docs: update quality rails docs for gitleaks migration #6

Merged
jason.woltje merged 1 commit from docs/gitleaks-doc-updates into main 2026-02-24 21:33:26 +00:00
3 changed files with 15 additions and 10 deletions

@@ -43,7 +43,7 @@ npx husky install
**TypeScript strict mode** - All type checks enabled **TypeScript strict mode** - All type checks enabled
**ESLint blocking `any` types** - no-explicit-any: error **ESLint blocking `any` types** - no-explicit-any: error
**Pre-commit hooks** - Type check + lint + format before commit **Pre-commit hooks** - Type check + lint + format before commit
**Secret scanning** - Block hardcoded passwords/API keys **Secret scanning (gitleaks)** - Block hardcoded passwords/API keys (pre-commit + CI)
**CI/CD templates** - Woodpecker, GitHub Actions, GitLab **CI/CD templates** - Woodpecker, GitHub Actions, GitLab
**Test coverage enforcement** - 80% threshold **Test coverage enforcement** - 80% threshold
**Security scanning** - npm audit, OWASP checks **Security scanning** - npm audit, OWASP checks
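Review bot: the updated "Secret scanning (gitleaks)" bullet says "pre-commit + CI" but does not say that the two stages scan different things; elsewhere in this change the hook runs on the commit being made while the pipeline "scans latest commit", so a reader could assume one stage is redundant with the other. Suggest stating the scope of each in the bullet, e.g. "pre-commit (staged changes) + CI (pushed commits)", so it is clear why both are required. The separate "Security scanning - npm audit, OWASP checks" bullet two lines below now reads ambiguously next to it; renaming it "Dependency scanning" would keep the two concepts apart.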
@@ -96,11 +96,12 @@ git commit -m "Add feature"
### CI/CD (Remote Enforcement) ### CI/CD (Remote Enforcement)
```yaml ```yaml
# Woodpecker pipeline runs: # Woodpecker pipeline runs:
✓ gitleaks (secret scanning — parallel, no deps)
✓ npm audit (dependency security) ✓ npm audit (dependency security)
✓ eslint (code quality) ✓ eslint (code quality)
✓ tsc --noEmit (type checking) ✓ tsc --noEmit (type checking)
✓ jest --coverage (tests + coverage) ✓ jest --coverage (tests + coverage)
✓ npm run build (compilation) ✓ npm run build (compilation — gates on all above)
# If any step fails, merge is blocked # If any step fails, merge is blocked
``` ```
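Review bot: the new gitleaks line is annotated "parallel, no deps", while the build line says "gates on all above". Since the whole point of the secret scan is to block the merge, the doc should state explicitly that the build step (or the pipeline as a whole) depends on the gitleaks step, otherwise "parallel, no deps" can be read as "a gitleaks failure does not stop the build". A minor style point on the same block: it is fenced as ```yaml but contains "✓" checklist lines rather than YAML, which will render oddly with syntax highlighting; fencing it as plain ```text would be more honest about what it is.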

@@ -8,12 +8,13 @@ Quality Rails includes `.woodpecker.yml` template.
### Pipeline Stages ### Pipeline Stages
1. **Install** - Dependencies 1. **Secret Scan** - gitleaks scans latest commit for hardcoded secrets (runs in parallel, no deps)
2. **Security Audit** - npm audit for CVEs 2. **Install** - Dependencies
3. **Lint** - ESLint checks 3. **Security Audit** - npm audit for CVEs
4. **Type Check** - TypeScript compilation 4. **Lint** - ESLint checks
5. **Test** - Jest with coverage thresholds 5. **Type Check** - TypeScript compilation
6. **Build** - Production build 6. **Test** - Jest with coverage thresholds
7. **Build** - Production build (gates on all above)
### Configuration ### Configuration
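Review bot: stage 1 says gitleaks "scans latest commit", which only covers the tip of a push; on a branch with several commits, a secret added in an earlier commit and removed in a later one would be in the history but absent from the latest commit and would pass this stage. Suggest documenting the actual scope (the pushed commit range, or the full history on the first run with a baseline) and adding one sentence that a secret which has ever been committed must be treated as exposed and rotated, since removing it from the tree does not remove it from history. The renumbering of the remaining stages is consistent.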

@@ -24,11 +24,12 @@ git clone git@git.mosaicstack.dev:mosaic/quality-rails.git
``` ```
This copies: This copies:
- `.husky/pre-commit` - Git hooks - `.husky/pre-commit` - Git hooks (lint-staged + gitleaks)
- `.lintstagedrc.js` - Pre-commit checks - `.lintstagedrc.js` - Pre-commit checks
- `.eslintrc.js` - Strict ESLint rules - `.eslintrc.js` - Strict ESLint rules
- `tsconfig.json` - TypeScript strict mode - `tsconfig.json` - TypeScript strict mode
- `.woodpecker.yml` - CI pipeline - `.woodpecker.yml` - CI pipeline
- `.gitleaks.toml` - Secret scanning config
### 3. Install Dependencies ### 3. Install Dependencies
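Review bot: the new `.gitleaks.toml` entry should say what the file carries (rule set, any allowlisted paths or patterns), because allowlist entries are the usual place where secret scanning is quietly weakened. Since this file is copied into every consuming repo, a short note that changes to it should be reviewed like any other security control, and that the copied file is intended to be committed rather than kept local, would help the reader.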
@@ -75,6 +76,8 @@ Should output:
``` ```
✅ PASS: Type errors blocked ✅ PASS: Type errors blocked
✅ PASS: 'any' types blocked ✅ PASS: 'any' types blocked
✅ PASS: gitleaks found (8.24.0)
✅ PASS: gitleaks detected planted secret
✅ PASS: Lint errors blocked ✅ PASS: Lint errors blocked
``` ```
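Review bot: the expected output now hard-codes "gitleaks found (8.24.0)", so anyone on a different release will see their output differ from the doc and may read that as a failure. Suggest showing the version as a placeholder (e.g. "gitleaks found (x.y.z)") or stating the minimum supported version separately. For "detected planted secret", the doc should say that the verification script creates the planted secret in a throwaway location and removes it afterwards, so the check does not leave a detectable artifact in the working tree or tempt the reader to add an allowlist entry to silence it.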
@@ -125,7 +128,7 @@ On every `git commit`, runs:
1. ESLint with --max-warnings=0 1. ESLint with --max-warnings=0
2. TypeScript type check 2. TypeScript type check
3. Prettier formatting 3. Prettier formatting
4. Secret scanning (if git-secrets installed) 4. Secret scanning via gitleaks (required)
If any fail → **commit blocked**. If any fail → **commit blocked**.
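Review bot: item 4 changes secret scanning from optional ("if git-secrets installed") to "required", but the doc does not say what the hook does when the gitleaks binary is not present. A required control should fail closed, i.e. the commit is blocked with a message telling the developer how to install gitleaks, rather than being skipped; please state which behaviour the hook implements and link the install step. It would also be worth moving secret scanning ahead of the lint, type-check and format steps in the list, since it is the cheapest check and the one you most want to fail fast on.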