Skip to content

feat: add Debian checkstyle official evidence#137

Merged
SSobol77 merged 1 commit into
mainfrom
feature/f4-linux-deb-checkstyle-official-evidence
Jul 10, 2026
Merged

feat: add Debian checkstyle official evidence#137
SSobol77 merged 1 commit into
mainfrom
feature/f4-linux-deb-checkstyle-official-evidence

Conversation

@SSobol77

Copy link
Copy Markdown
Owner

Summary

Add verified official-source distro evidence for the existing Debian checkstyle mapping.

This PR promotes exactly one additional existing mapping:

  • artifact: deb
  • source policy artifact: deb
  • distro family: debian
  • tool: checkstyle
  • package name: checkstyle
  • executable name: checkstyle

After this PR, exactly six generated Debian evidence records are verified-official-source:

  • deb/yamllint
  • deb/shellcheck
  • deb/clang-tidy
  • deb/cppcheck
  • deb/clang-format
  • deb/checkstyle

No Docker helper or non-Debian mapping is promoted.

What changed

  • Extended OFFICIAL_DISTRO_EVIDENCE_BY_POLICY with one new override:

    • ("deb", "checkstyle")
  • Generated evidence for deb/checkstyle now uses:

    • evidence_source_type = official-distro-metadata
    • evidence_status = verified-official-source
    • official_source_kind = distro-package-index
    • verification_scope = package-name-and-executable
    • official_source_url = https://packages.debian.org/checkstyle
    • evidence_record_id = official-distro-metadata:deb:checkstyle
    • external_verification_required_for_new_mappings = false
    • release_blocking = false

Official Debian evidence basis

The evidence note references:

  • Debian package metadata:
    • https://packages.debian.org/checkstyle
  • Debian source package metadata:
    • https://packages.debian.org/source/stable/checkstyle
  • Debian tracker metadata:
    • https://tracker.debian.org/pkg/checkstyle
  • Debian manpage metadata:
    • https://manpages.debian.org/testing/checkstyle/checkstyle.1.en.html

These sources are used only as evidence for the existing package/executable mapping. No versions are added as contract fields.

Promotion boundary

Existing official evidence is preserved:

  • deb/yamllint
  • deb/shellcheck
  • deb/clang-tidy
  • deb/cppcheck
  • deb/clang-format

Docker helper mappings are intentionally not promoted:

  • docker-deb-helper/yamllint remains repository-local-policy/current-policy-baseline
  • docker-deb-helper/shellcheck remains repository-local-policy/current-policy-baseline
  • docker-deb-helper/clang-tidy remains repository-local-policy/current-policy-baseline
  • docker-deb-helper/cppcheck remains repository-local-policy/current-policy-baseline
  • docker-deb-helper/clang-format remains repository-local-policy/current-policy-baseline
  • docker-deb-helper/checkstyle remains repository-local-policy/current-policy-baseline

RPM/openSUSE/Arch/Slackware mappings remain unchanged. Since all Debian approved package-manager mappings are now promoted, repository-local baseline regression coverage uses RPM yamllint as the non-promoted package-manager sentinel.

Scope controls

This PR does not:

  • add package names
  • change OS_PACKAGE_NAMES
  • change executable names
  • add package versions as contract fields
  • add checksums
  • run package managers
  • download anything
  • perform network operations
  • vendor binaries or archives
  • add generated artifacts
  • weaken the Full-required baseline
  • reclassify required tools as optional
  • touch UI/provider/parser/runtime/TextMate/theme code

Verifier behavior

The existing promotion gate remains enforced.

Added/updated tests verify rejection of tampered deb/checkstyle official evidence, including:

  • official source URL drift
  • official source kind drift
  • verification scope drift
  • verified package-name drift
  • verified executable-name drift
  • source type downgrade to repository-local-policy
  • missing verification note
  • evidence record ID downgrade to repository-local-policy:deb:checkstyle

Validation

Passed locally / by agent report:

uv run ruff check src tests scripts
uv run ruff format --check src tests scripts
uv run python scripts/check_runtime_imports.py
uv run pytest -q tests/packaging/test_f4_linter_linux_provisioning.py
uv run pytest -q tests/packaging
uv run pytest -q tests/extensions/linters
uv run pytest -q tests/docs

Observed results:

tests/packaging/test_f4_linter_linux_provisioning.py: 116 passed
tests/packaging: 489 passed
tests/extensions/linters: 226 passed
tests/docs: 18 passed

Safety:

No new package names.
No OS_PACKAGE_NAMES changes.
No executable-name changes.
No package versions as contract fields.
No checksums.
No package-manager calls.
No downloads.
No network operations.
No generated artifacts.
No vendored binaries.
No UI/provider/parser/runtime/TextMate/theme changes.

Next work

A follow-up PR should consolidate the official Debian evidence registry to reduce repeated literal metadata before promoting other distro families.

@coderabbitai

coderabbitai Bot commented Jul 10, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@SSobol77, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 18 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 98001d91-0e97-4e25-92d5-1a01560b2571

📥 Commits

Reviewing files that changed from the base of the PR and between 9a7b8c5 and 50679d4.

📒 Files selected for processing (2)
  • scripts/f4_linter_linux_provisioning.py
  • tests/packaging/test_f4_linter_linux_provisioning.py
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feature/f4-linux-deb-checkstyle-official-evidence

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@sonarqubecloud

Copy link
Copy Markdown

@SSobol77 SSobol77 merged commit d771012 into main Jul 10, 2026
5 checks passed
@SSobol77 SSobol77 deleted the feature/f4-linux-deb-checkstyle-official-evidence branch July 10, 2026 00:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant