feat(ci): add qlty gate and weekly health scan

[williaby]

Summary

• PR gate (qlty-gate job): calls the new python-qlty-gate reusable workflow in diff mode on pull requests; blocks merges that introduce medium+ severity qlty issues in changed files
• Weekly health scan (qlty-health job): calls the same reusable workflow with --all on a Monday schedule; informational only (no-fail: true) until the existing 100-issue backlog is resolved
• Existing coverage-upload job is guarded to push events only

Why this approach

The qlty check status context posted by the qlty.sh GitHub App always reports SUCCESS regardless of issue count. It cannot block PRs. The only reliable enforcement path is a GitHub Actions CheckRun that calls the qlty CLI and exits non-zero.

The resulting check name qlty-gate / Qlty Gate is what gets added to required_status_checks in the org baseline ruleset (companion change, no PR needed -- done via API).

Dependencies

Depends on ByronWilliamsCPA/.github#188 merging first. References the branch commit SHA 040026ab682aa4b9ef491750d62cdd1592cdb659. After .github#188 squash-merges, Renovate will update this SHA automatically.

Test plan

• qlty-gate / Qlty Gate check appears on this PR after .github#188 merges
• Check blocks on a test PR that introduces a new high-severity bandit finding
• Scheduled health scan (Monday) completes with exit 0; reports issue count in job summary
• Remove no-fail: true from qlty-health once backlog reaches zero

[coderabbitai]

Warning

Review limit reached

@williaby, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 58 minutes and 53 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a489a2fc-f3dd-437e-bc0d-b523af7f4519

📥 Commits

Reviewing files that changed from the base of the PR and between 8980bff and 3ac2458.

📒 Files selected for processing (1)

• .github/workflows/qlty.yml

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/qlty-gate

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

Adds Qlty enforcement and ongoing scanning to the repository’s CI so PRs can be blocked on newly introduced medium+ severity Qlty findings, while also running a weekly informational full-repo scan to track existing issue backlog. This fits the repo’s pattern of delegating CI/security quality checks to org-level reusable workflows with SHA pins.

Changes:

• Adds a PR “gate” job (qlty-gate) that calls the org reusable python-qlty-gate workflow in diff mode (intended to block merges on medium+ findings).
• Adds a scheduled and manually-invokable “health” job (qlty-health) that runs a full-codebase scan with no-fail: true.
• Restricts the existing Qlty coverage upload job to push events only, and updates workflow concurrency grouping.