Skip to content

fix(code-quality): add secret-scan + coverage to template ci.yml; reconcile required-checks docs (#966)#569

Closed
don-petry wants to merge 2 commits into
mainfrom
fix/code-quality-secret-scan-coverage-966
Closed

fix(code-quality): add secret-scan + coverage to template ci.yml; reconcile required-checks docs (#966)#569
don-petry wants to merge 2 commits into
mainfrom
fix/code-quality-secret-scan-coverage-966

Conversation

@don-petry

Copy link
Copy Markdown
Contributor

What

Makes the code-quality ruleset enable-able by default on repos created from petry-projects/repo-template by ensuring the template's ci.yml produces the required checks, and reconciles the documented required-checks table with the codified ruleset.

standards/workflows/ci.yml

  • Adds the secret-scan job (check Secret scan (gitleaks)) — the org standard (ci-standards.md §4, push-protection.md Layer 3) requires it in every repo's ci.yml; the template stub was missing it. Free on public repos; uses GITLEAKS_LICENSE on private org repos. Pinned gitleaks/gitleaks-action@e0c47f4f… # v3.0.0.
  • Adds the coverage job (check coverage) — stack-aware: default lane runs shell (bats) line-coverage via kcov (the org's current YAML/Shell stack), passes green until tests/**/*.bats exist, and has commented per-stack blocks (Node/Go/Python) to expand. Makes coverage a real, producible required check instead of a stack-specific unknown.
  • build-and-test stub unchanged (still the customize-per-stack, non-required job).

standards/github-settings.md §243

Reconciles the "Required Check Categories" table with the codified source of truth (.github-private/.github/rulesets/code-quality.json):

  • Adds the actually-enforced agent-shield / AgentShield and dependency-audit / Detect ecosystems contexts.
  • Keeps Secret scan (gitleaks) and coverage (now genuinely produced by the template ci.yml above and added to the ruleset in the companion .github-private PR).
  • Marks Dev-Lead Agent (per-PR; supplies the CODEOWNER approval, not a status-check context) and CI Pipeline (repo-specific job name, not universal) as not-required-contexts, removing the docs↔enforcement divergence.

Why

Validation of repo-template surfaced that (a) the enforced code-quality.json (SonarCloud, CodeQL, AgentShield, dependency-audit) diverged from the documented table (which listed Coverage + Secret Scan + Dev-Lead + CI Pipeline), and (b) the template ci.yml didn't produce Secret scan (gitleaks) or coverage. Companion .github-private PR adds the two contexts to code-quality.json.

Validation

  • ci.yml passes yamllint under this repo's exact config; jobs parse; check contexts are exactly Secret scan (gitleaks) and coverage.
  • gitleaks + checkout SHAs verified via the API.

Refs #966, epic #964.

@don-petry don-petry requested a review from a team as a code owner July 1, 2026 16:33
Copilot AI review requested due to automatic review settings July 1, 2026 16:33
@chatgpt-codex-connector

Copy link
Copy Markdown

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, you can upgrade your account or add credits to your account and enable them for code reviews in your settings.

@coderabbitai

coderabbitai Bot commented Jul 1, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@don-petry, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 52 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 776c686a-72c4-43bb-89eb-58c37b61123e

📥 Commits

Reviewing files that changed from the base of the PR and between 4751514 and 21f0c39.

📒 Files selected for processing (2)
  • standards/github-settings.md
  • standards/workflows/ci.yml
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/code-quality-secret-scan-coverage-966

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@sonarqubecloud

sonarqubecloud Bot commented Jul 1, 2026

Copy link
Copy Markdown

@gemini-code-assist

Copy link
Copy Markdown
Contributor

Warning

Gemini encountered an error creating the review. You can try again by commenting /gemini review.

@don-petry

Copy link
Copy Markdown
Contributor Author

Dev-Lead — review-changes (no-changes)

No changes were needed for this PR.

@don-petry don-petry enabled auto-merge (squash) July 1, 2026 16:35

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Aligns the org’s repo-template CI workflow template with the code-quality ruleset by ensuring the template produces the required Secret scan (gitleaks) and coverage check contexts, and updates the required-checks documentation to match the codified ruleset source of truth.

Changes:

  • Added a secret-scan job (Gitleaks) and a stack-aware coverage job to standards/workflows/ci.yml so new repos can enable code-quality by default.
  • Updated standards/github-settings.md to make the required-checks table match the codified ruleset contexts (and clarify what is/isn’t a required status-check context).

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File Description
standards/workflows/ci.yml Adds Secret scan (gitleaks) and coverage jobs to produce required code-quality contexts.
standards/github-settings.md Reconciles required-check documentation with the codified code-quality ruleset contexts and clarifies non-context requirements.

Comment on lines +64 to +67
permissions:
contents: read
security-events: write
steps:
Comment on lines +76 to +77
with:
args: detect --source . --redact --verbose --exit-code 1
@donpetry-bot

Copy link
Copy Markdown
Contributor

Review — fix requested (cycle 1/3)

The automated review identified the following issues. Please address each one:

Findings to fix

Automated review — NEEDS HUMAN REVIEW

Risk: MEDIUM
Reviewed commit: 21f0c39b422b9e7b28016c50e0e82d4331a34636
Cascade: triage → audit (triage: haiku 4.5 → deep: opus 4.8 + duck: o4-mini → audit: fable 5)

Summary

Confirmed both deep-review/Copilot findings against the codified org standard (push-protection.md 'Required CI job'): the new secret-scan job in the org repo-template ci.yml grants an unused security-events: write scope (the standard mandates contents: read only) and invokes gitleaks WITHOUT the mandatory --config .gitleaks.toml flag. Both defects ship verbatim into every new org repo. Action SHAs (gitleaks v3.0.0, checkout v6.0.2) independently re-verified correct and no injection/secret-handling issues found, but the two standards deviations block approval; escalating.

