Merge branch 'main' into dependabot/npm_and_yarn/minor-and-patch-updates-c494b0f1a8

Author: rajbos

.github/workflows/actionlint.yml

@@ -17,7 +17,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
         with:
           egress-policy: audit
 

.github/workflows/build.yml

@@ -20,7 +20,7 @@ jobs:
 
     steps:
     - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
+      uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
       with:
         egress-policy: audit
 

.github/workflows/check-models.yml

@@ -26,7 +26,7 @@ jobs:
 
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
         with:
           egress-policy: audit
 
@@ -99,7 +99,7 @@ jobs:
           echo ""
           echo "=== Copilot CLI Output ==="
 
-          cd ${GITHUB_WORKSPACE}
+          cd "${GITHUB_WORKSPACE}"
           
           # Run copilot with the prompt using non-interactive mode
           COPILOT_PROMPT_TEXT=$(cat /tmp/copilot-prompt.md)
@@ -113,29 +113,29 @@ jobs:
         run: |
           if git diff --quiet src/tokenEstimators.json src/modelPricing.json; then
             echo "No changes detected in model data files"
-            echo "changed=false" >> $GITHUB_OUTPUT
+            echo "changed=false" >> "$GITHUB_OUTPUT"
           else
             # Check if the only change is the lastUpdated date in modelPricing.json
             DIFF_OUTPUT=$(git diff src/modelPricing.json)
             
             # Count the number of changed lines (lines starting with +/- but not +++ or ---)
-            CHANGED_LINES=$(echo "$DIFF_OUTPUT" | grep -E '^[+-][^+-]' | wc -l)
+            CHANGED_LINES=$(echo "$DIFF_OUTPUT" | grep -cE '^[+-][^+-]' || true)
             
             # Check if only 2 lines changed (one deletion, one addition) and both contain "lastUpdated"
             if [ "$CHANGED_LINES" -eq 2 ]; then
               # Check if all changed lines contain "lastUpdated"
-              if echo "$DIFF_OUTPUT" | grep -E '^[+-][^+-]' | grep -v '"lastUpdated"' | wc -l | grep -q '^0$'; then
+              if ! echo "$DIFF_OUTPUT" | grep -E '^[+-][^+-]' | grep -qv '"lastUpdated"'; then
                 # Verify no changes to tokenEstimators.json
                 if git diff --quiet src/tokenEstimators.json; then
                   echo "Only lastUpdated date changed - skipping PR creation"
-                  echo "changed=false" >> $GITHUB_OUTPUT
+                  echo "changed=false" >> "$GITHUB_OUTPUT"
                   exit 0
                 fi
               fi
             fi
             
             echo "Changes detected in model data files"
-            echo "changed=true" >> $GITHUB_OUTPUT
+            echo "changed=true" >> "$GITHUB_OUTPUT"
           fi
 
       - name: Create Pull Request

.github/workflows/check-toolnames.yml

@@ -18,7 +18,7 @@ jobs:
       contents: read
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
         with:
           egress-policy: audit
 

.github/workflows/ci.yml

@@ -20,7 +20,7 @@ jobs:
 
     steps:
     - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
+      uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
       with:
         egress-policy: audit
 
@@ -81,7 +81,7 @@ jobs:
 
     steps:
     - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
+      uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
       with:
         egress-policy: audit
 

.github/workflows/cli-build.yml

@@ -17,37 +17,58 @@ on:
       - 'src/toolNames.json'
   pull_request:
     branches: [main]
-    paths:
-      - 'cli/**'
-      - 'src/sessionDiscovery.ts'
-      - 'src/sessionParser.ts'
-      - 'src/tokenEstimation.ts'
-      - 'src/maturityScoring.ts'
-      - 'src/usageAnalysis.ts'
-      - 'src/opencode.ts'
-      - 'src/types.ts'
-      - 'src/tokenEstimators.json'
-      - 'src/modelPricing.json'
-      - 'src/toolNames.json'
 
 permissions:
   contents: read
 
 jobs:
+  check-changes:
+    runs-on: ubuntu-latest
+    outputs:
+      cli-relevant: ${{ github.event_name == 'push' || steps.filter.outputs.cli-relevant == 'true' }}
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Check for CLI-relevant file changes
+        if: github.event_name == 'pull_request'
+        uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
+        id: filter
+        with:
+          filters: |
+            cli-relevant:
+              - 'cli/**'
+              - 'src/sessionDiscovery.ts'
+              - 'src/sessionParser.ts'
+              - 'src/tokenEstimation.ts'
+              - 'src/maturityScoring.ts'
+              - 'src/usageAnalysis.ts'
+              - 'src/opencode.ts'
+              - 'src/types.ts'
+              - 'src/tokenEstimators.json'
+              - 'src/modelPricing.json'
+              - 'src/toolNames.json'
+
   build-and-validate:
+    needs: check-changes
+    if: needs.check-changes.outputs.cli-relevant == 'true'
     runs-on: ubuntu-latest
     env:
         node-version: 22
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
         with:
           egress-policy: audit
 
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Setup Node.js ${{ env.node-version }}
-        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version: ${{ env.node-version }}
 

.github/workflows/cli-publish.yml

@@ -40,7 +40,7 @@ jobs:
         working-directory: cli
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
         with:
           egress-policy: audit
 
@@ -72,16 +72,30 @@ jobs:
         id: version
         run: echo "version=$(node -p 'require("./package.json").version')" >> "$GITHUB_OUTPUT"
 
