33 changes: 33 additions & 0 deletions .github/workflows/codacy-zero.yml
@@ -0,0 +1,33 @@
name: Codacy Zero

on:
push:
branches: [main, master]
pull_request:
branches: [main, master]
workflow_dispatch:

permissions:
contents: read

jobs:
codacy-zero:
name: Codacy Zero
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- name: Assert Codacy zero-open gate
env:
CODACY_API_TOKEN: ${{ secrets.CODACY_API_TOKEN }}
run: |
python3 scripts/quality/check_codacy_zero.py \
--owner "${GITHUB_REPOSITORY_OWNER}" \
--repo "${GITHUB_REPOSITORY#*/}" \
--out-json "codacy-zero/codacy.json" \
--out-md "codacy-zero/codacy.md"
- name: Upload Codacy artifacts
if: always()
uses: actions/upload-artifact@v4
with:
name: codacy-zero
path: codacy-zero
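
Review bot: the `uses: actions/checkout@v6` and `uses: actions/upload-artifact@v4` steps in this hunk reference mutable tags; pin both to a full-length commit SHA with the release tag in a trailing comment (`uses: actions/checkout@<full_sha> # v6`), the same finding raised on codecov-analytics.yml and deepscan-zero.yml below. The `Assert Codacy zero-open gate` step also hands `CODACY_API_TOKEN` to the script without checking that the secret is present; on `pull_request` runs from forks, where repository secrets are not exposed, the gate would fail with whatever error the script raises instead of a clear message. The `Validate Codecov token` step in codecov-analytics.yml (`if [ -z "${CODECOV_TOKEN}" ]; then ... exit 1`) is the pattern to mirror here.
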
42 changes: 42 additions & 0 deletions .github/workflows/codecov-analytics.yml
@@ -0,0 +1,42 @@
name: Codecov Analytics

on:
push:
branches: [main, master]
pull_request:
branches: [main, master]
workflow_dispatch:

permissions:
contents: read

jobs:
codecov-analytics:
name: Codecov Analytics
runs-on: ubuntu-latest
env:
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
steps:
- uses: actions/checkout@v6
- uses: actions/setup-python@v6
with:
python-version: '3.12'
- uses: actions/setup-node@v6
with:
Comment on lines +20 to +25
⚠️ Potential issue | 🟠 Major

❓ Verification inconclusive

Script executed:

cat .github/workflows/codecov-analytics.yml

Repository: Prekzursil/SWFOC-Mod-Menu
Exit code: 0

stdout:

name: Codecov Analytics

on:
  push:
    branches: [main, master]
  pull_request:
    branches: [main, master]
  workflow_dispatch:

permissions:
  contents: read

jobs:
  codecov-analytics:
    name: Codecov Analytics
    runs-on: ubuntu-latest
    env:
      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-python@v6
        with:
          python-version: '3.12'
      - uses: actions/setup-node@v6
        with:
          node-version: '20'
      - name: Validate Codecov token
        run: |
          if [ -z "${CODECOV_TOKEN}" ]; then
            echo "Missing CODECOV_TOKEN" >&2
            exit 1
          fi

      - uses: actions/setup-dotnet@v4
        with:
          dotnet-version: '8.0.x'
      - name: Run tests with coverage
        run: |
          mkdir -p coverage
          dotnet restore
          dotnet test tests/SwfocTrainer.Tests/SwfocTrainer.Tests.csproj -c Release             /p:CollectCoverage=true             /p:CoverletOutput=./TestResults/coverage.cobertura.xml             /p:CoverletOutputFormat=cobertura
      - name: Upload coverage to Codecov
        uses: codecov/codecov-action@v5
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          files: tests/SwfocTrainer.Tests/TestResults/coverage.cobertura.xml
          flags: dotnet
          fail_ci_if_error: true
          verbose: true

🌐 Web query:

GitHub Actions pinning best practices security mutable tags SHA

💡 Result:

GitHub Actions pinning (security) — best practices

  • Prefer pinning every third‑party action to a full‑length commit SHA (40 chars) in uses: to make the reference immutable and reduce supply‑chain risk from moved tags/branches. Example: uses: actions/checkout@<sha> # vX.Y.Z. [1][2]
  • Don’t rely on mutable tags like @v1 / @main (or even @v1.2.3 if it’s not protected by immutability), because tags can be moved/deleted if a repo is compromised. [1]
  • If you use tags, prefer “immutable releases/tags” (GitHub’s immutable releases lock the release tag and assets so they can’t be changed). [3][4]
  • Pin to SHAs that correspond to a tagged release (not an arbitrary commit) and record the human version in a comment—this makes review/auditing easier and helps automation propose safe upgrades. [2]
  • Enable Dependabot “github-actions” updates so SHA-pinned actions can be regularly bumped via PRs. [5][6]
  • Enforce pinning via policy (enterprise/org/repo): GitHub Actions policy can require actions to be pinned to a full-length SHA; noncompliant workflows fail. [7][8]
  • Remember: SHA pinning isn’t enough if the action has mutable dependencies (e.g., unpinned container images, downloaded scripts, nested actions not pinned). Audit for hidden mutability. [2]

Sources

[1] GitHub Docs – Security hardening for GitHub Actions (third‑party actions, SHA vs tags) (docs.github.com)
[2] GitHub Well‑Architected – Actions security recommendations (SHA pinning, comments, mutable deps, enforcement) (wellarchitected.github.com)
[3] GitHub Docs – Immutable releases (what they protect) (docs.github.com)
[4] GitHub Docs – Using immutable releases and tags for actions (docs.github.com)
[5] GitHub Docs – Keeping your actions up to date with Dependabot (docs.github.com)
[6] GitHub Changelog – Dependabot updates support reusable workflows (github.blog)
[7] GitHub Docs (Enterprise) – Policies: “Require actions to be pinned to a full-length commit SHA” (docs.github.com)
[8] GitHub Changelog (2025‑08‑15) – Policy supports SHA pinning enforcement (github.blog)

Pin all GitHub Actions to immutable commit SHAs.

Lines 20, 21, 24, and 43 use mutable version tags (@v6, @v5), which can be moved, deleted, or compromised. According to GitHub security hardening guidance, pin to full-length commit SHAs (40 chars) and add a comment with the human-readable version for maintainability and auditability. Use Dependabot to automate SHA updates.

Example hardening pattern
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@abc123def456... # v6
-      - uses: actions/setup-python@v6
+      - uses: actions/setup-python@abc123def456... # v6
-      - uses: actions/setup-node@v6
+      - uses: actions/setup-node@abc123def456... # v6
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@abc123def456... # v5
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/codecov-analytics.yml around lines 20 - 25, Replace
mutable action tags with immutable full-length commit SHAs for each used action
(e.g., actions/checkout@v6, actions/setup-python@v6, actions/setup-node@v6 and
any other `@v5/`@v6 uses) by finding those occurrences and changing them to the
corresponding 40-character commit SHA for the action repository; also add a
trailing comment on each step with the human-readable tag (e.g., //
actions/checkout@v6) for auditability and enable Dependabot to update SHAs
automatically. Ensure you update every instance (including the uses at lines
showing actions/checkout, actions/setup-python, actions/setup-node and any other
mutable tags) and keep the step keys (uses:) and input blocks unchanged.

node-version: '20'

- uses: actions/setup-dotnet@v4
with:
dotnet-version: '8.0.x'
- name: Run tests with coverage
run: |
mkdir -p coverage
dotnet restore
dotnet test tests/SwfocTrainer.Tests/SwfocTrainer.Tests.csproj -c Release /p:CollectCoverage=true /p:CoverletOutput=./TestResults/coverage.cobertura.xml /p:CoverletOutputFormat=cobertura
- name: Upload coverage to Codecov
uses: codecov/codecov-action@v5

Check warning on line 37 in .github/workflows/codecov-analytics.yml

Codacy Production / Codacy Static Code Analysis

.github/workflows/codecov-analytics.yml#L37

An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release.
with:
files: tests/SwfocTrainer.Tests/TestResults/coverage.cobertura.xml
Comment on lines +31 to +39

Action required

4. Coverlet coverage not wired 🐞 Bug ⛯ Reliability

The workflows pass MSBuild Coverlet properties (CollectCoverage, CoverletOutput), but the test
project/repo does not reference any Coverlet package/config, so the coverage file likely won’t be
generated and downstream steps will fail.
Agent Prompt
## Issue description
Coverage workflows configure Coverlet output but the repo has no Coverlet dependency/configuration, so the expected Cobertura file likely won’t be produced.

## Issue Context
Both the Codecov upload step and the `Coverage 100 Gate` script rely on `tests/SwfocTrainer.Tests/TestResults/coverage.cobertura.xml`.

## Fix Focus Areas
- tests/SwfocTrainer.Tests/SwfocTrainer.Tests.csproj[7-16]
- .github/workflows/codecov-analytics.yml[37-46]
- .github/workflows/coverage-100.yml[29-40]


flags: dotnet
fail_ci_if_error: true
verbose: true
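
Review bot: `actions/setup-python@v6` and `actions/setup-node@v6` are unused in this job; every step after them is `dotnet restore`, `dotnet test` and the Codecov upload, with no python3 or Node invocation, so drop both (the same point the review of coverage-100.yml makes for its Node step) to shorten the job and shrink the set of third-party actions that need pinning. `CODECOV_TOKEN` is also exported as job-level `env:`, which makes the secret visible to checkout, the setup actions and the `dotnet test` run; only `Validate Codecov token` reads it, and the upload step already receives it through `token: ${{ secrets.CODECOV_TOKEN }}`, so move the variable into that one step's `env:`. Minor: `mkdir -p coverage` creates a directory nothing in this job writes to, since `CoverletOutput` points at `./TestResults/` under the test project.
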
49 changes: 49 additions & 0 deletions .github/workflows/coverage-100.yml
@@ -0,0 +1,49 @@
name: Coverage 100

on:
push:
branches: [main, master]
pull_request:
branches: [main, master]
workflow_dispatch:

permissions:
contents: read

jobs:
coverage-100:
name: Coverage 100 Gate
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: actions/setup-python@v6
with:
python-version: '3.12'
- uses: actions/setup-node@v6
with:
node-version: '20'
Comment on lines +22 to +24
⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

cat .github/workflows/coverage-100.yml

Repository: Prekzursil/SWFOC-Mod-Menu

Length of output: 1476


🏁 Script executed:

rg -n -C2 -e 'setup-node|node-version|npm|pnpm|yarn|\\bnode\\b' .github/workflows/coverage-100.yml

Repository: Prekzursil/SWFOC-Mod-Menu

Length of output: 254


Remove unused Node setup from this workflow.

Line 22 adds actions/setup-node@v6, but this job does not execute any Node tooling. The workflow runs dotnet test and python3 scripts only. Removing it will reduce gate runtime and CI surface area.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/coverage-100.yml around lines 22 - 24, Remove the unused
Node setup step (the actions/setup-node@v6 step with node-version: '20') from
the workflow; locate the step that references actions/setup-node@v6 and delete
that entire step block so the job only runs the dotnet test and python3-related
steps, ensuring no other steps depend on Node before committing the change.


- uses: actions/setup-dotnet@v4
with:
dotnet-version: '8.0.x'
- name: Run tests with coverage
run: |
mkdir -p coverage
dotnet restore
dotnet test tests/SwfocTrainer.Tests/SwfocTrainer.Tests.csproj -c Release /p:CollectCoverage=true /p:CoverletOutput=./TestResults/coverage.cobertura.xml /p:CoverletOutputFormat=cobertura

Comment on lines +14 to +34

Action required

3. Linux runner for windows tests 🐞 Bug ✓ Correctness

The new coverage workflows run dotnet test on ubuntu-latest, but the test project targets
net8.0-windows, so these jobs are likely to fail to build/run and will block merges.
Agent Prompt
## Issue description
Coverage workflows run on `ubuntu-latest` but execute tests from a `net8.0-windows` test project, which is expected to fail on Linux.

## Issue Context
The repo’s main CI already runs tests on `windows-latest`, indicating Windows is required.

## Fix Focus Areas
- .github/workflows/coverage-100.yml[14-34]
- .github/workflows/codecov-analytics.yml[14-41]
- (optional) tests/SwfocTrainer.Tests/SwfocTrainer.Tests.csproj[1-6]


- name: Enforce 100% coverage
run: |
python3 scripts/quality/assert_coverage_100.py \
--xml "dotnet=tests/SwfocTrainer.Tests/TestResults/coverage.cobertura.xml" \
--out-json "coverage-100/coverage.json" \
--out-md "coverage-100/coverage.md"
- name: Upload coverage artifacts
if: always()
uses: actions/upload-artifact@v4
with:
name: coverage-100
path: |
coverage
**/coverage
**/TestResults
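
Review bot: this job repeats the exact `dotnet restore` / `dotnet test ... /p:CollectCoverage=true` run from codecov-analytics.yml on the same triggers, so every push and pull request builds and tests the project twice to produce the same `coverage.cobertura.xml`; consider producing the report once and having the gate and the Codecov upload consume it (two steps of one job, or a shared artifact). The `uses:` lines (`actions/checkout@v6`, `actions/setup-python@v6`, `actions/setup-dotnet@v4`, `actions/upload-artifact@v4`) carry the same mutable-tag issue flagged on the other workflows and should be pinned to full commit SHAs with a `# vN` comment. The artifact `path:` lists `coverage`, `**/coverage` and `**/TestResults`; only `**/TestResults` receives output from the steps above, so the first two entries can go once `mkdir -p coverage` is removed.
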
37 changes: 37 additions & 0 deletions .github/workflows/deepscan-zero.yml
@@ -0,0 +1,37 @@
name: DeepScan Zero

on:
push:
branches: [main, master]
pull_request:
branches: [main, master]
workflow_dispatch:

permissions:
contents: read
checks: read

jobs:
deepscan-zero:
name: DeepScan Zero
runs-on: ubuntu-latest
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
steps:
- uses: actions/checkout@v6
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, let's examine the actual content of the workflow file
cat -n .github/workflows/deepscan-zero.yml | head -40

Repository: Prekzursil/SWFOC-Mod-Menu

Length of output: 1108


🏁 Script executed:

# Run the suggested verification command to find mutable action references
rg -n '^\s*-\s*uses:\s*[^@]+@v[0-9]+' .github/workflows

Repository: Prekzursil/SWFOC-Mod-Menu

Length of output: 1502


🌐 Web query:

GitHub Actions security best practices pinning version tags vs commit SHA

💡 Result:

Recommendation (security-first)

Pin third‑party actions to a full-length commit SHA (e.g., actions/checkout@6929…) because it’s the most reliable immutable reference and prevents silently picking up malicious changes if a tag/branch is moved. GitHub’s own guidance calls full SHAs “the most reliable” approach and notes “immutable tags” can be disabled by repo owners. [1]

When version tags are acceptable

If you need human-readable versions, pin to a tag that is part of an immutable release (e.g., @v1.2.3 where the release is immutable). With immutable releases enabled, the release’s associated tag can’t be moved/deleted and assets can’t be modified, reducing the “tag retargeting” supply-chain risk. [2]

Practical best practice pattern (security + maintainability)

  • Pin to a SHA that corresponds to a known release tag, and add the tag as a comment so you can track intent and let automation propose updates: [1]
    uses: actions/checkout@<full_sha> # v4.1.7
  • Use Dependabot version updates (or similar tooling) to periodically bump the pinned SHAs (GitHub explicitly recommends this pairing). [1]

Org/enterprise enforcement

GitHub Actions policies can now enforce SHA pinning (workflows fail if an action isn’t pinned to a full commit SHA) and also support blocking specific actions/versions. [3]

Sources

[1] GitHub Well-Architected Framework – “Securing GitHub Actions Workflows” (Pin versions of actions) (wellarchitected.github.com)
[2] GitHub Docs – “Immutable releases” (docs.github.com)
[3] GitHub Changelog (2025-08-15) – Actions policy supports blocking and SHA pinning (github.blog)

Pin GitHub Actions to full commit SHAs instead of mutable version tags.

Lines 21 and 29 use mutable version tags (actions/checkout@v6, actions/upload-artifact@v4). Per GitHub's official security guidance, full commit SHAs are immutable and prevent supply-chain attacks where tags can be silently retargeted. Pin to the full SHA with a comment noting the release tag for readability: uses: actions/checkout@<full_sha> # v6.

This pattern is used throughout the repository's workflows and should be addressed consistently.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/deepscan-zero.yml at line 21, Replace mutable GitHub
Actions version tags with immutable full commit SHAs for the uses entries (e.g.,
replace actions/checkout@v6 and actions/upload-artifact@v4) across the workflow;
update each "uses:" line to reference the corresponding full commit SHA and
append a trailing comment with the human-friendly release tag (e.g., "# v6" or
"# v4") so intent remains clear while preventing retargeting.

- name: Assert DeepScan vendor check is green
run: |
python3 scripts/quality/check_required_checks.py \
--repo "${GITHUB_REPOSITORY}" \
--sha "${GITHUB_SHA}" \
--required-context "DeepScan" \
--timeout-seconds 1200 \
--poll-seconds 20 \
--out-json "deepscan-zero/deepscan.json" \
--out-md "deepscan-zero/deepscan.md"
- name: Upload DeepScan artifacts
if: always()
uses: actions/upload-artifact@v4
with:
name: deepscan-zero
path: deepscan-zero
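
Review bot: `permissions:` grants `checks: read` but not `statuses: read`, yet the job runs the same `check_required_checks.py` poller that the review of quality-zero-gate.yml below describes as querying both the check-runs and the commit-statuses endpoints; if the DeepScan integration reports through a commit status rather than a check run, the `--required-context "DeepScan"` lookup will never succeed and the step only fails after the full `--timeout-seconds 1200`. Add `statuses: read` alongside `checks: read` (or confirm that the script only needs check runs). `GITHUB_TOKEN` is also set as job-level `env:` although only the assert step uses it; scoping it to that step follows least privilege and keeps the job environment minimal.
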
82 changes: 82 additions & 0 deletions .github/workflows/quality-zero-gate.yml
@@ -0,0 +1,82 @@
name: Quality Zero Gate

on:
push:
branches: [main, master]
pull_request:
branches: [main, master]
workflow_dispatch:

permissions:
contents: read

Check notice

Code scanning / SonarCloud

Read permissions should be defined at the job level Low

Move this read permission from workflow level to job level.

Comment on lines +10 to +12
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/quality-zero-gate.yml

Repository: Prekzursil/SWFOC-Mod-Menu

Length of output: 3700


🏁 Script executed:

cat -n scripts/quality/check_required_checks.py

Repository: Prekzursil/SWFOC-Mod-Menu

Length of output: 8355


🌐 Web query:

GitHub API check-runs endpoint permissions requirements

💡 Result:

GitHub REST API “check-runs” endpoints — required permissions

Key rule: Write access to Checks (creating/updating/rerequesting check runs) is only available to GitHub Apps; OAuth apps and user tokens can view check runs but can’t create/update them. [1]

Endpoint / operation Fine-grained token / GitHub App permission PAT (classic) / OAuth app notes
Create a check run (POST /repos/{owner}/{repo}/check-runs) Checks: write [1][2] Must be a GitHub App (not OAuth / classic PAT) [1]
Update a check run (PATCH /repos/{owner}/{repo}/check-runs/{check_run_id}) Checks: write [1][2] OAuth apps and classic PATs cannot use this endpoint [1]
Get a check run (GET /repos/{owner}/{repo}/check-runs/{check_run_id}) Checks: read [1][2] For private repos, OAuth / classic PAT needs repo scope [1]
List check run annotations (GET /repos/{owner}/{repo}/check-runs/{check_run_id}/annotations) Checks: read [1][2] For private repos, OAuth / classic PAT needs repo scope [1]
Rerequest a check run (POST /repos/{owner}/{repo}/check-runs/{check_run_id}/rerequest) Checks: write [1][2] (Write action → GitHub App) [1]
List check runs in a check suite (GET /repos/{owner}/{repo}/check-suites/{check_suite_id}/check-runs) Checks: read [1][2] For private repos, OAuth / classic PAT needs repo scope [1]
List check runs for a Git ref (list-for-ref endpoint) Checks: read [1] For private repos, OAuth / classic PAT needs repo scope [1]

Tip: GitHub also returns X-Accepted-GitHub-Permissions in REST responses to tell you the required permission(s) for the endpoint you just called. [2]

Sources: GitHub REST “Check runs” docs [1]; “Permissions required for GitHub Apps” matrix [2].


🌐 Web query:

GitHub API status endpoint commits statuses permissions requirements

💡 Result:

GitHub Status endpoint (service health)

  • GitHub’s public Statuspage API endpoints are:
    • https://www.githubstatus.com/api/v2/status.json
    • https://www.githubstatus.com/api/v2/summary.json (and related /components.json, /incidents.json, etc.) [1]
  • These are public (no GitHub token/scopes required) because they’re not part of the GitHub REST API for repositories/users—it's the status site’s API. [1]

GitHub REST API commit statuses (per-commit CI/status contexts)

Key REST endpoints

  • Create a status: POST /repos/{owner}/{repo}/statuses/{sha} [2]
  • Read combined status: GET /repos/{owner}/{repo}/commits/{ref}/status [2]
  • List statuses: GET /repos/{owner}/{repo}/commits/{ref}/statuses [2]

Permission requirements

  • OAuth app / classic PAT scopes: repo:status is the targeted scope for read/write commit statuses (or repo which also grants code access). [4]
  • Fine-grained PAT: repository permission “Commit statuses”
    • write for POST .../statuses/{sha}
    • read for the two GET endpoints [3]
  • GitHub App: repository permission “Commit statuses”
    • write for POST .../statuses/{sha}
    • read for the two GET endpoints [5]

Repo access note

  • The “combined status” and “list statuses” endpoints are accessible to users with at least pull access for private repos, and can be accessed without auth when only public resources are involved. [2]

Sources: [1] GitHub Status API docs, [2] Commit Statuses REST endpoints, [3] Fine-grained PAT permissions table, [4] OAuth scopes (repo:status), [5] GitHub App permissions required table.


Grant explicit read scopes for checks and status APIs.

Lines 10-12 only grant contents: read, but the workflow's check_required_checks.py script calls the GitHub API endpoints for check-runs and commit statuses (lines 151-152). These endpoints require checks: read and statuses: read permissions. Without explicit grants, the GITHUB_TOKEN will lack the necessary scopes and the script will fail.

Suggested fix
 permissions:
   contents: read
+  checks: read
+  statuses: read
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/quality-zero-gate.yml around lines 10 - 12, The workflow
grants only contents: read so the GITHUB_TOKEN lacks scopes needed by
check_required_checks.py; update the permissions block in the workflow to
explicitly add checks: read and statuses: read (in addition to contents: read)
so the script can call the check-runs and commit status endpoints; ensure the
permissions YAML includes these entries and that no other steps override the
token permissions.

jobs:
secrets-preflight:
name: Quality Secrets Preflight
runs-on: ubuntu-latest
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
CODACY_API_TOKEN: ${{ secrets.CODACY_API_TOKEN }}
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
SENTRY_ORG: ${{ vars.SENTRY_ORG }}
SENTRY_PROJECT: ${{ vars.SENTRY_PROJECT }}
DEEPSCAN_POLICY_MODE: ${{ vars.DEEPSCAN_POLICY_MODE }}
DEEPSCAN_OPEN_ISSUES_URL: ${{ vars.DEEPSCAN_OPEN_ISSUES_URL }}
DEEPSCAN_API_TOKEN: ${{ secrets.DEEPSCAN_API_TOKEN }}
steps:
- uses: actions/checkout@v6
- name: Run quality secrets preflight
run: |
python3 scripts/quality/check_quality_secrets.py \
--out-json quality-secrets/secrets.json \
--out-md quality-secrets/secrets.md
Comment on lines +30 to +34

Action required

1. Tooling changes lack test evidence 📘 Rule violation ⛯ Reliability

This PR introduces new CI/quality tooling but does not include deterministic test evidence artifacts
for these changes nor an explicit, documented skip justification in-repo. This reduces
auditability/reproducibility of the claimed quality enforcement behavior.
Agent Prompt
## Issue description
The PR adds new CI/tooling workflows and scripts, but does not include deterministic test evidence artifacts for these changes and does not include an explicit documented skip justification in the repository.

## Issue Context
Compliance requires that runtime/tooling/test-affecting changes include reproducible evidence (e.g., captured logs/results committed under an agreed location) OR a documented justification for skipping such evidence.

## Fix Focus Areas
- .github/workflows/quality-zero-gate.yml[30-38]
- docs/quality/QUALITY_ZERO_GATES.md[1-10]


- name: Upload secrets preflight artifact
if: always()
uses: actions/upload-artifact@v4
with:
name: quality-secrets
path: quality-secrets

quality-zero-gate:
name: Quality Zero Gate
if: always()
runs-on: ubuntu-latest
needs:
- secrets-preflight
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
steps:
- uses: actions/checkout@v6
- name: Assert secrets preflight succeeded
run: |
if [ "${{ needs.secrets-preflight.result }}" != "success" ]; then
echo "Quality Secrets Preflight failed or was not successful." >&2
exit 1
fi
- name: Assert required quality contexts are green
run: |
python3 scripts/quality/check_required_checks.py \
--repo "${GITHUB_REPOSITORY}" \
--sha "${GITHUB_SHA}" \
--required-context "Coverage 100 Gate" \
--required-context "Codecov Analytics" \
--required-context "Sonar Zero" \
--required-context "Codacy Zero" \
--required-context "Snyk Zero" \
--required-context "Sentry Zero" \
--required-context "DeepScan Zero" \
--required-context "SonarCloud Code Analysis" \
--required-context "Codacy Static Code Analysis" \
--required-context "DeepScan" \
Comment on lines +60 to +72

Action required

6. Sonar context name mismatch 🐞 Bug ✓ Correctness

Quality Zero Gate waits for a required context named "SonarCloud Code Analysis", but this
repository’s Sonar workflow job is named sonarcloud; the required-checks poller will never observe
the expected context and will fail.
Agent Prompt
## Issue description
The aggregate required-checks gate requires a Sonar context name that doesn’t match any workflow/job in this repo.

## Issue Context
GitHub check-run context names generally follow the workflow job name (e.g., `sonarcloud`).

## Fix Focus Areas
- .github/workflows/quality-zero-gate.yml[64-76]
- .github/workflows/sonarcloud.yml[14-16]


--timeout-seconds 1500 \
--poll-seconds 20 \
--out-json quality-zero-gate/required-checks.json \
--out-md quality-zero-gate/required-checks.md
- name: Upload aggregate artifact
if: always()
uses: actions/upload-artifact@v4
with:
name: quality-zero-gate
path: quality-zero-gate
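
Review bot: the `secrets-preflight` job exports `SONAR_TOKEN`, `CODACY_API_TOKEN`, `CODECOV_TOKEN`, `SNYK_TOKEN`, `SENTRY_AUTH_TOKEN` and `DEEPSCAN_API_TOKEN` as job-level `env:`, so all of them are present in the environment of `actions/checkout@v6` as well as of the preflight script; move the block under the `Run quality secrets preflight` step so only that step sees the secrets, as codacy-zero.yml does with its step-level `env:`. The timeout budget in `quality-zero-gate` also looks tight: it polls for the `DeepScan Zero` context with `--timeout-seconds 1500`, while the `DeepScan Zero` job itself waits up to 1200 s for the vendor `DeepScan` check before it can turn green, so after job start-up the aggregate gate has only a few minutes of margin and may time out before a slow DeepScan run is reported; raise this timeout well above the inner 1200 s wait, or drop `DeepScan Zero` from the list since `DeepScan` itself is already a required context here. Minor: `${{ needs.secrets-preflight.result }}` is interpolated directly into the `run:` script; its value is one of a fixed set (`success`, `failure`, `cancelled`, `skipped`), so it is not an injection vector here, but passing it through `env:` is the convention that keeps the pattern safe if the expression is changed later.
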
34 changes: 34 additions & 0 deletions .github/workflows/sentry-zero.yml
@@ -0,0 +1,34 @@
name: Sentry Zero

on:
push:
branches: [main, master]
pull_request:
branches: [main, master]
workflow_dispatch:

permissions:
contents: read

jobs:
sentry-zero:
name: Sentry Zero
runs-on: ubuntu-latest
env:
SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
SENTRY_ORG: ${{ vars.SENTRY_ORG }}
SENTRY_PROJECT: ${{ vars.SENTRY_PROJECT }}
steps:
- uses: actions/checkout@v6
- name: Assert Sentry unresolved issues are zero
run: |
python3 scripts/quality/check_sentry_zero.py \
--project "${SENTRY_PROJECT}" \
--out-json "sentry-zero/sentry.json" \
--out-md "sentry-zero/sentry.md"
- name: Upload Sentry artifacts
if: always()
uses: actions/upload-artifact@v4
with:
name: sentry-zero
path: sentry-zero
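
Review bot: the `Assert Sentry unresolved issues are zero` step passes only `--project "${SENTRY_PROJECT}"` and relies on `SENTRY_AUTH_TOKEN` and `SENTRY_ORG` reaching the script through the job-level `env:`, but nothing checks that any of the three values is set; an unset `vars.SENTRY_PROJECT` yields `--project ""` and the failure surfaces as whatever the Sentry API returns rather than a clear message. Add a presence check in the style of the `Validate Codecov token` step in codecov-analytics.yml, and move `SENTRY_AUTH_TOKEN` from the job-level `env:` into this step's `env:` so the secret is not exposed to checkout and the artifact upload. `actions/checkout@v6` and `actions/upload-artifact@v4` should be pinned to full commit SHAs with a `# vN` comment, as flagged on the other workflows.
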