fix(ci): bump sonarcloud reusable workflow SHA and pin remaining @main refs

[williaby]

Summary

Closes #22

• sonarcloud.yml: Bumped the ByronWilliamsCPA/.github python-sonarcloud.yml pin to 6bad2f898be1d387b8424e9deddefa519674cb19 (which upgrades to sonarqube-scan-action v7.2.0 and resolves the /analysis/analyses 404 bug on new projects, per org .github PR 43).
• sonarcloud.yml: Corrected sonar-organization from byronwilliamscpa to williaby (the actual SonarCloud account name).
• 12 other workflow files (fips-compatibility, qlty, security-analysis, reuse, mutation-testing, sbom, docs, slsa-provenance, scorecard, codecov, coverage, python-compatibility): Pinned all remaining @main refs to e067cdb7294f6221dbde74ef1f4c3ca735eed570 # main to satisfy supply-chain pinning requirements.

pr-validation.yml was already pinned to a specific SHA, so it was left unchanged. The @main references remaining in .github/workflows/README.md are prose/documentation, not actual uses: invocations.

Test plan

• CI workflows resolve the new reusable workflow SHAs and run successfully
• SonarCloud workflow uploads analysis without /analysis/analyses 404
• SonarCloud dashboard receives the project under the williaby organization

https://claude.ai/code/session_01AhVcx2FwNFMhtwFCNnmh8L

---

Generated by Claude Code

[coderabbitai]

Warning

Rate limit exceeded

@williaby has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 51 minutes and 8 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: fe6f4bc9-dfc9-4a92-a8b0-17a1cae1e60e

📥 Commits

Reviewing files that changed from the base of the PR and between c0eb24a and 2d9a7a8.

📒 Files selected for processing (13)

• .github/workflows/codecov.yml
• .github/workflows/coverage.yml
• .github/workflows/docs.yml
• .github/workflows/fips-compatibility.yml
• .github/workflows/mutation-testing.yml
• .github/workflows/python-compatibility.yml
• .github/workflows/qlty.yml
• .github/workflows/reuse.yml
• .github/workflows/sbom.yml
• .github/workflows/scorecard.yml
• .github/workflows/security-analysis.yml
• .github/workflows/slsa-provenance.yml
• .github/workflows/sonarcloud.yml

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude/update-sonarcloud-workflow-DwanO

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[Copilot]

Pull request overview

This PR hardens CI workflow supply-chain usage by pinning reusable GitHub Actions workflows to commit SHAs and updates the SonarCloud workflow to use the intended reusable workflow revision and organization.

Changes:

• Updates SonarCloud reusable workflow SHA and changes sonar-organization to williaby.
• Pins remaining reusable workflow @main references to fixed commit SHAs.
• Leaves prose-only @main references in workflow documentation unchanged.

Reviewed changes

Copilot reviewed 13 out of 13 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
.github/workflows/sonarcloud.yml	Updates SonarCloud reusable workflow pin and organization input.
.github/workflows/slsa-provenance.yml	Pins SLSA reusable workflow to a commit SHA.
.github/workflows/security-analysis.yml	Pins security analysis reusable workflow to a commit SHA.
.github/workflows/scorecard.yml	Pins Scorecard reusable workflow to a commit SHA.
.github/workflows/sbom.yml	Pins SBOM reusable workflow to a commit SHA.
.github/workflows/reuse.yml	Pins REUSE reusable workflow to a commit SHA.
.github/workflows/qlty.yml	Pins Qlty coverage reusable workflow to a commit SHA.
.github/workflows/python-compatibility.yml	Pins Python compatibility reusable workflow to a commit SHA.
.github/workflows/mutation-testing.yml	Pins mutation testing reusable workflow to a commit SHA.
.github/workflows/fips-compatibility.yml	Pins FIPS compatibility reusable workflow to a commit SHA.
.github/workflows/docs.yml	Pins documentation reusable workflow to a commit SHA.
.github/workflows/coverage.yml	Pins coverage upload reusable workflow to a commit SHA.
.github/workflows/codecov.yml	Pins Codecov reusable workflow to a commit SHA.