From 1d8411311d84e8e4abb80a1b2b102751782b3891 Mon Sep 17 00:00:00 2001 From: Sam Tucker-Davis <126325182+stuckvgn@users.noreply.github.com> Date: Sat, 18 Apr 2026 23:17:56 +1000 Subject: [PATCH 1/3] ci: add CodeQL workflow (Python, security-extended) --- .github/workflows/codeql.yml | 42 ++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 00000000..dc302c12 --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,42 @@ +name: "CodeQL" + +on: + push: + branches: ["main"] + pull_request: + branches: ["main"] + schedule: + - cron: "17 4 * * 1" + workflow_dispatch: + +permissions: + security-events: write + packages: read + actions: read + contents: read + +jobs: + analyze: + name: Analyze (${{ matrix.language }}) + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + language: ["python"] + + steps: + - uses: actions/checkout@v4 + + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language }} + queries: security-extended + + - name: Autobuild + uses: github/codeql-action/autobuild@v3 + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 + with: + category: "/language:${{ matrix.language }}" From cb9369d370df58b259feaad9143ba096495d6edf Mon Sep 17 00:00:00 2001 From: Sam Tucker-Davis <126325182+stuckvgn@users.noreply.github.com> Date: Sat, 18 Apr 2026 23:18:09 +1000 Subject: [PATCH 2/3] ci: add desloppify quality gate (threshold 70, scan path .) --- .github/workflows/desloppify.yml | 72 ++++++++++++++++++++++++++++++++ 1 file changed, 72 insertions(+) create mode 100644 .github/workflows/desloppify.yml diff --git a/.github/workflows/desloppify.yml b/.github/workflows/desloppify.yml new file mode 100644 index 00000000..9344917f --- /dev/null +++ b/.github/workflows/desloppify.yml @@ -0,0 +1,72 @@ +name: Desloppify Quality Gate + +on: + pull_request: + workflow_dispatch: + +permissions: + contents: read + +jobs: + quality: + name: Code Quality Gate (score >= 70) + runs-on: ubuntu-latest + permissions: + contents: read + + steps: + - uses: actions/checkout@v4 + with: + submodules: false + + - uses: actions/setup-python@v5 + with: + python-version: '3.12' + + - name: Cache desloppify install + id: cache-desloppify + uses: actions/cache@v4 + with: + path: /tmp/desloppify + key: desloppify-${{ runner.os }}-${{ hashFiles('.github/workflows/desloppify.yml') }} + + - name: Clone desloppify + if: steps.cache-desloppify.outputs.cache-hit != 'true' + run: | + git clone --no-recurse-submodules https://github.com/Open-Paws/desloppify.git /tmp/desloppify + + - name: Install desloppify + run: pip install "/tmp/desloppify[full]" + + - name: Run quality gate + run: | + SCAN_PATH="." + THRESHOLD=70 + SCAN_OUTPUT=$(desloppify scan --path "${SCAN_PATH}" --profile ci --no-badge 2>&1) + echo "${SCAN_OUTPUT}" + SCORE=$(echo "${SCAN_OUTPUT}" | grep -oP 'objective \K[\d.]+(?=/100)') + if [ -z "${SCORE}" ]; then + echo "ERROR: could not extract objective score from desloppify output" + exit 1 + fi + echo "Objective score: ${SCORE}/100" + python3 -c " + score = float('${SCORE}') + threshold = ${THRESHOLD} + if score < threshold: + print(f'FAIL: objective score {score} is below the minimum {threshold}') + raise SystemExit(1) + print(f'PASS: objective score {score} >= {threshold}') + " + echo "## Desloppify Quality Gate" >> "${GITHUB_STEP_SUMMARY}" + echo "" >> "${GITHUB_STEP_SUMMARY}" + echo "| | |" >> "${GITHUB_STEP_SUMMARY}" + echo "|---|---|" >> "${GITHUB_STEP_SUMMARY}" + echo "| Objective score | **${SCORE}/100** |" >> "${GITHUB_STEP_SUMMARY}" + echo "| Threshold | ${THRESHOLD} |" >> "${GITHUB_STEP_SUMMARY}" + echo "| Scan path | \`${SCAN_PATH}\` |" >> "${GITHUB_STEP_SUMMARY}" + python3 -c " + score = float('${SCORE}') + result = 'PASS' if score >= ${THRESHOLD} else 'FAIL' + print(f'| Result | **{result}** |') + " >> "${GITHUB_STEP_SUMMARY}" From 537c9a45405ccd99c52ee2579e174c8997411290 Mon Sep 17 00:00:00 2001 From: open-paws-bot Date: Sun, 19 Apr 2026 00:25:26 +1000 Subject: [PATCH 3/3] ci: add coderabbit.yaml for desloppify Add Tier 3 data pre-merge check and update tone instructions to include movement terminology. Aligns with org-wide coderabbit config standards. --- .coderabbit.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.coderabbit.yaml b/.coderabbit.yaml index 8e95e319..4de38d5c 100644 --- a/.coderabbit.yaml +++ b/.coderabbit.yaml @@ -2,7 +2,7 @@ # desloppify — Multi-language code quality scanner with advocacy extensions. # Meta: the quality scanner is reviewed by the quality scanner. language: en-US -tone_instructions: "Direct and concise. Apply extra rigor — DRY violations and shallow abstractions here are especially ironic." +tone_instructions: "Direct and concise. Flag actionable issues only. DRY violations here are especially ironic — apply extra rigor. Use movement terminology: campaign, investigation, coalition, farmed animal, slaughterhouse." reviews: profile: assertive @@ -54,6 +54,9 @@ reviews: - name: "No speciesist idioms" mode: "error" instructions: "Fail on: 'livestock', 'master/slave', 'whitelist/blacklist', 'cattle vs pets', 'kill two birds', 'guinea pig' as test subject, 'farm' as industry euphemism." + - name: "No Tier 3 data committed" + mode: "error" + instructions: "Fail if files contain activist or whistleblower identities, legal strategy or privileged attorney communications, operational security protocols with specific implementation details, investigative footage or chain of custody records, activist PII combining name and contact info and advocacy role, NGO internal financials or strategy docs from partner organizations, or critical credentials." finishing_touches: unit_tests: