Baseline Rebuild

The quality-gate’s new-code delta compares PR findings against a fingerprint baseline stored for the default branch. After a big refactor, the baseline can drift — fingerprints of code that no longer exists sit there, and code that was moved/renamed shows up as “new.”

This page covers when to rebuild + how.

When to Rebuild

Rebuild the baseline when:

• Big refactor merged to main (e.g., module split, directory reshuffle, bulk rename)
• Framework migration (e.g., Vue 2 → 3, Python 2 → 3)
• Tooling change that shifts file contents (e.g., new formatter, codemod)
• After rating_min or new_coverage_min policy change — if prior scans didn’t compute the metric, baseline may be incomplete
• Diagnostic — if PR scans show many “new” findings that reviewers recognize as pre-existing

Do not rebuild for:

• Normal feature development (baseline drifts are expected; they settle over weeks)
• Single-file edits
• New repos (there’s no baseline yet — it’s built on the first default-branch scan)

How It Works

┌──────────────┐
│ Current      │  1. DELETE all QualityBaseline rows where
│ Baseline     │     (repo_id = X, branch = default_branch)
│ (fingerprints)│
└──────────────┘
       │
       ▼
┌──────────────┐  2. Next default-branch scan runs
│ Fresh scan   │
│ on main      │
└──────────────┘
       │
       ▼
┌──────────────┐  3. UPSERT fingerprints — baseline repopulated
│ New baseline │
└──────────────┘

Between step 1 and step 3, PR scans on that repo will flag every finding as is_new_in_pr = true (conservative fallback — if no baseline, treat everything as new). If you want to avoid this window, trigger a default-branch scan immediately after rebuilding.

Rebuild via UI

Rebuild via API

curl -X POST "https://codestax.co/api/quality/gates/rebuild-baseline/42" \
  -H "Authorization: Bearer $CODESTAX_JWT"

Response:

{
  "repo_id": 42,
  "branch": "main",
  "cleared_fingerprints": 847,
  "note": "Next scan on the default branch will re-establish the baseline."
}

Admin-only. Returns 403 for non-admins, 404 if repo isn’t in caller’s org.

Common Patterns

Automated rebuild after big merges

Hook into post-merge notifications when a specific label (rebuild-baseline) is applied to a merged PR:

# .github/workflows/rebuild-baseline.yml
on:
  pull_request:
    types: [closed]
jobs:
  rebuild:
    if: github.event.pull_request.merged == true &&
        contains(github.event.pull_request.labels.*.name, 'rebuild-baseline')
    steps:
      - name: Rebuild CodeStax baseline
        run: |
          curl -X POST \
            "https://codestax.co/api/quality/gates/rebuild-baseline/${{ secrets.CODESTAX_REPO_ID }}" \
            -H "Authorization: Bearer ${{ secrets.CODESTAX_JWT }}"
      - name: Trigger default-branch scan
        run: |
          curl -X POST \
            "https://codestax.co/api/scans/trigger/${{ secrets.CODESTAX_REPO_ID }}" \
            -H "Authorization: Bearer ${{ secrets.CODESTAX_JWT }}"

Scheduled rebuild (cron)

For repos with constant refactor churn, schedule a weekly rebuild:

# .github/workflows/weekly-baseline-refresh.yml
on:
  schedule:
    - cron: '0 6 * * 1'  # Monday 6 AM UTC

Related

• New-Code Delta — what the baseline is for
• Set Up Quality Gates
• Quality Gate API — endpoint reference