fix(ci): map org QLTY_TOKEN to the qlty coverage upload #35

Open: williaby wants to merge 1 commit into main from fix/qlty-token-mapping

@williaby williaby commented Jun 11, 2026

The reusable workflow expects QLTY_COVERAGE_TOKEN; the org stores the
Qlty Cloud coverage token as QLTY_TOKEN (org-level, all repos).
Without the mapping the upload step skipped gracefully and no
coverage reached the Qlty dashboard.

Co-Authored-By: Claude Sonnet 4.6 noreply@anthropic.com

Summary by CodeRabbit

  • Chores
    • Updated CI/CD configuration to use organization-level secrets for the build process.

Copilot AI review requested due to automatic review settings June 11, 2026 01:41
@williaby williaby enabled auto-merge June 11, 2026 01:41
coderabbitai Bot commented Jun 11, 2026

Walkthrough

The PR updates the QLTY GitHub Actions workflow to use the organization-level QLTY_TOKEN secret instead of a project-specific QLTY_COVERAGE_TOKEN secret for the coverage token environment variable. No other workflow logic, job structure, or operational behavior was modified.

Changes

Workflow Secret Configuration

| Layer / File(s) | Summary |
|---|---|
| QLTY coverage token secret mapping (.github/workflows/qlty.yml) | The QLTY_COVERAGE_TOKEN environment variable is updated to reference secrets.QLTY_TOKEN from the org-level secrets instead of the previous project-level secrets.QLTY_COVERAGE_TOKEN. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Suggested labels

ci, security

Poem

🐰 A secret renamed, org-wide and true,
From project-bound chains to the vault anew,
One line changed, one token now shared,
The pipeline flows freely, centrally paired! ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main change: mapping the organization-level QLTY_TOKEN secret to QLTY_COVERAGE_TOKEN in the CI workflow to enable Qlty coverage uploads. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@github-actions

⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see issue 997.

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

Copilot AI left a comment

Pull request overview

This PR fixes the Qlty coverage upload in CI by mapping the organization-level QLTY_TOKEN secret into the reusable workflow’s expected QLTY_COVERAGE_TOKEN secret, so coverage reports reach the Qlty dashboard.

Changes:

  • Remap QLTY_COVERAGE_TOKEN to use the org-level QLTY_TOKEN in the Qlty caller workflow.
  • Add an inline comment explaining the org-level secret mapping.

Comment on lines +28 to +29
# Org-level secret QLTY_TOKEN holds the Qlty Cloud coverage token
QLTY_COVERAGE_TOKEN: ${{ secrets.QLTY_TOKEN }}
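Review bot: the comment on line +28 should also say what happens when `secrets.QLTY_TOKEN` resolves to an empty value. GitHub does not pass organization secrets to runs triggered by pull requests from forks, and the PR description says the upload step skips gracefully without a token, so those runs will still pass while sending no coverage. Consider stating that in the comment so a missing dashboard entry is not mistaken for a regression of this mapping.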

@coderabbitai coderabbitai Bot left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/qlty.yml (1)

9-9: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Use minimal top-level permissions.

The permissions: read-all grants read access to all scopes, which is broader than necessary. Since the job already defines minimal permissions at lines 19-21 (contents: read, actions: read), consider either removing the top-level permissions or restricting them to only what's needed.

🔒 Proposed fix
-permissions: read-all
+permissions:
+  contents: read
+  actions: read
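Review bot: the `+permissions:` block copies both job-level scopes to the workflow level, so the default for any job added later still includes `actions: read`. A tighter default is `permissions: {}` or `contents: read` alone at the top, leaving lines 19-21 to grant what the Qlty job needs. Keeping an explicit top-level key is also safer than deleting it, because a job without its own `permissions` block otherwise falls back to the repository's default GITHUB_TOKEN permissions.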

Or simply remove the top-level permissions since the job already specifies them.

As per coding guidelines: "Security best practices (minimal permissions, pinned actions)" for .github/workflows/** files.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/qlty.yml at line 9, Replace the overly-broad top-level
"permissions: read-all" setting with minimal permissions or remove it entirely
so the job-specific scope controls apply; target the top-level permissions key
in the workflow and either delete the "permissions: read-all" entry or change it
to only the minimal scopes required (or leave permissions unset to allow the
job-level "contents: read" and "actions: read" to take effect).

Source: Coding guidelines

📥 Commits

Reviewing files that changed from the base of the PR and between 7c2c91e and 5de43b2.

📒 Files selected for processing (1)
  • .github/workflows/qlty.yml
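
The scoping rule raised in the review above, as an added example that is not part of the PR or of the project's workflow: a small Python check that flags a broad top-level `permissions` value and any job with no block of its own. The sample workflow is constructed; the `lint` job and the `uses:` path are hypothetical.

```python
BROAD = {"read-all", "write-all"}
# Constructed sample: the layout the review describes, plus a hypothetical
# `lint` job with no permissions block. The `uses:` path is a placeholder.
SAMPLE = """\
permissions: read-all
jobs:
  qlty:
    permissions:
      contents: read
      actions: read
    uses: example-org/.github/.github/workflows/qlty.yml@main
    secrets:
      QLTY_COVERAGE_TOKEN: ${{ secrets.QLTY_TOKEN }}
  lint:
    runs-on: ubuntu-latest
    steps:
      - run: echo lint
"""

def audit_permissions(text):
    """List GITHUB_TOKEN scoping findings for one workflow (indent-based scan)."""
    top, jobs, job = None, {}, None
    in_jobs, job_indent, key_indent = False, None, None
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        if indent == 0:                      # top-level key
            in_jobs, job_indent = key == "jobs", None
            if key == "permissions":
                top = value.strip() or "mapping"
        elif in_jobs:
            job_indent = job_indent or indent
            if indent == job_indent:         # a job id
                job, key_indent, jobs[key] = key, None, False
            elif job is not None:
                key_indent = key_indent or indent
                if indent == key_indent and key == "permissions":
                    jobs[job] = True         # job declares its own scopes
    findings = []
    if top in BROAD:
        findings.append(f"top-level permissions: {top} grants every scope")
    for name, scoped in jobs.items():
        if not scoped:
            findings.append(f"job '{name}' has no permissions block; it gets "
                            f"{top or 'the repository default'}")
    return findings
```

The scan relies on consistent indentation rather than a YAML parser, so it suits a quick pre-merge check more than a full linter.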
