@devin-ai-integration devin-ai-integration bot commented Nov 7, 2025

Remove quality gate failures while preserving Devin auto-remediation

Summary

Removed the SonarCloud quality gate check that was causing workflow failures and "red X" status on PRs, while preserving the automatic Devin session triggering when real code issues are found. The workflow now stays green but still triggers Devin remediation for vulnerabilities, bugs, and code smells.

Key changes:

  • Removed the SonarSource/sonarqube-quality-gate-action step that was failing on coverage/hotspot metrics
  • Removed the exit 1 step that made the workflow fail
  • Removed verbose coverage/hotspot review comments
  • Added explicit wait-for-analysis step that polls SonarCloud CE task API (max 300s)
  • Changed issue collection to always run (not conditional on quality gate failure)
  • Trigger Devin based on actual code issues found (has_code_issues=true) rather than quality gate status

Workflow behavior now:

  1. ✅ Runs SonarCloud scan on every PR/push
  2. ⏳ Waits for analysis to complete (polls every 5s, max 300s timeout)
  3. 🔍 Collects issue summary (vulnerabilities, bugs, code smells with BLOCKER/CRITICAL/MAJOR severity)
  4. 🤖 Triggers Devin session if: PR event + human commit + code issues found
  5. ✅ Workflow stays green (no red X failures)

Infinite loop prevention:

  • Checks commit author for "Devin AI"
  • Checks commit message for [devin-remediation] tag
  • Only triggers on PR events (not master pushes)
  • Skips triggering if Devin commit detected

Review & Testing Checklist for Human

⚠️ CRITICAL - This workflow has not been tested end-to-end. The following items MUST be verified:

  • Test with a real PR containing code issues: Create a test PR with intentional SonarCloud issues (vulnerability/bug/code smell) and verify the workflow triggers a Devin session
  • Verify infinite loop prevention: After Devin pushes a fix, check that the commit message includes [devin-remediation] tag and that a new Devin session is NOT triggered
  • Confirm workflow stays green: Verify the workflow completes with success (green checkmark) even when issues are found, instead of failing with red X
  • Check analysis wait timeout: Monitor the "Wait for SonarCloud analysis" step to ensure 300s is sufficient; increase timeout if needed for larger PRs
  • Validate Devin triggering logic: Verify Devin is triggered ONLY when all three conditions are met: (1) PR event (2) human commit (3) code issues found

Recommended Test Plan

  1. Create a test PR with a small code change that introduces a SonarCloud issue
  2. Push commit and wait for workflow to complete
  3. Verify workflow stays green and check for Devin session comment on PR
  4. Wait for Devin to push fix and verify no new session is triggered
  5. Check SonarCloud dashboard to confirm issues are resolved

Notes

  • The workflow now triggers on vulnerabilities + bugs + code smells (BLOCKER/CRITICAL/MAJOR). Consider adjusting if this is too noisy.
  • Coverage failures and unreviewed security hotspots will no longer trigger Devin or post comments.
  • The Sonar API queries are scoped to the PR (pullRequest=${{ github.event.pull_request.number }}) to only detect new issues in the PR.
  • Session requested by: Jake Cosme (@jakexcosme) - Devin Session

Co-Authored-By: Jake Cosme <jake@cognition.ai>
@devin-ai-integration

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

- Remove quality gate check step (no more red X failures)
- Add wait-for-analysis step to ensure fresh Sonar results
- Add Devin commit detection (checks author and [devin-remediation] tag)
- Add issue collection step that always runs after scan
- Trigger Devin only when: PR + human commit + code issues found
- Infinite loop prevention: skips triggering if commit has [devin-remediation] tag

Co-Authored-By: Jake Cosme <jake@cognition.ai>
@jakexcosme jakexcosme merged commit 386dfe9 into master Nov 7, 2025
1 check passed
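
The trigger conditions, loop guard and bounded wait described in the PR description and commit message above, as an added example that is not the repository's workflow code. The function names and the stubbed status command are hypothetical, and the status strings are assumed to be those the SonarCloud CE task API reports.

```shell
#!/bin/sh
# Added example (not the repository's workflow). Function names are hypothetical.

# Loop guard: true when the commit carries either Devin marker named in the PR.
# Both fields are set by whoever creates the commit, so treat this as a loop
# guard only, not as an authorization check.
is_devin_commit() {   # $1 = commit author, $2 = commit message
  case "$1" in *"Devin AI"*) return 0 ;; esac
  case "$2" in *"[devin-remediation]"*) return 0 ;; esac
  return 1
}

# Trigger only when all three conditions hold: PR event, human commit, issues.
should_trigger() {    # $1 = event name, $2 = author, $3 = message, $4 = has_code_issues
  [ "$1" = "pull_request" ] || return 1
  if is_devin_commit "$2" "$3"; then return 1; fi
  [ "$4" = "true" ]
}

# Poll until the analysis task finishes. $1 is a command that prints the task
# status (in a workflow it would query the CE task API; stubbed here).
# Returns 0 = finished, 1 = task failed or was canceled, 2 = timed out.
wait_for_analysis() { # $1 = status command, $2 = interval (s), $3 = timeout (s)
  interval="${2:-5}"; timeout="${3:-300}"; waited=0
  while [ "$waited" -lt "$timeout" ]; do
    case "$("$1")" in
      SUCCESS) return 0 ;;
      FAILED|CANCELED) return 1 ;;
    esac
    sleep "$interval"
    waited=$((waited + interval))
  done
  return 2
}

# Constructed sample run: a human commit on a PR with issues found.
stub_done() { echo SUCCESS; }
if wait_for_analysis stub_done 1 2 &&
   should_trigger pull_request "Jane Dev" "fix: parse header" true; then
  echo "trigger Devin session"
else
  echo "skip"
fi
```

Because the wait step distinguishes a timeout (2) from a failed task (1), a workflow that stays green can still log which of the two caused issue collection to run on stale or missing results.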