fix(governance): German PR rule set and merge gate for code-scanning-0 #50
Pull request overview
This PR implements comprehensive German-language governance rules and fail-closed merge gates for branch/PR naming conventions and code scanning alerts. It establishes mandatory PR structure requirements and introduces automated validation to enforce these policies in the CI pipeline.
Changes:
- Added fail-closed CI checks for PR governance (branch naming, PR title format, PR body structure) and code scanning alerts (must be zero to merge)
- Introduced mandatory German-language PR template with structured sections, checklists, and Definition of Done matrices
- Updated AGENTS.md to formalize German workflow requirements and iterative development model
- Version bumped to 5.1.3 with full convergence across all version fields
- Added FsCheck-based fuzzing smoke test and updated Scorecard workflow to use PAT-based authentication
Reviewed changes
Copilot reviewed 17 out of 18 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| tools/ci/check-pr-governance.sh | New fail-closed validation script for branch names, PR titles, and PR body structure per German governance policy |
| tools/ci/check-code-scanning-tools-zero.sh | New fail-closed check that blocks merge if any open code scanning alerts exist |
| tools/ci/bin/run.sh | Integrated both new governance checks into preflight stage as blocking checks |
| .github/workflows/ci.yml | Added security-events and pull-requests read permissions; set GH_TOKEN for preflight job |
| .github/workflows/scorecard.yml | Updated to use SECURITY_CLAIMS_TOKEN PAT for more robust governance evaluation |
| tests/FileTypeDetectionLib.Tests/Unit/Fuzzing/FsCheckSmokeTests.cs | New smoke test validating FsCheck generator functionality |
| tests/FileTypeDetectionLib.Tests/FileTypeDetectionLib.Tests.csproj | Added FsCheck package reference |
| tests/FileTypeDetectionLib.Tests/packages.lock.json | Locked FsCheck 3.2.0 and FSharp.Core 5.0.2 dependencies |
| Directory.Packages.props | Added centrally managed FsCheck version 3.2.0 |
| Directory.Build.props | Version bumped to 5.1.3 |
| src/FileTypeDetection/FileTypeDetectionLib.vbproj | Version and PackageVersion updated to 5.1.3 |
| docs/versioning/003_CHANGELOG_RELEASES.MD | Documented governance hardening changes under [Unreleased] and added 5.1.2 and 5.1.1 release entries |
| docs/versioning/002_HISTORY_VERSIONS.MD | Added version 5.1.3 entry with TBD commit reference |
| docs/governance/007_POLICY_BRANCH_PR_NAMING_DE.MD | New policy document defining mandatory branch/PR naming conventions with enforcement rules |
| docs/governance/003_INDEX_GOVERNANCE.MD | Added reference to new branch/PR naming policy |
| docs/audit/013_SCORECARD_GOVERNANCE_ALERT_MAPPING.MD | Added merge gate requirement and dismissal protocol for non-remediable heuristic alerts |
| .github/pull_request_template.md | New mandatory German PR template with structured sections and checklists |
| AGENTS.md | Translated to German and expanded with detailed PR requirements, merge gates, and code scanning zero-alert policy |
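The review above describes a fail-closed check that blocks the merge while any open code scanning alert exists. As an added example (not the project's tools/ci/check-code-scanning-tools-zero.sh), this shell sketch shows the shape such a gate needs: the merge is allowed only when the open-alert count is proven to be zero, and an API error, missing token or malformed count blocks it rather than passing. Assumed: the GitHub CLI `gh` with a GH_TOKEN carrying security-events read access, GITHUB_REPOSITORY in owner/name form, and an opt-in variable CODE_SCANNING_GATE_RUN that is this example's own.

```shell
#!/usr/bin/env bash
# Added example of a fail-closed code scanning merge gate; not the project's
# own tools/ci/check-code-scanning-tools-zero.sh. Passes ONLY when the number
# of open alerts is provably 0; any error or unparseable result blocks the merge.
set -eu

# Decide on a raw alert count. Exit status: 0 = proven zero (merge allowed),
# 1 = open alerts exist, 2 = count missing or malformed (fail closed).
evaluate_alert_count() {
  raw="${1-}"
  case "$raw" in
    ''|*[!0-9]*)
      echo "gate: alert count undetermined (got '${raw}'); failing closed" >&2
      return 2 ;;
  esac
  if [ "$raw" -ne 0 ]; then
    echo "gate: ${raw} open code scanning alert(s); merge blocked" >&2
    return 1
  fi
  echo "gate: 0 open code scanning alerts; merge allowed"
}

# Sum the open alerts across all pages. `gh api --paginate --jq` applies the
# jq filter per page, so one length per line is summed here. Returns non-zero
# (and prints nothing) when the API call fails, so the caller cannot mistake
# an error for "zero alerts". Endpoint and flags are those of the real gh CLI;
# the repo argument and per_page value are this example's assumptions.
fetch_open_alert_count() {
  repo="$1"
  pages="$(gh api --paginate \
    "repos/${repo}/code-scanning/alerts?state=open&per_page=100" \
    --jq 'length')" || return 1
  printf '%s\n' "$pages" | awk '{ s += $1 } END { print s + 0 }'
}

# Live run only when explicitly enabled (assumed opt-in variable), so the
# functions above can also be sourced and exercised offline.
if [ "${CODE_SCANNING_GATE_RUN:-0}" = "1" ]; then
  : "${GH_TOKEN:?GH_TOKEN is required; refusing to run without credentials}"
  repo="${GITHUB_REPOSITORY:?GITHUB_REPOSITORY (owner/name) is required}"
  if ! count="$(fetch_open_alert_count "$repo")"; then
    echo "gate: code scanning API query failed; failing closed" >&2
    exit 2
  fi
  evaluate_alert_count "$count"
fi
```

In CI the script's own non-zero exit is what makes the preflight job red; nothing downstream should convert an exit code of 2 into a pass.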
Pull request overview
Copilot reviewed 17 out of 18 changed files in this pull request and generated 5 comments.
Processing of the open Copilot threads (iterative, fail-closed):
All required checks are green after the fix push.

Goal & scope

AGENTS.md, PR template, CI preflight gates, governance policy, Scorecard token hardening, FsCheck-based fuzzing signal test, versioning to 5.1.3.
SECURITY.md.

Completed tasks (check off)

- AGENTS.md extended to an iterative, German, fail-closed working model.
- preflight extended: PR governance check + security/code-scanning/tools zero check as blockers.
- SECURITY_CLAIMS_TOKEN: switched over for more robust governance evaluation.
- 5.1.3 propagated (RepoVersion/Version/PackageVersion/History/Changelog).

Follow-ups from review (iterative)

- resolved (incl. outdated)

Security and merge gates

- security/code-scanning/tools: 0 open alerts

Evidence (auditable)

- `dotnet test tests/FileTypeDetectionLib.Tests/FileTypeDetectionLib.Tests.csproj -c Release -v minimal`
- `bash tools/ci/bin/run.sh naming-snt`
- `python3 tools/check-doc-consistency.py`
- `bash -n tools/ci/check-pr-governance.sh`
- `bash -n tools/ci/check-code-scanning-tools-zero.sh`

DoD (at least 2 per item)

- preflight calls the zero-alert check
- fail
- 5.1.3

Risks / open items

Details

MaintainedID, CIIBestPracticesID, CodeReviewID) are in part not remediable purely on the code side and may have to be closed with a justified dismissal plus evidence logic.