chore(standards): add canonical ci.yml + sonarcloud.yml inline workflow templates (#966)#564
Conversation
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
📝 WalkthroughWalkthroughThis PR adds two GitHub Actions workflow files: standards/workflows/ci.yml, which defines a build-and-test job triggered on push/pull_request to main with least-privilege permissions and SHA-pinned checkout, and standards/workflows/sonarcloud.yml, which runs a SonarCloud scan conditionally on SONAR_TOKEN with a retry on failure. ChangesCI/CD Workflow Setup
Sequence Diagram(s)sequenceDiagram
participant GitHub
participant CIWorkflow
participant SonarCloudWorkflow
participant SonarScanAction
GitHub->>CIWorkflow: push or pull_request to main
CIWorkflow->>CIWorkflow: checkout repository, run build-and-test placeholder
GitHub->>SonarCloudWorkflow: push or pull_request to main
SonarCloudWorkflow->>SonarCloudWorkflow: checkout with full history
SonarCloudWorkflow->>SonarScanAction: run scan if SONAR_TOKEN set
SonarScanAction-->>SonarCloudWorkflow: outcome (success/failure)
alt failure
SonarCloudWorkflow->>SonarScanAction: retry scan
end
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~5 minutes Possibly related PRs
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Dev-Lead — review-changes (no-changes)No changes were needed for this PR. |
There was a problem hiding this comment.
Code Review
This pull request introduces two standard GitHub Actions workflow templates: a CI pipeline stub (ci.yml) and a SonarCloud analysis workflow (sonarcloud.yml). The review feedback suggests a minor improvement to remove redundant ${{ }} expression wrappers from the if conditionals in the SonarCloud workflow, which simplifies the syntax and aligns with standard GitHub Actions practices.
Dev-Lead — fix-reviews (applied)Changes committed and pushed. |
Dev-Lead — review-changes (no-changes)No changes were needed for this PR. |
… gap (#966) (#995) * fix(seed-repo-template): correct dependabot stack path + default, close test gap (#966) The #966 seeder could not run live. Two path defects, both hidden because the bats tests mocked the standards fetch: 1. ci.yml / sonarcloud.yml are declared kind=inline and fetched from standards/workflows/, but those canonical files never existed there (added in petry-projects/.github#564). 2. The dependabot baseline fetched standards/dependabot/<stack>/dependabot.yml — a subdirectory layout that does not exist — with a default stack of `node`, which is not a real stack. The real layout is flat: standards/dependabot/<stack>.yml. Changes: - Fix the dependabot fetch path to standards/dependabot/<stack>.yml. - Default DEPENDABOT_STACK node -> frontend (a real stack); fix the env doc and the generated BOOTSTRAP.md, which named non-existent `node`/`go` stacks and a <stack>/ subdir. - Tests: move fixtures to the flat layout; add fail-loud regression guards so a missing inline workflow standard (the ci/sonarcloud class) or a missing dependabot stack file exits non-zero instead of shipping an empty file; add sonarcloud inline-emit coverage; add a network-free gh stub so fail-loud tests don't depend on live repo state. Validated end-to-end against a mirror of the live standards/ plus the two new files: all 10 workflow stubs + 10 baseline files emit with zero fetch errors; inline files ship byte-identically; callers repin to @<name>/stable. shellcheck clean; 26/26 bats. Companion to petry-projects/.github#564. Refs #966, epic #964. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * fix(reviews): address review comments [skip ci-relay] --------- Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
|
@donpetry-bot please review — all required CI is green (Lint/yamllint, ShellCheck, SonarCloud, gitleaks, CodeRabbit all pass), no unresolved threads. This adds the canonical ci.yml + sonarcloud.yml inline standards that unblock the repo-template seeder (companion #995 already merged). Requesting the approving review. |
|
@don-petry I'm on it — starting a fresh review now. Results will appear in a few minutes. |
donpetry-bot
left a comment
There was a problem hiding this comment.
Automated review — APPROVED ✓
Risk: LOW
Reviewed commit: baeedd394c690590f77f272632d4b83dd21b2af8
Review mode: triage-approved (single reviewer)
Summary
Adds two new canonical inline workflow templates to standards/workflows/ — ci.yml (a stack-agnostic, customize-per-stack CI stub that is green on day 0) and sonarcloud.yml (standard SonarCloud Analysis with SONAR_TOKEN guard + single retry). +104/-0 across 2 added files. These are template source files under standards/ (not active workflows in this repo), shipped verbatim into repo-template by the seeder; the files never existed, so a live seed 404'd. Both follow org conventions: permissions: {} at top, least-privilege per job, push/PR-to-main triggers, and SHA-pinned actions.
Linked issue analysis
No closing reference; PR refs #966 (story) / epic #964. The change directly addresses the stated gap: seed-repo-template.sh classifies ci/sonarcloud as kind=inline and fetches them from standards/workflows/, which were missing. Adding the two canonical sources is the substantive fix and matches the issue intent.
Findings
No blocking findings.
