Merge branch 'main' into dependabot/github_actions/actions/setup-node-6.3.0

Author: rajbos

.github/workflows/actionlint.yml

@@ -17,7 +17,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
         with:
           egress-policy: audit
 

.github/workflows/build.yml

@@ -20,7 +20,7 @@ jobs:
 
     steps:
     - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
+      uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
       with:
         egress-policy: audit
 

.github/workflows/check-models.yml

@@ -26,7 +26,7 @@ jobs:
 
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
         with:
           egress-policy: audit
 
@@ -99,7 +99,7 @@ jobs:
           echo ""
           echo "=== Copilot CLI Output ==="
 
-          cd ${GITHUB_WORKSPACE}
+          cd "${GITHUB_WORKSPACE}"
           
           # Run copilot with the prompt using non-interactive mode
           COPILOT_PROMPT_TEXT=$(cat /tmp/copilot-prompt.md)
@@ -113,29 +113,29 @@ jobs:
         run: |
           if git diff --quiet src/tokenEstimators.json src/modelPricing.json; then
             echo "No changes detected in model data files"
-            echo "changed=false" >> $GITHUB_OUTPUT
+            echo "changed=false" >> "$GITHUB_OUTPUT"
           else
             # Check if the only change is the lastUpdated date in modelPricing.json
             DIFF_OUTPUT=$(git diff src/modelPricing.json)
             
             # Count the number of changed lines (lines starting with +/- but not +++ or ---)
-            CHANGED_LINES=$(echo "$DIFF_OUTPUT" | grep -E '^[+-][^+-]' | wc -l)
+            CHANGED_LINES=$(echo "$DIFF_OUTPUT" | grep -cE '^[+-][^+-]' || true)
             
             # Check if only 2 lines changed (one deletion, one addition) and both contain "lastUpdated"
             if [ "$CHANGED_LINES" -eq 2 ]; then
               # Check if all changed lines contain "lastUpdated"
-              if echo "$DIFF_OUTPUT" | grep -E '^[+-][^+-]' | grep -v '"lastUpdated"' | wc -l | grep -q '^0$'; then
+              if ! echo "$DIFF_OUTPUT" | grep -E '^[+-][^+-]' | grep -qv '"lastUpdated"'; then
                 # Verify no changes to tokenEstimators.json
                 if git diff --quiet src/tokenEstimators.json; then
                   echo "Only lastUpdated date changed - skipping PR creation"
-                  echo "changed=false" >> $GITHUB_OUTPUT
+                  echo "changed=false" >> "$GITHUB_OUTPUT"
                   exit 0
                 fi
               fi
             fi
             
             echo "Changes detected in model data files"
-            echo "changed=true" >> $GITHUB_OUTPUT
+            echo "changed=true" >> "$GITHUB_OUTPUT"
           fi
 
       - name: Create Pull Request

.github/workflows/check-toolnames.yml

@@ -18,7 +18,7 @@ jobs:
       contents: read
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
         with:
           egress-policy: audit
 

.github/workflows/ci.yml

@@ -20,7 +20,7 @@ jobs:
 
     steps:
     - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
+      uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
       with:
         egress-policy: audit
 
@@ -81,7 +81,7 @@ jobs:
 
     steps:
     - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
+      uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
       with:
         egress-policy: audit
 

.github/workflows/cli-build.yml

@@ -17,30 +17,51 @@ on:
       - 'src/toolNames.json'
   pull_request:
     branches: [main]
-    paths:
-      - 'cli/**'
-      - 'src/sessionDiscovery.ts'
-      - 'src/sessionParser.ts'
-      - 'src/tokenEstimation.ts'
-      - 'src/maturityScoring.ts'
-      - 'src/usageAnalysis.ts'
-      - 'src/opencode.ts'
-      - 'src/types.ts'
-      - 'src/tokenEstimators.json'
-      - 'src/modelPricing.json'
-      - 'src/toolNames.json'
 
 permissions:
   contents: read
 
 jobs:
+  check-changes:
+    runs-on: ubuntu-latest
+    outputs:
+      cli-relevant: ${{ github.event_name == 'push' || steps.filter.outputs.cli-relevant == 'true' }}
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Check for CLI-relevant file changes
+        if: github.event_name == 'pull_request'
+        uses: dorny/paths-filter@de90cc6b5708d14e015ca8c3acee5b86b31db2a8 # v3.0.2
+        id: filter
+        with:
+          filters: |
+            cli-relevant:
+              - 'cli/**'
+              - 'src/sessionDiscovery.ts'
+              - 'src/sessionParser.ts'
+              - 'src/tokenEstimation.ts'
+              - 'src/maturityScoring.ts'
+              - 'src/usageAnalysis.ts'
+              - 'src/opencode.ts'
+              - 'src/types.ts'
+              - 'src/tokenEstimators.json'
+              - 'src/modelPricing.json'
+              - 'src/toolNames.json'
+
   build-and-validate:
+    needs: check-changes
+    if: needs.check-changes.outputs.cli-relevant == 'true'
     runs-on: ubuntu-latest
     env:
         node-version: 22
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
         with:
           egress-policy: audit
 

