feat(ci-template): add secret-scan + coverage jobs to template ci.yml (#575)#578
…lows/ci.yml (#575)

The day-0 CI template gains the two org required-check producers so repos created from repo-template are forward-compatible with the code-quality ruleset:

- secret-scan → `Secret scan (gitleaks)`: copied verbatim from push-protection.md#required-ci-job — gitleaks CLI (the action's v2+ needs a paid org license), fully pinned + checksum-verified, `--config .gitleaks.toml`, `--redact`, `--exit-code 1`, `contents: read` only (no SARIF upload, so no `security-events: write`). Requires a .gitleaks.toml at repo root, seeded alongside this template (companion .github-private PR wires seed-repo-template.sh).
- coverage → `coverage`: stack-aware, default shell/bats via kcov. Green-until-tests — succeeds with no report when a stack emits no coverage, so seeding it fleet-wide never bricks a repo without a test suite; enforces once tests exist. Per-stack expansion blocks (Node/Go/Python/Rust) documented inline; job name kept `coverage`.

checkout pinned to actions/checkout@de0fac2e…#v6.0.2 (verified via API; matches the existing template + push-protection.md). yamllint (repo rules) + actionlint clean.

Adding these contexts to the code-quality ruleset is sequenced SEPARATELY (follow-up PR) and scoped to template/new repos — existing fleet repos have no coverage job, so a fleet-wide required `coverage` would brick them (the #575 finding).

Part of #575 (folded-in from closed #569). Epic #964.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Dev-Lead — review-changes (no-changes): No changes were needed for this PR.
Pull request overview
Updates the day-0 CI workflow template (standards/workflows/ci.yml) so repositories created from repo-template will produce the org’s required-check contexts for secret scanning and coverage, aligning the template with evolving code-quality ruleset expectations.
Changes:
- Add a `secret-scan` job that runs gitleaks and produces the `Secret scan (gitleaks)` check.
- Add a stack-aware `coverage` job (defaulting to shell/bats via kcov) that is “green until tests exist”.
- Update the top-of-file adoption notes to document the additional default jobs and required check stability expectations.
Dev-Lead — fix-bot-comment (applied): Changes committed and pushed.
Dev-Lead — review-changes (no-changes): No changes were needed for this PR.
Dev-Lead — fix-bot-comment (no-changes)
donpetry-bot left a comment
Automated review — APPROVED ✓
Risk: MEDIUM
Reviewed commit: 1190d33b3d52c0152d8cf2cf7aae8b765659ed62
Review mode: triage-approved (single reviewer)
Summary
Adds the two org required-check producers (secret-scan → Secret scan (gitleaks) and coverage) to the day-0 CI template standards/workflows/ci.yml (+72/-0, one file). The triage assessment holds: this is a template file (not an executing workflow in this repo), the gitleaks job matches the canonical push-protection.md#required-ci-job (version 8.30.1 and checksum 551f6fc8… verified identical), and the actions/checkout pin de0fac2e… was verified via the GitHub API to be exactly the v6.0.2 tag commit. Permissions are least-privilege (contents: read per job), --redact prevents secret values reaching logs, and the coverage job is green-until-tests so seeding cannot brick repos without suites.
Linked issue analysis
No formally linked closing issue; the PR body references #575 (epic #964). Verified against issue #575: this PR implements scope item 5(a) — ship the required-check producer jobs via the template ci.yml — while correctly deferring the code-quality ruleset context additions to a separate follow-up, exactly the sequencing #575 mandates to avoid bricking existing fleet repos. Substantively on-scope.
Findings
No blocking findings.
- Both Copilot inline review threads (misleading ".gitleaks.toml seeded with this template" wording; `tar -C /usr/local/bin` failing on root-owned dirs) are resolved — fixes verified in the head commit (wording clarified to "seeded by repo-template tooling"; extraction now goes to /tmp + `sudo mv`).
- Non-blocking observation: the PR calls the gitleaks job "copied verbatim" from push-protection.md, but the tar-extraction fix now deviates from the doc (which still has the `tar -C /usr/local/bin` variant that would fail on hosted runners). Consider a follow-up updating push-protection.md#required-ci-job to match, so the canonical doc stays authoritative.
- Coupling noted in the PR body: repos seeded from this template need the `.gitleaks.toml` from the companion .github-private seed PR, or `secret-scan` fails on missing config. Land together as stated.
- MCP `run_secret_scanning` tool was not available in this environment; the repo's own `Secret scan (gitleaks)` CI check passed on the head SHA. No secrets in the diff (the hex string is a published release checksum, deliberately named `GITLEAKS_CHECKSUM` to avoid the SonarCloud false positive).
CI status
All checks green on head 1190d33: Lint, ShellCheck, Agent Security Scan, Secret scan (gitleaks), CodeQL (actions), SonarCloud (quality gate passed, 0 new issues / 0 hotspots), CodeRabbit, dependency-audit ecosystem detection (language-specific audits skipped as expected for a YAML-only change). Merge state is BEHIND main — needs a branch update before merge, but nothing failing.
Reviewed automatically by the PR-review agent (single-reviewer mode: fable 5). Reply if you need a human review.
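The checksum-verified, extract-to-/tmp-then-move install sequence discussed in the review above, as an added shell example that is not part of the PR's ci.yml or of push-protection.md. The tarball is constructed by the caller (a fake binary in the test), and `sha256_of` / `install_pinned_tarball` are hypothetical helper names.

```shell
#!/usr/bin/env bash
# Added example (not the PR's own workflow): install a pinned release tarball
# only after its SHA-256 matches the published checksum, extracting into a
# writable scratch dir first and then moving the binary into place, the
# /tmp + mv pattern the review thread settled on for root-owned bin dirs.
set -eu

# Print the SHA-256 of a file using whichever tool the runner provides
# (sha256sum on GNU/Linux runners, shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# install_pinned_tarball TARBALL EXPECTED_SHA256 BINARY DEST_DIR
# Refuses to extract anything unless the archive digest equals the pin,
# so a tampered or wrong-version download never reaches DEST_DIR.
install_pinned_tarball() {
  local tarball="$1" expected="$2" binary="$3" dest="$4"
  local actual scratch
  actual="$(sha256_of "$tarball")"
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $tarball: expected $expected, got $actual" >&2
    return 1
  fi
  # Extract only the named member into a fresh scratch dir the job user owns,
  # then move the single binary; this avoids writing into a root-owned dir.
  scratch="$(mktemp -d)"
  tar -xzf "$tarball" -C "$scratch" "$binary"
  mv "$scratch/$binary" "$dest/$binary"
  chmod +x "$dest/$binary"
  rm -rf "$scratch"
}
```

In the workflow the caller would use `sudo mv` for /usr/local/bin; the function takes a destination argument so the same check runs unprivileged against a scratch directory.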
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@standards/workflows/ci.yml`:
- Around line 85-86: The gitleaks install block in the CI workflow is not
matching the canonical copied snippet, so make the `gitleaks` setup in the
workflow template verbatim with the source standard used by the job comment.
Locate the install sequence around the `tar -xzf` and `sudo mv` commands in the
workflow, then either update the referenced standard snippet first and copy it
exactly or change this workflow to match the documented command block without
regeneration.
Files selected for processing (1): standards/workflows/ci.yml

```
tar -xzf /tmp/gitleaks.tar.gz -C /tmp gitleaks
sudo mv /tmp/gitleaks /usr/local/bin
```
📐 Maintainability & Code Quality | 🟠 Major | ⚡ Quick win
Keep the copied gitleaks install block verbatim.
This install sequence differs from the canonical standards/push-protection.md snippet even though the job comment says it is copied verbatim. Either update the source standard first and copy that exact block here, or align this template with the documented command.
Align with the referenced standard

```diff
- tar -xzf /tmp/gitleaks.tar.gz -C /tmp gitleaks
- sudo mv /tmp/gitleaks /usr/local/bin
+ tar -xzf /tmp/gitleaks.tar.gz -C /usr/local/bin gitleaks
```

As per coding guidelines, standards/workflows/**: Workflow templates in standards/workflows/ should be copied verbatim, not regenerated.
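Review bot: the suggested `-C /usr/local/bin` form is the exact variant the donpetry-bot review above reports as failing on root-owned dirs on hosted runners, which is why the head commit extracts to /tmp and then runs `sudo mv`; applying this suggestion would reintroduce that failure. The verbatim-copy rule is better satisfied by updating standards/push-protection.md#required-ci-job to the /tmp + `sudo mv` sequence (the follow-up that review already proposes) rather than reverting the template to the broken command.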
…leaks.toml (#575) (#1014)

* feat(seed): seed .gitleaks.toml into the repo template from standards/gitleaks.toml (#575)

The template ci.yml's secret-scan job runs `gitleaks detect --config .gitleaks.toml` (push-protection.md), which fails file-not-found unless every repo ships a .gitleaks.toml at root. Seed it as a baseline file so day-0 repos are green.

- BASELINE_MANIFEST: add `.gitleaks.toml|fetch:standards/gitleaks.toml`.
- _emit_baseline: generalize the fetch source — bare `fetch` stays the Dependabot stack special case; new `fetch:<standards-path>` fetches that path verbatim (the form the manifest header already documented). Unknown sources fail loud.
- Tests: verbatim-fetch + fail-loud for .gitleaks.toml; add it to the baseline-set list; provision the fixture + assert the cross-repo write in the seeding e2e. 28/28 seed bats pass; shellcheck --severity=warning -x clean.

Companion to petry-projects/.github#578 (adds the secret-scan job to the template ci.yml). Land together so a seeded repo has both the job and its config.

Part of #575 (folded-in from closed #1001). Epic #964.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* chore: dev-lead update (review-changes) [skip ci-relay]

* chore: dev-lead update (review-changes) [skip ci-relay]

---------

Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-authored-by: Don Petry Bot <donpetry+bot@gmail.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>



Summary
Adds the two org required-check producers to the day-0 CI template `standards/workflows/ci.yml`, so repos created from `repo-template` are forward-compatible with the `code-quality` ruleset. Folded in from closed #569 (epic #964), with both review fixes applied.

Jobs added (alongside the existing `build-and-test` stub)

- `secret-scan` → `Secret scan (gitleaks)` — copied verbatim from push-protection.md#required-ci-job:
  - (`gitleaks/gitleaks-action` — its v2+ needs a paid org license), fully pinned + checksum-verified via `GITLEAKS_CHECKSUM`.
  - `permissions: contents: read` only — no SARIF upload, so no `security-events: write`.
  - `gitleaks detect --source . --config .gitleaks.toml --redact --verbose --exit-code 1`.
  - Requires a `.gitleaks.toml` at root — seeded by the companion `.github-private` PR (wires `seed-repo-template.sh`).
- `coverage` → `coverage` — stack-aware, default shell/bats via kcov:
  - `name:` kept `coverage` so the required check is stable.

Pins & lint

- `actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2` — verified via `gh api` (matches the existing template + push-protection.md).
- `yamllint` (repo rules: line-length 200, document-start disable) ✅ · pinned `actionlint 1.7.7` ✅.

Sequencing / coupling

- `code-quality` ruleset does not yet require `coverage` / `Secret scan (gitleaks)` fleet-wide — that's a separate follow-up PR, scoped to template/new repos. Existing fleet repos have no coverage job, so a fleet-wide required `coverage` would brick them (the original "Relocate org-wide compliance rulesets (code-quality, pr-quality) from .github-private to .github/standards/rulesets/" #575 finding).
- `ci.yml` needs the `.gitleaks.toml` from the companion `.github-private` seed PR, or its `secret-scan` fails on missing config. Land them together.

Part of #575. Epic #964.
🤖 Generated with Claude Code