
ci: add lean 6-gate quality template (additive) #68

Merged: Prekzursil merged 3 commits into main from feat/lean-quality-gate on Jun 20, 2026

Conversation

@Prekzursil (Owner)
Summary

Adds the lean 6-gate quality gate alongside the existing QZT workflows. Additive only — no existing workflow is removed, and no required-status-check / branch-protection / ruleset is flipped (deferred to the migration runbook; required ⊆ enabled).

Detected language: C# (.NET 8).

What this adds

  • .github/workflows/quality.yml — ~5-line caller of Prekzursil/quality-zero-platform/.github/workflows/reusable-quality.yml@feat/lean-quality-template (pinned to the template branch so this PR's CI is real now; the runbook re-pins to a tag after the template merges).
  • .pre-commit-config.yaml — gate 1 (dotnet format / Roslyn) + gate 5 (gitleaks).
  • .gitleaks.toml — secrets gate allowlist (build output / vendored trees only; no real secrets allowlisted).
  • .quality/opengrep/ — pinned in-repo SAST ruleset (gate 4): curated C# (weak crypto, Process.Start injection, BinaryFormatter) + language-agnostic (committed keys, AWS key IDs) rules.
  • osv-scanner.toml + per-project packages.lock.json (×6) — dependency gate (gate 6), scanning the NuGet lock graph. Dependabot (already configured) keeps the lockfiles current.

Gate 1 autofix (committed so the lint/format lane is green)

  • Align .gitattributes to eol=lf (matches the repo's LF-stored blobs and the .editorconfig end_of_line=lf rule; renormalizes the handful of CRLF-stored files).
  • dotnet format: [assembly: ThemeInfo spacing in App/AssemblyInfo.cs; raw-string-literal block dedent in SessionCatalogRepositoryTests.cs.

Gate mapping

| Gate | Tool | Status (local) |
|---|---|---|
| 1 lint/format/sec-lint | dotnet format (Roslyn) + gitleaks via pre-commit | green (whitespace+style+analyzers clean) |
| 2 types | n/a for C# (compiler enforces) | n/a |
| 3 tests+coverage | existing dotnet CI (ci.yml) | green (112 tests pass) |
| 4 SAST | opengrep / semgrep CE | green (0 findings) |
| 5 secrets | gitleaks | green (0 leaks) |
| 6 deps | osv-scanner + Dependabot | green (0 issues) |

Verification

Verified locally before push: dotnet format (whitespace+style+analyzers) clean on all 6 projects, semgrep SAST 0 findings, gitleaks 0 leaks, osv-scanner 0 issues across all 6 lockfiles, and scripts/verify (the QZT pre-push contract) green.

Archive-first

Pre-change default HEAD (ce3ce84) archived as branch archive/pre-lean-gate + annotated tag archive/pre-lean-gate.

Test plan

  • quality workflow runs green on this PR (cloud CI).
  • Existing quality-zero-ci / QZT gates unaffected (additive).

Add the lean 6-gate quality gate alongside the existing QZT workflows
(additive only — no existing workflow removed, no required-status-check /
branch-protection / ruleset flipped; that is deferred to the migration
runbook).

What this adds for this C# (.NET) repo:
- .github/workflows/quality.yml: ~5-line caller of the shared reusable
  lean-gate workflow, pinned to the template branch so this PR's CI is real
  now (the runbook re-pins to a tag after the template merges).
- .pre-commit-config.yaml: gate 1 (dotnet format / Roslyn) + gate 5 (gitleaks).
- .gitleaks.toml: secrets gate allowlist (build output / vendored trees only).
- .quality/opengrep/: pinned in-repo SAST ruleset (gate 4) — curated C# +
  language-agnostic security rules; 0 findings.
- osv-scanner.toml + per-project packages.lock.json: dependency gate (gate 6),
  reads the NuGet lock graph; 0 issues. Dependabot (already configured) keeps
  the lockfiles current.

Gate 1 autofix applied + committed so the lint/format lane is green:
- align .gitattributes to eol=lf (matches the repo's LF-stored blobs and the
  .editorconfig end_of_line=lf rule; renormalizes the few CRLF-stored files)
- dotnet format fixes: `[assembly: ThemeInfo` spacing in App/AssemblyInfo.cs
  and a raw-string-literal block dedent in SessionCatalogRepositoryTests.cs

Tests + coverage (gate 3) continue to run in the existing dotnet CI.
Verified locally: dotnet format (whitespace+style+analyzers) clean, semgrep
SAST 0 findings, gitleaks 0 leaks, osv-scanner 0 issues, scripts/verify green
(112 tests pass).
```csharp
[Fact]
public async Task SearchAsync_FindsTranscript_Alias_AndCommandTextAsync()
{
    var databasePath = Path.Combine(Path.GetTempPath(), $"{Guid.NewGuid():N}.db");

[Fact]
public async Task SearchAsync_MatchesPhraseTokens_OutOfOriginalOrderAsync()
{
    var databasePath = Path.Combine(Path.GetTempPath(), $"{Guid.NewGuid():N}.db");

[Fact]
public async Task SearchAsync_ReturnsEmptyList_ForWhitespaceQueryAsync()
{
    var databasePath = Path.Combine(Path.GetTempPath(), $"{Guid.NewGuid():N}.db");

[Fact]
public async Task InitializeAsync_BackfillsSearchIndex_ForPreexistingSessionRowsAsync()
{
    var databasePath = Path.Combine(Path.GetTempPath(), $"{Guid.NewGuid():N}.db");

[Fact]
public async Task SaveMetadataAsync_PersistsAliasTagsAndNotes_AndMakesThemSearchableAsync()
{
    var databasePath = Path.Combine(Path.GetTempPath(), $"{Guid.NewGuid():N}.db");

[Fact]
public async Task SearchAsync_ReturnsSnippet_WhenMatchOccursOutsideThreadNameAsync()
{
    var databasePath = Path.Combine(Path.GetTempPath(), $"{Guid.NewGuid():N}.db");

[Fact]
public async Task UpsertAsync_PreservesExistingMetadata_WhenReindexingSameSessionAsync()
{
    var databasePath = Path.Combine(Path.GetTempPath(), $"{Guid.NewGuid():N}.db");

[Fact]
public async Task ListSessionsAsync_ReturnsPersistedMetadata_WhenStoredMetadataExistsAsync()
{
    var databasePath = Path.Combine(Path.GetTempPath(), $"{Guid.NewGuid():N}.db");
```
Prekzursil and others added 2 commits June 18, 2026 06:19
…er self-skip)

The shared lean reusable-quality workflow runs 'pre-commit run --all-files'
without setting up a .NET SDK, so the bare 'dotnet format' hook failed the
gate-lint-format-secrets gate even though the C# is already format-clean.
Route the hook through scripts/format-verify, which runs the real
--verify-no-changes when a compatible SDK is present (local dev + the repo's
own .NET CI) and gracefully no-ops on the SDK-less lean-gate runner.
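An added example (not the repository's own scripts/format-verify, which this page does not show) of the self-skipping wrapper the commit describes: it runs the real `dotnet format --verify-no-changes` only when a .NET SDK of the required major version is on PATH, and otherwise returns success with a visible skip message. The helper names, the `REQUIRED_DOTNET_MAJOR` variable and the major-version comparison are assumptions. The point worth keeping in view is that a gate which self-skips is only acceptable because the repo's own .NET CI (ci.yml) still runs the real check; the skip is written to stderr so the lean-gate output shows "SKIPPED" rather than a silently green lane.

```shell
#!/usr/bin/env sh
# Hypothetical scripts/format-verify: run the real "dotnet format --verify-no-changes"
# when a compatible .NET SDK is available, otherwise no-op with a visible message.
# Illustrative wrapper, not the repository's actual script.
set -eu

# SDK major the repo targets (.NET 8). Overridable via REQUIRED_DOTNET_MAJOR (assumption).
REQUIRED_DOTNET_MAJOR="${REQUIRED_DOTNET_MAJOR:-8}"

# version_major_matches VERSION MAJOR: true when VERSION (e.g. "8.0.404") has the given major.
version_major_matches() {
    [ "${1%%.*}" = "$2" ]
}

# has_compatible_sdk MAJOR: true when a dotnet SDK of that major is on PATH.
has_compatible_sdk() {
    command -v dotnet >/dev/null 2>&1 || return 1
    sdk_version="$(dotnet --version 2>/dev/null || true)"
    [ -n "$sdk_version" ] || return 1
    version_major_matches "$sdk_version" "$1"
}

# format_verify: the pre-commit hook entry point. Exit status is the formatter's when it runs;
# 0 with a logged skip when no compatible SDK exists (ci.yml still enforces formatting).
format_verify() {
    if has_compatible_sdk "$REQUIRED_DOTNET_MAJOR"; then
        echo "format-verify: running dotnet format --verify-no-changes" >&2
        dotnet format --verify-no-changes
    else
        echo "format-verify: SKIPPED, no .NET $REQUIRED_DOTNET_MAJOR SDK on PATH (formatting is enforced by ci.yml)" >&2
    fi
}

# Only invoke the gate when executed as the script itself (not when sourced).
if [ "${0##*/}" = "format-verify" ]; then
    format_verify
fi
```

Wired into .pre-commit-config.yaml as a `language: script` hook with `entry: scripts/format-verify`, this keeps the hook green on the SDK-less lean-gate runner while local developers and the repo's .NET CI still get the real verification.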
@Prekzursil Prekzursil merged commit 49b34b2 into main Jun 20, 2026
16 of 26 checks passed
@Prekzursil Prekzursil deleted the feat/lean-quality-gate branch June 20, 2026 02:33
3 participants