Skip to content

docs+ci: inline S7635 NOSONAR marker for idea-pipeline caller stubs#567

Merged
don-petry merged 3 commits into
mainfrom
chore/sonarcloud-s7635-inline-marker-idea-pipeline
Jul 1, 2026
Merged

docs+ci: inline S7635 NOSONAR marker for idea-pipeline caller stubs#567
don-petry merged 3 commits into
mainfrom
chore/sonarcloud-s7635-inline-marker-idea-pipeline

Conversation

@don-petry

@don-petry don-petry commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Closes the SonarCloud S7635 gap surfaced by the ring1 idea→initiative enrollment (petry-projects/.github-private#978, gate #515). Companion to the ring1 PRs (TalkTerm #331, bmad #342).

Problem

githubactions:S7635 ("only pass required secrets to this workflow") fires on the secrets: inherit line of first-party caller stubs. secrets: inherit is intentional — the central reusable is first-party/trusted and needs every inherited secret (GH_PAT_WORKFLOWS, CLAUDE_CODE_OAUTH_TOKEN, …); enumerating per-caller re-breaks on every reusable change. Existing deployments pass as non-"new code", so the rule only bites the first time a stub is added to a SonarCloud-gated repo — exactly what ring1 hit. The templates only carried the S7637 marker, so the auto-fix bot tried to "fix" S7635 by mangling the stubs.

Fix (canonical mechanism)

Per the existing S7637 exemption, the canonical suppression is an inline # NOSONAR marker that travels with the verbatim stub — zero per-repo sonar-project.properties entries. This adds that for S7635:

  • standards/workflows/initiative-planner.yml, idea-triage.yml, idea-enhancer.yml — the three idea-pipeline templates that use secrets: inherit — get secrets: inherit # NOSONAR(githubactions:S7635) first-party trusted reusable.
  • This repo's own dogfooded .github/workflows/initiative-planner.yml stub gets the same.
  • New "First-Party secrets: inherit S7635" subsection in ci-standards (S7637 anchor preserved so existing links keep working); §10 adoption step 1 points at it and notes verbatim copy needs no sonar edits.

Blast radius

Deployed stub consumers of these 3 templates on main: only this repo's own initiative-planner.yml (updated here). .github-private uses the full host workflow (not a stub). So no external stub-drift — the open ring1 PRs will be re-synced to match.

Deferred (tracked follow-up)

dev-lead.yml, auto-rebase.yml, dependabot-automerge.yml, pr-review-mention.yml also use secrets: inherit and share the latent gap, but are deployed fleet-wide — marking them fans out a broad re-sync. Until then a new adoption of one of those four needs the legacy per-file S7635 exemption (documented).

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Documentation

    • Added clearer guidance for setting up initiative-planning workflows, including which templates to copy and how compliance markers should appear.
    • Documented the approved inline exemption format for trusted reusable workflow calls.
  • Chores

    • Updated several workflow templates to consistently include the required inline compliance marker while preserving existing behavior.

SonarCloud's githubactions:S7635 ("only pass required secrets") fires on the
`secrets: inherit` line of first-party caller stubs. secrets: inherit is
intentional — the central reusable is first-party/trusted and needs every
inherited secret; enumerating per-caller re-breaks on each reusable change.
This is the same trust boundary that exempts the channel ref from S7637.

Apply the canonical mechanism (inline NOSONAR travelling with the verbatim
stub, per the existing S7637 pattern) to the three idea-pipeline templates
that use secrets: inherit — initiative-planner.yml, idea-triage.yml,
idea-enhancer.yml — plus this repo's own dogfooded initiative-planner stub.
Verbatim adopters (e.g. the ring1/stable enrollments) now inherit S7635
coverage with zero per-repo sonar-project.properties entries.

Document a sibling "First-Party `secrets: inherit` S7635" subsection under the
existing S7637 exemption (anchor preserved) and point §10 adoption step 1 at it.

Deferred: dev-lead.yml, auto-rebase.yml, dependabot-automerge.yml, and
pr-review-mention.yml also use secrets: inherit but are deployed fleet-wide;
adding the marker there fans out a broad stub re-sync, tracked separately.

Refs petry-projects/.github-private#978, #515.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01RsWQeSJjrno6qo2DvgB63H
@don-petry don-petry requested a review from a team as a code owner July 1, 2026 12:28
Copilot AI review requested due to automatic review settings July 1, 2026 12:28
@chatgpt-codex-connector

Copy link
Copy Markdown

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, you can upgrade your account or add credits to your account and enable them for code reviews in your settings.

@coderabbitai

coderabbitai Bot commented Jul 1, 2026

Copy link
Copy Markdown

Review Change Stack

Warning

Review limit reached

@don-petry, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 53 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 458e795c-bdfe-4553-b0fe-4f62ed08d23b

📥 Commits

Reviewing files that changed from the base of the PR and between cfd513a and 41e2340.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (1)
  • standards/ci-standards.md
📝 Walkthrough

Walkthrough

This PR adds inline NOSONAR suppression comments to secrets: inherit lines in four reusable workflow caller stubs and documents a new SonarCloud exemption rule in ci-standards.md, along with updated adoption instructions requiring verbatim template copies.

Changes

NOSONAR exemption rollout

Layer / File(s) Summary
SonarCloud exemption rule and adoption docs
standards/ci-standards.md
Adds a new section defining the inline # NOSONAR(githubactions:S7635) requirement for first-party secrets: inherit caller stubs and updates the initiative pipeline adoption steps to require verbatim template copies with markers already included, avoiding sonar-project.properties edits.
Apply NOSONAR markers to workflow callers
.github/workflows/initiative-planner.yml, standards/workflows/idea-enhancer.yml, standards/workflows/idea-triage.yml, standards/workflows/initiative-planner.yml
Adds inline NOSONAR comments (S7635, S6375) to secrets: inherit lines in reusable workflow callers with no change to secret inheritance behavior.

Estimated code review effort: 1 (Trivial) | ~5 minutes

Possibly related PRs

  • petry-projects/.github#11: Both PRs touch standards/ci-standards.md with SonarCloud-related guidance, building on the CI/CD standards doc.
  • petry-projects/.github#504: Both PRs modify the secrets: inherit line in standards/workflows/initiative-planner.yml.
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main change: adding inline S7635 NOSONAR markers to idea-pipeline caller stubs and related docs.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch chore/sonarcloud-s7635-inline-marker-idea-pipeline

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the org-standard idea→initiative “caller stub” workflow templates (and this repo’s dogfooded stub) to inline-suppress SonarCloud rule githubactions:S7635 on intentional secrets: inherit usage, and documents the canonical suppression mechanism in ci-standards.md so adopters don’t need per-repo Sonar configuration.

Changes:

  • Add inline # NOSONAR(githubactions:S7635) comments on secrets: inherit for the three idea-pipeline caller stub templates.
  • Add the same inline marker to this repo’s .github/workflows/initiative-planner.yml stub.
  • Document the S7635 suppression standard in standards/ci-standards.md and update the “Adopting in a new repo” step to note verbatim-copy behavior.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.

Show a summary per file
File Description
standards/workflows/initiative-planner.yml Adds inline S7635 NOSONAR marker on secrets: inherit for the initiative planner caller stub template.
standards/workflows/idea-triage.yml Adds inline S7635 NOSONAR marker on secrets: inherit for the idea triage caller stub template.
standards/workflows/idea-enhancer.yml Adds inline S7635 NOSONAR marker on secrets: inherit for the idea enhancer caller stub template.
standards/ci-standards.md Documents the canonical inline NOSONAR suppression for S7635 and updates adoption guidance to reflect verbatim-copy behavior.
.github/workflows/initiative-planner.yml Adds inline S7635 NOSONAR marker on secrets: inherit for the in-repo dogfooded stub.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request documents and implements a standard inline SonarCloud exemption (# NOSONAR(githubactions:S7635)) for first-party caller stubs that use secrets: inherit. The documentation in standards/ci-standards.md has been updated to explain this exemption, and the marker has been added to several workflow templates. The review feedback suggests improving the documentation's consistency and navigation by linking workflow paths uniformly and using a direct anchor link for the newly added SonarCloud exemption section.

Comment thread standards/ci-standards.md Outdated
Comment thread standards/ci-standards.md Outdated
@don-petry

Copy link
Copy Markdown
Contributor Author

Dev-Lead — review-changes (applied)

Changes committed and pushed.

@don-petry don-petry enabled auto-merge (squash) July 1, 2026 12:32

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@standards/ci-standards.md`:
- Around line 1171-1177: The adoption steps are missing the `idea-enhancer.yml`
workflow, which is now part of the required verbatim template set. Update the
instructions near the `initiative-driver.yml`/`idea-triage.yml` references to
also mention copying `idea-enhancer.yml` into `.github/workflows/`, keeping the
guidance aligned with the S7635 caller-stub templates and the existing `#
NOSONAR` notes.
- Line 498: The markdown at the referenced documentation section has broken list
formatting because the “+ more)” fragment is being parsed like a list item and
conflicts with markdownlint rules. Update the surrounding prose in the CI
standards doc to remove that inline list-like fragment, or convert it into a
properly formatted dash list with blank lines using the nearby section text as
context. Locate the affected sentence by its “without each caller enumerating —
and re-enumerating on every reusable” wording and rewrite it as plain prose.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 261d41b4-2b34-46ee-afcd-30e8c18b547c

📥 Commits

Reviewing files that changed from the base of the PR and between a969688 and cfd513a.

📒 Files selected for processing (5)
  • .github/workflows/initiative-planner.yml
  • standards/ci-standards.md
  • standards/workflows/idea-enhancer.yml
  • standards/workflows/idea-triage.yml
  • standards/workflows/initiative-planner.yml

Comment thread standards/ci-standards.md Outdated
Comment thread standards/ci-standards.md Outdated
@don-petry don-petry disabled auto-merge July 1, 2026 12:32
…635 anchor

- Add idea-triage.yml + idea-enhancer.yml (optional) to §10 adoption step 1 so
  the caller-stub set matches the S7635 template list (CodeRabbit).
- Use full standards/workflows/ paths in the link text and link the S7635
  subsection by anchor instead of prose (Gemini).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01RsWQeSJjrno6qo2DvgB63H
@don-petry don-petry enabled auto-merge (squash) July 1, 2026 12:35
@sonarqubecloud

sonarqubecloud Bot commented Jul 1, 2026

Copy link
Copy Markdown

@don-petry don-petry disabled auto-merge July 1, 2026 12:35
@don-petry don-petry enabled auto-merge (squash) July 1, 2026 12:37
@don-petry don-petry disabled auto-merge July 1, 2026 12:45
@don-petry

Copy link
Copy Markdown
Contributor Author

Dev-Lead — waiting on PR blockers (intent: fix-reviews)

PR: #567
No changes were committed, but the PR still has blocking checks or reviews (failing or cancelled checks, or changes-requested reviews). The retry cron will re-attempt automatically. Next attempt after: 2026-07-01T13:17:38Z

@don-petry don-petry enabled auto-merge (squash) July 1, 2026 12:47

@donpetry-bot donpetry-bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review — APPROVED ✓

Risk: LOW
Reviewed commit: 41e23407dfca143f26f7f552ebbc56708594e73b
Review mode: triage-approved (single reviewer)

Summary

Comment-only + docs change: adds inline # NOSONAR(githubactions:S7635) first-party trusted reusable markers to the secrets: inherit line of four first-party caller stubs (this repo's dogfooded initiative-planner.yml plus the initiative-planner/idea-triage/idea-enhancer standards templates) and documents the exemption as a sibling to the existing S7637 rule in ci-standards.md. No secret-inheritance behavior changes.

