Skip to content

Add CI quality gate: lint, unit+coverage, integration, security, benchmark#13

Merged
wesleysimplicio merged 2 commits into
masterfrom
fix/issue-10
Jul 14, 2026
Merged

Add CI quality gate: lint, unit+coverage, integration, security, benchmark#13
wesleysimplicio merged 2 commits into
masterfrom
fix/issue-10

Conversation

@wesleysimplicio

Copy link
Copy Markdown
Owner

Closes #10

Summary

This repo ships prebuilt release artifacts (binaries, npm/pypi/Homebrew wrapper packages, install scripts) rather than compiled application source, so this PR implements the foundation/first vertical slice of the quality gate scoped to what actually lives here today: the Python release-integrity tooling under scripts/, plus the packaging/version metadata it audits.

  • .github/workflows/quality-gate.yml: required jobs for lint (ruff), unit (pytest + coverage, OS × Python matrix: ubuntu/windows/macos × 3.11/3.12, with pytest-rerunfailures auto-retry for flaky tests), integration (runs the real scripts/verify_distribution_consistency.py audit), security (bandit + pip-audit + gitleaks secret scan), and benchmark (runtime vs. committed baseline with a configurable regression threshold). All fan into one required quality-gate status check.
  • Fixed the actual version.txt (3.0.2) vs. simplicio-update-manifest.json (3.5.2) drift the audit script already flagged as an ERROR but that nothing enforced — and added a regression test (test_version_txt_matches_update_manifest_regression) pinning the fix, plus full unit test coverage for the audit and new benchmark scripts (93% coverage on scripts/, ≥85% enforced in CI).
  • docs/ci-quality-gate.md: documents pipeline stages and expected total time budget (~3-6 min), coverage policy, the "every fixed bug needs a regression test" policy, flaky-test policy, the "no skipping tests without a registered justification" exception policy, and the manual branch-protection step a repo admin still needs to flip on (see below).

Acceptance criteria status

  • PR falha quando qualquer suíte obrigatória falhar — quality-gate job fans in lint/unit/integration/security/benchmark.
  • PR falha abaixo da cobertura mínima — --cov-fail-under=85 in the unit job.
  • Todo bug corrigido possui teste de regressão — demonstrated with the version-drift fix + its regression test.
  • Relatórios ficam disponíveis como artefatos — JUnit/coverage, audit output, security scans, and benchmark report all uploaded via actions/upload-artifact.
  • Branch principal exige checks verdes — workflow + aggregator check are in place, but enabling branch protection is a GitHub security setting, out of scope for a bot-authored PR. See "Manual step" in the docs.
  • Não é permitido ignorar testes sem justificativa registrada — documented policy in docs/ci-quality-gate.md.
  • Tempo total do pipeline e política de exceções estão documentados — same doc.

Out of scope / follow-ups (documented in docs/ci-quality-gate.md)

  • True E2E tests for the install scripts (install.sh/install.ps1) running in disposable containers/VMs — heavier scope, separate PR.
  • Auto-fixing the still-WARNing wrapper/package version lag (Formula/npm/pypi) and stale beta-until date/README copy — real release/product decisions, not CI-gate plumbing.
  • Actually flipping on branch protection in GitHub settings — requires a repo admin, see docs/ci-quality-gate.md.

Test plan

  • pytest tests/ --cov=scripts --cov-report=term-missing --cov-fail-under=85 passes locally (93% coverage, 13 tests).
  • ruff check . passes locally.
  • python scripts/verify_distribution_consistency.py exits 0 against this checkout.
  • python scripts/bench_verify_distribution_consistency.py passes against the committed baseline.
  • Workflow itself has not yet run in GitHub Actions (will run on this PR).

🤖 Generated with Claude Code

Simplicio, Wesley (ext) and others added 2 commits July 14, 2026 12:22
…hmark

Foundation for issue #10 mandatory quality gate. Adds .github/workflows/quality-gate.yml with required jobs: lint, unit tests with coverage + flaky-test auto-retry, distribution consistency audit as integration check, security scanning (bandit/pip-audit/gitleaks), and a benchmark with committed baseline + configurable regression threshold, fanned into one required quality-gate status check for branch protection.

Also fixes the version.txt/simplicio-update-manifest.json drift the audit script already flagged as ERROR but nothing enforced, plus a regression test pinning that fix and unit tests for the audit/benchmark scripts (93% coverage on scripts/).

docs/ci-quality-gate.md documents pipeline stages/time budget, coverage/regression-test/flaky-test/exception policies, the manual branch-protection step for a repo admin, and what is out of scope for this first slice.

Closes #10

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Brings in PR #12 (unit test suite, CONTRIBUTING.md, testing-strategy docs,
pyproject.toml, requirements-dev.txt, tests.yml workflow) alongside the
existing CI quality-gate workflow from this branch. .gitignore merged to
keep entries from both sides.
@wesleysimplicio
wesleysimplicio merged commit a0deef7 into master Jul 14, 2026
0 of 12 checks passed

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 2ddb00f5e6

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

- name: Run distribution consistency audit
run: |
mkdir -p reports
python scripts/verify_distribution_consistency.py | tee reports/consistency-audit.txt

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Preserve audit failures through tee

When verify_distribution_consistency.py returns 1 (for example, a future /main/ install URL or version mismatch), this step still succeeds because the pipeline's exit status is tee's and the step does not enable pipefail; locally, bash -e -c 'false | tee file' exits 0. That makes the integration job, and therefore the required quality-gate, go green while the uploaded audit report contains errors. Add set -o pipefail or capture/report the output without masking the Python exit code.

Useful? React with 👍 / 👎.

def _load_audit_module():
spec = importlib.util.spec_from_file_location("verify_distribution_consistency", SCRIPT_PATH)
module = importlib.util.module_from_spec(spec)
assert spec.loader is not None

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Remove Bandit-triggering assert from scanned script

The new security job runs bandit -r scripts with the default profile, and Bandit documents that the profile defaults to executing all tests and that B101 checks uses of Python assert (CLI docs, B101 docs). Because this newly scanned production script contains the only assert under scripts/, the security job will fail on every run before the rest of the security gate can pass; replace this with an explicit exception or configure a justified Bandit skip.

Useful? React with 👍 / 👎.

with:
python-version: "3.12"
- name: Run benchmark against committed baseline
run: python scripts/bench_verify_distribution_consistency.py | tee benchmark-report.txt

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Preserve benchmark failures through tee

When the benchmark script exits 1 (for example, a real regression beyond the committed baseline), this single-line step still returns tee's successful exit status because pipefail is not enabled. That means the mandatory benchmark suite can report green even though the benchmark printed REGRESSION and exited non-zero; use set -o pipefail or avoid piping the command directly to tee.

Useful? React with 👍 / 👎.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[CI Quality Gate] Bloquear regressões e merges sem evidência de qualidade

1 participant