fix(ci): map org QLTY_TOKEN to the qlty coverage upload #35
The reusable workflow expects QLTY_COVERAGE_TOKEN; the org stores the Qlty Cloud coverage token as QLTY_TOKEN (org-level, all repos). Without the mapping the upload step skipped gracefully and no coverage reached the Qlty dashboard.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Walkthrough
The PR updates the QLTY GitHub Actions workflow to use the organization-level
Changes
Workflow Secret Configuration
Estimated code review effort: 🎯 1 (Trivial) | ⏱️ ~2 minutes
🚥 Pre-merge checks: ✅ Passed checks (5 passed)
Dependency Review
✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.
Scanned Files: None
Pull request overview
This PR fixes the Qlty coverage upload in CI by mapping the organization-level QLTY_TOKEN secret into the reusable workflow’s expected QLTY_COVERAGE_TOKEN secret, so coverage reports reach the Qlty dashboard.
Changes:
- Remap `QLTY_COVERAGE_TOKEN` to use the org-level `QLTY_TOKEN` in the Qlty caller workflow.
- Add an inline comment explaining the org-level secret mapping.
| # Org-level secret QLTY_TOKEN holds the Qlty Cloud coverage token | ||
| QLTY_COVERAGE_TOKEN: ${{ secrets.QLTY_TOKEN }} |
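Review bot: On the `QLTY_COVERAGE_TOKEN: ${{ secrets.QLTY_TOKEN }}` line, a secret that is unset or not shared with this repository expands to an empty string, and the PR description says the upload step skips gracefully in that case, so the same silent loss of coverage can return without any CI signal. Consider having the reusable workflow warn or fail when the token is empty, and extend the comment above the mapping to state that the reusable workflow expects the name QLTY_COVERAGE_TOKEN, so the rename is not undone later.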
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
.github/workflows/qlty.yml (1)
9-9: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win
Use minimal top-level permissions.
The `permissions: read-all` grants read access to all scopes, which is broader than necessary. Since the job already defines minimal permissions at lines 19-21 (`contents: read`, `actions: read`), consider either removing the top-level permissions or restricting them to only what's needed.
🔒 Proposed fix
-permissions: read-all +permissions: + contents: read + actions: readOr simply remove the top-level permissions since the job already specifies them.
As per coding guidelines: "Security best practices (minimal permissions, pinned actions)" for `.github/workflows/**` files.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/qlty.yml at line 9, Replace the overly-broad top-level "permissions: read-all" setting with minimal permissions or remove it entirely so the job-specific scope controls apply; target the top-level permissions key in the workflow and either delete the "permissions: read-all" entry or change it to only the minimal scopes required (or leave permissions unset to allow the job-level "contents: read" and "actions: read" to take effect).
Source: Coding guidelines
📒 Files selected for processing (1)
.github/workflows/qlty.yml
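As an added example (not code from this PR or from CodeRabbit), the Python below computes the permissions each job actually runs with: a job-level `permissions` block replaces the workflow-level one, and a job with neither falls back to the repository's default `GITHUB_TOKEN` setting. The workflow text, the reusable-workflow path and the `docs` job are constructed for illustration, and the parser assumes two-space indentation.

```python
# Constructed sample: workflow path is a placeholder, the "docs" job is hypothetical.
SAMPLE = """\
on: [push]
permissions: read-all
jobs:
  qlty:
    permissions:
      contents: read
      actions: read
    uses: example-org/ci/.github/workflows/qlty.yml@<pinned-sha>
    secrets:
      QLTY_COVERAGE_TOKEN: ${{ secrets.QLTY_TOKEN }}
  docs:
    runs-on: ubuntu-latest
"""

def _indent(line):
    return len(line) - len(line.lstrip())

def _read_permissions(lines, i):
    """Value of the `permissions:` key at lines[i]: shorthand string or scope dict."""
    value = lines[i].split(":", 1)[1].strip()  # e.g. read-all, or empty for a block
    scopes = {}
    for line in lines[i + 1:]:
        if value or _indent(line) <= _indent(lines[i]):
            break
        scope, _, level = line.strip().partition(":")
        scopes[scope] = level.strip()
    return value or scopes

def effective_permissions(text):
    """Map each job to what it runs with; a job-level block replaces the top level."""
    lines = [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    top, jobs, current, in_jobs = None, {}, None, False
    for i, line in enumerate(lines):
        key = line.strip().split(":", 1)[0]
        if _indent(line) == 0:
            in_jobs = key == "jobs"
            if key == "permissions":
                top = _read_permissions(lines, i)
        elif in_jobs and _indent(line) == 2:  # assumes two-space indentation
            current = key
            jobs[current] = None
        elif in_jobs and _indent(line) == 4 and key == "permissions":
            jobs[current] = _read_permissions(lines, i)
    return {job: top if own is None else own for job, own in jobs.items()}

def jobs_needing_scopes(text):
    """Jobs on a blanket shorthand, or on the repository default (None)."""
    return sorted(j for j, p in effective_permissions(text).items() if p in (None, "read-all", "write-all"))
```

On the sample only `docs` is reported, since `qlty` already overrides `read-all`; deleting the top-level key would leave `docs` on the repository default instead of on explicit scopes.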