chore(TestingKit): workflow hygiene — ubuntu-24.04, permissions

[KooshaPari]

User description

Summary

• Replace ubuntu-latest with ubuntu-24.04 across all workflow files
• Add minimal permissions: blocks to workflow files missing them

Test plan

• CI passes on this branch
• Merge after review

🤖 Generated with Claude Code

---

Note

Low Risk
Changes are limited to CI runner labels, GitHub Actions permission declarations, and optional local pre-commit hooks; no application or security logic is modified.

Overview
CI runner pinning: Every affected GitHub Actions job that used ubuntu-latest now runs on ubuntu-24.04 (cargo-deny, CodeQL, dependency-review, fr-coverage, journey-gate + stub-mode, quality-gate, scorecard, trufflehog).

Workflow permissions: Several workflows gain explicit top-level permissions — typically contents: read and pull-requests: read on CI, coverage, fr-coverage, journey-gate, quality-gate, and trufflehog — so default GITHUB_TOKEN scope is reduced where those files previously had no block.

Local hygiene: Adds .pre-commit-config.yaml with standard pre-commit-hooks (whitespace, EOF, YAML/JSON, large files, merge conflicts, private-key detection).

^{Reviewed by Cursor Bugbot for commit 8ea4b2b. Bugbot is set up for automated code reviews on this repo. Configure here.}

---

CodeAnt-AI Description

Standardize CI workflows and add local pre-commit checks

What Changed

• CI and security workflows now run on a fixed Ubuntu 24.04 runner instead of the floating default image.
• Several workflows now declare read-only GitHub token access, reducing the permissions used during CI and review jobs.
• A pre-commit config was added to catch common formatting and repository hygiene issues before changes are committed.

Impact

✅ More predictable CI runs
✅ Fewer permission-related workflow issues
✅ Earlier detection of formatting and secret mistakes

💡 Usage Guide

Checking Your Pull Request

Every time you make a pull request, our system automatically looks through it. We check for security issues, mistakes in how you're setting up your infrastructure, and common code problems. We do this to make sure your changes are solid and won't cause any trouble later.

Talking to CodeAnt AI

Got a question or need a hand with something in your pull request? You can easily get in touch with CodeAnt AI right here. Just type the following in a comment on your pull request, and replace "Your question here" with whatever you want to ask:

@codeant-ai ask: Your question here

This lets you have a chat with CodeAnt AI about your pull request, making it easier to understand and improve your code.

Example

@codeant-ai ask: Can you suggest a safer alternative to storing this secret?

Preserve Org Learnings with CodeAnt

You can record team preferences so CodeAnt AI applies them in future reviews. Reply directly to the specific CodeAnt AI suggestion (in the same thread) and replace "Your feedback here" with your input:

@codeant-ai: Your feedback here

This helps CodeAnt AI learn and adapt to your team's coding style and standards.

Example

@codeant-ai: Do not flag unused imports.

Retrigger review

Ask CodeAnt AI to review the PR again, by typing:

@codeant-ai: review

Check Your Repository Health

To analyze the health of your code repository, visit our dashboard at https://app.codeant.ai. This tool helps you identify potential issues and areas for improvement in your codebase, ensuring your repository maintains high standards of code health.

[codeant-ai]

CodeAnt AI is reviewing your PR.

---

Thanks for using CodeAnt! 🎉

We're free for open-source projects. if you're enjoying it, help us grow by sharing.

Share on X ·
Reddit ·
LinkedIn

[coderabbitai]

Warning

Review limit reached

@KooshaPari, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 38 minutes and 14 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 86456139-aeaa-4c99-ab33-e50d908d6fec

📥 Commits

Reviewing files that changed from the base of the PR and between 36862e1 and 8ea4b2b.

📒 Files selected for processing (11)

• .github/workflows/cargo-deny.yml
• .github/workflows/ci.yml
• .github/workflows/codeql.yml
• .github/workflows/coverage.yml
• .github/workflows/dependency-review.yml
• .github/workflows/fr-coverage.yml
• .github/workflows/journey-gate.yml
• .github/workflows/quality-gate.yml
• .github/workflows/scorecard.yml
• .github/workflows/trufflehog.yml
• .pre-commit-config.yaml

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/workflow-hygiene-ubuntu-24

✨ Simplify code

• Create PR with simplified code
• Commit simplified code in branch chore/workflow-hygiene-ubuntu-24

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request introduces a .pre-commit-config.yaml file to configure pre-commit hooks for the repository. The reviewer suggested adding the check-toml hook to validate TOML syntax, given the presence of TOML configuration files in the repository.

[gemini-code-assist]

Since this repository contains TOML configuration files (such as deny.toml and potentially Cargo.toml in the Rust subdirectory), it is highly recommended to include the check-toml hook to validate TOML syntax during pre-commit checks.

      - id: check-json
      - id: check-toml

[sonarqubecloud]

Quality Gate failed

Failed conditions
C Security Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud

Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE

[codeant-ai]

CodeAnt AI finished reviewing your PR.

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[kilo-code-bot]

Code Review Summary

Status: No Issues Found | Recommendation: Merge

This PR makes minimal, low-risk changes to workflow infrastructure:

1. Runner version pinning: Replaces ubuntu-latest with ubuntu-24.04 for reproducible CI environments across 9 workflow files.
2. Explicit permissions: Adds contents: read and pull-requests: read permissions to workflows that previously relied on default token scopes, following the principle of least privilege.
3. Pre-commit hooks: Adds standard repository hygiene checks (whitespace, EOF, YAML/JSON, large files, merge conflicts, private key detection).

All changes are consistent, non-breaking, and improve CI reliability. The workflow files are syntactically valid and follow GitHub Actions best practices.

Files Reviewed (11 files)

• .github/workflows/cargo-deny.yml — ubuntu-24.04 change
• .github/workflows/ci.yml — permissions block added
• .github/workflows/codeql.yml — ubuntu-24.04 change
• .github/workflows/coverage.yml — permissions block added
• .github/workflows/dependency-review.yml — ubuntu-24.04 change
• .github/workflows/fr-coverage.yml — permissions + ubuntu-24.04 changes
• .github/workflows/journey-gate.yml — permissions + ubuntu-24.04 changes (2 jobs)
• .github/workflows/quality-gate.yml — permissions + ubuntu-24.04 changes
• .github/workflows/scorecard.yml — ubuntu-24.04 change
• .github/workflows/trufflehog.yml — permissions + ubuntu-24.04 changes
• .pre-commit-config.yaml — new file

---

_{Reviewed by laguna-m.1-20260312:free · 494,011 tokens}