
ci: integrate garnet-org/action for supply-chain monitoring#11626

Merged
zkochan merged 1 commit into
mainfrom
garnet
May 14, 2026

Conversation


@zkochan zkochan commented May 14, 2026


Summary

Wires the Garnet network-monitoring action into the workflows that touch publish/tag credentials or run a representative install/test:

  • ci.yml — runs on the test-smoke job only. The full cross-platform/Node-version test matrix is intentionally excluded so the per-job overhead doesn't multiply across the matrix; the smoke job already exercises a representative install/test path.
  • test.yml — gains an optional garnet boolean input (defaults to false) and an optional GARNET_API_TOKEN secret in the workflow_call: interface, so callers opt in explicitly. Secrets are passed explicitly from ci.yml rather than via secrets: inherit.
  • release.yml — runs on the release job, which performs the npm publishes (both trusted-publishing OIDC steps and the static-token step).
  • update-latest.yml — runs on the tag-in-registry job, which mutates npm dist-tags. The post-* notification jobs (winget/reddit/mastodon) are not instrumented.

The action is pinned by SHA with a # v2 comment, matching the repo's existing pinning convention.

Test plan

  • After merge, confirm a CI run on main shows the garnet step running on test-smoke and skipped on the rest of the test matrix
  • On the next release, confirm the garnet step runs in release.yml without blocking publish
  • On the next dist-tag update, confirm the garnet step runs in the tag-in-registry job

Written by an agent (Claude Code, claude-opus-4-7).

Summary by CodeRabbit

  • Chores
    • Integrated Garnet service into CI/CD workflows.

Review Change Stack

Adds the Garnet network-monitoring action to the smoke test job, the
release workflow, and the npm tag workflow. The full CI test matrix is
left untouched to keep per-job overhead off the broad cross-platform
runs; the smoke test still exercises a representative install/test flow.
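The opt-in wiring the description above lays out, written out here as an added illustration (not the repository's actual workflow files). The `garnet` input, the GARNET_API_TOKEN secret, the test-smoke job and the pinned action SHA come from this PR; the trigger, runner, checkout and install/test steps are assumptions.

```yaml
# Added illustration, not the project's own files. Names from the PR: the
# `garnet` input, GARNET_API_TOKEN, job test-smoke, the garnet-org/action SHA.
# Everything else (trigger, runs-on, checkout, install/test step) is assumed.
# --- .github/workflows/test.yml (reusable workflow) ---
name: Test
on:
  workflow_call:
    inputs:
      garnet:
        description: Run the Garnet network-monitoring step
        type: boolean
        required: false
        default: false          # callers must opt in explicitly
    secrets:
      GARNET_API_TOKEN:
        required: false         # only needed when inputs.garnet is true
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # assumed; pin by SHA like the step below
      # Monitoring starts before install/test so the job's network activity
      # is observed. Pinned by commit SHA with a version comment.
      - name: Garnet network monitoring
        if: inputs.garnet
        uses: garnet-org/action@9e819143e63d6dda04bca2e90ac85e3cf0e5289d # v2
        with:
          api_token: ${{ secrets.GARNET_API_TOKEN }}
      - run: pnpm install && pnpm test   # assumed stand-in for the real steps

---
# --- .github/workflows/ci.yml (caller) ---
name: CI
on: [push, pull_request]          # assumed trigger
jobs:
  test-smoke:
    uses: ./.github/workflows/test.yml
    with:
      garnet: true
    # Pass only the one secret the callee declares. `secrets: inherit` would
    # expose every repository secret to the reusable workflow instead.
    secrets:
      GARNET_API_TOKEN: ${{ secrets.GARNET_API_TOKEN }}
  test-matrix:
    strategy:
      matrix: { os: [ubuntu-latest, windows-latest, macos-latest] }
    uses: ./.github/workflows/test.yml
    # garnet omitted: it defaults to false, so the step is skipped here.
```

The matrix job shows the behaviour the description relies on: a caller that does not set `garnet` gets the step skipped, so the per-job overhead only lands on test-smoke.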
Copilot AI review requested due to automatic review settings May 14, 2026 06:17

coderabbitai Bot commented May 14, 2026

Walkthrough

GitHub Actions workflows across the repository are updated to integrate Garnet CI/CD functionality. The reusable test workflow declares a new garnet boolean input and GARNET_API_TOKEN secret with a conditional step, the CI test-smoke job enables garnet, and release/tag workflows directly invoke garnet-org/action with the token secret.

Changes

Garnet Integration Across CI/CD Workflows

| Layer | File(s) | Summary |
| --- | --- | --- |
| Reusable workflow contract definition | .github/workflows/test.yml | The reusable Test workflow expands its public interface with a garnet: boolean input (default false) and a GARNET_API_TOKEN secret, and introduces a conditional step that runs garnet-org/action@v2 when inputs.garnet is enabled. |
| CI test-smoke job enablement | .github/workflows/ci.yml | The test-smoke job calls the reusable test workflow with garnet: true and forwards secrets.GARNET_API_TOKEN. |
| Direct Garnet integration in release and tag workflows | .github/workflows/release.yml, .github/workflows/update-latest.yml | The release job and tag-in-registry job each add a new step that invokes garnet-org/action and supplies secrets.GARNET_API_TOKEN directly without using the reusable workflow interface. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 Oh, what a garden we grow!
Garnet steps sewn row by row,
Secrets passed with gentle care,
From test to release, everywhere—
CI pipelines bloom anew! 🌿

Pre-merge checks: 5 passed

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and specifically describes the main change: integrating garnet-org/action into CI workflows for supply-chain monitoring. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


Copilot AI left a comment


Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
.github/workflows/update-latest.yml (1)

21-23: ⚡ Quick win

Consider fail-open for monitoring to avoid blocking release tagging.

garnet-org/action is a runtime monitoring/profiling tool that runs before the npm dist-tag operations. A transient monitoring outage shouldn't block critical release operations or the downstream publish-to-winget, post-to-reddit, and post-to-mastodon jobs. Adding continue-on-error: true decouples monitoring from release flow.

Proposed change
     - uses: garnet-org/action@9e819143e63d6dda04bca2e90ac85e3cf0e5289d # v2
+      continue-on-error: true
       with:
         api_token: ${{ secrets.GARNET_API_TOKEN }}
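Review bot: `continue-on-error: true` makes the garnet-org/action step non-blocking as intended, but it also means a release can be tagged with monitoring silently absent, because a failed step still leaves the job green; if fail-open is adopted, pair it with a visible signal, for example give the step an `id` and add a follow-up step that emits a warning when `steps.<id>.outcome == 'failure'`, so a missing monitor is noticed rather than ignored. The comment further down this page also argues that the v2 action already catches its own errors and never calls core.setFailed(), which would make the flag redundant; confirm which behaviour the pinned SHA actually has before adding it.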
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/update-latest.yml around lines 21 - 23, The
garnet-org/action step (the line starting with "uses:
garnet-org/action@9e819143e63d6dda04bca2e90ac85e3cf0e5289d") can block release
tagging on transient failures; update that job step to be fail-open by adding
continue-on-error: true to the step definition (keep the existing with:
api_token: ${{ secrets.GARNET_API_TOKEN }} block intact) so monitoring failures
don't prevent downstream publish-to-winget, post-to-reddit, and post-to-mastodon
jobs from running.

📥 Commits

Reviewing files that changed from the base of the PR and between 94240bc and 83b24b7.

📒 Files selected for processing (4)
  • .github/workflows/ci.yml
  • .github/workflows/release.yml
  • .github/workflows/test.yml
  • .github/workflows/update-latest.yml
🔇 Additional comments (3)
.github/workflows/test.yml (1)

12-18: LGTM!

Also applies to: 42-45


.github/workflows/release.yml (1)

27-29: ⚡ Quick win

Review comment is inaccurate. The garnet-org/action v2 already implements fail-open behavior and cannot block release execution. The action's main.js wraps the run() function in a try-catch that logs a warning on any error and continues execution without calling core.setFailed(). Adding continue-on-error: true is unnecessary.

> Likely an incorrect or invalid review comment.

@zkochan zkochan merged commit 9844cdf into main May 14, 2026
15 of 16 checks passed
@zkochan zkochan deleted the garnet branch May 14, 2026 06:25