Skip to content

chore(standards): add canonical ci.yml + sonarcloud.yml inline workflow templates (#966)#564

Merged
don-petry merged 4 commits into
mainfrom
chore/add-ci-sonarcloud-inline-standards-966
Jun 30, 2026
Merged

chore(standards): add canonical ci.yml + sonarcloud.yml inline workflow templates (#966)#564
don-petry merged 4 commits into
mainfrom
chore/add-ci-sonarcloud-inline-standards-966

Conversation

@don-petry

@don-petry don-petry commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

What

Adds two canonical inline workflow templates to standards/workflows/:

  • ci.yml — stack-agnostic, customize-per-stack CI stub (job build-and-test, passes out of the box so a fresh repo is green on day 0; documented placeholder to replace with the stack's lint/format/typecheck/test/coverage steps).
  • sonarcloud.yml — standard SonarCloud Analysis workflow (job name SonarCloud, continue-on-error first attempt + single retry, guarded on SONAR_TOKEN).

Both follow the existing inline-standard conventions (the copilot-setup-steps.yml banner style), permissions: {} + least-privilege per job, triggers on push/PR to main, and SHA-pinned actions verified via the API (actions/checkout@de0fac2e… # v6.0.2, SonarSource/sonarqube-scan-action@713881670… # v8.2.0).

Why

scripts/seed-repo-template.sh in .github-private (epic #964, story #966) classifies ci/sonarcloud as kind=inline and fetches them from standards/workflows/ to ship verbatim into repo-template. Those two files never existed here, so a live seed run 404'd and could not populate the template. The seeder's bats tests mocked the fetch, so they missed it. This adds the missing canonical sources (the chosen fix: keep inline workflows in standards/, not embedded in the script).

A companion PR in .github-private fixes a second seeder defect (Dependabot stack path/default) and closes the test gap.

Validation

  • yamllint passes under the exact config this repo's CI uses (line-length: 200, document-start: disable, truthy.check-keys: false).
  • End-to-end: the fixed seeder, pointed at a mirror of the live standards/ + these two files, emits all 10 workflow stubs + 10 baseline files with zero fetch errors; inline files ship byte-identically.

Refs #966, epic #964.

Summary by CodeRabbit

  • New Features

    • Added automated CI checks for pushes and pull requests to the main branch.
    • Added code quality analysis with a SonarCloud workflow, including a retry if the first scan fails.
  • Security

    • Tightened workflow permissions to follow least-privilege access.
    • Improved supply-chain safety by using pinned action versions.
  • Chores

    • Enabled cancellation of older in-progress workflow runs when newer changes are pushed.

@don-petry don-petry requested a review from a team as a code owner June 30, 2026 22:02
@chatgpt-codex-connector

Copy link
Copy Markdown

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, you can upgrade your account or add credits to your account and enable them for code reviews in your settings.

@coderabbitai

coderabbitai Bot commented Jun 30, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

This PR adds two GitHub Actions workflow files: standards/workflows/ci.yml, which defines a build-and-test job triggered on push/pull_request to main with least-privilege permissions and SHA-pinned checkout, and standards/workflows/sonarcloud.yml, which runs a SonarCloud scan conditionally on SONAR_TOKEN with a retry on failure.

Changes

CI/CD Workflow Setup

Layer / File(s) Summary
CI workflow definition
standards/workflows/ci.yml
Defines triggers, top-level empty permissions, concurrency cancellation, and a build-and-test job with SHA-pinned checkout and a placeholder step pending real build/test commands.
SonarCloud analysis workflow
standards/workflows/sonarcloud.yml
Defines triggers, least-privilege permissions, full-history checkout, conditional SonarCloud scan execution based on SONAR_TOKEN, and a retry attempt if the first scan fails.

Sequence Diagram(s)

sequenceDiagram
  participant GitHub
  participant CIWorkflow
  participant SonarCloudWorkflow
  participant SonarScanAction

  GitHub->>CIWorkflow: push or pull_request to main
  CIWorkflow->>CIWorkflow: checkout repository, run build-and-test placeholder

  GitHub->>SonarCloudWorkflow: push or pull_request to main
  SonarCloudWorkflow->>SonarCloudWorkflow: checkout with full history
  SonarCloudWorkflow->>SonarScanAction: run scan if SONAR_TOKEN set
  SonarScanAction-->>SonarCloudWorkflow: outcome (success/failure)
  alt failure
    SonarCloudWorkflow->>SonarScanAction: retry scan
  end
Loading

