chore: Add comprehensive quality gates (RSR)

Jonathan D.A. Jewell · Jonathan D.A. Jewell · commit b9da2743e057 · 2025-12-12T18:12:19.000Z
- CodeQL + SAST security scanning
- OSSF Scorecard supply chain
- Comprehensive quality (10 dimensions)
- Technology-specific testing
- Well-known enforcement
- Dependabot updates
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,28 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    groups:
+      actions:
+        patterns:
+          - "*"
+  
+  - package-ecosystem: "cargo"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    ignore:
+      - dependency-name: "*"
+        update-types: ["version-update:semver-patch"]
+  
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+  
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -0,0 +1,35 @@
+name: CodeQL Security Analysis
+on:
+  push:
+    branches: [main, master]
+  pull_request:
+    branches: [main, master]
+  schedule:
+    - cron: '0 6 * * 1'
+
+jobs:
+  analyze:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ['javascript', 'python', 'go', 'java', 'ruby']
+    steps:
+      - uses: actions/checkout@v4
+      
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+          queries: +security-and-quality
+        continue-on-error: true
+      
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v3
+        continue-on-error: true
+      
+      - name: Perform Analysis
+        uses: github/codeql-action/analyze@v3
+        continue-on-error: true
diff --git a/.github/workflows/comprehensive-quality.yml b/.github/workflows/comprehensive-quality.yml
@@ -0,0 +1,191 @@
+name: Comprehensive Quality Gates
+on:
+  push:
+    branches: [main, master]
+  pull_request:
+  schedule:
+    - cron: '0 5 * * 0'
+
+jobs:
+  # DEPENDABILITY - Stability and reliability
+  dependability:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Check test coverage
+        run: |
+          echo "Checking for test files..."
+          TESTS=$(find . -name "*_test.*" -o -name "test_*" -o -name "*_spec.*" -o -name "*.test.*" | wc -l)
+          echo "Found $TESTS test files"
+          if [ "$TESTS" -lt 1 ]; then
+            echo "::warning::No test files detected"
+          fi
+      - name: Check error handling
+        run: |
+          # Check for proper error handling patterns
+          PANICS=$(grep -rE "panic!|unwrap\(\)|expect\(" --include="*.rs" . 2>/dev/null | wc -l || echo "0")
+          echo "Rust panics/unwraps: $PANICS"
+
+  # SECURITY - Multi-layer security scanning
+  security:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Secret scanning
+        uses: trufflesecurity/trufflehog@main
+        continue-on-error: true
+      - name: Dependency vulnerabilities
+        run: |
+          if [ -f "Cargo.toml" ]; then
+            cargo install cargo-audit && cargo audit || true
+          fi
+          if [ -f "requirements.txt" ]; then
+            pip install safety && safety check -r requirements.txt || true
+          fi
+      - name: SAST scan
+        uses: returntocorp/semgrep-action@v1
+        continue-on-error: true
+
+  # INTEROPERABILITY - API and format compatibility
+  interoperability:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Check API specs
+        run: |
+          if [ -f "openapi.yaml" ] || [ -f "openapi.json" ]; then
+            echo "&#9989; OpenAPI spec found"
+          fi
+          if [ -f "schema.graphql" ]; then
+            echo "&#9989; GraphQL schema found"
+          fi
+      - name: Validate JSON/YAML schemas
+        run: |
+          find . -name "*.json" -exec python3 -m json.tool {} \; 2>/dev/null | head -5 || true
+
+  # VALIDATION - Input/output validation
+  validation:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Check for validation patterns
+        run: |
+          VALIDATION=$(grep -rE "validate|sanitize|Schema|Validator" --include="*.rs" --include="*.res" --include="*.ex" . 2>/dev/null | wc -l || echo "0")
+          echo "Validation patterns found: $VALIDATION"
+
+  # ATTESTATION - Supply chain integrity (SLSA)
+  attestation:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+      attestations: write
+    steps:
+      - uses: actions/checkout@v4
+      - name: Generate SBOM
+        run: |
+          echo "SBOM generation would run here"
+          # For Rust: cargo-sbom
+          # For Node: npm sbom
+      - name: Check signatures
+        run: |
+          if [ -f "CHECKSUMS.txt" ] || [ -f "SHA256SUMS" ]; then
+            echo "&#9989; Checksums file present"
+          fi
+
+  # VERIFICATION - Formal methods where applicable
+  verification:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Check SPARK proofs
+        run: |
+          if find . -name "*.ads" | grep -q .; then
+            echo "Ada/SPARK files found - formal verification applicable"
+          fi
+      - name: Type coverage
+        run: |
+          if [ -f "rescript.json" ]; then
+            echo "ReScript provides 100% type coverage"
+          fi
+
+  # FUNCTIONALITY - Feature completeness
+  functionality:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Check TODOs and FIXMEs
+        run: |
+          echo "=== Incomplete items ==="
+          grep -rn "TODO\|FIXME\|UNIMPLEMENTED\|unimplemented!" . 2>/dev/null | head -20 || echo "None"
+      - name: Check deprecated usage
+        run: |
+          grep -rn "deprecated\|DEPRECATED" . 2>/dev/null | head -10 || echo "No deprecations"
+
+  # PERFORMANCE - Benchmarks and profiling
+  performance:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Check for benchmarks
+        run: |
+          BENCHES=$(find . -name "*bench*" -o -name "*perf*" | wc -l)
+          echo "Benchmark files: $BENCHES"
+      - name: Binary size check (Rust)
+        run: |
+          if [ -f "Cargo.toml" ]; then
+            cargo build --release 2>/dev/null || true
+            find target/release -maxdepth 1 -type f -executable -exec ls -lh {} \; 2>/dev/null || true
+          fi
+
+  # ACCESSIBILITY - A11y compliance
+  accessibility:
+    runs-on: ubuntu-latest
+    if: hashFiles('**/*.html') != ''
+    steps:
+      - uses: actions/checkout@v4
+      - name: HTML accessibility check
+        run: |
+          echo "Checking for a11y attributes..."
