CI/CD Quality Gates for Ruff and Pyright

Block merges when code quality fails. Run comprehensive checks in CI that catch issues missed locally.

GitHub Actions

Basic Quality Check

Create .github/workflows/quality.yml:

name: Code Quality

on:
  pull_request:
  push:
    branches: [main]

jobs:
  quality:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
          python-version: '3.11'

      - name: Install dependencies
        run: |
          pip install ruff pyright
          pip install -r requirements.txt

      - name: Run ruff
        run: |
          ruff check .
          ruff format --check .

      - name: Run pyright
        run: pyright

Comprehensive Check with Caching

name: Code Quality

on:
  pull_request:
  push:
    branches: [main]

jobs:
  quality:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
          python-version: '3.11'
          cache: 'pip'

      - name: Install dependencies
        run: |
          pip install ruff pyright
          pip install -r requirements.txt

      - name: Lint with ruff
        run: ruff check . --output-format=github

      - name: Check formatting
        run: ruff format --check . --diff

      - name: Type check with pyright
        run: pyright --outputjson > pyright-report.json

      - name: Upload pyright report
        if: failure()
        uses: actions/upload-artifact@v4
        with:
          name: pyright-report
          path: pyright-report.json

GitLab CI

Create .gitlab-ci.yml:

code-quality:
  stage: test
  image: python:3.11
  before_script:
    - pip install ruff pyright
    - pip install -r requirements.txt
  script:
    - ruff check .
    - ruff format --check .
    - pyright
  rules:
    - if: $CI_MERGE_REQUEST_IID
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH

Quality Metrics

Track Quality Over Time

- name: Generate quality report
  run: |
    ruff check . --output-format=json > ruff-report.json
    pyright --outputjson > pyright-report.json

- name: Comment PR with quality metrics
  uses: actions/github-script@v7
  with:
    script: |
      const fs = require('fs');
      const ruffReport = JSON.parse(fs.readFileSync('ruff-report.json'));
      const pyrightReport = JSON.parse(fs.readFileSync('pyright-report.json'));

      const comment = `## Code Quality Report

      **Ruff:** ${ruffReport.length} issues
      **Pyright:** ${pyrightReport.generalDiagnostics.length} issues
      `;

      github.rest.issues.createComment({
        issue_number: context.issue.number,
        owner: context.repo.owner,
        repo: context.repo.repo,
        body: comment
      });

Branch Protection Rules

GitHub

Settings → Branches → Branch protection rules:

Require status checks to pass before merging
Select "Code Quality" workflow
Require branches to be up to date before merging

GitLab

Settings → Repository → Protected branches:

Allowed to merge: Developers + Maintainers
Require approval from code owners
Pipelines must succeed

Best Practices

Fail fast - Run quality checks before tests
Cache dependencies - Speed up CI with pip caching
Parallel jobs - Run ruff and pyright in parallel
Quality trends - Track violations over time
Auto-fix in CI - Create PR with ruff fixes automatically

Auto-fix Bot Example

- name: Auto-fix with ruff
  run: ruff check --fix .

- name: Commit fixes
  run: |
    git config user.name "ruff-bot"
    git config user.email "bot@example.com"
    git add .
    git diff --staged --quiet || git commit -m "style: auto-fix ruff violations"
    git push

Troubleshooting

CI passes but pre-commit fails:

Ensure same ruff/pyright versions in CI and pre-commit
Check .pre-commit-config.yaml rev matches installed version

CI too slow:

Use pip caching
Run quality checks in parallel with tests
Consider skipping pyright on non-Python file changes

4.1 KiB Raw Blame History