Linked issue analysis

No linked closing issues (PR references petry-projects/.github-private#978 and #515 with Refs, not Closes). Nothing to substantively verify against a closing issue; the stated goal (close the S7635 SonarCloud gap surfaced by ring1 enrollment via the canonical inline-marker mechanism) is fully realized by the diff.

Findings

  • No security-relevant behavior change: secrets: inherit was already present on every touched line; the PR only appends a NOSONAR comment. SonarCloud Quality Gate passed with 0 new issues; CodeQL, gitleaks, AgentShield, and the Agent Security Scan are all green.
  • The suppression is legitimate and documented, not covert: it mirrors the established first-party S7637 exemption, targets a trusted first-party reusable, and is captured in ci-standards.md with an explicit pending-list for the fleet-wide stubs not yet migrated.
  • Prior CodeRabbit CHANGES_REQUESTED (add idea-enhancer.yml to adoption step 1; anchor/link nits) was addressed by commit 41e2340; CodeRabbit re-reviewed and APPROVED at the head SHA. Copilot and Gemini generated no blocking comments.
  • Nit (non-blocking): CodeRabbit flagged the inline "( … + more)" fragment near ci-standards.md:498 as list-like markdown; it remains as prose but is cosmetic and CodeRabbit approved regardless.
  • GitHub secret-scanning MCP tool not exposed in this environment; relied on the passing gitleaks CI check. No secrets introduced (diff adds only comments and documentation).

CI status

All substantive gates green: SonarCloud (Quality Gate passed, 0 new issues), CodeQL, Secret scan (gitleaks), AgentShield, Agent Security Scan, Lint, ShellCheck, npm audit. CANCELLED entries are only superseded dev-lead automation-agent dispatch/ci-relay runs, not quality gates. mergeStateStatus: BLOCKED reflects the outstanding org-leads human-review requirement (branch protection), not a failing check.


Reviewed automatically by the PR-review agent (single-reviewer mode: fable 5). Reply if you need a human review.

@don-petry don-petry merged commit 4751514 into main Jul 1, 2026
26 of 36 checks passed
@don-petry don-petry deleted the chore/sonarcloud-s7635-inline-marker-idea-pipeline branch July 1, 2026 15:18
don-petry added a commit to petry-projects/TalkTerm that referenced this pull request Jul 1, 2026
…567) (#332)

chore: add inline S7635 NOSONAR marker to initiative-planner + idea-triage stubs

Re-sync to the updated canonical templates (petry-projects/.github#567), which
moved S7635 suppression to an inline `# NOSONAR(githubactions:S7635)` marker on
the `secrets: inherit` line (travels with the verbatim stub). Prevents Fleet
Monitor stub-drift once #567 is on main. The per-file S7635 multicriteria added
at enrollment is now redundant (marker covers it) but left in place for a
minimal diff — belt-and-suspenders, same as the repo's other channel-pinned stubs.


Claude-Session: https://claude.ai/code/session_01RsWQeSJjrno6qo2DvgB63H

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
don-petry added a commit to petry-projects/bmad-bgreat-suite that referenced this pull request Jul 1, 2026
…567) (#343)

chore: add inline S7635 NOSONAR marker to initiative-planner + idea-triage stubs

Re-sync to the updated canonical templates (petry-projects/.github#567), which
moved S7635 suppression to an inline `# NOSONAR(githubactions:S7635)` marker on
the `secrets: inherit` line (travels with the verbatim stub). Prevents Fleet
Monitor stub-drift once #567 is on main. The per-file S7635 multicriteria added
at enrollment is now redundant (marker covers it) but left in place for a
minimal diff — belt-and-suspenders, same as the repo's other channel-pinned stubs.


Claude-Session: https://claude.ai/code/session_01RsWQeSJjrno6qo2DvgB63H

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants