ci: cover landing and release scripts, harden workflows#66
Merged
Conversation
- new Build (landing) job: frontend/landing is standalone (own lockfile), so the root typecheck/build never touched it — PRs that only changed landing ran no relevant CI at all - new Smoke job: node --check the launcher and npm bin wrapper, bash -n both install script copies plus a sync check, and bundle the release scripts — code that otherwise first executes on release day - e2e: nightly schedule (the workflow was dispatch-only and had never run once), job-level timeout - gitleaks: verify the downloaded binary against its release checksum, scan git history in addition to the working tree, concurrency group - every third-party action pinned to a commit SHA (the publish chain holds id-token: write and NPM_TOKEN), dependabot keeps the pins fresh, inert renovate.json removed (the app was never installed) - job-level timeout-minutes everywhere; codeql gets a concurrency group
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #25. Fixes #30. Fixes #32. Fixes #34.
CI coverage and workflow hardening in one pass:
Coverage (#30)
Build (landing)job:frontend/landingis standalone (ownbun.lock, not a workspace member), so the root typecheck/build jobs never touched it — a PR that only changed landing ran no relevant CI. The job doesbun install --frozen-lockfile,tsc -b, andvite build. All three rehearsed locally and pass.Smokejob for code that otherwise first executes on release day:node --checkon the launcher and the npm bin wrapper,bash -non both install-script copies plus adiff -qto keep them in sync, andbun buildof the release scripts.e2e (#25): the workflow was
workflow_dispatch-only and had never run once in repo history. It now runs nightly (kept off PRs until it has a green track record, since a never-run suite is likely to surface rot) and has a job timeout. I'll dispatch it once after merge and file whatever falls out.Secret scan (#32): the gitleaks binary download is now checksum-verified against the release's checksums.txt, and a
gitleaks githistory scan runs next to the working-tree scan —diralone let a committed-then-deleted secret pass forever.Supply chain and hygiene (#34)
id-token: writeandNPM_TOKEN, so that path matters most..github/dependabot.yml(github-actions ecosystem, weekly, grouped) keeps the pins fresh; the inertrenovate.jsonis removed — the Renovate app was never installed, so the config was decoration.timeout-minuteson every job in every workflow (hangs used to burn the 6-hour default), and concurrency groups for CodeQL and the secret scan.The five open Dependabot action-bump PRs (#1–#5) are superseded by the SHA pins + dependabot config; closing them separately.
All workflow files pass YAML validation; actionlint runs in CI on this PR itself.