.github/workflows/cli-publish.yml

@@ -40,7 +40,7 @@ jobs:
         working-directory: cli
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
         with:
           egress-policy: audit
 
@@ -100,14 +100,16 @@ jobs:
 
       - name: Summary
         run: |
-          echo "## CLI Package Published 📦" >> "$GITHUB_STEP_SUMMARY"
-          echo "" >> "$GITHUB_STEP_SUMMARY"
-          echo "- **Version:** v${{ steps.version.outputs.version }}" >> "$GITHUB_STEP_SUMMARY"
-          echo "- **Bump:** ${{ inputs.version_bump }}" >> "$GITHUB_STEP_SUMMARY"
-          echo "- **Dry run:** ${{ inputs.dry_run }}" >> "$GITHUB_STEP_SUMMARY"
-          echo "" >> "$GITHUB_STEP_SUMMARY"
-          if [ "${{ inputs.dry_run }}" = "false" ]; then
-            echo "Install with: \`npx @rajbos/ai-engineering-fluency\`" >> "$GITHUB_STEP_SUMMARY"
-            echo "" >> "$GITHUB_STEP_SUMMARY"
-            echo "A PR has been opened to merge the version bump back to main." >> "$GITHUB_STEP_SUMMARY"
-          fi
+          {
+            echo "## CLI Package Published 📦"
+            echo ""
+            echo "- **Version:** v${{ steps.version.outputs.version }}"
+            echo "- **Bump:** ${{ inputs.version_bump }}"
+            echo "- **Dry run:** ${{ inputs.dry_run }}"
+            echo ""
+            if [ "${{ inputs.dry_run }}" = "false" ]; then
+              echo "Install with: \`npx @rajbos/ai-engineering-fluency\`"
+              echo ""
+              echo "A PR has been opened to merge the version bump back to main."
+            fi
+          } >> "$GITHUB_STEP_SUMMARY"

.github/workflows/codeql.yml

@@ -41,7 +41,7 @@ jobs:
 
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
         with:
           egress-policy: audit
 
@@ -50,7 +50,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+        uses: github/codeql-action/init@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -60,7 +60,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+        uses: github/codeql-action/autobuild@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -73,6 +73,6 @@ jobs:
       #   ./location_of_script_within_repo/buildscript.sh
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+        uses: github/codeql-action/analyze@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
         with:
           category: "/language:${{matrix.language}}"

.github/workflows/copilot-setup-steps.yml

@@ -31,7 +31,7 @@ jobs:
     # If you do not check out your code, Copilot will do this for you.
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
         with:
           egress-policy: audit
 
@@ -154,19 +154,19 @@ jobs:
           echo "Date range: $START_DATE to $END_DATE"
 
           # Build command arguments
-          ARGS="--storageAccount $AZURE_STORAGE_ACCOUNT"
-          ARGS="$ARGS --tableName $AZURE_TABLE_NAME"
-          ARGS="$ARGS --datasetId $AZURE_DATASET_ID"
-          ARGS="$ARGS --startDate $START_DATE"
-          ARGS="$ARGS --endDate $END_DATE"
-          ARGS="$ARGS --output ./usage-data/usage-agg-daily.json"
+          ARGS=(--storageAccount "$AZURE_STORAGE_ACCOUNT")
+          ARGS+=(--tableName "$AZURE_TABLE_NAME")
+          ARGS+=(--datasetId "$AZURE_DATASET_ID")
+          ARGS+=(--startDate "$START_DATE")
+          ARGS+=(--endDate "$END_DATE")
+          ARGS+=(--output ./usage-data/usage-agg-daily.json)
 
           # Use shared key if available, otherwise rely on Entra ID (DefaultAzureCredential)
           if [ -n "$AZURE_STORAGE_KEY" ]; then
-            ARGS="$ARGS --sharedKey $AZURE_STORAGE_KEY"
+            ARGS+=(--sharedKey "$AZURE_STORAGE_KEY")
           fi
 
-          node .github/skills/azure-storage-loader/load-table-data.js $ARGS || {
+          node .github/skills/azure-storage-loader/load-table-data.js "${ARGS[@]}" || {
             echo "⚠️ Failed to download aggregated usage data, continuing without it"
             exit 0
           }

.github/workflows/dependency-review.yml

@@ -17,7 +17,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
         with:
           egress-policy: audit