fix: enforce fresh nightly promotion quality gates
Ensure promotion decisions are based on current nightly HEAD evidence instead of stale workflow history.
Add native CodeQL branch triggers so security analysis runs on nightly/main promotion paths.
Convert nightly and weekly automation to dispatch required checks only when missing for the exact HEAD commit, preventing duplicate/racing runs while guaranteeing check presence.
Harden weekly health verification with retry polling so transient scheduling delays do not produce false negatives.
This reduces false blocking and ensures nightly-to-main promotion uses current, deterministic CI state.
Refs: #712
- Implement tests for BackupService to handle database extraction from backup archives with SHM and WAL entries.
- Add tests for BackupService to validate behavior when creating backups for non-SQLite databases and handling oversized database entries.
- Introduce tests for CrowdSec startup to ensure proper error handling during configuration creation.
- Enhance LogService tests to cover scenarios for skipping dot and empty directories and handling read directory errors.
- Add tests for SecurityHeadersService to ensure proper error handling during preset creation and updates.
- Update ProxyHostForm tests to include HSTS subdomains toggle and validation for port input handling.
- Enhance DNSProviders tests to validate manual challenge completion and error handling when no providers are available.
- Extend UsersPage tests to ensure fallback mechanisms for clipboard operations when the clipboard API fails.
- Implemented tests for `extractAuthCookieToken` to ensure it returns an empty string when the request is nil and ignores non-auth cookies.
- Added tests for `isAdminSecurityControlPlaneRequest` to verify it correctly uses the decoded raw path.
- Enhanced `NewRateLimitMiddleware` tests to check fallback behavior for non-positive window values and to ensure it bypasses rate limiting for control plane bearer requests.
- Implemented a new script `local-patch-report.sh` to generate a local patch report.
- The report computes patch coverage based on changes from the current branch against `origin/main`.
- Integrated backend and frontend coverage inputs, producing both Markdown and JSON output artifacts.
- Updated existing frontend coverage script to validate the presence of LCOV coverage file.
- Added tests for coverage computation and parsing of unified diffs for changed lines.
- Enhanced error handling and validation for coverage inputs and baseline references.
