Skip to content

ci: cover landing and release scripts, harden workflows#66

Merged
Aayam Bansal (aayambansal) merged 2 commits into
mainfrom
ci/coverage-and-hardening
Jul 5, 2026
Merged

ci: cover landing and release scripts, harden workflows#66
Aayam Bansal (aayambansal) merged 2 commits into
mainfrom
ci/coverage-and-hardening

Conversation

@aayambansal

Copy link
Copy Markdown
Member

Fixes #25. Fixes #30. Fixes #32. Fixes #34.

CI coverage and workflow hardening in one pass:

Coverage (#30)

  • New Build (landing) job: frontend/landing is standalone (own bun.lock, not a workspace member), so the root typecheck/build jobs never touched it — a PR that only changed landing ran no relevant CI. The job does bun install --frozen-lockfile, tsc -b, and vite build. All three rehearsed locally and pass.
  • New Smoke job for code that otherwise first executes on release day: node --check on the launcher and the npm bin wrapper, bash -n on both install-script copies plus a diff -q to keep them in sync, and bun build of the release scripts.

e2e (#25): the workflow was workflow_dispatch-only and had never run once in repo history. It now runs nightly (kept off PRs until it has a green track record, since a never-run suite is likely to surface rot) and has a job timeout. I'll dispatch it once after merge and file whatever falls out.

Secret scan (#32): the gitleaks binary download is now checksum-verified against the release's checksums.txt, and a gitleaks git history scan runs next to the working-tree scan — dir alone let a committed-then-deleted secret pass forever.

Supply chain and hygiene (#34)

  • Every third-party action across all seven workflows (and the setup-bun composite) is pinned to a commit SHA, with the version kept as a trailing comment. The publish chain holds id-token: write and NPM_TOKEN, so that path matters most.
  • .github/dependabot.yml (github-actions ecosystem, weekly, grouped) keeps the pins fresh; the inert renovate.json is removed — the Renovate app was never installed, so the config was decoration.
  • timeout-minutes on every job in every workflow (hangs used to burn the 6-hour default), and concurrency groups for CodeQL and the secret scan.

The five open Dependabot action-bump PRs (#1#5) are superseded by the SHA pins + dependabot config; closing them separately.

All workflow files pass YAML validation; actionlint runs in CI on this PR itself.

- new Build (landing) job: frontend/landing is standalone (own
  lockfile), so the root typecheck/build never touched it — PRs that
  only changed landing ran no relevant CI at all
- new Smoke job: node --check the launcher and npm bin wrapper, bash -n
  both install script copies plus a sync check, and bundle the release
  scripts — code that otherwise first executes on release day
- e2e: nightly schedule (the workflow was dispatch-only and had never
  run once), job-level timeout
- gitleaks: verify the downloaded binary against its release checksum,
  scan git history in addition to the working tree, concurrency group
- every third-party action pinned to a commit SHA (the publish chain
  holds id-token: write and NPM_TOKEN), dependabot keeps the pins fresh,
  inert renovate.json removed (the app was never installed)
- job-level timeout-minutes everywhere; codeql gets a concurrency group
@vercel

vercel Bot commented Jul 5, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
openscience Ready Ready Preview, Comment Jul 5, 2026 11:26am

Request Review

@aayambansal Aayam Bansal (aayambansal) merged commit 591a5c8 into main Jul 5, 2026
11 checks passed
@aayambansal Aayam Bansal (aayambansal) deleted the ci/coverage-and-hardening branch July 5, 2026 11:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

1 participant