+      - name: Check if version is already published
+        id: check_published
+        run: |
+          PACKAGE_NAME=$(node -p 'require("./package.json").name')
+          VERSION="${{ steps.version.outputs.version }}"
+          echo "Checking npm registry for ${PACKAGE_NAME}@${VERSION}..."
+          if npm view "${PACKAGE_NAME}@${VERSION}" version 2>&1; then
+            echo "Version ${VERSION} is already published to npm. Skipping publish."
+            echo "already_published=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "Version ${VERSION} is not yet published. Proceeding with publish."
+            echo "already_published=false" >> "$GITHUB_OUTPUT"
+          fi
+
       - name: Publish to npm
-        if: ${{ !inputs.dry_run }}
+        if: ${{ !inputs.dry_run && steps.check_published.outputs.already_published != 'true' }}
         run: NODE_AUTH_TOKEN="" npm publish
 
       - name: Dry run publish
         if: ${{ inputs.dry_run }}
         run: NODE_AUTH_TOKEN="" npm publish public --dry-run
 
       - name: Commit version bump and create PR
-        if: ${{ !inputs.dry_run }}
+        if: ${{ !inputs.dry_run && steps.check_published.outputs.already_published != 'true' }}
         run: |
           cd ..
           git config user.name "github-actions[bot]"
@@ -100,14 +114,22 @@ jobs:
 
       - name: Summary
         run: |
-          echo "## CLI Package Published 📦" >> "$GITHUB_STEP_SUMMARY"
-          echo "" >> "$GITHUB_STEP_SUMMARY"
-          echo "- **Version:** v${{ steps.version.outputs.version }}" >> "$GITHUB_STEP_SUMMARY"
-          echo "- **Bump:** ${{ inputs.version_bump }}" >> "$GITHUB_STEP_SUMMARY"
-          echo "- **Dry run:** ${{ inputs.dry_run }}" >> "$GITHUB_STEP_SUMMARY"
-          echo "" >> "$GITHUB_STEP_SUMMARY"
-          if [ "${{ inputs.dry_run }}" = "false" ]; then
-            echo "Install with: \`npx @rajbos/ai-engineering-fluency\`" >> "$GITHUB_STEP_SUMMARY"
-            echo "" >> "$GITHUB_STEP_SUMMARY"
-            echo "A PR has been opened to merge the version bump back to main." >> "$GITHUB_STEP_SUMMARY"
-          fi
+          {
+            if [ "${{ steps.check_published.outputs.already_published }}" = "true" ]; then
+              echo "## CLI Package Publish Skipped ⏭️"
+              echo ""
+              echo "Version **v${{ steps.version.outputs.version }}** is already published to npm."
+            else
+              echo "## CLI Package Published 📦"
+              echo ""
+              echo "- **Version:** v${{ steps.version.outputs.version }}"
+              echo "- **Bump:** ${{ inputs.version_bump }}"
+              echo "- **Dry run:** ${{ inputs.dry_run }}"
+              echo ""
+              if [ "${{ inputs.dry_run }}" = "false" ]; then
+                echo "Install with: \`npx @rajbos/ai-engineering-fluency\`"
+                echo ""
+                echo "A PR has been opened to merge the version bump back to main."
+              fi
+            fi
+          } >> "$GITHUB_STEP_SUMMARY"

.github/workflows/codeql.yml

@@ -41,7 +41,7 @@ jobs:
 
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
         with:
           egress-policy: audit
 
@@ -50,7 +50,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+        uses: github/codeql-action/init@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -60,7 +60,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+        uses: github/codeql-action/autobuild@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -73,6 +73,6 @@ jobs:
       #   ./location_of_script_within_repo/buildscript.sh
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+        uses: github/codeql-action/analyze@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
         with:
           category: "/language:${{matrix.language}}"

.github/workflows/copilot-setup-steps.yml

@@ -31,7 +31,7 @@ jobs:
     # If you do not check out your code, Copilot will do this for you.
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
         with:
           egress-policy: audit
 
@@ -154,19 +154,19 @@ jobs:
           echo "Date range: $START_DATE to $END_DATE"
 
           # Build command arguments
-          ARGS="--storageAccount $AZURE_STORAGE_ACCOUNT"
-          ARGS="$ARGS --tableName $AZURE_TABLE_NAME"
-          ARGS="$ARGS --datasetId $AZURE_DATASET_ID"
-          ARGS="$ARGS --startDate $START_DATE"
-          ARGS="$ARGS --endDate $END_DATE"
-          ARGS="$ARGS --output ./usage-data/usage-agg-daily.json"
+          ARGS=(--storageAccount "$AZURE_STORAGE_ACCOUNT")
+          ARGS+=(--tableName "$AZURE_TABLE_NAME")
+          ARGS+=(--datasetId "$AZURE_DATASET_ID")
+          ARGS+=(--startDate "$START_DATE")
+          ARGS+=(--endDate "$END_DATE")
+          ARGS+=(--output ./usage-data/usage-agg-daily.json)
 
           # Use shared key if available, otherwise rely on Entra ID (DefaultAzureCredential)
           if [ -n "$AZURE_STORAGE_KEY" ]; then
-            ARGS="$ARGS --sharedKey $AZURE_STORAGE_KEY"
+            ARGS+=(--sharedKey "$AZURE_STORAGE_KEY")
           fi
 
-          node .github/skills/azure-storage-loader/load-table-data.js $ARGS || {
+          node .github/skills/azure-storage-loader/load-table-data.js "${ARGS[@]}" || {
             echo "⚠️ Failed to download aggregated usage data, continuing without it"
             exit 0
           }

.github/workflows/dependency-review.yml

@@ -17,7 +17,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
         with:
           egress-policy: audit