fix: add code-quality repository ruleset (closes #51)#77
Conversation
📝 WalkthroughWalkthroughAdds a new Bash script that idempotently creates or updates a GitHub "code-quality" repository ruleset with required status checks for SonarCloud, Analyze (actions), and claude-code/claude on the default branch using the GitHub CLI and jq. Changes
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes Possibly related PRs
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Comment |
|
@don-petry — the |
There was a problem hiding this comment.
Pull request overview
Adds a repo-local, idempotent maintenance script to create/update the GitHub “code-quality” repository ruleset for petry-projects/markets, aligning the repo with the org compliance requirement for required status checks on the default branch.
Changes:
- Added a Bash script that uses
gh api+jqto upsert thecode-qualityruleset. - Encoded the required status check contexts (
SonarCloud,Analyze (actions),claude-code / claude) with strict “branch up-to-date” enforcement.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| echo "ERROR: GH_TOKEN is required with administration:write scope" >&2 | ||
| exit 1 | ||
| fi | ||
|
|
There was a problem hiding this comment.
Consider validating required CLI dependencies up front (e.g., gh and jq) and emitting a clear error if missing. Right now the script will fail later with less actionable messages like command not found, which makes recovery usage harder.
| MISSING_DEPENDENCY=0 | |
| for cmd in gh jq; do | |
| if ! command -v "$cmd" >/dev/null 2>&1; then | |
| echo "ERROR: Required CLI dependency '$cmd' is not installed or not on PATH" >&2 | |
| MISSING_DEPENDENCY=1 | |
| fi | |
| done | |
| if [ "$MISSING_DEPENDENCY" -ne 0 ]; then | |
| exit 1 | |
| fi |
| # Fetch existing rulesets | ||
| EXISTING_ID=$(gh api "repos/$REPO/rulesets" \ | ||
| --jq ".[] | select(.name == \"$RULESET_NAME\") | .id" 2>/dev/null || true) |
There was a problem hiding this comment.
gh api repos/$REPO/rulesets errors are currently suppressed (2>/dev/null || true). This can mask real failures (bad auth, missing permissions, API changes) and cause the script to behave as if no ruleset exists. Prefer surfacing errors, or explicitly handle only the expected “not found/empty list” cases.
| # Fetch existing rulesets | |
| EXISTING_ID=$(gh api "repos/$REPO/rulesets" \ | |
| --jq ".[] | select(.name == \"$RULESET_NAME\") | .id" 2>/dev/null || true) | |
| # Fetch existing rulesets. If no ruleset matches, --jq returns no output and | |
| # EXISTING_ID remains empty; unexpected gh/api failures should surface. | |
| EXISTING_ID=$(gh api "repos/$REPO/rulesets" \ | |
| --jq ".[] | select(.name == \"$RULESET_NAME\") | .id") |
| EXISTING_ID=$(gh api "repos/$REPO/rulesets" \ | ||
| --jq ".[] | select(.name == \"$RULESET_NAME\") | .id" 2>/dev/null || true) | ||
|
|
There was a problem hiding this comment.
EXISTING_ID can contain multiple IDs if more than one ruleset shares the same name (the jq filter can emit multiple lines). That would make the subsequent PUT URL invalid. Consider selecting a single ID deterministically (e.g., first match) and/or failing if multiple matches are found.
| EXISTING_ID=$(gh api "repos/$REPO/rulesets" \ | |
| --jq ".[] | select(.name == \"$RULESET_NAME\") | .id" 2>/dev/null || true) | |
| mapfile -t EXISTING_IDS < <( | |
| gh api "repos/$REPO/rulesets" \ | |
| --jq ".[] | select(.name == \"$RULESET_NAME\") | .id" 2>/dev/null || true | |
| ) | |
| if [ "${#EXISTING_IDS[@]}" -gt 1 ]; then | |
| echo "ERROR: Multiple rulesets named $RULESET_NAME found for $REPO: ${EXISTING_IDS[*]}" >&2 | |
| exit 1 | |
| fi | |
| EXISTING_ID="${EXISTING_IDS[0]:-}" |
| PAYLOAD=$(jq -n '{ | ||
| name: "code-quality", |
There was a problem hiding this comment.