- Action SHA pins verified against upstream tags via the GitHub API: actions/checkout@de0fac2 == v6.0.2 (match); SonarSource/sonarqube-scan-action@7138816 == v8.2.0 (match).
- GitHub Actions hygiene is clean: top-level permissions: {}, per-job least privilege (contents: read; sonar adds pull-requests: read), no pull_request_target, no untrusted-input interpolation / script-injection vectors, no inline secrets.
- Prior gemini-code-assist suggestion (redundant ${{ }} wrappers in if: conditionals) is resolved — the final commit uses bare expressions (if: env.SONAR_TOKEN != '' …). Both review threads are resolved/outdated; no unanswered human-reviewer questions.
- MCP run_secret_scanning tool not available in this environment; relied on the gitleaks CI check (passing). SonarCloud quality gate passed with 0 new issues.
CI status
All required checks green: CI Lint, ShellCheck, Agent Security Scan, Secret scan (gitleaks), CodeQL (actions), SonarCloud, AgentShield, Dependency audit, CodeRabbit. No failing or pending required checks. Note: mergeStateStatus is BEHIND main (MERGEABLE) — branch needs an update before merge, not a review blocker.
Reviewed automatically by the PR-review agent (single-reviewer mode: fable 5). Reply if you need a human review.
|
Dev-Lead — fix-bot-comment (no-changes)Agent reasoning |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@standards/workflows/ci.yml`:
- Line 17: The CI concurrency setup in the workflow is keyed with github.sha,
which makes every run unique and prevents cancel-in-progress from stopping stale
branch runs. Update the concurrency group in the CI workflow to use a stable key
based on the workflow and ref only, and make sure the same change is applied
everywhere this group is defined so consecutive pushes to the same branch share
the same cancellation group.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: 3e4ca598-e087-4ccc-934f-dc0a05848a95
📒 Files selected for processing (2)
standards/workflows/ci.ymlstandards/workflows/sonarcloud.yml
| # CONVENTIONS (enforced by the standard): | ||
| # • permissions: {} at top, least-privilege per job (CI needs contents: read) | ||
| # • triggers: push + pull_request to main | ||
| # • concurrency keyed by ref+sha so a new push cancels the stale run |
There was a problem hiding this comment.
🎯 Functional Correctness | 🟠 Major | ⚡ Quick win
Concurrency group keyed by sha defeats "cancel stale run" intent.
Including github.sha in the group key (ci-${{ github.ref }}-${{ github.sha }}) means every push gets a unique group, since sha differs per commit. This means cancel-in-progress: true can never actually cancel a previous in-flight run on the same branch — directly contradicting the doc comment at line 17 ("a new push to a branch cancels the stale run for the same ref"). The conventional pattern is to key only on workflow+ref so consecutive pushes to the same ref share a group.
🛠️ Proposed fix
concurrency:
- group: ci-${{ github.ref }}-${{ github.sha }}
+ group: ci-${{ github.ref }}
cancel-in-progress: trueAlso applies to: 30-32
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@standards/workflows/ci.yml` at line 17, The CI concurrency setup in the
workflow is keyed with github.sha, which makes every run unique and prevents
cancel-in-progress from stopping stale branch runs. Update the concurrency group
in the CI workflow to use a stable key based on the workflow and ref only, and
make sure the same change is applied everywhere this group is defined so
consecutive pushes to the same branch share the same cancellation group.



What
Adds two canonical inline workflow templates to
standards/workflows/:ci.yml— stack-agnostic, customize-per-stack CI stub (jobbuild-and-test, passes out of the box so a fresh repo is green on day 0; documented placeholder to replace with the stack's lint/format/typecheck/test/coverage steps).sonarcloud.yml— standard SonarCloud Analysis workflow (job nameSonarCloud,continue-on-errorfirst attempt + single retry, guarded onSONAR_TOKEN).Both follow the existing inline-standard conventions (the
copilot-setup-steps.ymlbanner style),permissions: {}+ least-privilege per job, triggers on push/PR tomain, and SHA-pinned actions verified via the API (actions/checkout@de0fac2e… # v6.0.2,SonarSource/sonarqube-scan-action@713881670… # v8.2.0).Why
scripts/seed-repo-template.shin.github-private(epic #964, story #966) classifiesci/sonarcloudaskind=inlineand fetches them fromstandards/workflows/to ship verbatim intorepo-template. Those two files never existed here, so a live seed run 404'd and could not populate the template. The seeder's bats tests mocked the fetch, so they missed it. This adds the missing canonical sources (the chosen fix: keep inline workflows instandards/, not embedded in the script).A companion PR in
.github-privatefixes a second seeder defect (Dependabot stack path/default) and closes the test gap.Validation
line-length: 200,document-start: disable,truthy.check-keys: false).standards/+ these two files, emits all 10 workflow stubs + 10 baseline files with zero fetch errors; inline files ship byte-identically.Refs #966, epic #964.
Summary by CodeRabbit
New Features
Security
Chores