From 3ac2458fef610ce2e607c71c64274531ec70704c Mon Sep 17 00:00:00 2001
From: Byron Williams
Date: Tue, 2 Jun 2026 19:24:10 -0700
Subject: [PATCH] feat(ci): add qlty gate and weekly health scan

Wires up the new python-qlty-gate reusable workflow for two purposes:

PR gate (qlty-gate job): runs qlty check in diff mode on pull requests, blocking merges that introduce medium+ severity issues. The check name "qlty-gate / Qlty Gate" is added to the org baseline required checks.

Weekly health scan (qlty-health job): runs qlty check --all on a Monday morning schedule to surface the full backlog. Exits 0 (no-fail: true) until the existing 100-issue debt is resolved, at which point no-fail should be removed to create a regression alarm.

Existing coverage-upload job (qlty) is guarded to push-to-main only.

Refs: ByronWilliamsCPA/.github#188

Co-Authored-By: Claude Sonnet 4.6
---
 .github/workflows/qlty.yml | 32 +++++++++++++++++++++++++++++++-
 1 file changed, 31 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/qlty.yml b/.github/workflows/qlty.yml
index 86172a9..6262dbc 100644
--- a/.github/workflows/qlty.yml
+++ b/.github/workflows/qlty.yml
@@ -5,15 +5,21 @@ on:
 branches: [main]
 pull_request:
 branches: [main]
+ schedule:
+ # Weekly full-codebase health scan: Monday 07:00 UTC
+ - cron: '0 7 * * 1'
+ workflow_dispatch:
 
 permissions: read-all
 
 concurrency:
- group: qlty-coverage-${{ github.ref }}
+ group: qlty-${{ github.ref }}
 cancel-in-progress: true
 
 jobs:
+ # Coverage upload after merges to main only.
 qlty:
+ if: github.event_name == 'push'
 uses: ByronWilliamsCPA/.github/.github/workflows/python-qlty-coverage.yml@40ff5b5615e786ee0867e1b9e8f21a4735036e63 # main
 permissions:
 contents: read
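Review bot: The renamed concurrency group `qlty-${{ github.ref }}` with `cancel-in-progress: true` now covers three triggers, and for `push`, `schedule` and (by default) `workflow_dispatch` on the default branch `github.ref` resolves to the same `refs/heads/main`, so a Monday health scan can cancel an in-flight coverage upload, or a merge to main can cancel the scan. Since the jobs are already split by `if:` on `github.event_name`, key the group on the event too, `group: qlty-${{ github.event_name }}-${{ github.ref }}`, or keep one group and set `cancel-in-progress: ${{ github.event_name == 'pull_request' }}` so only superseded PR runs are cancelled. The job-level `contents: read` under the top-level `permissions: read-all` and the SHA-pinned `uses:` are the right shape; the `# main` trailer on that pin is worth carrying on every pinned reusable workflow so the SHA can be traced to a ref. The `qlty` job's `with:` block continues outside this hunk.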
@@ -24,3 +30,27 @@ jobs:
 coverage-format: cobertura
 secrets:
 QLTY_COVERAGE_TOKEN: ${{ secrets.QLTY_COVERAGE_TOKEN }}
+
+ # PR gate: diff mode, block merges that introduce medium+ severity issues.
+ # Check name: "qlty-gate / Qlty Gate" -- required by org baseline ruleset.
+ qlty-gate:
+ if: github.event_name == 'pull_request'
+ uses: ByronWilliamsCPA/.github/.github/workflows/python-qlty-gate.yml@040026ab682aa4b9ef491750d62cdd1592cdb659
+ permissions:
+ contents: read
+ with:
+ fail-level: medium
+ upstream: origin/${{ github.base_ref }}
+
+ # Weekly health scan: full codebase, informational only.
+ # Reports accumulated debt without blocking workflows.
+ # Remove no-fail once the existing 100-issue backlog is resolved.
+ qlty-health:
+ if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
+ uses: ByronWilliamsCPA/.github/.github/workflows/python-qlty-gate.yml@040026ab682aa4b9ef491750d62cdd1592cdb659
+ permissions:
+ contents: read
+ with:
+ fail-level: high
+ check-all: true
+ no-fail: true
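Review bot: `upstream: origin/${{ github.base_ref }}` forwards a branch name into the reusable workflow, and whether that is safe depends on code outside this diff: if `python-qlty-gate.yml` splices `${{ inputs.upstream }}` directly into a `run:` line for `qlty check`, a base branch whose name carries shell metacharacters becomes an injection vector, so confirm there that the input is read from `env:` rather than inline, and that its checkout fetches the base branch, since a default shallow `actions/checkout` has no `origin/<base>` ref for diff mode to compare against. In `qlty-health`, `fail-level: high` is inert while `no-fail: true` is set, which matches the stated intent but reads as a contradiction; a comment such as `# fail-level only takes effect once no-fail is removed` next to it would make the planned regression alarm explicit. Both new `uses:` pins are full SHAs, which is good, but unlike the coverage job they carry no `# main` or tag trailer, so add one so the pinned commit can be audited and bumped. Both new jobs are complete within this hunk.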