CI & quality gate improvements

[don-petry]

Summary

The CI pipeline covers formatting and basic compilation but is missing several standard Rust quality gates. The release workflow ships binaries without running tests. Additionally, no static analysis, security scanning, or automated code review tooling is configured.

Items

1. Add cargo clippy to CI

The single biggest missing quality gate for a Rust project. Clippy catches correctness bugs, performance issues, and idiomatic violations that cargo check misses.

- run: cargo clippy --locked --all-targets -- -D warnings

2. Release workflow should run tests before building

release.yml builds and publishes binaries on tag push without running the test suite. If the tagged commit has a regression, broken binaries ship. Add a test job as a dependency of the build job.

3. Add cross-platform CI testing

Tests only run on ubuntu-24.04, but release builds target macOS and Windows. Platform-specific bugs (path handling, git subprocess behavior, write_atomic differences) ship undetected.

Suggested matrix:

• ubuntu-24.04
• macos-latest
• windows-latest

4. Add MSRV verification

README badge claims Rust 1.85+ but nothing enforces it. Add a CI job pinned to 1.85:

- uses: dtolnay/rust-toolchain@1.85

Also add a rust-toolchain.toml or rust-version = "1.85" to Cargo.toml.

5. Add Dependabot configuration

No .github/dependabot.yml exists. Both cargo and github-actions ecosystems should be covered:

version: 2
updates:
  - package-ecosystem: cargo
    directory: /
    schedule:
      interval: weekly
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly

6. Add cargo audit or cargo deny

No dependency security scanning. Known CVEs in transitive deps go undetected. Given the GPL-3.0 license, cargo deny would also verify license compatibility of all dependencies.

7. Add --version flag

dgr --version currently does nothing. Add #[command(version)] to the Cli struct — one-line fix.

---

Static Analysis & Security Scanning

8. Enable GitHub CodeQL analysis

CodeQL provides semantic code analysis that goes beyond linting — it detects security vulnerabilities, data flow issues, and common bug patterns using GitHub's query language. For a Rust project that shells out to git and gh, CodeQL can catch:

• Command injection risks in Command::new("git").args(...) patterns
• Path traversal vulnerabilities in file operations
• Unsafe string interpolation in shell arguments

Setup: Add .github/workflows/codeql.yml:

name: CodeQL

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: '0 6 * * 1'  # Weekly Monday 6am UTC

permissions:
  security-events: write
  contents: read

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout
        uses: actions/checkout@v5

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: actions

      - name: Autobuild
        uses: github/codeql-action/autobuild@v3

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3

Notes:

• CodeQL's Rust support is currently in beta/limited — the primary value here is scanning the GitHub Actions YAML workflows and any future scripting. As Rust support matures, the coverage will expand automatically.
• Results appear in the repository's Security → Code scanning tab.
• No external account or token needed — CodeQL is free for public repositories.

9. Enable SonarCloud continuous inspection

SonarCloud provides continuous code quality and security analysis with a focus on maintainability metrics: code smells, cognitive complexity, duplications, and technical debt tracking over time. It complements CodeQL (which focuses on security) by covering code quality dimensions.

What it adds beyond clippy/CodeQL:

• Technical debt estimation — quantifies maintenance burden per file/module
• Cognitive complexity scoring — flags functions that are hard to understand (beyond cyclomatic complexity)
• Duplication detection — identifies copy-paste patterns across the codebase
• Quality gates — configurable pass/fail criteria on PRs (e.g., "no new bugs, coverage ≥ X%")
• Historical trends — tracks quality metrics over time on a dashboard

Setup:

1. Link the repository at sonarcloud.io → import oneirosoft/dagger from GitHub. This generates an organization key and project key.

2. Add repository secrets in GitHub Settings → Secrets:

   • SONAR_TOKEN — generated from SonarCloud project settings

3. Add sonar-project.properties to repo root:

sonar.projectKey=oneirosoft_dagger
sonar.organization=oneirosoft
sonar.sources=src
sonar.tests=tests
sonar.sourceEncoding=UTF-8
sonar.exclusions=**/test_support.rs,**/tests/**

4. Add .github/workflows/sonarcloud.yml:

name: SonarCloud

on:
  push:
    branches: [main]
  pull_request:
    types: [opened, synchronize, reopened]

permissions:
  contents: read

jobs:
  sonarcloud:
    name: SonarCloud Analysis
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout
        uses: actions/checkout@v5
        with:
          fetch-depth: 0  # Full history needed for blame/diff

      - name: SonarCloud Scan
        uses: SonarSource/sonarqube-scan-action@v5
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

Notes:

• Free for public/open-source repositories.
• PR decoration (inline comments on new issues) works automatically once connected.
• Quality gate results appear as GitHub check statuses on PRs.
• Rust analysis relies on SonarCloud's generic import capabilities — for deeper Rust-specific analysis, cargo clippy output can be imported as external issues.

10. Enable CodeRabbit.ai automated code review

CodeRabbit is an AI-powered code review tool that provides contextual, project-aware review comments on every PR. Unlike Copilot's basic review (which already runs on this repo), CodeRabbit offers:

• Incremental reviews — re-reviews only the changed lines on force-pushes, not the entire PR
• Sequence diagrams — auto-generates visual diagrams for complex control flow changes
• Cross-file impact analysis — detects when a change in one file breaks assumptions in another
• Learnable — accepts feedback ("good catch" / "not relevant") and adjusts future reviews
• Configurable review profile — can be tuned for Rust idioms, project conventions, and review strictness
• Issue/PR linking — automatically connects PR changes to referenced issues and validates completeness

Setup:

1. Install the CodeRabbit GitHub App at coderabbit.ai — authorize for the oneirosoft/dagger repository.

2. Add .coderabbit.yaml to repo root for project-specific configuration:

language: en
reviews:
  profile: chill          # Options: chill, assertive, followup
  auto_review:
    enabled: true
    drafts: false          # Skip draft PRs
  path_instructions:
    - path: "src/core/store/**"
      instructions: >
        Pay close attention to atomicity, error handling on I/O operations,
        and state consistency. These files manage persistent state that must
        survive crashes.
    - path: "src/core/git.rs"
      instructions: >
        Review for command injection risks in git subprocess invocations.
        Ensure all user-provided branch names are passed as separate args,
        never interpolated into shell strings.
    - path: "src/cli/**"
      instructions: >
        Verify CLI layer is a thin adapter — business logic should live in
        src/core/. Check that error messages are user-friendly.
  tools:
    clippy:
      enabled: true
    shellcheck:
      enabled: true
chat:
  auto_reply: true

Notes:

• Free for public/open-source repositories (unlimited reviews).
• Provides summaries and walkthrough comments on every PR automatically.
• Can be interacted with via PR comments (@coderabbitai review, @coderabbitai resolve).
• Respects AGENTS.md and CODEOWNERS conventions if present.
• Reviews are significantly more detailed than GitHub Copilot's automated reviews — it understands project context, cross-file dependencies, and can be taught project-specific conventions.

---

Priority Order

Item	Effort	Impact	Dependencies
1. cargo clippy	5 min	High	None
7. --version flag	1 min	High	None
5. Dependabot	5 min	Medium	None
10. CodeRabbit.ai	15 min	High	GitHub App install
8. CodeQL	15 min	Medium	None
2. Release test gate	15 min	High	None
6. cargo audit	15 min	Medium	None
4. MSRV verification	15 min	Medium	None
3. Cross-platform CI	30 min	Medium	None
9. SonarCloud	30 min	Medium	Account setup + secret