Hi Balazs,
I get what you're saying, but I think you're throwing the baby out with the bathwater.
So let's say I submit a PR and it does introduce a new issue, which is raised by PR analysis. The human reviewer sees it and brings it up to me. I either fix it, or explain why I think the issue needs to be merged into master anyway.
Let's take as an example something I've actually faced: the use of System.out.println.
There's a rule about not doing that, and for the vast majority of applications it's appropriate. But I happen to be working on a console application, so System.out.println should be acceptable. So... now my reviewer and I face a few choices:
* remove the rule from the profile - bad because most projects need this rule
* set up exclusions so this rule isn't applied to my file - this is an okay option but maybe overkill
* introduce a logging framework to write to do the the console output - this would work seems impractical
* let the issues be raised and mark them Won't Fix in the platform
What I actually did in this situation was choose the last option, but if I had somehow not been able to merge the PR, I'd have been forced to a less attractive option.
So the premise here is that sometimes you have to introduce issues, and either they're temporarily acceptable and you'll fix them soon (hopefully before release), or they're more permanently acceptable and you'll take some other measure.
None of this invalidates the concept of the Quality Gate. The project should still be passing at release - or there should be a very good reason why it's not, and probably a remediation plan in place.
And just as a side note, we don't advocate a 0-issues QG when it comes to Code Smells. Zero new bugs, sure. Same for vulnerabilities. But the default Quality Gate looks at the ratio of new Code Smells to acceptable code.
Ann