
chore: adopt quality-zero-platform wrappers #19

Open
Prekzursil wants to merge 2 commits into main from feat/quality-zero-platform-rollout

Conversation

@Prekzursil
Owner

Summary

  • replace repo-local strict-zero quality workflows with quality-zero-platform wrapper workflows
  • remove queue-era intake and quality workflow files that are now owned by the control-plane repo
  • update AGENTS.md to point contributors at the canonical local verify command

Notes

  • public quality check names are preserved through the shared platform workflows
  • live ruleset changes are intentionally deferred until the new contexts are observed on a real PR

Co-authored-by: Codex <noreply@openai.com>
@devloai

devloai bot commented Mar 10, 2026

Unable to trigger custom agent "Code Reviewer". You have run out of credits 😔
Please upgrade your plan or buy additional credits from the subscription page.

@coderabbitai

coderabbitai bot commented Mar 10, 2026

Warning

Rate limit exceeded

@Prekzursil has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 29 minutes and 56 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 507a16df-9d29-4078-9058-5dd3a8e5e45a

📥 Commits

Reviewing files that changed from the base of the PR and between 0b96e50 and 5716427.

📒 Files selected for processing (25)
  • .github/workflows/agent-label-sync.yml
  • .github/workflows/agent-task-queue.yml
  • .github/workflows/applitools-visual.yml
  • .github/workflows/chromatic-playwright.yml
  • .github/workflows/codacy-zero.yml
  • .github/workflows/codecov-analytics.yml
  • .github/workflows/coverage-100.yml
  • .github/workflows/deepscan-zero.yml
  • .github/workflows/kpi-weekly-digest.yml
  • .github/workflows/quality-zero-backlog.yml
  • .github/workflows/quality-zero-gate.yml
  • .github/workflows/quality-zero-platform.yml
  • .github/workflows/quality-zero-remediation.yml
  • .github/workflows/semgrep-zero.yml
  • .github/workflows/sentry-zero.yml
  • .github/workflows/sonar-zero.yml
  • AGENTS.md
  • frontend/webcoder_ui/package.json
  • frontend/webcoder_ui/playwright.config.cjs
  • frontend/webcoder_ui/src/visual/publicVisualRoutes.test.ts
  • frontend/webcoder_ui/tests/visual/helpers.mjs
  • frontend/webcoder_ui/tests/visual/public-routes.applitools.spec.mjs
  • frontend/webcoder_ui/tests/visual/public-routes.chromatic.spec.mjs
  • frontend/webcoder_ui/tests/visual/public-routes.playwright.spec.mjs
  • frontend/webcoder_ui/visual/publicVisualRoutes.cjs

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.


Comment @coderabbitai help to get the list of available commands and usage tips.

Comment on lines +15 to +19
    uses: Prekzursil/quality-zero-platform/.github/workflows/reusable-backlog-sweep.yml@main
    with:
      repo_slug: ${{ github.repository }}
      tool: ${{ inputs.tool || 'coverage' }}
    secrets: inherit

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 1 day ago

  • In general, the fix is to explicitly set permissions for the workflow/job so that GITHUB_TOKEN has only the minimum scopes needed. Since this job primarily appears to orchestrate a reusable workflow and passes only inputs/secrets, a safe starting point is contents: read.
  • The best minimal-impact fix is to add a permissions block at the workflow (top) level so it applies to all jobs that don’t override it. Based on the snippet, there’s only one job, so this will cover it. Use permissions: contents: read as a conservative default; if the reusable workflow later needs additional permissions, they can be added explicitly there or here.
  • Concretely, in .github/workflows/quality-zero-backlog.yml, insert a permissions: section after the on: block (after line 12) and before jobs: (line 13). This keeps the YAML structure clear and standard.
  • No imports or external methods are needed; just the YAML permissions mapping added at the root level.
Suggested changeset 1
.github/workflows/quality-zero-backlog.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/quality-zero-backlog.yml b/.github/workflows/quality-zero-backlog.yml
--- a/.github/workflows/quality-zero-backlog.yml
+++ b/.github/workflows/quality-zero-backlog.yml
@@ -10,6 +10,9 @@
         required: true
         default: coverage
 
+permissions:
+  contents: read
+
 jobs:
   backlog-sweep:
     uses: Prekzursil/quality-zero-platform/.github/workflows/reusable-backlog-sweep.yml@main
EOF
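Review bot: The workflow-level `permissions: contents: read` inserted before `jobs:` also caps the token handed to `reusable-backlog-sweep.yml`, because a called reusable workflow can only receive permissions equal to or lower than the caller's. A backlog sweep that files issues or opens pull requests would then fail at runtime rather than at lint time, so check what that reusable workflow declares and add the scopes it needs here (for example `issues: write` or `pull-requests: write`) rather than only the blanket read. Placement after the `on:` block is fine and matches the other root-level autofixes on this PR.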
Comment on lines +12 to +17
    uses: Prekzursil/quality-zero-platform/.github/workflows/reusable-quality-zero-gate.yml@main
    with:
      repo_slug: ${{ github.repository }}
      event_name: ${{ github.event_name }}
      sha: ${{ github.event.pull_request.head.sha || github.sha }}
    secrets: inherit

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 1 day ago

In general, the fix is to add an explicit permissions: block that grants only the minimum required GITHUB_TOKEN scopes, either at the top level (applies to all jobs) or on the specific job. Since this workflow only defines a single job, adding permissions: under that job is clear and localized.

The best minimal fix here is:

  • Add a permissions: block under jobs.aggregate-gate that grants read access to contents and packages. This mirrors GitHub’s “read-only” default and satisfies the CodeQL rule.
  • If the reusable workflow needs additional write scopes (e.g., to set commit statuses or PR checks), those would be added there, but we cannot infer them safely from the snippet. So we will stick to a conservative minimal starting point recommended by the rule: contents: read and packages: read.

Concretely, in .github/workflows/quality-zero-gate.yml, between the aggregate-gate: line and the uses: line, add:

    permissions:
      contents: read
      packages: read

No imports or other definitions are needed; this is purely a YAML configuration change.

Suggested changeset 1
.github/workflows/quality-zero-gate.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/quality-zero-gate.yml b/.github/workflows/quality-zero-gate.yml
--- a/.github/workflows/quality-zero-gate.yml
+++ b/.github/workflows/quality-zero-gate.yml
@@ -9,6 +9,9 @@
 
 jobs:
   aggregate-gate:
+    permissions:
+      contents: read
+      packages: read
     uses: Prekzursil/quality-zero-platform/.github/workflows/reusable-quality-zero-gate.yml@main
     with:
       repo_slug: ${{ github.repository }}
EOF
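Review bot: `packages: read` is not justified by anything in the hunk: the job only forwards `repo_slug`, `event_name` and `sha` to the reusable gate and inherits secrets, so unless that workflow pulls images from GHCR the line should go. The larger question runs the other way: a job-level `permissions:` on a `uses:` job is the ceiling for the called `reusable-quality-zero-gate.yml`, so if the gate posts check runs or PR comments it will need `checks: write` or `pull-requests: write` declared here. This autofix also places the block at job level while the other three on this PR place it at the workflow root; pick one placement across the four wrappers.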
Comment on lines +12 to +17
    uses: Prekzursil/quality-zero-platform/.github/workflows/reusable-scanner-matrix.yml@main
    with:
      repo_slug: ${{ github.repository }}
      event_name: ${{ github.event_name }}
      sha: ${{ github.event.pull_request.head.sha || github.sha }}
    secrets: inherit

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 1 day ago

In general, the fix is to add an explicit permissions block that grants only the minimal required scopes for GITHUB_TOKEN. When you don’t know specific write requirements, a safe baseline is read‑only access to repository contents (and optionally packages), e.g. contents: read. This should be added either at the root of the workflow (applying to all jobs) or to the individual job.

For this workflow, the simplest change that doesn’t alter existing behavior beyond restricting excessive default permissions is to add a root‑level permissions block after the on: section and before jobs:. Because this workflow only dispatches a reusable workflow and does not itself perform write operations, contents: read is an appropriate minimal starting point. If the reusable workflow requires additional permissions, they should be defined in that reusable workflow, not here. Concretely, in .github/workflows/quality-zero-platform.yml, insert:

permissions:
  contents: read

between the existing on: block and the jobs: block. No imports or other definitions are needed.

Suggested changeset 1
.github/workflows/quality-zero-platform.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/quality-zero-platform.yml b/.github/workflows/quality-zero-platform.yml
--- a/.github/workflows/quality-zero-platform.yml
+++ b/.github/workflows/quality-zero-platform.yml
@@ -7,6 +7,9 @@
     branches: [main]
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   shared-scanner-matrix:
     uses: Prekzursil/quality-zero-platform/.github/workflows/reusable-scanner-matrix.yml@main
EOF
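Review bot: `contents: read` at the workflow root also bounds `reusable-scanner-matrix.yml`, and scanner workflows commonly upload SARIF to code scanning, which requires `security-events: write`; with only `contents: read` that upload step would fail. Verify whether the matrix uploads results and, if so, grant `security-events: write` here, since the called workflow cannot raise its own permissions above the caller's. The placement between `workflow_dispatch:` and `jobs:` is correct.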
Comment on lines +16 to +22
    if: github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'failure'
    uses: Prekzursil/quality-zero-platform/.github/workflows/reusable-remediation-loop.yml@main
    with:
      repo_slug: ${{ github.repository }}
      failure_context: ${{ inputs.failure_context || 'Quality Zero Gate' }}
      sha: ${{ github.event.workflow_run.head_sha || github.sha }}
    secrets: inherit

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 1 day ago

To fix the problem, explicitly set permissions for the workflow so the GITHUB_TOKEN is limited to the minimal scope needed. Since this workflow only orchestrates a reusable workflow and doesn’t perform any writes itself, we can safely default to read-only repository access (contents: read) at the workflow root, which applies to all jobs that don’t override it.

The best fix without changing existing functionality is to add a permissions block at the top level of .github/workflows/quality-zero-remediation.yml, alongside name and on. This will ensure that the remediate job, and any other jobs added later (unless they override permissions), will use a read-only token by default. Concretely, insert:

permissions:
  contents: read

between the name: and on: keys. No additional imports, methods, or other definitions are needed; this is purely a YAML configuration change within the shown file.

Suggested changeset 1
.github/workflows/quality-zero-remediation.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/quality-zero-remediation.yml b/.github/workflows/quality-zero-remediation.yml
--- a/.github/workflows/quality-zero-remediation.yml
+++ b/.github/workflows/quality-zero-remediation.yml
@@ -1,5 +1,8 @@
 name: Quality Zero Remediation
 
+permissions:
+  contents: read
+
 on:
   workflow_run:
     workflows: ["Quality Zero Gate"]
EOF
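Review bot: A remediation loop triggered by a failed `workflow_run` of the gate is the wrapper most likely to need write access (pushing fixes or opening a PR), so `contents: read` here is the autofix most likely to break the job rather than harden it; confirm what `reusable-remediation-loop.yml` actually does before merging this hunk and declare the scopes it needs. Two smaller points: `workflow_run` workflows execute from the default branch with a privileged token, so scoping it explicitly is worthwhile, and for consistency with the other wrappers the block belongs after `on:` rather than between `name:` and `on:`.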
@chatgpt-codex-connector chatgpt-codex-connector bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: fe8a39e195

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

name: quality-zero-gate
path: quality-zero-gate
aggregate-gate:
uses: Prekzursil/quality-zero-platform/.github/workflows/reusable-quality-zero-gate.yml@main


P2: Pin reusable workflow refs to immutable commits

Using @main for an external reusable workflow makes the quality gate non-deterministic, because upstream branch updates can change or break this repository’s CI behavior without any local code change; it also increases supply-chain risk since this job inherits secrets. The same mutable-ref pattern is used across the new wrapper workflows, so each uses: should be pinned to a commit SHA and only bumped intentionally.

Useful? React with 👍 / 👎.

Co-authored-by: Codex <noreply@openai.com>
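A defender-side check for the two findings raised in this thread (the CodeQL "workflow does not contain permissions" warnings and the Codex P2 note on `@main` refs), as an added example that is not code from the PR or from quality-zero-platform. It assumes a line-based reading of the wrapper YAML (no PyYAML), uses a constructed wrapper modelled on the backlog workflow, and the all-zero SHA in the "after" input is a placeholder, not a real commit.

```python
import re
# Added example, not code from this PR or from quality-zero-platform. It flags a missing
# permissions: block (CodeQL), reusable-workflow refs on a mutable ref (Codex P2), and
# the combination of a mutable ref with secrets: inherit that Codex called out.
SHA_REF = re.compile(r"@[0-9a-f]{40}$")
USES_LINE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s]+)")

def audit_workflow(text):
    """Line-based audit of one workflow file; returns a findings dict."""
    lines = text.splitlines()
    top_perms = any(l.startswith("permissions:") for l in lines)
    jobs, in_jobs, job_indent = [], False, None
    for line in lines:
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:                 # a new top-level key starts here
            in_jobs = stripped == "jobs:"
            continue
        if not in_jobs:
            continue
        if job_indent is None:
            job_indent = indent         # indentation level of the job ids
        if indent == job_indent and stripped.endswith(":"):
            jobs.append({"id": stripped[:-1], "perms": False, "uses": [], "inherit": False})
        elif jobs:
            if stripped.startswith("permissions:"):   # steps cannot carry this key
                jobs[-1]["perms"] = True
            elif stripped == "secrets: inherit":
                jobs[-1]["inherit"] = True
            m = USES_LINE.match(line)
            if m and "@" in m.group(1):     # skip local ./ and docker:// refs
                jobs[-1]["uses"].append(m.group(1))
    unscoped = [] if top_perms else [j["id"] for j in jobs if not j["perms"]]
    mutable = [u for j in jobs for u in j["uses"] if not SHA_REF.search(u)]
    # A mutable ref in a job that also inherits secrets is the high-risk case.
    high_risk = any(j["inherit"] and any(not SHA_REF.search(u) for u in j["uses"]) for j in jobs)
    return {"unscoped_jobs": unscoped, "mutable_uses": mutable, "high_risk": high_risk}

# Constructed input modelled on the backlog wrapper quoted in the PR.
WRAPPER_BEFORE = """\
on: workflow_dispatch
jobs:
  backlog-sweep:
    uses: Prekzursil/quality-zero-platform/.github/workflows/reusable-backlog-sweep.yml@main
    secrets: inherit
"""
# Same wrapper after the autofix, with the ref pinned to a placeholder SHA (not a real commit).
WRAPPER_AFTER = WRAPPER_BEFORE.replace("\njobs:", "\npermissions:\n  contents: read\njobs:").replace("@main", "@" + "0" * 40)
```

Run `audit_workflow` over each file under `.github/workflows/` to get the same two findings CodeQL and Codex reported, plus the job ids that still lack a scope after the autofixes are applied.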
@sonarqubecloud

Quality Gate failed

Failed conditions
1 New issue
9 Security Hotspots

See analysis details on SonarQube Cloud

Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 5716427ccf


      - run: npm run visual:chromatic:archive
      - run: npx --yes chromatic --playwright --project-token=${{ secrets.CHROMATIC_PROJECT_TOKEN }}
        env:
          CHROMATIC_ARCHIVE_LOCATION: frontend/webcoder_ui/test-results


P1: Use archive path relative to the configured working directory

This job sets defaults.run.working-directory to frontend/webcoder_ui (line 19), but then passes CHROMATIC_ARCHIVE_LOCATION: frontend/webcoder_ui/test-results to the Chromatic CLI. Because the final run step also executes from frontend/webcoder_ui, that env var points to a nested path (frontend/webcoder_ui/frontend/webcoder_ui/test-results) instead of the archive generated by npm run visual:chromatic:archive, so the upload step can fail even when Playwright archiving succeeded.

Useful? React with 👍 / 👎.
