Skip to content

Commit 11995a5

Browse files
authored
ci(batch-a): dependabot + scorecard + commit-msg hook + per-file coverage floor (#125)
Phase 3 Batch A OSS hygiene pack: - .github/dependabot.yml: weekly npm + github-actions updates, grouped (typescript-eslint, vitest, @types). - .github/workflows/scorecard.yml: OpenSSF Scorecard on push/PR to main and weekly cron, SARIF uploaded to code-scanning, SHA-pinned actions matching ci.yml discipline. - .husky/commit-msg: Conventional Commits subject enforcement with type list (feat|fix|docs|style|refactor|perf|test|build|ci|chore|revert|deps|deps-dev), skips merge/revert/fixup/squash/amend commits. - vitest.config.ts: per-file coverage floor (70 percent lines/functions/branches/statements) for lib/**/*.ts and index.ts, kept below the 80 percent global average so legitimate low-coverage utility files do not block work.
1 parent 158c764 commit 11995a5

4 files changed

Lines changed: 155 additions & 0 deletions

File tree

.github/dependabot.yml

Lines changed: 50 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,50 @@
1+
# Dependabot configuration
2+
# See https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
3+
version: 2
4+
updates:
5+
# npm (root package.json): group noisy dev-tool ecosystems, keep security-sensitive
6+
# dependencies (runtime) as individual PRs so they are reviewed on their own.
7+
- package-ecosystem: "npm"
8+
directory: "/"
9+
schedule:
10+
interval: "weekly"
11+
day: "monday"
12+
time: "06:00"
13+
timezone: "Etc/UTC"
14+
open-pull-requests-limit: 10
15+
labels:
16+
- "dependencies"
17+
- "npm"
18+
groups:
19+
typescript-eslint:
20+
patterns:
21+
- "@typescript-eslint/*"
22+
- "eslint"
23+
- "eslint-*"
24+
vitest:
25+
patterns:
26+
- "vitest"
27+
- "@vitest/*"
28+
types:
29+
patterns:
30+
- "@types/*"
31+
commit-message:
32+
prefix: "deps"
33+
prefix-development: "deps-dev"
34+
include: "scope"
35+
36+
# GitHub Actions: keep pinned SHAs + version tags current (Scorecard / CI actions).
37+
- package-ecosystem: "github-actions"
38+
directory: "/"
39+
schedule:
40+
interval: "weekly"
41+
day: "monday"
42+
time: "06:00"
43+
timezone: "Etc/UTC"
44+
open-pull-requests-limit: 10
45+
labels:
46+
- "dependencies"
47+
- "github-actions"
48+
commit-message:
49+
prefix: "ci"
50+
include: "scope"

.github/workflows/scorecard.yml

Lines changed: 56 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,56 @@
1+
# OpenSSF Scorecard supply-chain security analysis.
2+
# Results upload to the Code Scanning tab + the public OpenSSF REST API.
3+
# Action pins follow the same SHA-pinning discipline as .github/workflows/ci.yml.
4+
name: Scorecard supply-chain security
5+
6+
on:
7+
branch_protection_rule:
8+
schedule:
9+
# Weekly, Monday 01:30 UTC. Kept offset from other weekly jobs.
10+
- cron: "30 1 * * 1"
11+
push:
12+
branches: [main]
13+
pull_request:
14+
branches: [main]
15+
16+
# Declare default permissions as read-only for the workflow.
17+
permissions: read-all
18+
19+
jobs:
20+
analysis:
21+
name: Scorecard analysis
22+
runs-on: ubuntu-latest
23+
# Only publish scorecard results from the default branch; PRs and scheduled
24+
# runs still execute so regressions surface in Code Scanning.
25+
permissions:
26+
# Needed to upload the SARIF results to the code-scanning dashboard.
27+
security-events: write
28+
# Needed for keyless signing of results via sigstore / OpenSSF publish.
29+
id-token: write
30+
31+
steps:
32+
- name: Checkout code
33+
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
34+
with:
35+
persist-credentials: false
36+
37+
- name: Run Scorecard analysis
38+
uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
39+
with:
40+
results_file: results.sarif
41+
results_format: sarif
42+
# `publish_results` is only honored on the default branch; the action
43+
# silently downgrades to `false` for PRs and forks.
44+
publish_results: true
45+
46+
- name: Upload artifact
47+
uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
48+
with:
49+
name: SARIF file
50+
path: results.sarif
51+
retention-days: 5
52+
53+
- name: Upload to code-scanning
54+
uses: github/codeql-action/upload-sarif@ce64ddcb0d8d890d2df4a9d1c04ff297367dea2a # v3
55+
with:
56+
sarif_file: results.sarif

.husky/commit-msg

Lines changed: 32 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,32 @@
1+
#!/bin/sh
2+
. "$(dirname "$0")/_/husky.sh"
3+
4+
# Enforce Conventional Commits 1.0.0 subject line.
5+
# type(scope)!: description
6+
# Types align with common Conventional Commits usage and CONTRIBUTING.md.
7+
# Skips merge, revert, fixup!, and squash! commits so rebase / autosquash
8+
# flows keep working without `--no-verify`.
9+
10+
msg_file="$1"
11+
first_line=$(head -n 1 "$msg_file")
12+
13+
case "$first_line" in
14+
"Merge "*|"Revert "*|"fixup! "*|"squash! "*|"amend! "*)
15+
exit 0
16+
;;
17+
esac
18+
19+
pattern='^(feat|fix|docs|style|refactor|perf|test|build|ci|chore|revert|deps|deps-dev)(\([a-z0-9._-]+\))?!?: .{1,100}$'
20+
21+
if ! printf '%s' "$first_line" | grep -qE "$pattern"; then
22+
printf '\nCommit message does not follow Conventional Commits.\n' >&2
23+
printf '\nExpected format:\n' >&2
24+
printf ' type(scope): short description\n' >&2
25+
printf ' type!: breaking change description\n' >&2
26+
printf '\nAllowed types:\n' >&2
27+
printf ' feat, fix, docs, style, refactor, perf, test, build,\n' >&2
28+
printf ' ci, chore, revert, deps, deps-dev\n' >&2
29+
printf '\nYour subject line was:\n' >&2
30+
printf ' %s\n\n' "$first_line" >&2
31+
exit 1
32+
fi

vitest.config.ts

Lines changed: 17 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -20,10 +20,27 @@ export default defineConfig({
2020
reporter: ['text', 'json', 'html'],
2121
exclude: ['node_modules/', 'dist/', 'test/'],
2222
thresholds: {
23+
// Global coverage floor.
2324
statements: 80,
2425
branches: 80,
2526
functions: 80,
2627
lines: 80,
28+
// Per-file coverage floor for the production source tree. Set below the
29+
// global average so legitimate low-coverage utility files do not block
30+
// work, while still catching regressions where a single file drops
31+
// sharply. Raise these once individual modules stabilise.
32+
'lib/**/*.ts': {
33+
statements: 70,
34+
branches: 70,
35+
functions: 70,
36+
lines: 70,
37+
},
38+
'index.ts': {
39+
statements: 70,
40+
branches: 70,
41+
functions: 70,
42+
lines: 70,
43+
},
2744
},
2845
},
2946
},

0 commit comments

Comments
 (0)