
@jamesbhobbs jamesbhobbs commented Oct 9, 2025

chore: add qlty configuration and CI checks

Summary

This PR adds qlty code quality and security scanning to the jupyterlab-deepnote repository, mirroring the setup from deepnote/deepnote. The changes include:

  • New CI workflow (.github/workflows/ci.yml) that runs qlty checks and code smell analysis
  • Qlty configuration (.qlty/qlty.toml) with security plugins (actionlint, trufflehog, osv-scanner) and code smell thresholds
  • Updated .gitignore to exclude qlty cache directories

The qlty tool will scan for:

  • Security issues: secrets in code, vulnerabilities in dependencies
  • GitHub Actions issues: workflow linting with actionlint
  • Code smells: cognitive complexity, function length, nested control flow, etc.

Review & Testing Checklist for Human

  • Trigger CI and verify qlty job runs successfully - The qlty configuration was copied from a Node.js project to this Python project, so it needs verification
  • Review whether ci.yml should be integrated with existing build.yml instead of being a separate workflow
  • Check if exclusion patterns in qlty.toml are appropriate for this project's directory structure
  • Verify the code smell thresholds make sense for this codebase's conventions

Notes

  • This mirrors the qlty setup from deepnote/deepnote repository as requested
  • Unlike vscode-deepnote, this repo doesn't use husky pre-commit hooks, so qlty only runs in CI
  • Action versions are pinned to specific SHA commits for security/reproducibility

Link to Devin run: https://app.devin.ai/sessions/7df2a76e10f2447faf46c3c41fd5cc8c
Requested by: James Hobbs (@jamesbhobbs)

Summary by CodeRabbit

  • Chores
    • Added a CI workflow to run automated quality and security scans on pushes and pull requests, with controlled concurrency and short job timeouts.
    • Ignored tool-generated caches, logs, and output directories to keep repository clean.
    • Added a project-wide quality configuration enabling multiple scanners and code-smell detection with sensible exclusions and thresholds.
    • No user-facing functionality changes.
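The PR description points out that action versions are pinned to specific commit SHAs for security and reproducibility. As an added example, not code from this PR or from the qlty project, the following Python script checks a workflow file for that property: every third-party `uses:` reference must point at a full 40-character hexadecimal commit SHA rather than a mutable tag or branch. The sample workflow, the `example-org/example-scanner` action name and the all-`a`/all-`b` SHAs are constructed placeholders.

```python
"""Flag GitHub Actions `uses:` references that are not pinned to a full commit SHA.

Added example for this PR discussion; the workflow text below is constructed
and the SHAs are placeholders, not real commits.
"""
import re
from typing import Dict, List

# Matches `uses: owner/repo[/path]@ref`, with or without a leading `- ` and quotes.
# Group 1 is the action, group 2 the ref. A trailing `# v4.2.2` comment is not
# captured because the ref pattern stops at whitespace or `#`.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^@"\'\s]+)@([^"\'\s#]+)', re.MULTILINE)

# A full 40-hex SHA is the only immutable reference; short SHAs, tags and
# branches can be moved and are therefore reported as unpinned.
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def find_action_refs(workflow_yaml: str) -> List[Dict[str, object]]:
    """Return every remote action reference with a `pinned` verdict."""
    refs: List[Dict[str, object]] = []
    for match in USES_RE.finditer(workflow_yaml):
        action, ref = match.group(1), match.group(2)
        # Local composite actions and docker images are out of scope here.
        if action.startswith(("./", "docker://")):
            continue
        refs.append({"action": action, "ref": ref,
                     "pinned": bool(FULL_SHA_RE.match(ref))})
    return refs


def unpinned_actions(workflow_yaml: str) -> List[str]:
    """List `action@ref` strings that are not pinned to a full commit SHA."""
    return [f"{r['action']}@{r['ref']}"
            for r in find_action_refs(workflow_yaml) if not r["pinned"]]


# Constructed sample workflow: two SHA-pinned steps, one tag-pinned step,
# and one local action that the checker deliberately ignores.
SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]
permissions:
  contents: read
jobs:
  qlty:
    runs-on: ubuntu-latest
    timeout-minutes: 3
    steps:
      - uses: actions/checkout@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa # v4 (placeholder SHA)
      - name: Install scanner
        uses: example-org/example-scanner/install@bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb # placeholder SHA
      - name: Step pinned only to a mutable tag
        uses: example-org/example-scanner@v4
      - name: Local composite action (not checked)
        uses: ./.github/actions/local
"""

if __name__ == "__main__":
    for bad in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"unpinned action reference: {bad}")
```

Run it over each file in `.github/workflows/` as a CI step of its own, or as the check behind a review comment; the script exits silently when every remote action is SHA-pinned.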

@devin-ai-integration
🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR that start with 'DevinAI' or '@devin'.
  • Look at CI failures and help fix them

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

coderabbitai bot commented Oct 9, 2025

Walkthrough

Adds a GitHub Actions CI workflow at .github/workflows/ci.yml that runs a single job "Qlty Check" on pushes to main and on pull requests. The workflow uses concurrency to cancel in-progress runs for non-main branches, limits permissions to read, and sets a 3-minute job timeout. Steps: checkout repository, install the qlty action, run qlty check, and run qlty code-smells. Adds .qlty/qlty.toml defining plugins, a default source, exclusion patterns, and code-smell detectors with thresholds. Updates .gitignore to ignore .qlty cache/output/log directories.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Dev as Developer
  participant GH as GitHub
  participant Runner as Actions Runner
  participant Repo as Repository
  participant Qlty as qlty Action

  Dev->>GH: Push to main / Open PR
  GH-->>Runner: Trigger "Qlty Check" workflow
  note right of GH: concurrency: cancel in-progress (non-main)
  Runner->>Repo: actions/checkout
  Runner->>Qlty: Install qlty action
  Runner->>Qlty: Run "qlty check"
  Qlty-->>Runner: Check results
  Runner->>Qlty: Run "qlty code-smells"
  Qlty-->>Runner: Smell analysis results
  Runner-->>GH: Report job status (timeout 3m, permissions: read)
Pre-merge checks

✅ Passed checks (3 passed)

  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title Check: Passed. The title succinctly and accurately describes the primary change (adding a Qlty configuration and CI checks) using a conventional commit style prefix for clarity and context. It directly reflects the main focus of the pull request without unnecessary detail or jargon.
  • Docstring Coverage: Passed. No functions found in the changes. Docstring coverage check skipped.

@jamesbhobbs jamesbhobbs marked this pull request as ready for review October 9, 2025 16:15
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 45fb503 and 256267e.

📒 Files selected for processing (3)
  • .github/workflows/ci.yml (1 hunks)
  • .gitignore (1 hunks)
  • .qlty/qlty.toml (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: build
  • GitHub Check: Check Links
  • GitHub Check: check_release

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 45fb503 and 256267e.

📒 Files selected for processing (3)
  • .github/workflows/ci.yml (1 hunks)
  • .gitignore (1 hunks)
  • .qlty/qlty.toml (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: build
  • GitHub Check: check_release

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 256267e and 3fa49f9.

📒 Files selected for processing (1)
  • .qlty/qlty.toml (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: check_release
  • GitHub Check: build

andyjakubowski previously approved these changes Oct 10, 2025
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
@jamesbhobbs jamesbhobbs enabled auto-merge (squash) October 10, 2025 09:54
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3fa49f9 and ad38b20.

📒 Files selected for processing (1)
  • .qlty/qlty.toml (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: build
  • GitHub Check: check_release

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3fa49f9 and ad38b20.

📒 Files selected for processing (1)
  • .qlty/qlty.toml (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: build
  • GitHub Check: check_release

@jamesbhobbs jamesbhobbs disabled auto-merge October 10, 2025 10:00
@jamesbhobbs jamesbhobbs merged commit 99eb48f into main Oct 10, 2025
7 checks passed