feat(ci): harden pre-merge workflows for dev gate#55
Merged
Align ci.yml, desktop-smoke.yml, and e2e-artifacts.yml with the SHA pinning already used in codeql.yml and build.yml. Official GitHub actions previously referenced by version tag (actions/checkout@v6, setup-node@v6.3.0, cache@v5, upload-artifact@v7) now pin to the resolved commit SHA with a trailing readable comment. Refs #54
Separate workflow following the codeql.yml pattern: single-purpose PR-scoped supply-chain scan. Complements CodeQL (which scans source code) by inspecting the dependency graph for CVEs and license issues. Non-blocking during the initial rollout via the action's own `warn-only: true` input rather than a job-level continue-on-error, so action-level failures (auth, parser, network) still surface while policy findings (high-severity CVEs, license violations) only warn. Fork-PR guard mirrors the junit-publisher pattern in ci.yml: on fork PRs, GITHUB_TOKEN is read-only and the comment-summary-in-pr write would silently no-op under warn-only. GitHub's dependency graph supports bun.lock directly; the open question is whether the `catalog:` field and workspace resolution are parsed well enough to surface actionable findings. Once the first PR runs confirm that, drop warn-only, set fail-on-severity: high, and add this job to the dev ruleset. Refs #54
Adds weekly bun-ecosystem updates (Dependabot >= v1.2.5) so bun.lock and Bun-specific manifest features (the `catalog:` field and workspaces) are parsed by the correct updater. Named groups (electron, typescript-tooling, turbo-build, testing, opencode) keep transitive churn bundled so the PR queue stays reviewable; remaining production and development updates fall into catch-all minor-patch groups with explicit `patterns: ["*"]` for readability. `open-pull-requests-limit` capped at 5 to protect the PR gate's credibility during the first few weeks. Refs #54
Husky was installed via the "prepare" script but no user-level hooks (.husky/pre-commit etc.) existed; the formatter hook that used to live there was removed previously and nothing replaced it. Drop both the script and the devDependency so postinstall stops running a no-op. If a real pre-commit check is needed later, wire it up explicitly rather than reviving this ghost. Refs #54
- `codeql.yml`: document that this workflow is a required merge check on dev (ruleset entry: `codeql / analyze-js-ts`), and that the "separate file" pattern is intentional, not a claim that the gate is optional. Decision recorded in issue #54 (D1).
- `ci.yml`, `desktop-smoke.yml`: warn future editors that new jobs must be added to `check.needs`, otherwise their failures silently do not block merge. Flag the threshold for switching to `alls-green`.
- `e2e-artifacts.yml`: document that `continue-on-error: true` means this workflow must never be set as a required check; otherwise it would report success forever regardless of test outcome.
Refs #54
The SHA-pin commit (d259de8) changed actions/checkout@v6 to actions/checkout@de0fac... and actions/upload-artifact@v7 to actions/upload-artifact@043fb46... in the PR-gating workflows. The self-referential workflow tests under packages/opencode/test/github/ and packages/opencode/test/config/ assert the exact `uses:` values, so they needed the same update. No logic change; only the expected SHA values are touched. Refs #54
Summary
Hardens the four PR-gating workflows and their supporting config so `dev` can be made a real merge gate in a follow-up (non-PR) step. Closes the "branch protection is empty" gap from #54 on the code side; the ruleset flip is a repo setting applied via `gh api` after this PR merges and is intentionally not part of the PR. Refs #54.
Changes
Five commits, each a reversible milestone:
- `d259de8e4` — SHA-pin first-party actions across PR-gating workflows. Aligns `ci.yml`, `desktop-smoke.yml`, `e2e-artifacts.yml` with the SHA-pinning already used in `codeql.yml` and `build.yml`. No behaviour change; supply-chain hygiene only.
- `68d984a72` — Add `dependency-review-action` workflow, non-blocking. New single-purpose workflow (`dependency-review.yml`) following the CodeQL pattern. Uses the action's own `warn-only: true` (not a job-level `continue-on-error`) so action-level failures still surface while policy findings only warn. Fork-PR guard mirrors the junit-publisher in `ci.yml`. Stays non-blocking until `catalog:`/workspace parsing is verified on a real PR run; then drop `warn-only`, set `fail-on-severity: high`, and add to the ruleset.
- `d6c209023` — Expand Dependabot to `bun` ecosystem with grouping. Uses `package-ecosystem: "bun"` (Dependabot >= v1.2.5) rather than `"npm"` so `bun.lock` and `catalog:` are parsed by the correct updater. Named groups (electron / typescript-tooling / turbo-build / testing / opencode) plus catch-all minor-patch groups keep transitive churn bundled. `open-pull-requests-limit: 5` per ecosystem.
- `952c13f12` — Remove dead husky wiring. `.husky/` had no user-level hooks, the formatter hook was removed previously, and `"prepare": "husky"` was running a no-op on every install. Drop both the script and the devDependency.
- `f7b63632e` — Guard comments for ruleset + check-aggregator drift. `codeql.yml`: required merge check on `dev`; ruleset entry name is `codeql / analyze-js-ts`. Decision recorded in [Feature] Harden CI as a real merge gate for dev #54 (D1). `ci.yml`, `desktop-smoke.yml`: every new job must be listed in `check.needs` or its failure will silently not block merge. Threshold for switching to `alls-green` flagged. `e2e-artifacts.yml`: `continue-on-error: true` means this workflow must never be set as a required check.
What is intentionally NOT in this PR
- `gh api` or web UI, not a file in a PR. It must be flipped on after this PR merges, so the new checks can prove green on this PR's own runs first.
- `bun turbo lint` CI job. Repo has no lint infrastructure today (no package defines a `"lint"` script, `turbo.json` has no `lint` task). Adding the CI job requires picking a linter and configuring each package first; that is a separate track.
- `alls-green` aggregator. Deferred per [Feature] Harden CI as a real merge gate for dev #54; guard comments in `ci.yml`/`desktop-smoke.yml` flag the threshold for revisiting.
Review trail
Two rounds of `/crosscheck` review (Claude Opus + Codex) ran against earlier commits on this branch. Findings are folded into the final 5 commits (not kept as separate "review fix" commits), and the decisions are written into the issue body under D1-D5 so future readers have context. Summary of what the reviewers caught and how it was addressed:
- `package-ecosystem` must be `"bun"` not `"npm"` for Bun projects (P1, fixed in commit 3).
- Job-level `continue-on-error` would hide action-level failures; use step-level `warn-only` instead (P2, fixed in commit 2).
- `GITHUB_TOKEN`, so `comment-summary-in-pr` writes fail or silently no-op; add the `if:` guard mirroring `ci.yml` (P2, fixed in commit 2).
- Guard comment in `codeql.yml` did not spell out the ruleset entry name (P2, fixed in commit 5).
- Catch-all Dependabot groups benefit from explicit `patterns: ["*"]` for readability (P3, fixed in commit 3).
Findings deliberately not addressed in this PR (captured as follow-ups below).
Follow-ups
- `ci / check`, `desktop-smoke / check`, `codeql / analyze-js-ts` as required status checks on `dev`; enable "require conversation resolution" and "require branches to be up-to-date." Do NOT enable "require linear history" (conflicts with the merge-commit-for-own-PRs convention; [Feature] Harden CI as a real merge gate for dev #54 D2).
- `dependency-review-action` actually see the monorepo's deps? If yes, drop `warn-only`, set `fail-on-severity: high`, add to ruleset.
- `turbo lint` task, add CI job.
- `is_docs_path()` in `ci.yml`/`desktop-smoke.yml` uses `packages/*/README.md` which doesn't match the nested workspace `packages/sdk/js/README.md`. Surfaced by crosscheck but pre-dates this PR.
- `alls-green` aggregator when `needs:` list grows past ~5 entries.
- `[Feature]`/`[Bug]` prefix; commit-message Conventional-Commits lint ([Feature] Harden CI as a real merge gate for dev #54 P3).
Test plan
- `ci / check` passes green
- `desktop-smoke / check` passes green
- `codeql / analyze-js-ts` completes successfully
- `dependency-review / review` runs and either posts a summary comment or clearly shows why not (fork guard only disables it on forks, which this PR is not)
- `e2e-artifacts` uploads artifacts (non-blocking as designed)
- `dependency-review / review` output to confirm GitHub's dep graph parses `bun.lock` and workspaces; decide whether to drop `warn-only` in a follow-up
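A small lint over workflow YAML, added here as an example and not code from this PR or its project, for the two drift hazards the description calls out: `uses:` references that are not SHA-pinned with a readable version comment, and jobs that were never added to `check.needs` and so cannot block merge. The sample workflow and its SHA are constructed, and the parser is a deliberately minimal regex over GitHub's two-space job indent rather than a full YAML loader.

```python
import re
# "- uses: owner/repo@ref  # comment": ref must be a 40-hex SHA, comment is the readable tag
USES_RE = re.compile(r"^\s*-\s*uses:\s*(?P<action>[^@\s]+)@(?P<ref>\S+)(?:\s+#\s*(?P<comment>\S.*))?\s*$")
JOB_RE = re.compile(r"^  (?P<job>[A-Za-z0-9_-]+):\s*$")  # job keys sit at two-space indent

def unpinned_uses(workflow: str) -> list[str]:
    """Flag `uses:` refs that are not a full commit SHA, or SHA pins lacking a version comment."""
    findings = []
    for m in filter(None, map(USES_RE.match, workflow.splitlines())):
        action, ref, comment = m.group("action", "ref", "comment")
        if not re.fullmatch(r"[0-9a-f]{40}", ref):
            findings.append(f"{action}@{ref}: not pinned to a commit SHA")
        elif not comment:
            findings.append(f"{action}@{ref}: SHA pin has no readable version comment")
    return findings

def jobs_missing_from_aggregator(workflow: str, aggregator: str = "check") -> list[str]:
    """Jobs absent from the aggregator's needs:, whose failure would silently not block merge."""
    jobs, needs, current, collecting = [], [], None, False
    for line in workflow.partition("jobs:")[2].splitlines():
        m = JOB_RE.match(line)
        if m:
            current, collecting = m.group("job"), False
            jobs.append(current)
        elif current == aggregator:
            s = line.strip()
            if s.startswith("needs:"):  # inline form: needs: [a, b]
                rest = s[len("needs:"):].strip()
                needs += [n.strip() for n in rest.strip("[]").split(",") if n.strip()]
                collecting = rest == ""  # block form: "- job" items follow on later lines
            elif collecting and s.startswith("- "):
                needs.append(s[2:].strip())
            else:
                collecting = False
    return [j for j in jobs if j != aggregator and j not in needs]

# Constructed sample (not the project's workflow): a tag-pinned action, a SHA pin with no
# comment, and a "lint" job that was never added to check.needs.
SAMPLE = """\
jobs:
  test:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v6
      - uses: actions/setup-node@v6.3.0
  lint:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
  check:
    needs: [test]
"""
```

Calling `unpinned_uses(SAMPLE)` reports the tag pin and the comment-less SHA pin, and `jobs_missing_from_aggregator(SAMPLE)` returns `['lint']`; both the inline `needs: [a, b]` and the block-list form are handled.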