
fix(ci): limit Qodana code-scanning noise to blockers #101

Merged
tomtastisch merged 4 commits into main from codex/fix/code-scanning-zero-noise-gate on Feb 19, 2026

Conversation

@tomtastisch tomtastisch (Owner) commented Feb 19, 2026

Goal & Scope

  • Goal: converge security/code-scanning/tools for Qodana on policy-relevant blockers so that alert noise no longer remains a merge blocker.
  • Scope: only the CI/Qodana contract, the SARIF upload path and the associated PR label detection for Qodana workflows. No product-logic change.

Completed tasks (checked off)

  • Extended QodanaContractValidator with --filtered-sarif-out.
  • Implemented filter logic: the upload SARIF contains only findings with severity High+, excluding explicitly non-blocking rule IDs.
  • tools/ci/bin/run.sh qodana writes/verifies qodana.upload.sarif.json fail-closed.
  • Switched .github/workflows/qodana.yml to the filtered upload SARIF.
  • Extended label mapping: changes to .github/workflows/qodana.yml deterministically set area:qodana.

Follow-up fixes from review (iterative)

  • Fixed top-level statement ordering in Program.cs (CS8803).
  • Validated end-to-end locally against a real ci-qodana artifact (filtered results = 0).
  • Made the preflight exception for Qodana cleanup PRs robust (label rule for the workflow file).

Security and merge gates

  • Fail-closed retained: blocker findings (High+ except the non-blocking allowlist) still make the check fail.
  • Upload to Code Scanning uses only policy-relevant SARIF (no more unfiltered noise SARIF).
  • Target state: security/code-scanning/tools and 0 open alerts for policy-relevant findings.

Evidence (auditable)

  • dotnet build tools/ci/checks/QodanaContractValidator/QodanaContractValidator.csproj -c Release
  • gh run download 22185505457 -n ci-qodana -D /tmp/qodana-main-22185505457-...
  • QODANA_TOKEN=dummy dotnet .../QodanaContractValidator.dll --sarif /tmp/.../qodana.sarif.json --filtered-sarif-out /tmp/.../qodana.upload.sarif.json
  • jq '[.runs[].results|length] | add' /tmp/.../qodana.upload.sarif.json => 0
  • QODANA_TOKEN=dummy bash tools/ci/bin/run.sh qodana
  • jq -r '.status + " | " + .check_id' artifacts/ci/qodana/result.json => pass | qodana

DoD (at least 2 per item)

  • Item A: Filtered SARIF

    • DoD1: CLI accepts --filtered-sarif-out and writes the file deterministically.
    • DoD2: Filtered SARIF contains only blocker-relevant findings (test artifact: 0 results).
  • Item B: CI integration

    • DoD1: run.sh qodana validates the existence of the filtered output fail-closed.
    • DoD2: Workflow uploads exclusively artifacts/ci/qodana/qodana.upload.sarif.json.
  • Item C: Security behaviour

    • DoD1: High+ blockers remain hard-failing unchanged (CI-QODANA-004).
    • DoD2: Toolset/environment warnings remain visible without watering down the gate.
  • Item D: Governance stability

    • DoD1: PR labeling sets area:qodana even for workflow-only Qodana changes.
    • DoD2: code-scanning-tools-zero can deterministically use the intended exception path for Qodana cleanup PRs.
  • Preflight query deterministically switches to the PR ref on Qodana file changes (without label race).
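The filter rule the PR describes (keep only High+ findings, drop explicitly non-blocking rule IDs, count the remaining results the way the jq evidence does), as an added Python example that is not the project's C# QodanaContractValidator. It assumes Qodana's SARIF carries severity in result.properties.qodanaSeverity with a fallback to the standard SARIF result.level; the allowlist, rule IDs and sample log are constructed.

```python
import json
from copy import deepcopy

# "High+" as used in the PR: High and Critical (assumption: Qodana severity names).
BLOCKING_SEVERITIES = {"Critical", "High"}
# Fallback from the standard SARIF result.level when qodanaSeverity is absent (assumption).
LEVEL_TO_SEVERITY = {"error": "High", "warning": "Moderate", "note": "Low", "none": "Info"}
# Constructed allowlist of explicitly non-blocking rule IDs (placeholder, not the project's list).
NON_BLOCKING_RULE_IDS = {"ExampleNonBlockingRule"}


def extract_severity(result: dict) -> str:
    """Severity of one SARIF result; unknown levels are treated as High (fail-closed)."""
    props = result.get("properties") or {}
    sev = props.get("qodanaSeverity")
    if isinstance(sev, str) and sev:
        return sev
    return LEVEL_TO_SEVERITY.get(result.get("level", "error"), "High")


def is_blocker(result: dict, non_blocking: set = NON_BLOCKING_RULE_IDS) -> bool:
    """A result blocks the merge iff it is High+ and its rule is not allowlisted."""
    if result.get("ruleId") in non_blocking:
        return False
    return extract_severity(result) in BLOCKING_SEVERITIES


def filter_sarif(sarif: dict, non_blocking: set = NON_BLOCKING_RULE_IDS) -> dict:
    """Copy of the SARIF log that keeps only blocker results in every run (input untouched)."""
    out = deepcopy(sarif)
    for run in out.get("runs", []):
        run["results"] = [r for r in run.get("results", []) if is_blocker(r, non_blocking)]
    return out


def count_results(sarif: dict) -> int:
    """Same value as jq '[.runs[].results|length] | add' in the PR evidence."""
    return sum(len(run.get("results", [])) for run in sarif.get("runs", []))


# Constructed sample log with mixed severities (not a real Qodana artifact).
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{"tool": {"driver": {"name": "Qodana"}}, "results": [
        {"ruleId": "ExampleModerateRule", "level": "warning", "properties": {"qodanaSeverity": "Moderate"}},
        {"ruleId": "ExampleHighRule", "level": "error", "properties": {"qodanaSeverity": "High"}},
        {"ruleId": "ExampleNonBlockingRule", "level": "error", "properties": {"qodanaSeverity": "Critical"}},
        {"ruleId": "ExampleNoSeverityRule", "level": "note"},
    ]}],
}

if __name__ == "__main__":
    filtered = filter_sarif(SAMPLE_SARIF)
    print(json.dumps(filtered, indent=2))
    print("filtered results:", count_results(filtered))
```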

Copilot AI review requested due to automatic review settings February 19, 2026 14:29
@github-actions github-actions bot added area:pipeline area:tooling fix Bugfix impl:config versioning:patch Fix/Refactor/Docs/CI/Tooling; requires PATCH bump labels Feb 19, 2026

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 25a768c592


Copilot AI (Contributor) left a comment


Pull request overview

This pull request limits Qodana code scanning uploads to policy-relevant blocker findings (High+ severity), filtering out noise from non-critical issues. The goal is to converge the security/code-scanning/tools alerts to only show blocking findings, while still validating all findings locally.

Changes:

  • Added filtering logic to QodanaContractValidator to generate a separate upload SARIF containing only High+ severity findings (excluding explicitly non-blocking rule IDs)
  • Updated CI script to invoke the validator with --filtered-sarif-out and verify the filtered output exists
  • Modified GitHub Actions workflow to upload the filtered SARIF instead of the full SARIF to Code Scanning

Reviewed changes

Copilot reviewed 4 out of 5 changed files in this pull request and generated 2 comments.

Files and descriptions:

  • tools/ci/checks/QodanaContractValidator/Program.cs: Added --filtered-sarif-out parameter parsing, implemented TryWriteFilteredSarif function to filter SARIF results based on severity and non-blocking rule IDs, added helper function ExtractSeverityFromNode to extract severity from JsonNode objects
  • tools/ci/bin/run.sh: Updated run_qodana_contract to pass --filtered-sarif-out parameter and verify the filtered SARIF file exists
  • .github/workflows/qodana.yml: Changed SARIF upload path from qodana.sarif.json to qodana.upload.sarif.json

@tomtastisch tomtastisch merged commit 29ad987 into main Feb 19, 2026
26 checks passed
@tomtastisch tomtastisch deleted the codex/fix/code-scanning-zero-noise-gate branch February 19, 2026 14:41

Labels

area:pipeline area:qodana fix Bugfix impl:config versioning:patch Fix/Refactor/Docs/CI/Tooling; requires PATCH bump