Findings

  • MAJOR: secret-scan job grants 'security-events: write' with no SARIF/upload-sarif step, so the scope is unused. The codified org standard's canonical secret-scan template (push-protection.md 'Required CI job') specifies 'permissions: contents: read' ONLY. The over-broad token scope contradicts the PR's own 'least-privilege per job' convention comment and, because this is the repo-template ci.yml, propagates org-wide to every new repo. Fix: drop 'security-events: write', leaving 'contents: read'. (standards/workflows/ci.yml, line 67)
  • MAJOR: gitleaks is invoked as 'detect --source . --redact --verbose --exit-code 1', missing the standard-mandated '--config .gitleaks.toml'. Verified against push-protection.md: the example (line ~241) and the MUST list (line ~257) both require '--config .gitleaks.toml' to suppress known false positives (generic-api-key rule firing on _bmad/ knowledge-file paths). Omitting it makes adopting repos diverge from mandated behavior and risks noisy false-positive failures. Fix nuance: the same standard also requires every adopting repo to ship a root '.gitleaks.toml' (else '--config' fails file-not-found), so the corrected template must both add the flag AND ensure repo-template ships '.gitleaks.toml' (copy standards/gitleaks.toml) to stay green on day 0. (standards/workflows/ci.yml, line 77)
  • INFO: Independently re-verified both action pins via the GitHub API: gitleaks/gitleaks-action@e0c47f4 == v3.0.0 and actions/checkout@de0fac2 == v6.0.2. Both correct; no typosquat/unpinned/lockfile-drift issues. Using the licensed action (with GITLEAKS_LICENSE) instead of the standard's default CLI install is explicitly permitted by push-protection.md, so it is NOT a finding. (standards/workflows/ci.yml)
  • INFO: No expression-injection or untrusted-input surface: no pull_request_target, no interpolation of untrusted ${{ }} into run: steps; GITHUB_TOKEN and GITLEAKS_LICENSE are passed via secrets. fetch-depth: 0, --redact, and --exit-code 1 are all present and correct. The coverage job's apt/kcov install runs on trusted template content. reviewDecision REVIEW_REQUIRED and mergeStateStatus BLOCKED — required human/CODEOWNER approval gate is not yet satisfied regardless. (standards/workflows/ci.yml)

Reviewed by the PR-review cascade (triage: haiku 4.5 → deep: opus 4.8 + duck: o4-mini → audit: fable 5). Reply if you need a human review.

Additional tasks

  1. Resolve all unresolved review thread comments from other reviewers
  2. Ensure all CI checks pass after your changes
  3. Rebase on the target branch if behind
  4. Do NOT modify files unrelated to the findings above

The review cascade will automatically re-review after new commits are pushed.

@don-petry

Copy link
Copy Markdown
Contributor Author

Closing and folding into #575. The template ci.yml secret-scan + coverage jobs (with two review fixes: drop security-events:write; gitleaks --config .gitleaks.toml + seed a .gitleaks.toml) and the §243 table reconciliation will land against the RELOCATED code-quality ruleset, sequenced safely. Details captured in #575.

@don-petry don-petry closed this Jul 2, 2026
auto-merge was automatically disabled July 2, 2026 13:54

Pull request was closed

don-petry added a commit that referenced this pull request Jul 2, 2026
…#575) (#578)

* feat(ci-template): add secret-scan + coverage jobs to standards/workflows/ci.yml (#575)

The day-0 CI template gains the two org required-check producers so repos created
from repo-template are forward-compatible with the code-quality ruleset:

- secret-scan → `Secret scan (gitleaks)`: copied verbatim from
  push-protection.md#required-ci-job — gitleaks CLI (the action's v2+ needs a paid
  org license), fully pinned + checksum-verified, `--config .gitleaks.toml`,
  `--redact`, `--exit-code 1`, `contents: read` only (no SARIF upload, so no
  `security-events: write`). Requires a .gitleaks.toml at repo root, seeded
  alongside this template (companion .github-private PR wires seed-repo-template.sh).
- coverage → `coverage`: stack-aware, default shell/bats via kcov. Green-until-tests
  — succeeds with no report when a stack emits no coverage, so seeding it fleet-wide
  never bricks a repo without a test suite; enforces once tests exist. Per-stack
  expansion blocks (Node/Go/Python/Rust) documented inline; job name kept `coverage`.

checkout pinned to actions/checkout@de0fac2e…#v6.0.2 (verified via API; matches the
existing template + push-protection.md). yamllint (repo rules) + actionlint clean.

Adding these contexts to the code-quality ruleset is sequenced SEPARATELY (follow-up
PR) and scoped to template/new repos — existing fleet repos have no coverage job, so
a fleet-wide required `coverage` would brick them (the #575 finding).

Part of #575 (folded-in from closed #569). Epic #964.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Don Petry Bot <donpetry+bot@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants