diff --git a/.gitlab/ci/common.yml b/.gitlab/ci/common.yml
index e858331898..7323505d8d 100644
--- a/.gitlab/ci/common.yml
+++ b/.gitlab/ci/common.yml
@@ -298,10 +298,9 @@ variables:
   before_script:
     - *git_init
     - *git_fetch_from_mirror_url_if_exists
-    - |
-      git fetch origin refs/tags/"${LATEST_GIT_TAG}":refs/tags/"${LATEST_GIT_TAG}" --depth=1
-      git repack -d
-      git fetch origin $CI_COMMIT_SHA --shallow-since=$(git log -1 --format=%as "${LATEST_GIT_TAG}")
+    - git fetch origin refs/tags/"${LATEST_GIT_TAG}":refs/tags/"${LATEST_GIT_TAG}" --depth=1
+    - git repack -d
+    - git fetch origin $PIPELINE_COMMIT_SHA --shallow-since=$(git log -1 --format=%as "${LATEST_GIT_TAG}")
     - *git_checkout_fetch_head
     - *common-before_scripts
     - *setup_tools_and_idf_python_venv
diff --git a/.gitlab/ci/static-code-analysis.yml b/.gitlab/ci/static-code-analysis.yml
index 2ce8a1bfc1..ef99c8bf45 100644
--- a/.gitlab/ci/static-code-analysis.yml
+++ b/.gitlab/ci/static-code-analysis.yml
@@ -30,7 +30,7 @@ check_pylint:
   script:
     - |
       if [ -n "$CI_MERGE_REQUEST_IID" ]; then
-        export files=$(echo $GIT_DIFF_OUTPUT | grep ".py$" | xargs);
+        export files=$(echo "$GIT_DIFF_OUTPUT" | grep ".py$" | xargs);
       else
         export files=$(git ls-files "*.py" | xargs);
       fi
@@ -53,8 +53,10 @@ check_pylint:
 .sonar_scan_template:
   stage: build
   extends: .pre_check_template
-  image:
-    name: $SONARQUBE_SCANNER_IMAGE
+  # full clone since this image does not support fetch --shallow-since-cutoff
+  # shiny runners are used for full clone
+  tags: [build, shiny]
+  image: $SONARQUBE_SCANNER_IMAGE
   before_script:
     - source tools/ci/utils.sh
     - export PYTHONPATH="$CI_PROJECT_DIR/tools:$CI_PROJECT_DIR/tools/ci/python_packages:$PYTHONPATH"
@@ -68,7 +70,7 @@ check_pylint:
     - export SONAR_SCANNER_OPTS="-Xmx2048m"
   variables:
     GIT_DEPTH: 0
-    REPORT_PATTERN: clang_tidy_reports/*.txt
+    REPORT_PATTERN: clang_tidy_reports/**/*.txt
   artifacts:
     when: always
     paths:
@@ -81,7 +83,7 @@ code_quality_check:
   extends:
     - .sonar_scan_template
     - .rules:patterns:static-code-analysis-preview
-  allow_failure: true  # since now it's using exit code to indicate the code analysis result,
+  allow_failure: true  # it's using exit code to indicate the code analysis result,
                        # we don't want to block ci when critical issues founded
   script:
     - export CI_MERGE_REQUEST_COMMITS=$(python ${CI_PROJECT_DIR}/tools/ci/ci_get_mr_info.py commits --src-branch ${CI_COMMIT_REF_NAME} | tr '\n' ',')
@@ -104,7 +106,7 @@ code_quality_report:
   extends:
     - .sonar_scan_template
     - .rules:protected
-  allow_failure: true  # since now it's using exit code to indicate the code analysis result,
+  allow_failure: true  # it's using exit code to indicate the code analysis result,
                        # we don't want to block ci when critical issues founded
   script:
     - sonar-scanner