Merge pull request #105 from script-development/armorer/oidc-gate-mutation-reporter

ci: gate OIDC publish mint surface + durable mutation-score reporter

Author: Goosterhof

.github/workflows/ci.yml

@@ -23,3 +23,16 @@ jobs:
             - run: npm run lint:pkg
             - run: npm run test:coverage
             - run: npm run test:mutation
+            # Durable mutation-score artifact: each package's Stryker run writes
+            # JSON + HTML to packages/<pkg>/reports/mutation/. Retain them as a
+            # downloadable run artifact so the per-package score is retrievable
+            # after the run, not just ephemeral stdout. if: always() captures the
+            # report even when the break:90 gate fails (the score is the evidence).
+            - name: Upload mutation reports
+              if: always()
+              uses: actions/upload-artifact@v7
+              with:
+                  name: mutation-reports
+                  path: packages/*/reports/mutation/
+                  retention-days: 30
+                  if-no-files-found: warn

.github/workflows/publish.yml

@@ -3,8 +3,12 @@ name: Publish
 on:
     push:
         branches: [main]
+        # Narrowed from '**/package.json' to package manifests only: a real
+        # release signal is a version edit under packages/<pkg>/package.json.
+        # Root/devDep manifest churn (dependabot, tooling) must NOT start the
+        # OIDC-minting publish job. (Sapper M2 H1 / STALE-4.)
         paths:
-            - '**/package.json'
+            - 'packages/*/package.json'
 
 jobs:
     build:
@@ -28,6 +32,11 @@ jobs:
     publish:
         needs: build
         runs-on: ubuntu-latest
+        # Environment gate: the OIDC mint (id-token: write) is fronted by the
+        # 'npm-publish' deployment environment, whose protection rule (required
+        # reviewer / wait timer) gates the token mint behind a human/policy
+        # checkpoint. (Sapper M2 H1 / STALE-4.)
+        environment: npm-publish
         permissions:
             contents: write
             id-token: write

packages/adapter-store/stryker.config.mjs

@@ -4,7 +4,9 @@ export default {
     vitest: {configFile: 'vitest.config.ts'},
     mutate: ['src/**/*.ts', '!src/**/types.ts'],
     thresholds: {high: 95, low: 90, break: 90},
-    reporters: ['clear-text', 'progress'],
+    reporters: ['clear-text', 'progress', 'json', 'html'],
+    jsonReporter: {fileName: 'reports/mutation/mutation.json'},
+    htmlReporter: {fileName: 'reports/mutation/mutation.html'},
     incremental: true,
     incrementalFile: '.stryker-incremental.json',
     cleanTempDir: 'always',

packages/cached-adapter-store/stryker.config.mjs

@@ -4,7 +4,9 @@ export default {
     vitest: {configFile: 'vitest.config.ts'},
     mutate: ['src/**/*.ts', '!src/**/types.ts'],
     thresholds: {high: 95, low: 90, break: 90},
-    reporters: ['clear-text', 'progress'],
+    reporters: ['clear-text', 'progress', 'json', 'html'],
+    jsonReporter: {fileName: 'reports/mutation/mutation.json'},
+    htmlReporter: {fileName: 'reports/mutation/mutation.html'},
     incremental: true,
     incrementalFile: '.stryker-incremental.json',
     cleanTempDir: 'always',

packages/dialog/stryker.config.mjs

@@ -4,7 +4,9 @@ export default {
     vitest: {configFile: 'vitest.config.ts'},
     mutate: ['src/**/*.ts', '!src/**/types.ts'],
     thresholds: {high: 95, low: 90, break: 90},
-    reporters: ['clear-text', 'progress'],
+    reporters: ['clear-text', 'progress', 'json', 'html'],
+    jsonReporter: {fileName: 'reports/mutation/mutation.json'},
+    htmlReporter: {fileName: 'reports/mutation/mutation.html'},
     incremental: true,
     incrementalFile: '.stryker-incremental.json',
     cleanTempDir: 'always',

packages/helpers/stryker.config.mjs

@@ -4,7 +4,9 @@ export default {
     vitest: {configFile: 'vitest.config.ts'},
     mutate: ['src/**/*.ts', '!src/**/types.ts'],
     thresholds: {high: 95, low: 90, break: 90},
-    reporters: ['clear-text', 'progress'],
+    reporters: ['clear-text', 'progress', 'json', 'html'],
+    jsonReporter: {fileName: 'reports/mutation/mutation.json'},
+    htmlReporter: {fileName: 'reports/mutation/mutation.html'},
     incremental: true,
     incrementalFile: '.stryker-incremental.json',
     cleanTempDir: 'always',

packages/http/stryker.config.mjs

@@ -4,7 +4,9 @@ export default {
     vitest: {configFile: 'vitest.config.ts'},
     mutate: ['src/**/*.ts', '!src/**/types.ts'],
     thresholds: {high: 95, low: 90, break: 90},
-    reporters: ['clear-text', 'progress'],
+    reporters: ['clear-text', 'progress', 'json', 'html'],
+    jsonReporter: {fileName: 'reports/mutation/mutation.json'},
+    htmlReporter: {fileName: 'reports/mutation/mutation.html'},
     incremental: true,
     incrementalFile: '.stryker-incremental.json',
     cleanTempDir: 'always',

packages/loading/stryker.config.mjs

@@ -4,7 +4,9 @@ export default {
     vitest: {configFile: 'vitest.config.ts'},
     mutate: ['src/**/*.ts', '!src/**/types.ts'],
     thresholds: {high: 95, low: 90, break: 90},
-    reporters: ['clear-text', 'progress'],
+    reporters: ['clear-text', 'progress', 'json', 'html'],
+    jsonReporter: {fileName: 'reports/mutation/mutation.json'},
+    htmlReporter: {fileName: 'reports/mutation/mutation.html'},
     incremental: true,
     incrementalFile: '.stryker-incremental.json',
     cleanTempDir: 'always',

packages/router/stryker.config.mjs

@@ -4,7 +4,9 @@ export default {
     vitest: {configFile: 'vitest.config.ts'},
     mutate: ['src/**/*.ts', '!src/**/types.ts'],
     thresholds: {high: 95, low: 90, break: 90},
-    reporters: ['clear-text', 'progress'],
+    reporters: ['clear-text', 'progress', 'json', 'html'],
+    jsonReporter: {fileName: 'reports/mutation/mutation.json'},
+    htmlReporter: {fileName: 'reports/mutation/mutation.html'},
     incremental: true,
     incrementalFile: '.stryker-incremental.json',
     cleanTempDir: 'always',

packages/storage/stryker.config.mjs

@@ -4,7 +4,9 @@ export default {
     vitest: {configFile: 'vitest.config.ts'},
     mutate: ['src/**/*.ts', '!src/**/types.ts'],
     thresholds: {high: 95, low: 90, break: 90},
-    reporters: ['clear-text', 'progress'],
+    reporters: ['clear-text', 'progress', 'json', 'html'],
+    jsonReporter: {fileName: 'reports/mutation/mutation.json'},
+    htmlReporter: {fileName: 'reports/mutation/mutation.html'},
     incremental: true,
     incrementalFile: '.stryker-incremental.json',
     cleanTempDir: 'always',