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Possibly related PRs

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately and concisely describes the addition of the canonical CI and SonarCloud workflow templates.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch chore/add-ci-sonarcloud-inline-standards-966

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@don-petry

Copy link
Copy Markdown
Contributor Author

Dev-Lead — review-changes (no-changes)

No changes were needed for this PR.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces two standard GitHub Actions workflow templates: a CI pipeline stub (ci.yml) and a SonarCloud analysis workflow (sonarcloud.yml). The review feedback suggests a minor improvement to remove redundant ${{ }} expression wrappers from the if conditionals in the SonarCloud workflow, which simplifies the syntax and aligns with standard GitHub Actions practices.

Comment thread standards/workflows/sonarcloud.yml Outdated
Comment thread standards/workflows/sonarcloud.yml Outdated
@don-petry don-petry disabled auto-merge June 30, 2026 22:04
coderabbitai[bot]
coderabbitai Bot previously approved these changes Jun 30, 2026
@don-petry

Copy link
Copy Markdown
Contributor Author

Dev-Lead — fix-reviews (applied)

Changes committed and pushed.

@don-petry

Copy link
Copy Markdown
Contributor Author

Dev-Lead — review-changes (no-changes)

No changes were needed for this PR.

@don-petry don-petry enabled auto-merge (squash) June 30, 2026 22:08
don-petry added a commit to petry-projects/.github-private that referenced this pull request Jun 30, 2026
… gap (#966) (#995)

* fix(seed-repo-template): correct dependabot stack path + default, close test gap (#966)

The #966 seeder could not run live. Two path defects, both hidden because the
bats tests mocked the standards fetch:

1. ci.yml / sonarcloud.yml are declared kind=inline and fetched from
   standards/workflows/, but those canonical files never existed there (added in
   petry-projects/.github#564).
2. The dependabot baseline fetched standards/dependabot/<stack>/dependabot.yml —
   a subdirectory layout that does not exist — with a default stack of `node`,
   which is not a real stack. The real layout is flat: standards/dependabot/<stack>.yml.

Changes:
- Fix the dependabot fetch path to standards/dependabot/<stack>.yml.
- Default DEPENDABOT_STACK node -> frontend (a real stack); fix the env doc and the
  generated BOOTSTRAP.md, which named non-existent `node`/`go` stacks and a <stack>/ subdir.
- Tests: move fixtures to the flat layout; add fail-loud regression guards so a missing
  inline workflow standard (the ci/sonarcloud class) or a missing dependabot stack file
  exits non-zero instead of shipping an empty file; add sonarcloud inline-emit coverage;
  add a network-free gh stub so fail-loud tests don't depend on live repo state.

Validated end-to-end against a mirror of the live standards/ plus the two new files:
all 10 workflow stubs + 10 baseline files emit with zero fetch errors; inline files
ship byte-identically; callers repin to @<name>/stable. shellcheck clean; 26/26 bats.

Companion to petry-projects/.github#564. Refs #966, epic #964.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* fix(reviews): address review comments [skip ci-relay]

---------

Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
@don-petry

Copy link
Copy Markdown
Contributor Author

@donpetry-bot please review — all required CI is green (Lint/yamllint, ShellCheck, SonarCloud, gitleaks, CodeRabbit all pass), no unresolved threads. This adds the canonical ci.yml + sonarcloud.yml inline standards that unblock the repo-template seeder (companion #995 already merged). Requesting the approving review.

@donpetry-bot

Copy link
Copy Markdown
Contributor

@don-petry I'm on it — starting a fresh review now. Results will appear in a few minutes.

@donpetry-bot donpetry-bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review — APPROVED ✓

Risk: LOW
Reviewed commit: baeedd394c690590f77f272632d4b83dd21b2af8
Review mode: triage-approved (single reviewer)

Summary

Adds two new canonical inline workflow templates to standards/workflows/ — ci.yml (a stack-agnostic, customize-per-stack CI stub that is green on day 0) and sonarcloud.yml (standard SonarCloud Analysis with SONAR_TOKEN guard + single retry). +104/-0 across 2 added files. These are template source files under standards/ (not active workflows in this repo), shipped verbatim into repo-template by the seeder; the files never existed, so a live seed 404'd. Both follow org conventions: permissions: {} at top, least-privilege per job, push/PR-to-main triggers, and SHA-pinned actions.

