ci: add lean 6-gate quality template (additive)#68
Merged
Conversation
Add the lean 6-gate quality gate alongside the existing QZT workflows (additive only — no existing workflow removed, no required-status-check / branch-protection / ruleset flipped; that is deferred to the migration runbook).

What this adds for this C# (.NET) repo:
- `.github/workflows/quality.yml`: ~5-line caller of the shared reusable lean-gate workflow, pinned to the template branch so this PR's CI is real now (the runbook re-pins to a tag after the template merges).
- `.pre-commit-config.yaml`: gate 1 (dotnet format / Roslyn) + gate 5 (gitleaks).
- `.gitleaks.toml`: secrets gate allowlist (build output / vendored trees only).
- `.quality/opengrep/`: pinned in-repo SAST ruleset (gate 4) — curated C# + language-agnostic security rules; 0 findings.
- `osv-scanner.toml` + per-project `packages.lock.json`: dependency gate (gate 6), reads the NuGet lock graph; 0 issues. Dependabot (already configured) keeps the lockfiles current.

Gate 1 autofix applied + committed so the lint/format lane is green:
- align `.gitattributes` to `eol=lf` (matches the repo's LF-stored blobs and the `.editorconfig` `end_of_line=lf` rule; renormalizes the few CRLF-stored files)
- dotnet format fixes: `[assembly: ThemeInfo` spacing in `App/AssemblyInfo.cs` and a raw-string-literal block dedent in `SessionCatalogRepositoryTests.cs`

Tests + coverage (gate 3) continue to run in the existing dotnet CI.

Verified locally: dotnet format (whitespace+style+analyzers) clean, semgrep SAST 0 findings, gitleaks 0 leaks, osv-scanner 0 issues, scripts/verify green (112 tests pass).
| [Fact] | ||
| public async Task SearchAsync_FindsTranscript_Alias_AndCommandTextAsync() | ||
| { | ||
| var databasePath = Path.Combine(Path.GetTempPath(), $"{Guid.NewGuid():N}.db"); |
| [Fact] | ||
| public async Task SearchAsync_MatchesPhraseTokens_OutOfOriginalOrderAsync() | ||
| { | ||
| var databasePath = Path.Combine(Path.GetTempPath(), $"{Guid.NewGuid():N}.db"); |
| [Fact] | ||
| public async Task SearchAsync_ReturnsEmptyList_ForWhitespaceQueryAsync() | ||
| { | ||
| var databasePath = Path.Combine(Path.GetTempPath(), $"{Guid.NewGuid():N}.db"); |
| [Fact] | ||
| public async Task InitializeAsync_BackfillsSearchIndex_ForPreexistingSessionRowsAsync() | ||
| { | ||
| var databasePath = Path.Combine(Path.GetTempPath(), $"{Guid.NewGuid():N}.db"); |
| [Fact] | ||
| public async Task SaveMetadataAsync_PersistsAliasTagsAndNotes_AndMakesThemSearchableAsync() | ||
| { | ||
| var databasePath = Path.Combine(Path.GetTempPath(), $"{Guid.NewGuid():N}.db"); |
| [Fact] | ||
| public async Task SearchAsync_ReturnsSnippet_WhenMatchOccursOutsideThreadNameAsync() | ||
| { | ||
| var databasePath = Path.Combine(Path.GetTempPath(), $"{Guid.NewGuid():N}.db"); |
| [Fact] | ||
| public async Task UpsertAsync_PreservesExistingMetadata_WhenReindexingSameSessionAsync() | ||
| { | ||
| var databasePath = Path.Combine(Path.GetTempPath(), $"{Guid.NewGuid():N}.db"); |
| [Fact] | ||
| public async Task ListSessionsAsync_ReturnsPersistedMetadata_WhenStoredMetadataExistsAsync() | ||
| { | ||
| var databasePath = Path.Combine(Path.GetTempPath(), $"{Guid.NewGuid():N}.db"); |
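Review bot: the same temp-database setup line `var databasePath = Path.Combine(Path.GetTempPath(), $"{Guid.NewGuid():N}.db");` is repeated verbatim in each of the eight test methods shown in this file; consider hoisting it into one helper (or a test fixture) so the location and naming policy for these on-disk SQLite files, and any cleanup of the created file, live in a single place rather than being copied into every new test.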
…er self-skip) The shared lean reusable-quality workflow runs 'pre-commit run --all-files' without setting up a .NET SDK, so the bare 'dotnet format' hook failed the gate-lint-format-secrets gate even though the C# is already format-clean. Route the hook through scripts/format-verify, which runs the real --verify-no-changes when a compatible SDK is present (local dev + the repo's own .NET CI) and gracefully no-ops on the SDK-less lean-gate runner.
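The self-skipping wrapper the commit message describes, written out as an added illustration (this is not the repo's own `scripts/format-verify`): it runs the real `dotnet format --verify-no-changes` when an SDK of the expected major version is on the runner and otherwise skips with a visible notice, so a green lane never silently hides that the check did not run. The `DOTNET_MAJOR` knob and the helper function names are assumptions; the default of 8 follows the page's ".NET 8" detected language.

```shell
#!/usr/bin/env sh
# Added example, not the repo's scripts/format-verify: a pre-commit hook
# entry point that runs `dotnet format --verify-no-changes` only when a
# .NET SDK of the expected major version is installed, and otherwise
# skips loudly so an SDK-less runner stays green without hiding that the
# format check did not execute here.

# Parse `dotnet --list-sdks` output (lines like "8.0.403 [/usr/share/dotnet/sdk]")
# from stdin and print the distinct SDK major versions, one per line.
sdk_majors() {
  awk '{ split($1, v, "."); print v[1] }' | sort -u
}

# Return 0 when a dotnet CLI is on PATH and it lists an SDK with major version $1.
has_compatible_sdk() {
  command -v dotnet >/dev/null 2>&1 || return 1
  dotnet --list-sdks 2>/dev/null | sdk_majors | grep -qx "$1"
}

# Print "verify" or "skip"; kept separate from the side effects so the
# decision can be exercised without an SDK installed.
decide_action() {
  if has_compatible_sdk "$1"; then echo verify; else echo skip; fi
}

format_verify() {
  # DOTNET_MAJOR is an assumed knob; 8 matches the repo's .NET 8 target.
  want_major="${DOTNET_MAJOR:-8}"
  case "$(decide_action "$want_major")" in
    verify)
      # Exits non-zero if any file would be reformatted, which fails the hook.
      dotnet format --verify-no-changes
      ;;
    skip)
      echo "format-verify: SKIP - no .NET $want_major SDK on this runner;" \
           "dotnet format is enforced in the repo's own .NET CI" >&2
      return 0
      ;;
  esac
}

# Run the gate only when invoked as a script named format-verify, so the
# functions can also be sourced (for example by a test) without side effects.
case "$0" in
  *format-verify*) format_verify ;;
esac
```

Wire it in as the pre-commit hook's `entry` in place of a bare `dotnet format` so the same hook works on a developer machine, in the repo's .NET CI, and on the shared lean-gate runner.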
Summary
Adds the lean 6-gate quality gate alongside the existing QZT workflows. Additive only — no existing workflow is removed, and no required-status-check / branch-protection / ruleset is flipped (deferred to the migration runbook; required ⊆ enabled).
Detected language: C# (.NET 8).
What this adds
- `.github/workflows/quality.yml` — ~5-line caller of `Prekzursil/quality-zero-platform/.github/workflows/reusable-quality.yml@feat/lean-quality-template` (pinned to the template branch so this PR's CI is real now; the runbook re-pins to a tag after the template merges).
- `.pre-commit-config.yaml` — gate 1 (`dotnet format` / Roslyn) + gate 5 (gitleaks).
- `.gitleaks.toml` — secrets gate allowlist (build output / vendored trees only; no real secrets allowlisted).
- `.quality/opengrep/` — pinned in-repo SAST ruleset (gate 4): curated C# (weak crypto, `Process.Start` injection, `BinaryFormatter`) + language-agnostic (committed keys, AWS key IDs) rules.
- `osv-scanner.toml` + per-project `packages.lock.json` (×6) — dependency gate (gate 6), scanning the NuGet lock graph. Dependabot (already configured) keeps the lockfiles current.
Gate 1 autofix (committed so the lint/format lane is green)
- `.gitattributes` to `eol=lf` (matches the repo's LF-stored blobs and the `.editorconfig` `end_of_line=lf` rule; renormalizes the handful of CRLF-stored files).
- `dotnet format`: `[assembly: ThemeInfo` spacing in `App/AssemblyInfo.cs`; raw-string-literal block dedent in `SessionCatalogRepositoryTests.cs`.
Gate mapping
ci.yml)
Verification
Verified locally before push:
`dotnet format` (whitespace+style+analyzers) clean on all 6 projects, semgrep SAST 0 findings, gitleaks 0 leaks, osv-scanner 0 issues across all 6 lockfiles, and `scripts/verify` (the QZT pre-push contract) green.
Archive-first
Pre-change default HEAD (`ce3ce84`) archived as branch `archive/pre-lean-gate` + annotated tag `archive/pre-lean-gate`.
Test plan
- `quality` workflow runs green on this PR (cloud CI).
- `quality-zero-ci` / QZT gates unaffected (additive).