ci: add CodeQL and desloppify quality gate (#28)

samtuckerdavis · open-paws-bot · web-flow · commit a0dd2a268778 · 2026-04-19T02:18:56.000+10:00
* ci: add CodeQL workflow (Python, security-extended)

* ci: add desloppify quality gate (threshold 70, scan path .)

* ci: add coderabbit.yaml for desloppify

Add Tier 3 data pre-merge check and update tone instructions to include movement terminology. Aligns with org-wide coderabbit config standards.

---------

Co-authored-by: open-paws-bot &lt;bot@openpaws.ai&gt;
diff --git a/.coderabbit.yaml b/.coderabbit.yaml
@@ -2,7 +2,7 @@
 # desloppify — Multi-language code quality scanner with advocacy extensions.
 # Meta: the quality scanner is reviewed by the quality scanner.
 language: en-US
-tone_instructions: "Direct and concise. Apply extra rigor — DRY violations and shallow abstractions here are especially ironic."
+tone_instructions: "Direct and concise. Flag actionable issues only. DRY violations here are especially ironic — apply extra rigor. Use movement terminology: campaign, investigation, coalition, farmed animal, slaughterhouse."
 
 reviews:
   profile: assertive
@@ -54,6 +54,9 @@ reviews:
       - name: "No speciesist idioms"
         mode: "error"
         instructions: "Fail on: 'livestock', 'master/slave', 'whitelist/blacklist', 'cattle vs pets', 'kill two birds', 'guinea pig' as test subject, 'farm' as industry euphemism."
+      - name: "No Tier 3 data committed"
+        mode: "error"
+        instructions: "Fail if files contain activist or whistleblower identities, legal strategy or privileged attorney communications, operational security protocols with specific implementation details, investigative footage or chain of custody records, activist PII combining name and contact info and advocacy role, NGO internal financials or strategy docs from partner organizations, or critical credentials."
 
   finishing_touches:
     unit_tests:
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -0,0 +1,42 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["main"]
+  schedule:
+    - cron: "17 4 * * 1"
+  workflow_dispatch:
+
+permissions:
+  security-events: write
+  packages: read
+  actions: read
+  contents: read
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ["python"]
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+          queries: security-extended
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v3
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:${{ matrix.language }}"
diff --git a/.github/workflows/desloppify.yml b/.github/workflows/desloppify.yml
@@ -0,0 +1,72 @@
+name: Desloppify Quality Gate
+
+on:
+  pull_request:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  quality:
+    name: Code Quality Gate (score >= 70)
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          submodules: false
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+
+      - name: Cache desloppify install
+        id: cache-desloppify
+        uses: actions/cache@v4
+        with:
+          path: /tmp/desloppify
+          key: desloppify-${{ runner.os }}-${{ hashFiles('.github/workflows/desloppify.yml') }}
+
+      - name: Clone desloppify
+        if: steps.cache-desloppify.outputs.cache-hit != 'true'
+        run: |
+          git clone --no-recurse-submodules https://github.com/Open-Paws/desloppify.git /tmp/desloppify
+
+      - name: Install desloppify
+        run: pip install "/tmp/desloppify[full]"
+
+      - name: Run quality gate
+        run: |
+          SCAN_PATH="."
+          THRESHOLD=70
+          SCAN_OUTPUT=$(desloppify scan --path "${SCAN_PATH}" --profile ci --no-badge 2>&1)
+          echo "${SCAN_OUTPUT}"
+          SCORE=$(echo "${SCAN_OUTPUT}" | grep -oP 'objective \K[\d.]+(?=/100)')
+          if [ -z "${SCORE}" ]; then
+            echo "ERROR: could not extract objective score from desloppify output"
+            exit 1
+          fi
+          echo "Objective score: ${SCORE}/100"
+          python3 -c "
+          score = float('${SCORE}')
+          threshold = ${THRESHOLD}
+          if score < threshold:
+              print(f'FAIL: objective score {score} is below the minimum {threshold}')
+              raise SystemExit(1)
+          print(f'PASS: objective score {score} >= {threshold}')
+          "
+          echo "## Desloppify Quality Gate" >> "${GITHUB_STEP_SUMMARY}"
+          echo "" >> "${GITHUB_STEP_SUMMARY}"
+          echo "| | |" >> "${GITHUB_STEP_SUMMARY}"
+          echo "|---|---|" >> "${GITHUB_STEP_SUMMARY}"
+          echo "| Objective score | **${SCORE}/100** |" >> "${GITHUB_STEP_SUMMARY}"
+          echo "| Threshold | ${THRESHOLD} |" >> "${GITHUB_STEP_SUMMARY}"
+          echo "| Scan path | \`${SCAN_PATH}\` |" >> "${GITHUB_STEP_SUMMARY}"
+          python3 -c "
+          score = float('${SCORE}')
+          result = 'PASS' if score >= ${THRESHOLD} else 'FAIL'
+          print(f'| Result | **{result}** |')
+          " >> "${GITHUB_STEP_SUMMARY}"
