Problem
Several CI workflow parameters are configured to soft-fail (warnings only) on both the PR and main workflows, so lint and scan violations are reported but never block a merge or a main build. Additionally, dependency-scan-main compares refs/heads/main to itself: the diff is always empty, so the scan is a no-op and newly introduced vulnerable dependencies on main are never flagged.
Changes Required
pr-validation.yml (4 parameter changes + 1 version alignment)
shell-lint: soft-fail: true → soft-fail: false
terraform-lint: soft-fail: true → soft-fail: false
code-quality-lint: soft-fail: true → soft-fail: false
security-scan: grype-soft-fail: true → grype-soft-fail: false
docs-check-terraform: terraformDocsVersion: 'v0.19.0' → 'v0.20.0'
main.yml (3 polarity fixes + 1 security param + 1 dependency scan rewrite)
rust-clippy-main: break-build: false → break-build: true
docs-check-terraform-main: break_build: false → break_build: true
docs-check-bicep-main: break_build: false → break_build: true
security-monitoring: add fail-on-critical: true
dependency-scan-main: compare the commit main pointed at before the push with the pushed commit (commit-based refs) instead of comparing refs/heads/main to itself
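As an added illustration (not the repository's own main.yml), the fragment below shows the dependency-scan-main job in its no-op form beside the commit-based form, plus one soft-fail polarity fix. The dependency scan uses actions/dependency-review-action, whose base-ref, head-ref and fail-on-severity inputs are real; the composite action path ./.github/actions/security-scan and its grype-soft-fail input are assumed to stand in for whatever the repository's security-scan job actually calls.

```yaml
# Added example, not the project's own workflow. Assumed: the composite action
# path ./.github/actions/security-scan and its grype-soft-fail input.
name: main

on:
  push:
    branches: [main]

permissions:
  contents: read

jobs:
  # BEFORE: both refs resolve to the same commit, so the dependency diff is
  # always empty and the job can never fail, whatever was just merged.
  dependency-scan-main-before:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/dependency-review-action@v4
        with:
          base-ref: refs/heads/main
          head-ref: refs/heads/main
          fail-on-severity: critical   # never triggers: nothing to compare

  # AFTER: diff the commit main pointed at before this push against the commit
  # just pushed. github.event.before is forty zeros when the branch is created,
  # so there is no previous commit to compare; skip the job in that case.
  dependency-scan-main:
    runs-on: ubuntu-latest
    if: github.event.before != '0000000000000000000000000000000000000000'
    steps:
      - uses: actions/dependency-review-action@v4
        with:
          base-ref: ${{ github.event.before }}
          head-ref: ${{ github.sha }}
          fail-on-severity: critical   # now fails the build on a real finding

  # Polarity fix for a soft-failing scanner: the weak value is kept as a
  # comment so the change is visible in review.
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/security-scan   # assumed composite action path
        with:
          grype-soft-fail: false   # was: true (findings only produced warnings)
```

One caveat a practitioner should expect: after a force push to main, github.event.before may reference a commit that is no longer reachable, and the compare will fail rather than silently pass; that is the safer failure mode, but it is worth knowing when reading the job log.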
Acceptance Criteria
Related