lint: 修复sonar issue

.github/workflows/ci.yml

@@ -18,10 +18,10 @@ jobs:
         os: [ubuntu-latest, windows-latest, macos-latest]
         go-version: ['1.24']
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Setup Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
         with:
           go-version: ${{ matrix.go-version }}
           cache: true
@@ -40,7 +40,7 @@ jobs:
         run: gotestsum --junitfile test-results.xml -- -v -race -coverprofile=coverage.txt -covermode=atomic ./...
 
       - name: Upload test results to Codecov
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           files: test-results.xml
@@ -49,7 +49,7 @@ jobs:
           fail_ci_if_error: false
 
       - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           files: coverage.txt
@@ -90,10 +90,10 @@ jobs:
           --health-retries=5
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Setup Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
         with:
           go-version: '1.24'
           cache: true
@@ -120,7 +120,7 @@ jobs:
         run: gotestsum --junitfile e2e-test-results.xml -- -v -tags=e2e -coverprofile=coverage-e2e.txt -covermode=atomic -coverpkg=github.com/zx06/xsql/internal/... ./tests/e2e/...
 
       - name: Upload integration test results to Codecov
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           files: integration-test-results.xml,e2e-test-results.xml
@@ -129,7 +129,7 @@ jobs:
           fail_ci_if_error: false
 
       - name: Upload integration coverage to Codecov
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           files: coverage-integration.txt,coverage-e2e.txt
@@ -143,26 +143,26 @@ jobs:
     name: Lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Setup Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
         with:
           go-version: '1.24'
           cache: true
 
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v9
+        uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
 
   build:
     name: Build binaries
     runs-on: ubuntu-latest
     needs: [test, integration, lint]
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Setup Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
         with:
           go-version: '1.24'
           cache: true
@@ -180,7 +180,7 @@ jobs:
         run: GOOS=darwin GOARCH=arm64 go build -ldflags "-s -w" -o xsql-darwin-arm64 ./cmd/xsql
 
       - name: Upload artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: binaries
           path: xsql-*

.github/workflows/release.yml

@@ -5,27 +5,26 @@ on:
     tags:
       - "v*"
 
-permissions:
-  contents: write
-
 jobs:
   release:
     name: Release
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
 
       - name: Set up Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
         with:
           go-version: "1.24"
           cache: true
 
       - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v6
+        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
         with:
           distribution: goreleaser
           version: "~> v2"
@@ -43,10 +42,10 @@ jobs:
       contents: read
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Set up Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: "20"
           registry-url: "https://registry.npmjs.org"

sonar-project.properties

@@ -0,0 +1,42 @@
+sonar.projectKey=zx06_xsql
+sonar.organization=zx06
+
+# Go 测试惯例使用下划线命名（如 TestFoo_Bar），与 S100 默认正则冲突
+# 测试文件中字符串重复、认知复杂度高、变量命名等均为误报，统一排除
+sonar.issue.ignore.multicriteria=e1,e2,e3,e4,e5,e6,e7,e8,e9
+
+# S100: 函数命名规范 - 排除测试文件（Go 测试函数惯用下划线分隔子测试名）
+sonar.issue.ignore.multicriteria.e1.ruleKey=go:S100
+sonar.issue.ignore.multicriteria.e1.resourceKey=**/*_test.go
+
+# S1192: 字符串字面量重复 - 排除测试文件（测试中重复字符串是正常的）
+sonar.issue.ignore.multicriteria.e2.ruleKey=go:S1192
+sonar.issue.ignore.multicriteria.e2.resourceKey=**/*_test.go
+
+# S3776: 认知复杂度 - 排除测试文件（表驱动测试天然复杂度高）
+sonar.issue.ignore.multicriteria.e3.ruleKey=go:S3776
+sonar.issue.ignore.multicriteria.e3.resourceKey=**/*_test.go
+
+# S1135: TODO 注释 - 全局排除（TODO 是可接受的）
+sonar.issue.ignore.multicriteria.e4.ruleKey=go:S1135
+sonar.issue.ignore.multicriteria.e4.resourceKey=**/*.go
+
+# S117: 变量命名规范 - 排除测试文件
+sonar.issue.ignore.multicriteria.e5.ruleKey=go:S117
+sonar.issue.ignore.multicriteria.e5.resourceKey=**/*_test.go
+
+# S2068: 硬编码密码 - 排除测试文件（测试夹具中的密码不是真实凭据）
+sonar.issue.ignore.multicriteria.e6.ruleKey=go:S2068
+sonar.issue.ignore.multicriteria.e6.resourceKey=**/*_test.go
+
+# S4036: PATH 环境变量 - 排除测试文件（测试中操作 PATH 是正常的）
+sonar.issue.ignore.multicriteria.e7.ruleKey=go:S4036
+sonar.issue.ignore.multicriteria.e7.resourceKey=**/*_test.go
+
+# S4721: OS 命令执行 - 排除构建脚本（构建脚本执行系统命令是预期行为）
+sonar.issue.ignore.multicriteria.e8.ruleKey=javascript:S4721
+sonar.issue.ignore.multicriteria.e8.resourceKey=scripts/**/*.js
+
+# S2612: 文件权限 - 排除构建脚本（设置可执行权限是预期行为）
+sonar.issue.ignore.multicriteria.e9.ruleKey=javascript:S2612
+sonar.issue.ignore.multicriteria.e9.resourceKey=scripts/**/*.js