lesavka/docs/quality-gate.md

Lesavka quality gate

Lesavka follows the Atlas gate order, with one extra lane for media reliability because the product is latency-sensitive and hardware-facing.

Strict order:

  1. style/docs via scripts/ci/hygiene_gate.sh
  2. LOC/naming via scripts/ci/hygiene_gate.sh
  3. coverage via scripts/ci/quality_gate.sh
  4. tests via scripts/ci/test_gate.sh
  5. media_reliability via scripts/ci/media_reliability_gate.sh
  6. gate_glue via scripts/ci/gate_glue_gate.sh
  7. sonarqube via scripts/ci/sonarqube_gate.sh
  8. supply_chain and artifact security via scripts/ci/supply_chain_gate.sh

The Jenkinsfile runs those checks in that order. Gate artifacts are archived under target/*-gate/ and release artifacts under dist/.

Repository Hygiene

The hygiene gate fails if generated output is committed, Cargo.lock is missing from git, workspace members drift away from common, client, server, and testing, direct-run shell scripts are not executable, manual scripts are not marked manual, or new LESAVKA_* variables are missing from docs/operational-env.md.

Manual probes live under scripts/manual/. They are useful field tools, but they are not CI dependencies unless converted into deterministic tests.

Media Reliability

media_reliability is not just a test alias. It protects the pieces that keep video moving without accumulating latency:

  • bounded appsrc/appsink queues
  • dropping stale frames rather than letting latency build up
  • local monotonic sink timestamps
  • IDR/keyframe recovery after drops
  • HDMI/UVC sink construction
  • preview telemetry for FPS, drops, queue depth, and inter-frame gaps

Real hardware evidence still matters. Put manual soak evidence in target/media-reliability-gate/manual-soak.json when validating Zoom/Teams/Slack-class consumers or the Theia HDMI -> UGREEN -> Tethys USB path.

Supply Chain And Artifacts

scripts/ci/supply_chain_gate.sh always generates dependency metadata, a dependency tree, and secret-scan evidence, plus artifact checksums when dist/*.tar.gz exists. It runs cargo-audit and cargo-deny when those tools are installed. Set LESAVKA_SUPPLY_CHAIN_ENFORCE_TOOLS=1 to hard-fail when either tool is unavailable.

build-dist.sh writes dist/SHA256SUMS and a provenance JSON file with version, branch, commit, build URL, toolchain, target, and timestamp.

SonarQube

scripts/ci/sonarqube_gate.sh emits explicit not_applicable metrics when scanner configuration is absent. Once SonarQube credentials and sonar-scanner are installed in CI, set LESAVKA_SONAR_ENFORCE=1 to hard-fail on missing or failed Sonar analysis.
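
The optional-tool behaviour described under Supply Chain And Artifacts, which LESAVKA_SONAR_ENFORCE mirrors for SonarQube, can be sketched as below. This is an added example, not the project's supply_chain_gate.sh. GATE_DIR, the tool-status.txt format, and the function names check_tool and gate_verdict are assumptions. The point it shows is that a missing scanner is recorded as evidence rather than silently passing, and only the enforce switch turns that record into a failure.

```shell
#!/bin/sh
# Added example: not the project's supply_chain_gate.sh.
# GATE_DIR and the status-file format are assumptions made for this sketch.
GATE_DIR="${GATE_DIR:-target/supply-chain-gate}"

# check_tool NAME [ARGS...]: run an optional scanner and record one of
# passed / failed / unavailable in $GATE_DIR/tool-status.txt.
check_tool() {
    tool="$1"; shift
    mkdir -p "$GATE_DIR"
    if ! command -v "$tool" >/dev/null 2>&1; then
        status=unavailable          # tool not installed: record it, do not guess
    elif "$tool" "$@" >"$GATE_DIR/$tool.log" 2>&1; then
        status=passed
    else
        status=failed               # tool ran and reported a problem
    fi
    echo "$tool=$status" >>"$GATE_DIR/tool-status.txt"
}

# gate_verdict: succeed only if no tool failed and, when
# LESAVKA_SUPPLY_CHAIN_ENFORCE_TOOLS=1, no tool was unavailable.
gate_verdict() {
    status_file="$GATE_DIR/tool-status.txt"
    [ -f "$status_file" ] || return 1   # no evidence at all is a failure
    if grep -q '=failed$' "$status_file"; then
        return 1
    fi
    if [ "${LESAVKA_SUPPLY_CHAIN_ENFORCE_TOOLS:-0}" = "1" ] &&
       grep -q '=unavailable$' "$status_file"; then
        return 1
    fi
    return 0
}
```

Without the enforce switch, an `unavailable` line in the archived status file is the only sign that a scan never ran, so it is worth reviewing alongside the other gate artifacts.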