Goal
Make coverage and Secret scan (gitleaks) fleet-wide required checks in standards/rulesets/code-quality.json — safely, without bricking any repo.
Why it's blocked today
Adding a required context to code-quality.json makes it a merge gate on every repo the ruleset targets. A repo that does not produce that check is permanently blocked. The template ci.yml now ships both jobs (#578) so new repos produce them, but existing fleet repos do not yet have a coverage job — so #575/#579 scoped the stricter set to template/new repos only.
What is needed (the backfill)
1. ci.yml — the secret-scan job (+ seed .gitleaks.toml) and the green-until-tests coverage job, matching the template (feat(ci-template): add secret-scan + coverage jobs to template ci.yml (#575) #578, feat(seed): seed .gitleaks.toml into repo template from standards/gitleaks.toml (#575) .github-private#1014). Deploy via the cross-repo sync (deploy-standard-workflows.sh / aw-standards-sync.sh), one PR per repo.
2. Verify each repo's PRs now report a coverage and Secret scan (gitleaks) status (green — no tests yet is fine).
3. Then add {"context":"coverage"} and {"context":"Secret scan (gitleaks)"} to standards/rulesets/code-quality.json and re-apply fleet-wide (apply-rulesets.sh).
Order matters: jobs first (produce the checks), ruleset contexts last. Until step 3, the stricter set stays scoped to template/new repos.
Scope note
This is the fleet sweep #575 explicitly deferred ("the fleet-wide coverage backfill itself ... its own migration").
Refs: #575, #578, #579, petry-projects/.github-private#1014, epic #964.
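
A preflight for the ordering described in this issue, as an added example that is not the project's own code: it refuses to add the two contexts to the ruleset while any targeted repo fails to report them. It assumes the ruleset uses GitHub's required_status_checks rule shape; the repo names, the existing "lint" context and the per-repo check names are constructed sample data, and collecting the real check names is left out.

```python
import copy

# Constructed sample in GitHub's repository-ruleset JSON shape (assumed);
# the real standards/rulesets/code-quality.json is not shown on the page.
RULESET = {
    "rules": [{
        "type": "required_status_checks",
        "parameters": {"required_status_checks": [{"context": "lint"}]},
    }],
}
NEW_CONTEXTS = ["coverage", "Secret scan (gitleaks)"]

# Constructed sample: check names seen on each repo's latest PR (hypothetical repos).
REPORTED = {
    "example-org/repo-a": {"lint", "coverage", "Secret scan (gitleaks)"},
    "example-org/repo-b": {"lint", "Secret scan (gitleaks)"},   # coverage job not backfilled
    "example-org/repo-c": {"lint", "coverage", "secret-scan"},  # job id, not the check name
}


def missing_contexts(reported, required):
    """Map each repo to the required contexts it does not report (exact string match)."""
    gaps = {}
    for repo, seen in sorted(reported.items()):
        absent = [c for c in required if c not in seen]
        if absent:
            gaps[repo] = absent
    return gaps


def add_required_contexts(ruleset, new_contexts, reported):
    """Return (updated_ruleset, gaps). The ruleset is only changed when gaps is empty."""
    gaps = missing_contexts(reported, new_contexts)
    if gaps:
        return None, gaps  # adding now would block merges on every repo in gaps
    updated = copy.deepcopy(ruleset)
    for rule in updated["rules"]:
        if rule["type"] == "required_status_checks":
            checks = rule["parameters"]["required_status_checks"]
            present = {c["context"] for c in checks}
            checks.extend({"context": c} for c in new_contexts if c not in present)
            return updated, {}
    raise ValueError("ruleset has no required_status_checks rule")


if __name__ == "__main__":
    updated, gaps = add_required_contexts(RULESET, NEW_CONTEXTS, REPORTED)
    for repo, absent in gaps.items():
        print(f"BLOCKED if applied: {repo} does not report {absent}")
```

With the sample data the ruleset is left untouched, because repo-b and repo-c would each be gated on a check they never produce.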