |
+            ${{ runner.os }}-maven-
+
+      - name: Cache SonarCloud packages
+        uses: actions/cache@v4
+        with:
+          path: ~/.sonar/cache
+          key: ${{ runner.os }}-sonar
+          restore-keys: ${{ runner.os }}-sonar
+
+      - name: Build modules
+        run: mvn clean verify -pl openespi-common,openespi-datacustodian,openespi-thirdparty -am
+
+      - name: Analyze with SonarCloud
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+        run: |
+          mvn org.sonarsource.scanner.maven:sonar-maven-plugin:sonar \
+            -Dsonar.projectKey=GreenButtonAlliance_OpenESPI-GreenButton-Java \
+            -Dsonar.organization=greenbuttonalliance \
+            -Dsonar.host.url=https://sonarcloud.io \
+            -Dsonar.pullrequest.key=${{ steps.pr-number.outputs.result }} \
+            -Dsonar.pullrequest.branch=${{ github.event.workflow_run.head_branch }} \
+            -Dsonar.pullrequest.base=${{ github.event.workflow_run.pull_requests[0].base.ref || 'main' }} \
+            -Dsonar.coverage.jacoco.xmlReportPaths=**/target/site/jacoco/jacoco.xml