
Register Quality Tiger Team plugin with quality analysis skills#4

Merged
astefanutti merged 3 commits into
opendatahub-io:mainfrom
antowaddle:register-quality-tiger-team-skills
Apr 9, 2026

Conversation

antowaddle (Contributor) commented Apr 8, 2026

Summary

  • Registers the quality-tiger-team plugin (antowaddle/Red-Hat-Quality-Tiger-Team) in the skills registry
  • Adds 3 user-invocable skills for RHOAI component quality improvement
  • Updates registry.yaml, marketplace.json, and catalog.md

Skills

| Skill | Description |
|-------|-------------|
| `quality-repo-analysis` | Automated analysis tool that evaluates CI/CD, testing, security, and best practices against gold standards |
| `konflux-build-simulator` | Generate GitHub Actions workflows that simulate Konflux builds at PR time to catch failures before merge |
| `test-rules-generator` | Extract test patterns from existing tests and generate .claude/rules/ documentation for consistency |

Install

```bash
/plugin install quality-tiger-team@opendatahub-skills
```

Summary by CodeRabbit

  • New Features

    • Added the quality-tooling plugin (v1.0.0) with three evaluation commands:
      • /quality-repo-analysis — analyze repository quality
      • /konflux-build-simulator — simulate build processes
      • /test-rules-generator — generate testing rules
  • Documentation

    • Added catalog and registry entries describing the new plugin, commands, tags, version, source, and install instructions for users.

coderabbitai (Bot) commented Apr 8, 2026

Walkthrough

This pull request adds a new plugin entry named quality-tooling (v1.0.0) in .claude-plugin/marketplace.json, registers the same plugin in registry.yaml, and documents a new skill quality-tooling in catalog.md. The plugin is categorized as evaluation, sources from the GitHub repository antowaddle/Red-Hat-Quality-Tiger-Team (ref: main), and declares three user-invocable commands: /quality-repo-analysis, /konflux-build-simulator, and /test-rules-generator.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Issues

  • Supply chain integrity (CWE-426): external source.ref uses main instead of a pinned commit or signed release. Action: require a specific commit SHA or signed release tag before merge.
  • Remote code execution / command injection (CWE-94, CWE-78): declared skills likely execute code from the external repository. Action: review each skill implementation for unsafe eval/exec/system calls and enforce sandboxing and least-privilege execution.
  • Deserialization / dependency risks (CWE-502) and vulnerable libraries (CVE-*): external repo may introduce insecure deserialization or vulnerable dependencies. Action: generate SBOM, run SCA, pin dependency versions, and block merge on high/critical CVEs.
  • Path/manifest consistency: catalog/registry list skills /quality-repo-analysis, /konflux-build-simulator, /test-rules-generator — verify repository layout and that skill entrypoints exactly match these names. Action: validate repo tree and entrypoint mappings.
  • Metadata integrity: manifests reference an external repo without integrity hashes or signed manifest. Action: include SHA256 checksums or signed manifests for external artifacts and verify on install.
🚥 Pre-merge checks | ✅ 2

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|------------|--------|-------------|
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main change: registering a quality analysis plugin (quality-tooling) with its associated skills in the registry. |


coderabbitai (Bot) left a review

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@registry.yaml`:
- Around line 142-146: The registry.yaml currently references the plugin repo by
mutable branch name (ref: main) which is a supply-chain risk; change the source
ref in registry.yaml from the branch name to an immutable identifier (a commit
SHA or a signed tag) for the repository specified under source.repo
(antowaddle/Red-Hat-Quality-Tiger-Team) and ensure any tooling that generates
.claude-plugin/marketplace.json also records the same immutable ref (not the
branch) so installs always fetch the pinned revision; update codepaths that read
source.ref to accept and validate SHA/tag formats if needed and re-run
generation so marketplace.json contains the pinned revision as well.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: a27ea2b3-b359-4f85-a94c-6a35155bdb16

📥 Commits

Reviewing files that changed from the base of the PR and between 687047f and a449506.

📒 Files selected for processing (3)
  • .claude-plugin/marketplace.json
  • catalog.md
  • registry.yaml

Comment thread registry.yaml Outdated
Comment on lines +142 to +146
source:
  type: github
  repo: antowaddle/Red-Hat-Quality-Tiger-Team
  ref: main
  skills_dir: .claude/skills


⚠️ Potential issue | 🟠 Major

Pin plugin source to an immutable revision (CWE-494, CWE-829).

Severity: High. Exploit scenario: if antowaddle/Red-Hat-Quality-Tiger-Team branch main is force-pushed or compromised, future installs can pull attacker-controlled plugin code.

Remediation
     source:
       type: github
       repo: antowaddle/Red-Hat-Quality-Tiger-Team
-      ref: main
+      ref: <pinned-commit-sha> # 40-char commit hash for the reviewed release
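Review bot: `ref: <pinned-commit-sha>` is a placeholder, not a value any checkout can resolve, so this suggestion is not committable as written; substitute the 40-character SHA of the commit that was actually reviewed, and since the fix reaches .claude-plugin/marketplace.json only through regeneration, re-run the generator and confirm the same SHA appears there rather than relying on the registry.yaml edit alone.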

This root-cause fix also removes the same risk in generated .claude-plugin/marketplace.json.

As per coding guidelines, "**: REVIEW PRIORITIES: 1. Security vulnerabilities (provide severity, exploit scenario, and remediation code)".

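One way to implement the "validate SHA/tag formats" check that the CodeRabbit review asks for, as an added example that is not part of this PR or the opendatahub-skills repository: it classifies each plugin's `source.ref` and reports entries that still point at a branch such as `main`. The top-level `plugins` key, loading the real file with `yaml.safe_load`, the `example-pinned` entry and its SHA are all assumptions or constructed values.

```python
import re
from typing import Dict, List

# A full commit hash is the only ref that cannot be moved after review.
_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Release-style tag; tags can be re-pointed, so they pass only with a warning.
_TAG_RE = re.compile(r"^v?\d+\.\d+\.\d+([.-][0-9A-Za-z.]+)?$")
_REPO_RE = re.compile(r"^[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+$")


def classify_ref(ref: str) -> str:
    """Return 'sha', 'tag' or 'mutable' for a source.ref value."""
    if _SHA_RE.match(ref):
        return "sha"
    if _TAG_RE.match(ref):
        return "tag"
    return "mutable"  # branch names such as 'main', or an empty value


def check_plugin(plugin: Dict) -> List[str]:
    """Findings for one registry entry; an empty list means it is pinned."""
    name = plugin.get("name", "<unnamed>")
    source = plugin.get("source") or {}
    findings = []
    if source.get("type") != "github":
        findings.append(f"{name}: unsupported source.type {source.get('type')!r}")
    repo = str(source.get("repo", ""))
    if not _REPO_RE.match(repo):
        findings.append(f"{name}: source.repo {repo!r} is not owner/name")
    ref = str(source.get("ref", ""))
    kind = classify_ref(ref)
    if kind == "mutable":
        findings.append(f"{name}: source.ref {ref!r} is mutable; pin a 40-char commit SHA")
    elif kind == "tag":
        findings.append(f"{name}: source.ref {ref!r} is a tag; accept only if signed and verified on install")
    return findings


def check_registry(registry: Dict) -> List[str]:
    """Run check_plugin over every entry under the (assumed) 'plugins' key."""
    return [f for plugin in registry.get("plugins", []) for f in check_plugin(plugin)]


# Constructed registry fragment: the first entry mirrors the one under review,
# the second is a made-up pinned entry with a placeholder SHA.
SAMPLE_REGISTRY = {"plugins": [
    {"name": "quality-tooling", "source": {
        "type": "github", "repo": "antowaddle/Red-Hat-Quality-Tiger-Team", "ref": "main"}},
    {"name": "example-pinned", "source": {
        "type": "github", "repo": "example-org/example-plugin",
        "ref": "0123456789abcdef0123456789abcdef01234567"}},
]}
```

Wired into CI, a non-empty result from `check_registry` on the parsed registry.yaml is the condition to fail the build on, which is what the review's "block merge" remediation amounts to.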

antowaddle (Contributor Author) commented

/cc @astefanutti
antowaddle force-pushed the register-quality-tiger-team-skills branch from a449506 to 0544c92 on April 9, 2026 09:53
Remove skills field from quality-tiger-team plugin entry - this field
is auto-generated by the sync script and should not be manually added.
Comment thread registry.yaml Outdated
install: "/plugin install test-plan@opendatahub-skills"
depends_on: []

- name: quality-tiger-team

astefanutti (Contributor):

What would be a more functionally descriptive name for the plugin? Maybe something like qe-tools or quality-tooling?

antowaddle (Contributor Author):

Resolved in e2f678d

Comment thread registry.yaml Outdated
type: github
repo: antowaddle/Red-Hat-Quality-Tiger-Team
ref: main
skills_dir: .claude/skills

astefanutti (Contributor):

skills_dir can be removed as it's the default.

antowaddle (Contributor Author):

Resolved in e2f678d

Comment thread registry.yaml Outdated
harnesses:
claude-code:
install: "/plugin install quality-tiger-team@opendatahub-skills"
depends_on: []

astefanutti (Contributor):

nit: this can be removed

antowaddle (Contributor Author):

Resolved in e2f678d

Comment thread registry.yaml
skills_dir: .claude/skills
homepage: https://github.com/antowaddle/Red-Hat-Quality-Tiger-Team
repository: https://github.com/antowaddle/Red-Hat-Quality-Tiger-Team
skills:

astefanutti (Contributor):

Not sure if you want to expose the workflow-diagram-generator skill?

antowaddle (Contributor Author):

Not yet, this was something we were initially just using to chart the progress.

astefanutti (Contributor):

Sounds good, thanks for confirming.

- Rename quality-tiger-team to quality-tooling
- Remove skills_dir (using default .claude/skills)
- Remove harnesses section (not needed)
- Remove depends_on (empty array not needed)
- Regenerate marketplace.json and catalog.md

coderabbitai (Bot) left a review

♻️ Duplicate comments (1)
registry.yaml (1)

227-230: ⚠️ Potential issue | 🔴 Critical

Pin plugin source to an immutable revision (CWE-494, CWE-829) — Severity: High

Line 230 uses ref: main, which is mutable. Exploit scenario: if antowaddle/Red-Hat-Quality-Tiger-Team main is force-pushed or compromised, future installs can pull attacker-controlled plugin code.

Remediation diff
     source:
       type: github
       repo: antowaddle/Red-Hat-Quality-Tiger-Team
-      ref: main
+      sha: <40-char-reviewed-commit-sha>
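Review bot: this remediation renames the key from `ref` to `sha`, while the earlier suggestion on lines +142 to +146 kept `ref:`; the registry entry is defined by `type`, `repo` and `ref`, so unless the registry schema and the sync script that generates marketplace.json understand a `sha` key, the pin would be silently ignored or the entry rejected. Keep `ref:` and set its value to the 40-character SHA of the reviewed commit.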

As per coding guidelines, "**: REVIEW PRIORITIES: 1. Security vulnerabilities (provide severity, exploit scenario, and remediation code)".

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@registry.yaml` around lines 227 - 230, The registry source currently uses a
mutable ref ("ref: main") for source.type=github and
repo=antowaddle/Red-Hat-Quality-Tiger-Team; replace that mutable ref with an
immutable identifier (a specific commit SHA or a versioned tag/release) so the
plugin is pinned to an exact revision—update the ref value under the source
block (where repo and type are defined) to a commit SHA or annotated tag instead
of "main" and document the chosen immutable ref.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 60a566c3-9309-43de-90fc-fb56a5d98e05

📥 Commits

Reviewing files that changed from the base of the PR and between a805e27 and e2f678d.

📒 Files selected for processing (3)
  • .claude-plugin/marketplace.json
  • catalog.md
  • registry.yaml
✅ Files skipped from review due to trivial changes (1)
  • catalog.md
🚧 Files skipped from review as they are similar to previous changes (1)
  • .claude-plugin/marketplace.json

astefanutti (Contributor) left a review

Thanks @antowaddle!


@astefanutti astefanutti merged commit 2392f77 into opendatahub-io:main Apr 9, 2026
2 checks passed