
feat(ci): add Quality Orchestrator action for PR risk analysis #147

Merged: mrdailey99 merged 2 commits into develop from feature/quality-orchestrator-action on May 7, 2026


@mrdailey99
Collaborator

Summary

Adds a parallel quality-analysis job to CI_Execution.yml that runs on every PR targeting develop. The job uses mrdailey99/QualityOrchestrator@v1.0.0 to:

  • Map changed files to existing test coverage
  • Score overall risk (high / med / low)
  • Post a risk-tier comment on the PR

The job runs in parallel with provardx-ci-execution and never blocks merges (fail-on-high: false).

Pre-Landing Review

Adversarial review found 4 issues — all fixed before merge:

  • [AUTO-FIXED] @v1 tag does not exist on action repo → pinned to @v1.0.0
  • [AUTO-FIXED] Stub writer had path-traversal risk via unvalidated filenames → generate-stubs: false
  • [AUTO-FIXED] persist-credentials not disabled before third-party Python process runs → added persist-credentials: false
  • [INFORMATIONAL] fail-on-high: false means no merge blocking — intentional; can be flipped to true when confidence in the action is established

Test Coverage

Workflow YAML only — no application code paths changed.

Test plan

  • Open a PR targeting develop and verify the quality-analysis job appears and posts a risk comment

🤖 Generated with Claude Code
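
The three auto-fixed findings in the Pre-Landing Review above, turned into a check over workflow text. This is an added example, not part of the PR or the project's code; the workflow fragments are constructed, the all-`a` checkout SHA is a placeholder, and treating a missing `generate-stubs` key as not disabled is an assumption.

```python
import re

# Constructed workflow fragments, not the project's CI_Execution.yml. Action and
# input names are the ones quoted in the PR; the checkout refs are placeholders.
WEAK = """\
steps:
  - uses: actions/checkout@v4
  - uses: mrdailey99/QualityOrchestrator@v1
    with:
      generate-stubs: 'true'
"""
FIXED = """\
steps:
  - uses: actions/checkout@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    with:
      persist-credentials: false
  - uses: mrdailey99/QualityOrchestrator@v1.0.0
    with:
      generate-stubs: 'false'
"""

def pin_kind(ref):
    """Classify a `uses:` ref: full commit SHA, exact version tag, or floating."""
    if re.fullmatch(r"[0-9a-f]{40}", ref):
        return "commit-sha"
    return "exact-tag" if re.fullmatch(r"v?\d+\.\d+\.\d+", ref) else "floating"

def audit(workflow):
    """Return findings for the three hardening points listed in the review."""
    findings = []
    # One block per step: split at every line that opens a '- ' list item.
    for step in re.split(r"^(?=[ \t]*-[ \t])", workflow, flags=re.M):
        m = re.search(r"uses:\s*['\"]?([^@\s'\"]+)@([^\s'\"]+)", step)
        if not m:
            continue
        action, ref = m.groups()
        opts = {k: v.strip("'\"") for k, v in
                re.findall(r"^[ \t]*([\w-]+):[ \t]*(\S+)[ \t]*$", step, re.M)}
        if pin_kind(ref) == "floating":
            findings.append(f"{action}@{ref}: floating ref")
        # checkout leaves the token in the local git config unless this is false
        if action == "actions/checkout" and opts.get("persist-credentials") != "false":
            findings.append(f"{action}: persist-credentials not false")
        # assumption: an absent generate-stubs key is treated as not disabled
        if action.endswith("/QualityOrchestrator") and opts.get("generate-stubs") != "false":
            findings.append(f"{action}: generate-stubs not false")
    return findings
```

`pin_kind` keeps `v1.0.0` distinct from a full commit SHA because a tag can still be moved by the action's owner, while a SHA cannot.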

mrdailey99 and others added 2 commits May 7, 2026 08:14
RCA: No automated PR risk analysis or test coverage mapping existed in the CI pipeline
Fix: Add parallel quality-analysis job using mrdailey99/QualityOrchestrator@v1 to score PR risk and post coverage comments

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…sis job

RCA: @v1 tag does not exist on the action repo; mutable tag and unvalidated stub paths posed supply chain and path-traversal risk
Fix: pin to @v1.0.0, disable stub generation, add persist-credentials: false to checkout step

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings May 7, 2026 13:20
Contributor

Copilot AI left a comment


Pull request overview

Adds a new GitHub Actions job to run PR risk analysis in parallel with the existing CI workflow for PRs targeting develop.

Changes:

  • Introduces a quality-analysis job that checks out the repo and runs mrdailey99/QualityOrchestrator@v1.0.0.
  • Configures minimal permissions for reading contents and writing PR feedback, with persist-credentials: false.
  • Ensures the analysis is non-blocking (fail-on-high: 'false').


Comment thread .github/workflows/CI_Execution.yml
@mrdailey99 mrdailey99 merged commit 9fe10b3 into develop May 7, 2026
4 checks passed
@mrdailey99 mrdailey99 deleted the feature/quality-orchestrator-action branch May 7, 2026 13:38