fix(code-quality): add secret-scan + coverage to template ci.yml; reconcile required-checks docs (#966) #569
Dev-Lead — review-changes (no-changes): No changes were needed for this PR.
Pull request overview
Aligns the org’s repo-template CI workflow template with the code-quality ruleset by ensuring the template produces the required Secret scan (gitleaks) and coverage check contexts, and updates the required-checks documentation to match the codified ruleset source of truth.
Changes:
- Added a `secret-scan` job (Gitleaks) and a stack-aware `coverage` job to `standards/workflows/ci.yml` so new repos can enable `code-quality` by default.
- Updated `standards/github-settings.md` to make the required-checks table match the codified ruleset contexts (and clarify what is/isn’t a required status-check context).
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| standards/workflows/ci.yml | Adds Secret scan (gitleaks) and coverage jobs to produce required code-quality contexts. |
| standards/github-settings.md | Reconciles required-check documentation with the codified code-quality ruleset contexts and clarifies non-context requirements. |
Diff lines the two comments were attached to:

```yaml
permissions:
  contents: read
  security-events: write
steps:
```

```yaml
with:
  args: detect --source . --redact --verbose --exit-code 1
```
Review — fix requested (cycle 1/3)

The automated review identified the following issues. Please address each one:

Findings to fix

Automated review — NEEDS HUMAN REVIEW. Risk: MEDIUM

Summary

Confirmed both deep-review/Copilot findings against the codified org standard (push-protection.md 'Required CI job'): the new secret-scan job in the org repo-template ci.yml grants an unused `security-events: write` scope (the standard mandates `contents: read` only) and invokes gitleaks WITHOUT the mandatory `--config .gitleaks.toml` flag. Both defects ship verbatim into every new org repo. Action SHAs (gitleaks v3.0.0, checkout v6.0.2) independently re-verified correct and no injection/secret-handling issues found, but the two standards deviations block approval; escalating.

Findings

Reviewed by the PR-review cascade (triage: haiku 4.5 → deep: opus 4.8 + duck: o4-mini → audit: fable 5). Reply if you need a human review.

Additional tasks

The review cascade will automatically re-review after new commits are pushed.
Closing and folding into #575. The template ci.yml secret-scan + coverage jobs (with two review fixes: drop `security-events: write`; gitleaks `--config .gitleaks.toml` + seed a .gitleaks.toml) and the §243 table reconciliation will land against the RELOCATED code-quality ruleset, sequenced safely. Details captured in #575.
Pull request was closed
…#575) (#578)

* feat(ci-template): add secret-scan + coverage jobs to standards/workflows/ci.yml (#575)

The day-0 CI template gains the two org required-check producers so repos created from repo-template are forward-compatible with the code-quality ruleset:

- secret-scan → `Secret scan (gitleaks)`: copied verbatim from push-protection.md#required-ci-job — gitleaks CLI (the action's v2+ needs a paid org license), fully pinned + checksum-verified, `--config .gitleaks.toml`, `--redact`, `--exit-code 1`, `contents: read` only (no SARIF upload, so no `security-events: write`). Requires a .gitleaks.toml at repo root, seeded alongside this template (companion .github-private PR wires seed-repo-template.sh).
- coverage → `coverage`: stack-aware, default shell/bats via kcov. Green-until-tests — succeeds with no report when a stack emits no coverage, so seeding it fleet-wide never bricks a repo without a test suite; enforces once tests exist. Per-stack expansion blocks (Node/Go/Python/Rust) documented inline; job name kept `coverage`.

checkout pinned to actions/checkout@de0fac2e…#v6.0.2 (verified via API; matches the existing template + push-protection.md). yamllint (repo rules) + actionlint clean.

Adding these contexts to the code-quality ruleset is sequenced SEPARATELY (follow-up PR) and scoped to template/new repos — existing fleet repos have no coverage job, so a fleet-wide required `coverage` would brick them (the #575 finding).

Part of #575 (folded-in from closed #569). Epic #964.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* fix(bot): address bot feedback [skip ci-relay]

--------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Don Petry Bot <donpetry+bot@gmail.com>



What

Makes the `code-quality` ruleset enable-able by default on repos created from `petry-projects/repo-template` by ensuring the template's `ci.yml` produces the required checks, and reconciles the documented required-checks table with the codified ruleset.

`standards/workflows/ci.yml`
- `secret-scan` job (check `Secret scan (gitleaks)`) — the org standard (ci-standards.md §4, push-protection.md Layer 3) requires it in every repo's `ci.yml`; the template stub was missing it. Free on public repos; uses `GITLEAKS_LICENSE` on private org repos. Pinned `gitleaks/gitleaks-action@e0c47f4f… # v3.0.0`.
- `coverage` job (check `coverage`) — stack-aware: default lane runs shell (bats) line-coverage via `kcov` (the org's current YAML/Shell stack), passes green until `tests/**/*.bats` exist, and has commented per-stack blocks (Node/Go/Python) to expand. Makes `coverage` a real, producible required check instead of a stack-specific unknown.
- `build-and-test` stub unchanged (still the customize-per-stack, non-required job).

`standards/github-settings.md` §243

Reconciles the "Required Check Categories" table with the codified source of truth (`.github-private/.github/rulesets/code-quality.json`):
- `agent-shield / AgentShield` and `dependency-audit / Detect ecosystems` contexts.
- `Secret scan (gitleaks)` and `coverage` (now genuinely produced by the template `ci.yml` above and added to the ruleset in the companion `.github-private` PR).

Why

Validation of `repo-template` surfaced that (a) the enforced `code-quality.json` (SonarCloud, CodeQL, AgentShield, dependency-audit) diverged from the documented table (which listed Coverage + Secret Scan + Dev-Lead + CI Pipeline), and (b) the template `ci.yml` didn't produce `Secret scan (gitleaks)` or `coverage`. Companion `.github-private` PR adds the two contexts to `code-quality.json`.

Validation

`ci.yml` passes yamllint under this repo's exact config; jobs parse; check contexts are exactly `Secret scan (gitleaks)` and `coverage`.

Refs #966, epic #964.
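As an added example (not the repo-template `ci.yml` and not the push-protection.md job), this is the shape the two jobs take once the fixes named in the closing comment and the #578 commit message are applied: gitleaks CLI pinned and checksum-verified, `--config .gitleaks.toml`, `contents: read` only, and a `coverage` job that passes with no report until `tests/**/*.bats` exist. The checkout SHA, gitleaks version and checksum are placeholders, and kcov/bats being installable from apt on the runner is an assumption.

```yaml
# Added example, not the repo-template ci.yml. Values in <...> are placeholders.
name: ci
on: [push, pull_request]

permissions:
  contents: read   # least privilege for all jobs; nothing here uploads SARIF

jobs:
  secret-scan:
    name: Secret scan (gitleaks)   # must equal the ruleset's required context exactly
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@<full-40-hex-sha>   # placeholder; pin the v6.0.2 commit SHA
        with:
          fetch-depth: 0   # scan the whole history, not only the tip commit
      - name: Install pinned gitleaks CLI and verify its checksum
        env:
          GITLEAKS_VERSION: "<x.y.z>"            # placeholder
          GITLEAKS_SHA256: "<expected-sha256>"   # placeholder, taken from the release checksums
        run: |
          base="https://github.com/gitleaks/gitleaks/releases/download"
          curl -sSfL -o gitleaks.tgz \
            "${base}/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
          echo "${GITLEAKS_SHA256}  gitleaks.tgz" | sha256sum -c -   # fail closed on mismatch
          tar -xzf gitleaks.tgz gitleaks
      - name: Scan with the repo's own rules (any finding fails the job)
        run: ./gitleaks detect --source . --config .gitleaks.toml --redact --exit-code 1

  coverage:
    name: coverage   # job name kept as the required context
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@<full-40-hex-sha>   # placeholder
      - name: Shell/bats line coverage via kcov (green until tests exist)
        run: |
          # Green-until-tests: no .bats files means pass with no report,
          # so seeding this job never blocks a repo without a test suite.
          if ! find tests -name '*.bats' -print -quit 2>/dev/null | grep -q .; then
            echo "::notice::no tests/**/*.bats yet; coverage passes with no report"
            exit 0
          fi
          # Assumed: kcov and bats are installable from apt on the runner.
          sudo apt-get update -qq && sudo apt-get install -y -qq kcov bats
          mkdir -p coverage
          kcov --include-path="$PWD" coverage bats tests/
```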