+          A11Y=$(grep -rE 'aria-|role=|alt=' --include="*.html" . 2>/dev/null | wc -l || echo "0")
+          echo "A11y attributes found: $A11Y"
+      - name: Lighthouse (if web project)
+        run: |
+          echo "Lighthouse would run on deployed URL"
+
+  # LICENSE COMPLIANCE
+  license:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Check license files
+        run: |
+          if [ -f "LICENSE" ] || [ -f "LICENSE.txt" ] || [ -f "LICENSE.md" ]; then
+            echo "&#9989; License file present"
+            head -5 LICENSE* 2>/dev/null
+          else
+            echo "::warning::No LICENSE file"
+          fi
+      - name: Check SPDX headers
+        run: |
+          SPDX=$(grep -rE "SPDX-License-Identifier" . 2>/dev/null | wc -l || echo "0")
+          echo "Files with SPDX headers: $SPDX"
+
+  # DOCUMENTATION QUALITY
+  documentation:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Check docs completeness
+        run: |
+          DOCS=""
+          [ -f "README.md" ] || [ -f "README.adoc" ] && DOCS="$DOCS README"
+          [ -f "CONTRIBUTING.md" ] || [ -f "CONTRIBUTING.adoc" ] && DOCS="$DOCS CONTRIBUTING"
+          [ -f "CHANGELOG.md" ] && DOCS="$DOCS CHANGELOG"
+          [ -f "SECURITY.md" ] && DOCS="$DOCS SECURITY"
+          [ -d "docs" ] && DOCS="$DOCS docs/"
+          echo "Documentation:$DOCS"
+      - name: Check code comments
+        run: |
+          COMMENTS=$(grep -rE "^[[:space:]]*(//|#|/\*)" --include="*.rs" --include="*.res" --include="*.py" . 2>/dev/null | wc -l || echo "0")
+          echo "Comment lines: $COMMENTS"
diff --git a/.github/workflows/quality.yml b/.github/workflows/quality.yml
@@ -0,0 +1,50 @@
+name: Code Quality
+on: [push, pull_request]
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      
+      - name: Check file permissions
+        run: |
+          find . -type f -perm /111 -name "*.sh" | head -10 || true
+      
+      - name: Check for secrets
+        uses: trufflesecurity/trufflehog@main
+        with:
+          path: ./
+          base: ${{ github.event.pull_request.base.sha || github.event.before }}
+          head: ${{ github.sha }}
+        continue-on-error: true
+      
+      - name: Check TODO/FIXME
+        run: |
+          echo "=== TODOs ==="
+          grep -rn "TODO\|FIXME\|HACK\|XXX" --include="*.rs" --include="*.res" --include="*.py" --include="*.ex" . | head -20 || echo "None found"
+      
+      - name: Check for large files
+        run: |
+          find . -type f -size +1M -not -path "./.git/*" | head -10 || echo "No large files"
+      
+      - name: EditorConfig check
+        uses: editorconfig-checker/action-editorconfig-checker@main
+        continue-on-error: true
+
+  docs:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Check documentation
+        run: |
+          MISSING=""
+          [ ! -f "README.md" ] && [ ! -f "README.adoc" ] && MISSING="$MISSING README"
+          [ ! -f "LICENSE" ] && [ ! -f "LICENSE.txt" ] && [ ! -f "LICENSE.md" ] && MISSING="$MISSING LICENSE"
+          [ ! -f "CONTRIBUTING.md" ] && [ ! -f "CONTRIBUTING.adoc" ] && MISSING="$MISSING CONTRIBUTING"
+          
+          if [ -n "$MISSING" ]; then
+            echo "::warning::Missing docs:$MISSING"
+          else
+            echo "&#9989; Core documentation present"
+          fi
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -0,0 +1,30 @@
+name: OSSF Scorecard
+on:
+  push:
+    branches: [main, master]
+  schedule:
+    - cron: '0 4 * * 0'
+
+permissions: read-all
+
+jobs:
+  analysis:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      id-token: write
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      
+      - name: Run Scorecard
+        uses: ossf/scorecard-action@v2.3.1
+        with:
+          results_file: results.sarif
+          results_format: sarif
+      
+      - name: Upload results
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
diff --git a/.github/workflows/wellknown-enforcement.yml b/.github/workflows/wellknown-enforcement.yml