Linked issue analysis

No closing reference; PR refs #966 (story) / epic #964. The change directly addresses the stated gap: seed-repo-template.sh classifies ci/sonarcloud as kind=inline and fetches them from standards/workflows/, which were missing. Adding the two canonical sources is the substantive fix and matches the issue intent.

Findings

No blocking findings.

  • Action SHA pins verified against upstream tags via the GitHub API: actions/checkout@de0fac2 == v6.0.2 (match); SonarSource/sonarqube-scan-action@7138816 == v8.2.0 (match).
  • GitHub Actions hygiene is clean: top-level permissions: {}, per-job least privilege (contents: read; sonar adds pull-requests: read), no pull_request_target, no untrusted-input interpolation / script-injection vectors, no inline secrets.
  • Prior gemini-code-assist suggestion (redundant ${{ }} wrappers in if: conditionals) is resolved — the final commit uses bare expressions (if: env.SONAR_TOKEN != '' …). Both review threads are resolved/outdated; no unanswered human-reviewer questions.
  • MCP run_secret_scanning tool not available in this environment; relied on the gitleaks CI check (passing). SonarCloud quality gate passed with 0 new issues.

CI status

All required checks green: CI Lint, ShellCheck, Agent Security Scan, Secret scan (gitleaks), CodeQL (actions), SonarCloud, AgentShield, Dependency audit, CodeRabbit. No failing or pending required checks. Note: mergeStateStatus is BEHIND main (MERGEABLE) — branch needs an update before merge, not a review blocker.


Reviewed automatically by the PR-review agent (single-reviewer mode: fable 5). Reply if you need a human review.

@sonarqubecloud

Copy link
Copy Markdown

@don-petry don-petry disabled auto-merge June 30, 2026 22:51
@don-petry

Copy link
Copy Markdown
Contributor Author

Dev-Lead — fix-bot-comment (no-changes)

Agent reasoning
Issues addressed: 0
- Quality Gate: PASSED (0 new issues, 0 security hotspots) — informational status only
- Redundant ${{ }} wrappers: already resolved in reviewed commit (per pr-review agent)
Files changed: none (no fixes needed)
Skipped (informational): 1 (SonarCloud quality gate report)
```

@don-petry don-petry enabled auto-merge (squash) June 30, 2026 22:52
@don-petry don-petry merged commit a969688 into main Jun 30, 2026
20 of 21 checks passed
@don-petry don-petry deleted the chore/add-ci-sonarcloud-inline-standards-966 branch June 30, 2026 22:52

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@standards/workflows/ci.yml`:
- Line 17: The CI concurrency setup in the workflow is keyed with github.sha,
which makes every run unique and prevents cancel-in-progress from stopping stale
branch runs. Update the concurrency group in the CI workflow to use a stable key
based on the workflow and ref only, and make sure the same change is applied
everywhere this group is defined so consecutive pushes to the same branch share
the same cancellation group.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 3e4ca598-e087-4ccc-934f-dc0a05848a95

📥 Commits

Reviewing files that changed from the base of the PR and between bc13c11 and 9311ddc.

📒 Files selected for processing (2)
  • standards/workflows/ci.yml
  • standards/workflows/sonarcloud.yml

# CONVENTIONS (enforced by the standard):
# • permissions: {} at top, least-privilege per job (CI needs contents: read)
# • triggers: push + pull_request to main
# • concurrency keyed by ref+sha so a new push cancels the stale run

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Concurrency group keyed by sha defeats "cancel stale run" intent.

Including github.sha in the group key (ci-${{ github.ref }}-${{ github.sha }}) means every push gets a unique group, since sha differs per commit. This means cancel-in-progress: true can never actually cancel a previous in-flight run on the same branch — directly contradicting the doc comment at line 17 ("a new push to a branch cancels the stale run for the same ref"). The conventional pattern is to key only on workflow+ref so consecutive pushes to the same ref share a group.

🛠️ Proposed fix
 concurrency:
-  group: ci-${{ github.ref }}-${{ github.sha }}
+  group: ci-${{ github.ref }}
   cancel-in-progress: true

Also applies to: 30-32

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@standards/workflows/ci.yml` at line 17, The CI concurrency setup in the
workflow is keyed with github.sha, which makes every run unique and prevents
cancel-in-progress from stopping stale branch runs. Update the concurrency group
in the CI workflow to use a stable key based on the workflow and ref only, and
make sure the same change is applied everywhere this group is defined so
consecutive pushes to the same branch share the same cancellation group.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants