
feat(ci-template): add secret-scan + coverage jobs to template ci.yml (#575)#578

Merged
don-petry merged 3 commits into
mainfrom
feat/template-ci-secretscan-coverage-575
Jul 2, 2026

Conversation

@don-petry don-petry commented Jul 2, 2026

Contributor

Summary

Adds the two org required-check producers to the day-0 CI template standards/workflows/ci.yml, so repos created from repo-template are forward-compatible with the code-quality ruleset. Folded in from closed #569 (epic #964), with both review fixes applied.

Jobs added (alongside the existing build-and-test stub)

secret-scan → Secret scan (gitleaks) — copied verbatim from push-protection.md#required-ci-job:

  • gitleaks CLI (not gitleaks/gitleaks-action — its v2+ needs a paid org license), fully pinned + checksum-verified via GITLEAKS_CHECKSUM.
  • Review fix (a): permissions: contents: read only — no SARIF upload, so no security-events: write.
  • Review fix (b): runs gitleaks detect --source . --config .gitleaks.toml --redact --verbose --exit-code 1. Requires a .gitleaks.toml at root — seeded by the companion .github-private PR (wires seed-repo-template.sh).

coverage → coverage — stack-aware, default shell/bats via kcov:

  • Green-until-tests (per your call): no bats tests → job succeeds without a report. Seeding it fleet-wide never bricks a repo without a suite; it enforces once tests exist.
  • Per-stack expansion (Node/Go/Python/Rust) documented inline; job id + name: kept coverage so the required check is stable.

Pins & lint

  • actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 — verified via gh api (matches the existing template + push-protection.md).
  • yamllint (repo rules: line-length 200, document-start disable) ✅ · pinned actionlint 1.7.7 ✅.

Sequencing / coupling

Part of #575. Epic #964.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • New Features
    • Added automated secret detection to catch exposed credentials before changes are merged.
    • Added a coverage validation check that reports test coverage when repository tests are present.
  • Bug Fixes
    • Improved CI reliability by keeping required check names stable, even when optional checks have nothing to run.

…lows/ci.yml (#575)

The day-0 CI template gains the two org required-check producers so repos created
from repo-template are forward-compatible with the code-quality ruleset:

- secret-scan → `Secret scan (gitleaks)`: copied verbatim from
  push-protection.md#required-ci-job — gitleaks CLI (the action's v2+ needs a paid
  org license), fully pinned + checksum-verified, `--config .gitleaks.toml`,
  `--redact`, `--exit-code 1`, `contents: read` only (no SARIF upload, so no
  `security-events: write`). Requires a .gitleaks.toml at repo root, seeded
  alongside this template (companion .github-private PR wires seed-repo-template.sh).
- coverage → `coverage`: stack-aware, default shell/bats via kcov. Green-until-tests
  — succeeds with no report when a stack emits no coverage, so seeding it fleet-wide
  never bricks a repo without a test suite; enforces once tests exist. Per-stack
  expansion blocks (Node/Go/Python/Rust) documented inline; job name kept `coverage`.

checkout pinned to actions/checkout@de0fac2e…#v6.0.2 (verified via API; matches the
existing template + push-protection.md). yamllint (repo rules) + actionlint clean.

Adding these contexts to the code-quality ruleset is sequenced SEPARATELY (follow-up
PR) and scoped to template/new repos — existing fleet repos have no coverage job, so
a fleet-wide required `coverage` would brick them (the #575 finding).

Part of #575 (folded-in from closed #569). Epic #964.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
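The two template jobs described in the PR body and commit message, written out as an added illustration of what such a day-0 `ci.yml` looks like. This is example code written for this page, not the repository's own standards/workflows/ci.yml. Values taken from the page: the job ids and check names, the actions/checkout pin, gitleaks 8.30.1, the `gitleaks detect` flags, the `/tmp` extraction plus `sudo mv` install, and the `contents: read` permission. Assumptions not on the page: the release asset name follows gitleaks' `gitleaks_<version>_linux_x64.tar.gz` convention, the checksum value is a placeholder to be copied from push-protection.md, `fetch-depth: 0` is set so history is scanned, and bats/kcov come from distro packages with tests under `tests/`.

```yaml
name: CI

on:
  pull_request:
  push:
    branches: [main]

jobs:
  # Produces the org required check "Secret scan (gitleaks)".
  secret-scan:
    name: Secret scan (gitleaks)
    runs-on: ubuntu-latest
    permissions:
      contents: read   # no SARIF upload, so no security-events: write
    env:
      GITLEAKS_VERSION: "8.30.1"
      # Placeholder: copy the published sha256 from push-protection.md#required-ci-job.
      GITLEAKS_CHECKSUM: "<sha256-of-gitleaks_8.30.1_linux_x64.tar.gz>"
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0   # assumption: full history so gitleaks scans every commit, not just HEAD
      - name: Install gitleaks (pinned, checksum-verified)
        run: |
          set -euo pipefail
          # Assumption: asset name follows the gitleaks release naming convention.
          curl -fsSL -o /tmp/gitleaks.tar.gz \
            "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
          # sha256sum -c exits non-zero on mismatch, so a tampered or wrong download fails the job.
          echo "${GITLEAKS_CHECKSUM}  /tmp/gitleaks.tar.gz" | sha256sum -c -
          # Extract to /tmp first, then move with sudo: /usr/local/bin is root-owned on hosted runners.
          tar -xzf /tmp/gitleaks.tar.gz -C /tmp gitleaks
          sudo mv /tmp/gitleaks /usr/local/bin/gitleaks
          gitleaks version
      - name: Scan
        # --redact keeps secret values out of the job log; --exit-code 1 fails the check on findings.
        # Requires .gitleaks.toml at the repo root (seeded by repo-template tooling).
        run: gitleaks detect --source . --config .gitleaks.toml --redact --verbose --exit-code 1

  # Produces the org required check "coverage". Green until a test suite exists.
  coverage:
    name: coverage
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Shell/bats coverage via kcov
        run: |
          set -euo pipefail
          # Assumption: bats files live under tests/. No suite -> succeed without a report,
          # so seeding this job fleet-wide cannot break a repo that has no tests yet.
          if ! find tests -name '*.bats' -print -quit 2>/dev/null | grep -q .; then
            echo "No bats tests found; coverage job passes without a report."
            exit 0
          fi
          # Assumption: bats and kcov are available as distro packages on the runner image.
          sudo apt-get update -qq && sudo apt-get install -y -qq bats kcov
          kcov --include-path="$PWD" coverage/ bats tests/
          # Per-stack expansion point: swap the kcov line for the Node/Go/Python/Rust tool,
          # but keep the job id and name "coverage" so the required check context stays stable.
```

The two properties the PR body emphasises are visible in the shape of the file: `permissions` is declared per job at `contents: read`, so neither job can write to the repository or upload security events, and the coverage job's early `exit 0` is what lets it be added as a required check before any repo has tests. Adding `Secret scan (gitleaks)` and `coverage` to the branch ruleset remains a separate step, as the commit message notes.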
@don-petry don-petry requested a review from a team as a code owner July 2, 2026 14:43
Copilot AI review requested due to automatic review settings July 2, 2026 14:43

coderabbitai Bot commented Jul 2, 2026



Walkthrough

The CI workflow template gains two new required jobs: secret-scan, which installs a checksum-verified gitleaks CLI and fails on detected secrets, and coverage, which runs bats/kcov coverage generation when bats tests exist and otherwise passes. Documentation comments were added describing these required job names.

Changes

CI Template Job Additions

Layer: Secret-scan and coverage jobs
File(s): standards/workflows/ci.yml
Summary: Adds secret-scan job (checksum-verified gitleaks install, requires .gitleaks.toml, runs gitleaks detect --redact --verbose --exit-code 1) and coverage job (bats/kcov coverage generation, passes green when no bats tests exist, placeholder for per-stack expansion), plus comments documenting these org-required job names.

Estimated code review effort: 3 (Moderate) | ~20 minutes

Possibly related PRs

  • petry-projects/.github#11: Adds the same required secret-scan and coverage jobs to the shared ci.yml template.
  • petry-projects/.github#167: Introduces the canonical gitleaks checksum verification and .gitleaks.toml pattern used by the new secret-scan job.
  • petry-projects/.github#260: Adjusts a secret-scan job running gitleaks detect with the same --redact --verbose --exit-code 1 flags.
🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Linked Issues check — ⚠️ Warning. Explanation: The CI jobs align with #569, but the required-checks docs/ruleset reconciliation requested in the issue isn't shown in this PR. Resolution: Update the required-checks documentation table in standards/github-settings.md, or link the separate PR that performs that reconciliation.

✅ Passed checks (4 passed)

  • Description Check — ✅ Passed. Check skipped: CodeRabbit's high-level summary is enabled.
  • Title check — ✅ Passed. The title accurately summarizes the main change: adding secret-scan and coverage jobs to the template CI.
  • Out of Scope Changes check — ✅ Passed. All observed changes are scoped to the requested CI workflow jobs and related workflow documentation.
  • Docstring Coverage — ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

@don-petry

Contributor Author

Dev-Lead — review-changes (no-changes)

No changes were needed for this PR.

@don-petry don-petry enabled auto-merge (squash) July 2, 2026 14:44
@gemini-code-assist

Contributor

Warning

Gemini encountered an error creating the review. You can try again by commenting /gemini review.

@don-petry don-petry disabled auto-merge July 2, 2026 14:46

Copilot AI left a comment

Contributor


Pull request overview

Updates the day-0 CI workflow template (standards/workflows/ci.yml) so repositories created from repo-template will produce the org’s required-check contexts for secret scanning and coverage, aligning the template with evolving code-quality ruleset expectations.

Changes:

  • Add a secret-scan job that runs gitleaks and produces the Secret scan (gitleaks) check.
  • Add a stack-aware coverage job (defaulting to shell/bats via kcov) that is “green until tests exist”.
  • Update the top-of-file adoption notes to document the additional default jobs and required check stability expectations.

Comment thread standards/workflows/ci.yml Outdated
Comment thread standards/workflows/ci.yml Outdated
coderabbitai[bot]
coderabbitai Bot previously approved these changes Jul 2, 2026
@don-petry

Contributor Author

Dev-Lead — fix-bot-comment (applied)

Changes committed and pushed.

@don-petry

Contributor Author

Dev-Lead — review-changes (no-changes)

No changes were needed for this PR.

@don-petry don-petry enabled auto-merge (squash) July 2, 2026 14:49
@don-petry don-petry disabled auto-merge July 2, 2026 14:49
@don-petry

Contributor Author

Dev-Lead — fix-bot-comment (no-changes)

Agent reasoning
Issues addressed: 0
Files changed: none
Skipped (informational): 0
Summary: Quality Gate passed with 0 new issues, 0 security hotspots, and no Tier 1 blockers. No action required.

@don-petry don-petry enabled auto-merge (squash) July 2, 2026 14:50

@donpetry-bot donpetry-bot left a comment

Contributor


Automated review — APPROVED ✓

Risk: MEDIUM
Reviewed commit: 1190d33b3d52c0152d8cf2cf7aae8b765659ed62
Review mode: triage-approved (single reviewer)

Summary

Adds the two org required-check producers (secret-scan → Secret scan (gitleaks) and coverage) to the day-0 CI template standards/workflows/ci.yml (+72/-0, one file). The triage assessment holds: this is a template file (not an executing workflow in this repo), the gitleaks job matches the canonical push-protection.md#required-ci-job (version 8.30.1 and checksum 551f6fc8… verified identical), and the actions/checkout pin de0fac2e… was verified via the GitHub API to be exactly the v6.0.2 tag commit. Permissions are least-privilege (contents: read per job), --redact prevents secret values reaching logs, and the coverage job is green-until-tests so seeding cannot brick repos without suites.

Linked issue analysis

No formally linked closing issue; the PR body references #575 (epic #964). Verified against issue #575: this PR implements scope item 5(a) — ship the required-check producer jobs via the template ci.yml — while correctly deferring the code-quality ruleset context additions to a separate follow-up, exactly the sequencing #575 mandates to avoid bricking existing fleet repos. Substantively on-scope.

Findings

No blocking findings.

  • Both Copilot inline review threads (misleading ".gitleaks.toml seeded with this template" wording; tar -C /usr/local/bin failing on root-owned dirs) are resolved — fixes verified in the head commit (wording clarified to "seeded by repo-template tooling"; extraction now goes to /tmp + sudo mv).
  • Non-blocking observation: the PR calls the gitleaks job "copied verbatim" from push-protection.md, but the tar-extraction fix now deviates from the doc (which still has the tar -C /usr/local/bin variant that would fail on hosted runners). Consider a follow-up updating push-protection.md#required-ci-job to match, so the canonical doc stays authoritative.
  • Coupling noted in the PR body: repos seeded from this template need the .gitleaks.toml from the companion .github-private seed PR, or secret-scan fails on missing config. Land together as stated.
  • MCP run_secret_scanning tool was not available in this environment; the repo's own Secret scan (gitleaks) CI check passed on the head SHA. No secrets in the diff (the hex string is a published release checksum, deliberately named GITLEAKS_CHECKSUM to avoid the SonarCloud false positive).

CI status

All checks green on head 1190d33: Lint, ShellCheck, Agent Security Scan, Secret scan (gitleaks), CodeQL (actions), SonarCloud (quality gate passed, 0 new issues / 0 hotspots), CodeRabbit, dependency-audit ecosystem detection (language-specific audits skipped as expected for a YAML-only change). Merge state is BEHIND main — needs a branch update before merge, but nothing failing.


Reviewed automatically by the PR-review agent (single-reviewer mode: fable 5). Reply if you need a human review.

@sonarqubecloud

sonarqubecloud Bot commented Jul 2, 2026


@don-petry don-petry merged commit 2bad8dd into main Jul 2, 2026
20 of 21 checks passed
@don-petry don-petry deleted the feat/template-ci-secretscan-coverage-575 branch July 2, 2026 15:40

@coderabbitai coderabbitai Bot left a comment



Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@standards/workflows/ci.yml`:
- Around line 85-86: The gitleaks install block in the CI workflow is not
matching the canonical copied snippet, so make the `gitleaks` setup in the
workflow template verbatim with the source standard used by the job comment.
Locate the install sequence around the `tar -xzf` and `sudo mv` commands in the
workflow, then either update the referenced standard snippet first and copy it
exactly or change this workflow to match the documented command block without
regeneration.
📥 Commits

Reviewing files that changed from the base of the PR and between 166725e and a2c9632.

📒 Files selected for processing (1)
  • standards/workflows/ci.yml

Comment on lines +85 to +86
tar -xzf /tmp/gitleaks.tar.gz -C /tmp gitleaks
sudo mv /tmp/gitleaks /usr/local/bin



📐 Maintainability & Code Quality | 🟠 Major | ⚡ Quick win

Keep the copied gitleaks install block verbatim.

This install sequence differs from the canonical standards/push-protection.md snippet even though the job comment says it is copied verbatim. Either update the source standard first and copy that exact block here, or align this template with the documented command.

Align with the referenced standard
-          tar -xzf /tmp/gitleaks.tar.gz -C /tmp gitleaks
-          sudo mv /tmp/gitleaks /usr/local/bin
+          tar -xzf /tmp/gitleaks.tar.gz -C /usr/local/bin gitleaks
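Review bot: the suggested replacement `tar -xzf /tmp/gitleaks.tar.gz -C /usr/local/bin gitleaks` reintroduces the defect this PR's head commit fixed: extracting directly into /usr/local/bin without sudo fails on hosted runners where that directory is root-owned, which is the Copilot inline thread the automated review above records as resolved by the `/tmp` + `sudo mv` form. Matching the template to the standard is the right goal, but copying the failing variant back is the wrong direction; the fix that satisfies the "copied verbatim" guideline is to update push-protection.md#required-ci-job to the two-line `/tmp` extraction + `sudo mv` sequence first, then the template and the canonical doc agree and neither breaks on a hosted runner.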

As per coding guidelines, standards/workflows/**: Workflow templates in standards/workflows/ should be copied verbatim, not regenerated.


don-petry added a commit to petry-projects/.github-private that referenced this pull request Jul 3, 2026
…leaks.toml (#575) (#1014)

* feat(seed): seed .gitleaks.toml into the repo template from standards/gitleaks.toml (#575)

The template ci.yml's secret-scan job runs `gitleaks detect --config .gitleaks.toml`
(push-protection.md), which fails file-not-found unless every repo ships a
.gitleaks.toml at root. Seed it as a baseline file so day-0 repos are green.

- BASELINE_MANIFEST: add `.gitleaks.toml|fetch:standards/gitleaks.toml`.
- _emit_baseline: generalize the fetch source — bare `fetch` stays the Dependabot
  stack special case; new `fetch:<standards-path>` fetches that path verbatim
  (the form the manifest header already documented). Unknown sources fail loud.
- Tests: verbatim-fetch + fail-loud for .gitleaks.toml; add it to the baseline-set
  list; provision the fixture + assert the cross-repo write in the seeding e2e.
  28/28 seed bats pass; shellcheck --severity=warning -x clean.

Companion to petry-projects/.github#578 (adds the secret-scan job to the template
ci.yml). Land together so a seeded repo has both the job and its config.

Part of #575 (folded-in from closed #1001). Epic #964.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* chore: dev-lead update (review-changes) [skip ci-relay]

* chore: dev-lead update (review-changes) [skip ci-relay]

---------

Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-authored-by: Don Petry Bot <donpetry+bot@gmail.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>