The ruleset name is defined in RULESET_NAME but the payload hardcodes name: "code-quality". This duplication can lead to drift if the variable is ever updated. Prefer building the payload from RULESET_NAME to keep the script truly idempotent/maintainable.
| PAYLOAD=$(jq -n '{ | |
| name: "code-quality", | |
| PAYLOAD=$(jq -n --arg ruleset_name "$RULESET_NAME" '{ | |
| name: $ruleset_name, |
Adds .github/scripts/apply-code-quality-ruleset.sh — an idempotent script that creates or updates the required `code-quality` repository ruleset for petry-projects/markets. The ruleset itself has already been created directly via the GitHub API (ruleset id 14805963) and is now active on the default branch, enforcing these required status checks: - SonarCloud - Analyze (actions) (CodeQL, actions ecosystem) - claude-code / claude The script serves as a repo-local reference and allows re-creation if the ruleset is ever accidentally deleted or needs updating. Closes #51 Co-authored-by: don-petry <don-petry@users.noreply.github.com>
don-petry
force-pushed
the
claude/issue-51-20260408-0149
branch
from
e9f5ddc to
4943fa8
Compare
|
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
🧹 Nitpick comments (1)
.github/scripts/apply-code-quality-ruleset.sh (1)
35-36: Consider preserving error details for debugging.Suppressing stderr with
2>/dev/nullhides auth or network errors. For a maintenance script, capturing errors while still allowing the script to continue would improve troubleshooting.🔧 Optional improvement to log errors
-EXISTING_ID=$(gh api "repos/$REPO/rulesets" \ - --jq ".[] | select(.name == \"$RULESET_NAME\") | .id" 2>/dev/null || true) +EXISTING_ID=$(gh api "repos/$REPO/rulesets" \ + --jq ".[] | select(.name == \"$RULESET_NAME\") | .id" || true)🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/scripts/apply-code-quality-ruleset.sh around lines 35 - 36, The current gh API call that sets EXISTING_ID hides stderr with 2>/dev/null; change it to capture stderr into a variable and preserve the existing || true so the script continues—run the gh api command for EXISTING_ID (using REPO and RULESET_NAME), redirect or capture stderr into a separate variable (e.g., ERR), keep the jq extraction, and after the call log or echo the ERR content to stderr if non-empty so authentication/network errors are visible for debugging while still allowing the script to proceed.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Nitpick comments:
In @.github/scripts/apply-code-quality-ruleset.sh:
- Around line 35-36: The current gh API call that sets EXISTING_ID hides stderr
with 2>/dev/null; change it to capture stderr into a variable and preserve the
existing || true so the script continues—run the gh api command for EXISTING_ID
(using REPO and RULESET_NAME), redirect or capture stderr into a separate
variable (e.g., ERR), keep the jq extraction, and after the call log or echo the
ERR content to stderr if non-empty so authentication/network errors are visible
for debugging while still allowing the script to proceed.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: 22ce9980-e42f-42e9-a81a-6cb99a920958
📒 Files selected for processing (1)
.github/scripts/apply-code-quality-ruleset.sh
Summary
code-qualityrepository ruleset directly via the GitHub API (already active as of this PR — ruleset id14805963).github/scripts/apply-code-quality-ruleset.shfor idempotent future maintenanceWhat was done
The
code-qualityruleset is now live onpetry-projects/marketsand enforces these required status checks on the default branch:SonarCloudsonarcloud.yml, jobsonarcloudAnalyze (actions)codeql.yml, matrix jobanalyze(actions ecosystem)claude-code / claudeclaude.yml, calling reusable workflow jobSettings:
strict_required_status_checks_policy: true(branch must be up to date before merging).Why a script in the repo?
The org-level
apply-rulesets.shis the canonical tool for bulk management. This repo-local script exists as a reference and recovery tool specifically for markets — useful if the ruleset is accidentally deleted.Closes #51
Generated with Claude Code
Summary by CodeRabbit