Pre-merge PR quality gate. 40+ checks: diff size, tests, security, conventional commits, breaking changes, reviewer routing.
Updated Jun 2026
# Git PR Quality Gate
The "I should have caught this in code review" skill. Runs every PR through 40+ checks before a human ever looks at it. Catches the bugs that slip past four pairs of reviewer eyes and break prod at 3am.
## What it does
A single pass over a pull request (or branch diff) that checks:
- **Diff size** — files changed, lines added/removed, complexity delta
- **Test coverage** — new code covered? existing tests still pass?
- **Security** — secrets in diff, dependency changes, dangerous APIs
- **Code quality** — lint, type errors, complexity hotspots, dead code
- **Commit hygiene** — conventional commits, signed commits, atomic commits
- **Documentation** — README, CHANGELOG, API docs updated
- **Breaking changes** — public API changes, migration notes, semver bump
- **Reviewer routing** — CODEOWNERS, expertise matching, load balancing
Returns a **PASS / HOLD / BLOCK** decision with a concrete fix list and copy-paste PR comments.
## When to use it
- You're a tech lead drowning in PRs and need a first-pass filter
- Your team merges PRs that "looked fine" but broke prod
- You want to enforce team standards automatically
- You need to justify "blocked" decisions to senior engineers
- You're scaling code review and need consistent quality
## Why it's better than ad-hoc prompting
Most "review this PR" prompts produce generic feedback. This skill is different:
- **Quantified** — every check has a threshold, returns pass/fail
- **Configurable** — per-team rules (max diff size, required reviewers)
- **Actionable** — every failure has a copy-paste PR comment
- **Tracks over time** — "your PRs are 30% bigger than team median"
- **Routes correctly** — knows which team owns which path
## Architecture
```
┌─────────────────────────────────────────────────────────┐
│ Agent (Claude/Cursor)                                   │
│  - Reads diff (git diff main..HEAD)                     │
│  - Calls audit script                                   │
│  - Synthesizes gate decision                            │
└───────────────┬─────────────────────────────────────────┘
                │
                ▼
┌─────────────────────────────────────────────────────────┐
│ skills/git-pr-quality-gate/                             │
│   scripts/                                              │
│   ├── audit_diff.py          # File-level checks        │
│   ├── audit_commits.py       # Commit message rules     │
│   ├── audit_security.py      # Secrets + dangerous APIs │
│   ├── audit_tests.py         # Coverage delta           │
│   ├── gate.py                # Combine → PASS/HOLD/BLOCK│
│   └── reviewer_routing.py    # CODEOWNERS + load balance│
│   references/                                           │
│   ├── checklist.md           # All 40+ checks           │
│   ├── conventional-commits.md                           │
│   └── reviewer-routing.md                               │
│   data/                                                 │
│   └── dangerous_apis.json    # 200+ flagged APIs        │
└─────────────────────────────────────────────────────────┘
```
## Quick start
```bash
# 1. Install
pip install gitpython
# 2. Audit current branch vs main
python scripts/audit_diff.py --base main --head HEAD
# 3. Audit a specific PR (gh CLI integration)
python scripts/audit_diff.py --pr 123
# 4. Check commit messages
python scripts/audit_commits.py --base main --head HEAD
# 5. Security scan
python scripts/audit_security.py --base main --head HEAD
# 6. Final gate decision
python scripts/gate.py --pr 123 --format markdown > review.md
# 7. Auto-route to reviewers
python scripts/reviewer_routing.py --pr 123
```
## Sample gate output
```
## PR #123: "Add user authentication" → 🟡 HOLD
### Blocking issues (must fix before merge)
- ❌ **Secret in diff** — `config/database.yml:14` contains `password: `
- ❌ **No tests added** — 247 lines new code, 0 test changes
### Major issues (should fix)
- ⚠️ **Diff too large** — 847 lines changed across 23 files (team limit: 400/15)
- ⚠️ **Public API breaking change** — `User#authenticate` signature changed, no CHANGELOG entry
- ⚠️ **Missing reviewer** — auth/ changes need @security-team approval (CODEOWNERS)
### Minor issues (nice to fix)
- 💡 3 commits not following conventional-commits format
- 💡 2 console.log left in src/auth.js
- 💡 README not updated for new env var AUTH_SECRET
### Reviewer routing
- @alice (auth expert, 2 PRs in queue)
- @bob (security, 5 PRs in queue) ← over-loaded, consider @carol
- @security-team (required by CODEOWNERS)
### Verdict: HOLD until blocking issues fixed.
```
## The 40+ checks (categories)
### Diff size (6 checks)
- Total lines changed < 400 (configurable)
- Files changed < 15
- No single file changed > 200 lines
- No binary files in source dirs
- Lockfile changes intentional
- No accidental formatting-only changes
### Tests (6 checks)
- New code has corresponding tests
- Existing tests still pass
- Coverage delta >= 0
- Mutation testing score (optional)
- E2E test for new user flows
- No `.only()` / `.skip()` left in tests
### Security (8 checks)
- No hardcoded secrets, tokens, API keys
- No new dependencies with known CVEs
- No use of `eval`, `exec`, `innerHTML`, `dangerouslySetInnerHTML`
- No SQL string concatenation
- No new CORS wildcard
- Auth changes touch auth tests
- No new env vars without docs
- No PII in test fixtures
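The security checks above, worked as a minimal version of what a script in the `audit_security.py` role has to do: parse the unified diff, audit only the added lines (with file and line tracking so a finding can be placed like `config/database.yml:14` in the sample output), and fold findings into a gate decision. This is an added example, not the skill's own code; the diff is constructed, the four regex rules and the severity-to-verdict mapping are assumptions, and the skill's `dangerous_apis.json` is not reproduced.

```python
import re
from collections import namedtuple

# Constructed unified diff standing in for `git diff main..HEAD` output.
SAMPLE_DIFF = """\
--- a/config/database.yml
+++ b/config/database.yml
@@ -12,1 +12,2 @@ production:
   adapter: postgresql
+  password: "hunter2-constructed-example"
--- a/src/auth.js
+++ b/src/auth.js
@@ -1,1 +1,3 @@
-const q = db.prepare("SELECT * FROM users WHERE id = ?");
+const q = "SELECT * FROM users WHERE id = " + req.params.id;
+res.set("Access-Control-Allow-Origin", "*");
+el.innerHTML = userInput;
"""
Finding = namedtuple("Finding", "severity rule path line")  # line = new-side line number

# (severity, rule, regex applied to each added line). Hypothetical rule set, not the skill's dangerous_apis.json.
RULES = [
    ("blocking", "hardcoded secret", re.compile(r"(?i)\b(password|secret|api[_-]?key|token)\b\s*[:=]\s*['\"][^'\"]+['\"]")),
    ("major", "dangerous API", re.compile(r"\b(eval|exec|innerHTML|dangerouslySetInnerHTML)\b")),
    ("major", "SQL string concatenation", re.compile(r"(?i)['\"]\s*(select|insert|update|delete)\b[^'\"]*['\"]\s*\+")),
    ("major", "CORS wildcard", re.compile(r"Access-Control-Allow-Origin['\"]?\s*[,:=]\s*['\"]\*['\"]")),
]

def audit_diff(diff_text):
    """Walk a unified diff, tracking file and new-side line number, and audit added lines only."""
    findings, path, lineno = [], "", 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")          # new-side file name
        elif raw.startswith("@@"):
            lineno = int(re.search(r"\+(\d+)", raw).group(1))
        elif raw.startswith("+"):                       # added line: apply every rule
            for severity, rule, pattern in RULES:
                if pattern.search(raw[1:]):
                    findings.append(Finding(severity, rule, path, lineno))
            lineno += 1
        elif raw.startswith(" "):                       # unchanged context line
            lineno += 1
    return findings                                     # removed lines ("-") are not audited

def gate(findings):
    """Assumed mapping: any blocking finding -> BLOCK, any other finding -> HOLD, none -> PASS."""
    if any(f.severity == "blocking" for f in findings):
        return "BLOCK"
    return "HOLD" if findings else "PASS"
```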
### Code quality (8 checks)
- Lint passes (eslint/ruff/etc.)
- Type check passes (tsc/mypy)
- No files > 500 lines
- Cyclomatic complexity < 10
- No TODO/FIXME without ticket link
- No commented-out code > 5 lines
- No `console.log` in src/
- No `print()` debug statements
### Commit hygiene (6 checks)
- Conventional commits format
- Commits are atomic (one logical change each)
- Commit subject lines < 72 chars
- All commits signed (GPG/SSH)
- No merge commits in feature branch
- No "WIP" or "fix" commits before merge
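An added example (not the skill's `audit_commits.py`) of the commit-hygiene rules that can be decided from `git log` metadata alone: conventional-commits format, subject length, merge commits on the branch, and placeholder messages, plus the `!` marker that the Conventional Commits spec ties to a MAJOR semver bump. The commit list is constructed; signature and atomicity checks need the commit objects themselves and are not shown.

```python
import re
from collections import namedtuple

# One entry per commit, as `git log --format='%H%x00%P%x00%s' main..HEAD` would yield after splitting.
Commit = namedtuple("Commit", "sha parents subject")

# Constructed feature-branch history (shas are placeholders).
SAMPLE_COMMITS = [
    Commit("a1b2c3d", ["9f8e7d6"], "feat(auth): add session token rotation"),
    Commit("b2c3d4e", ["a1b2c3d"], "WIP"),
    Commit("c3d4e5f", ["b2c3d4e"], "fix"),
    Commit("d4e5f60", ["c3d4e5f", "0f1e2d3"], "Merge branch 'main' into feature/auth"),
    Commit("e5f6071", ["d4e5f60"], "feat!: drop legacy /v1/login endpoint"),
    Commit("f607182", ["e5f6071"], "Updated the README and CHANGELOG and also fixed a typo in the auth middleware docs"),
]

# type(scope)!: description -- the Conventional Commits 1.0 header shape.
CONVENTIONAL = re.compile(r"^(feat|fix|docs|style|refactor|perf|test|build|ci|chore|revert)(\([\w./-]+\))?!?: \S.*$")
# Whole-subject placeholders that should be squashed or reworded before merge.
PLACEHOLDER = re.compile(r"^(wip|fix|fixes|update|updates|changes|stuff)\b[\s.!]*$", re.I)
# `!` after type/scope marks a breaking change, which requires a MAJOR bump.
BREAKING = re.compile(r"^\w+(\([\w./-]+\))?!: ")

def check_commit(c):
    """Return the list of rule violations for one commit (empty list = clean)."""
    problems = []
    if not CONVENTIONAL.match(c.subject):
        problems.append("not conventional-commits format")
    if len(c.subject) >= 72:
        problems.append(f"subject is {len(c.subject)} chars (limit 72)")
    if len(c.parents) > 1:                      # two parents = merge commit
        problems.append("merge commit in feature branch")
    if PLACEHOLDER.match(c.subject):
        problems.append("placeholder message (squash or reword)")
    return problems

def audit_commits(commits):
    """Map sha -> problems, keeping only commits that have at least one."""
    return {c.sha: p for c in commits if (p := check_commit(c))}

def breaking_commits(commits):
    """Shas whose header carries the `!` breaking-change marker."""
    return [c.sha for c in commits if BREAKING.match(c.subject)]
```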
### Documentation (4 checks)
- README updated if public API changed
- CHANGELOG entry for user-facing change
- Inline doc comments for new public functions
- OpenAPI/GraphQL schema updated
### Breaking changes (4 checks)
- Public API signature change → MAJOR semver bump
- Database migration reversible
- Deprecation warnings on removed features
- Migration guide in PR description
## Pricing
Single-purchase, lifetime access. $8.00.
Includes:
- 6 Python audit scripts
- 3 reference docs (checklist, commits, routing)
- 200+ flagged dangerous APIs
- Team config template
- Future updates for the same major version
## Example usage
> "Review PR #123. Tell me if it's mergeable and who should look at it."
The skill will:
1. Fetch the diff via `gh pr diff`
2. Run all 40+ checks
3. Identify blocking vs nice-to-have issues
4. Generate copy-paste PR comments
5. Route to the right reviewers via CODEOWNERS
6. Output a `review.md` you can attach to the PR
## Compatibility
Works with any agent that supports the SKILL.md standard and can execute Python: Claude Code, OpenClaw, Codex CLI, Cursor, Gemini CLI, Cline, Windsurf, Aider. Works with GitHub, GitLab, Bitbucket (via `gh` / `glab` CLIs). Tested on Linux, macOS, Windows.
## Tags
git, code-review, devops, ci-cd, quality, security, testing, pull-request, engineering