chore: Improve project health with test coverage and OSS compliance

[pradithya]

Summary

• Add comprehensive unit tests across all packages, boosting combined coverage from 32.9% to 84.5% (unit + e2e)
• Add SECURITY.md and CONTRIBUTING.md for OpenSSF Best Practices compliance
• Update CI pipeline to collect and upload coverage from both unit and e2e test runs to Codecov
• Add make test-coverage, make test-e2e-coverage, and make test-coverage-all Makefile targets

Per-package unit test coverage improvements

Package	Before	After
config	43%	96.2%
gitlab	6.1%	92.6%
queue	15.6%	90.6%
webhook	67.5%	89.4%
diff	88.6%	88.6%
argocd	56.1%	87.7%
auth	5.8%	83.8%
lock	5.7%	82.9%
server	8.6%	80.3%
github	1.7%	77.3%
models	100%	100%

Test plan

• make test — all unit tests pass
• make lint — 0 issues
• make fmt — no formatting changes
• make test-e2e — e2e tests pass (with fresh ArgoCD token)
• CI pipeline passes on GitHub Actions

🤖 Generated with Claude Code

[Copilot]

Pull request overview

Improves project health by significantly increasing test coverage across packages, adding OSS compliance docs, and enhancing CI/Makefile workflows to generate and upload unit + e2e coverage to Codecov.

Changes:

• Added extensive unit tests across multiple internal packages (queue, auth, gitlab, argocd, config).
• Updated GitHub client internals to allow installation-client injection for testing.
• Added SECURITY/CONTRIBUTING docs plus Makefile/CI updates for multi-run coverage reporting.

Reviewed changes

Copilot reviewed 38 out of 41 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
internal/queue/worker_test.go	Adds unit coverage for worker construction/handler registration/shutdown.
internal/queue/tasks_test.go	Expands task/payload coverage for webhook task creation and JSON roundtrips.
internal/queue/metrics_test.go	Adds collector tests using miniredis to validate Prometheus collector behavior.
internal/queue/logger_test.go	Adds tests for slog adapter behavior and log filtering.
internal/queue/handler_test.go	Adds tests for executor selection and more ProcessTask event paths.
internal/queue/client_test.go	Adds queue client tests using miniredis for enqueueing/close flows.
internal/gitlab/files_test.go	Adds tests for GitLab changed-files and file-content behaviors.
internal/gitlab/comments_test.go	Adds tests for GitLab comment posting/updating/invalidation/reactions.
internal/gitlab/client_test.go	Adds tests for GitLab client PR/approval/merge/branch operations.
internal/github/files.go	Routes installation client creation through injectable helper for testability.
internal/github/comments.go	Same as above for comment/reaction/invalidations API calls.
internal/github/client.go	Introduces injectable installationClientFunc + helper method.
internal/config/loader_test.go	Adds broad config loader tests (merge, env override, validation, defaults).
internal/config/config_test.go	Adds tests for config helper predicates (HasGitHub/HasGitLab/HasGitLabOAuth).
internal/auth/session_test.go	Adds comprehensive Redis session store tests using miniredis.
internal/auth/rbac_test.go	Adds RBAC resolution tests including persistent overrides via Redis store.
internal/auth/oidc_test.go	Extends OIDC provider tests (URLs, display name, buildUser edge cases).
internal/auth/oidc_helpers_test.go	Adds OIDC mock server + end-to-end-ish exchange tests.
internal/auth/middleware_test.go	Adds middleware tests for auth/role/permission flows and cookies.
internal/auth/middleware_helpers_test.go	Adds middleware Authenticate/Create/Destroy session tests with Redis backing.
internal/auth/gitlab_test.go	Adds GitLab OAuth provider tests (userinfo, groups, scopes, exchange failures).
internal/auth/github_test.go	Adds GitHub OAuth provider tests; some coverage via helpers.
internal/auth/github_helpers_test.go	Adds transport redirector enabling tests for hardcoded GitHub API URLs.
internal/auth/basic_test.go	Adds tests for basic auth provider behavior and enumeration-safe errors.
internal/auth/auth_test.go	Adds tests for context/request helpers and permission checks.
internal/argocd/applicationsets_test.go	Adds tests for ApplicationSet CRUD/generate/list/get and app association logic.
go.mod	Adds test dependency on miniredis and its transitive deps.
SECURITY.md	Adds security policy and reporting guidance for OpenSSF alignment.
Makefile	Adds coverage targets (unit/e2e/merged) and updates clean target.
CONTRIBUTING.md	Adds contributor guidelines and local dev/test instructions.
.github/workflows/ci.yaml	Updates CI to run coverage targets and upload separate unit/e2e reports to Codecov.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[codecov]

Codecov Report

❌ Patch coverage is 88.88889% with 2 lines in your changes missing coverage. Please review.
⚠️ Please upload report for BASE (main@2454d72). Learn more about missing BASE report.

Files with missing lines	Patch %	Lines
internal/github/client.go	88.88%	1 Missing ⚠️
internal/github/files.go	66.66%	1 Missing ⚠️

Additional details and impacted files

@@           Coverage Diff           @@
##             main      #59   +/-   ##
=======================================
  Coverage        ?   71.28%           
=======================================
  Files           ?       57           
  Lines           ?     7227           
  Branches        ?        0           
=======================================
  Hits            ?     5152           
  Misses          ?     1843           
  Partials        ?      232           

Flag	Coverage Δ
unit	71.28% <88.88%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.