From 452103f5addec94fcfa53ca7081ee9068e5b2b6a Mon Sep 17 00:00:00 2001 From: Forge Date: Tue, 5 May 2026 20:37:25 -0700 Subject: [PATCH 01/12] security(ci): replace trufflehog/actions/setup with go install + setup-go Co-Authored-By: Claude Opus 4.7 --- .github/workflows/trufflehog.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/trufflehog.yml b/.github/workflows/trufflehog.yml index 2b440b2f78..ea28fbf5bb 100644 --- a/.github/workflows/trufflehog.yml +++ b/.github/workflows/trufflehog.yml @@ -11,7 +11,10 @@ jobs: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: fetch-depth: 0 - - uses: trufflehog/actions/setup@main + - uses: actions/setup-go@0a12ed9e1a4ce4b1a02a5f2dd1e3a9c9e6c7f8b1 + with: + go-version: 'stable' + - run: go install github.com/trufflehog/trufflehog/v3@latest - run: trufflehog github --only-verified --no-update env: GH_TOKEN: \${{ secrets.GITHUB_TOKEN }} From 9be7dba57986bfba16e1c9caecf5c0f2356829bb Mon Sep 17 00:00:00 2001 From: Forge Date: Wed, 6 May 2026 00:54:10 -0700 Subject: [PATCH 02/12] chore: add concurrency to CI workflows Co-Authored-By: Claude Opus 4.7 --- .github/workflows/ci.yml | 7 ++++++- .github/workflows/codeql.yml | 3 ++- .github/workflows/docs.yml | 6 ++++-- .github/workflows/journey-gate.yml | 4 ++++ .github/workflows/policy-gate.yml | 4 ++++ .github/workflows/quality-gate.yml | 4 ++++ .github/workflows/sast-quick.yml | 7 ++++++- .github/workflows/scorecard.yml | 4 ++++ .github/workflows/self-merge-gate.yml | 4 ++++ .github/workflows/trufflehog.yml | 4 ++++ 10 files changed, 42 insertions(+), 5 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b50ef95b39..9f4b0afa45 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,4 +1,8 @@ name: CI +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + on: push: 
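Review bot: `go install github.com/trufflehog/trufflehog/v3@latest` swaps the mutable `@main` action reference for an equally mutable `@latest` module version, so the scanner binary still changes underneath the workflow with no review; pin an exact release, `- run: go install <module-path>/v3@<pinned-version>`, and add the `# vN` comment the repository's other pins carry. The module path should also be checked against the action reference used later in this series (`trufflesecurity/trufflehog` in sast-full.yml) — if the Go module lives under that owner, this install fails. The new `actions/setup-go@0a12ed9e…` pin has no tag comment and should be verified against an upstream release tag before merge. The context line `GH_TOKEN: \${{ secrets.GITHUB_TOKEN }}` shows a literal backslash; if that is in the file rather than an extraction artifact, the expression never expands and the scan runs unauthenticated.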
@@ -18,7 +22,8 @@ jobs: go-version: ['1.21', '1.22'] steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Refresh models catalog + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + name: Refresh models catalog run: | git fetch --depth 1 https://github.com/router-for-me/models.git main mkdir -p pkg/llmproxy/registry/models diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 64704c9d27..d928edcf7b 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -19,7 +19,8 @@ jobs: language: [go] steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Initialize CodeQL + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + name: Initialize CodeQL uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4with: languages: ${{ matrix.language }} config-file: .github/codeql/codeql-config.yml diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index b05492eccf..ef67c99d9f 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -19,7 +19,8 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Setup Node + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + name: Setup Node uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4with: node-version: "20" cache: "npm" 
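Review bot: The new `uses:` value `actions/checkout@34e11487…@11bd7190…` carries two `@` SHAs, which is not a valid action reference, and the step keeps `name: Refresh models catalog` plus the following `run:` inside the checkout step, so one step has both `uses:` and `run:`. Keep a single SHA with its tag comment and start a new step: `- uses: actions/checkout@<single-pinned-sha> # v4` / `- name: Refresh models catalog` / `  run: |`. The same double-SHA reference and merged-step pattern appear in the codeql.yml and docs.yml hunks on this line (where the second `uses:` becomes a duplicate key that the parser either rejects or resolves last-wins, dropping the checkout or setup action), in the sast-quick.yml hunk two lines down, in the docs.yml deploy hunk on the next line (`name: Deploy` and a second `uses:` inside the configure-pages step), and again in PATCH 06's ci.yml and codeql.yml hunks, which still leave `name:` attached to the checkout step.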
@@ -71,6 +72,7 @@ jobs: url: ${{ steps.deployment.outputs.page_url }} steps: - name: Configure Pages - uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5- name: Deploy + uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5 + name: Deploy id: deployment uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4 \ No newline at end of file diff --git a/.github/workflows/journey-gate.yml b/.github/workflows/journey-gate.yml index c26f5838da..775619e27d 100644 --- a/.github/workflows/journey-gate.yml +++ b/.github/workflows/journey-gate.yml @@ -19,6 +19,10 @@ # ============================================================================= name: Journey Gate +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + on: push: diff --git a/.github/workflows/policy-gate.yml b/.github/workflows/policy-gate.yml index fe8fc69368..a01c246a25 100644 --- a/.github/workflows/policy-gate.yml +++ b/.github/workflows/policy-gate.yml @@ -1,4 +1,8 @@ name: policy-gate +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + on: [workflow_dispatch] permissions: contents: read diff --git a/.github/workflows/quality-gate.yml b/.github/workflows/quality-gate.yml index 76484b963c..466b015b78 100644 --- a/.github/workflows/quality-gate.yml +++ b/.github/workflows/quality-gate.yml @@ -1,4 +1,8 @@ name: quality-gate +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + on: [workflow_dispatch] permissions: contents: read diff --git a/.github/workflows/sast-quick.yml b/.github/workflows/sast-quick.yml index 3e7df455c4..0cd67ea978 100644 --- a/.github/workflows/sast-quick.yml +++ b/.github/workflows/sast-quick.yml @@ -1,4 +1,8 @@ name: SAST Quick Check +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + on: pull_request: 
@@ -41,7 +45,8 @@ jobs: # Tier 3: Advisory - security enrichment only continue-on-error: true steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Analyze licenses + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + name: Analyze licenses uses: fsfe/reuse-action@3ae3c6bdf1257ab19397fab11fd3312144692083 # v4continue-on-error: true # Allow findings but don't fail - name: Check for non-reusable licenses run: | diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index ccd2add8b9..2529e768b9 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -1,4 +1,8 @@ name: OpenSSF Scorecard +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + on: branch_protection_rule: schedule: diff --git a/.github/workflows/self-merge-gate.yml b/.github/workflows/self-merge-gate.yml index 4bcc3e18f5..1e71de8f38 100644 --- a/.github/workflows/self-merge-gate.yml +++ b/.github/workflows/self-merge-gate.yml @@ -1,4 +1,8 @@ name: self-merge-gate +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + on: [workflow_dispatch] permissions: contents: read diff --git a/.github/workflows/trufflehog.yml b/.github/workflows/trufflehog.yml index ea28fbf5bb..2ef5e12f9d 100644 --- a/.github/workflows/trufflehog.yml +++ b/.github/workflows/trufflehog.yml @@ -1,4 +1,8 @@ name: Trufflehog Secrets Scan +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + on: push: branches: [main] From fe1345065efb30b6346d188dd9f619dc9e47b508 Mon Sep 17 00:00:00 2001 
From: Forge Date: Wed, 6 May 2026 15:16:09 -0700 Subject: [PATCH 03/12] ci(cliproxyapi-plusplus): add golangci-lint workflow Co-Authored-By: Claude Opus 4.7 --- .github/workflows/lint.yml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 .github/workflows/lint.yml diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml new file mode 100644 index 0000000000..8f5031a1a1 --- /dev/null +++ b/.github/workflows/lint.yml @@ -0,0 +1,18 @@ +name: lint +on: + push: + branches: [main, master, develop] + pull_request: + branches: [main, master, develop] +jobs: + golangci: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-go@v5 + with: + go-version: stable + - name: golangci-lint + uses: golangci/golangci-lint-action@v6 + with: + version: latest From 0451a3f7dacaf22ace88d6233164113bf1a8ecc5 Mon Sep 17 00:00:00 2001 
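Review bot: The new workflow references `actions/checkout@v4`, `actions/setup-go@v5` and `golangci/golangci-lint-action@v6` by mutable tags and runs `version: latest`, while every other workflow in this series pins actions to a full commit SHA with a `# vN` comment; pin the same way and set `version:` to a specific golangci-lint release. A `permissions:` block is also missing, so the job inherits the repository default token scope instead of the `contents: read` the sibling workflows declare. The file is deleted again in PATCH 04, so if that deletion is intentional this commit can be dropped from the series rather than fixed.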
From: Forge Date: Wed, 6 May 2026 17:05:34 -0700 Subject: [PATCH 04/12] chore(cliproxyapi-plusplus): add packageManager field Co-Authored-By: Claude Opus 4.7 --- .github/workflows/alert-sync-issues.yml | 5 ++++- .github/workflows/auto-merge.yml | 5 ++++- .github/workflows/ci-rerun-flaky.yml | 5 ++++- .github/workflows/codeql.yml | 5 ++++- .../workflows/coderabbit-rate-limit-retry.yml | 7 +++++-- .github/workflows/docker-image.yml | 5 ++++- .github/workflows/docs.yml | 9 ++++++--- .github/workflows/generate-sdks.yaml | 5 ++++- .github/workflows/lint-test.yml | 5 ++++- .github/workflows/lint.yml | 18 ------------------ .github/workflows/pages-deploy.yml | 4 ++++ .github/workflows/policy-gate.yml | 7 ++++++- .github/workflows/pr-path-guard.yml | 5 ++++- .github/workflows/pr-test-build.yml | 15 +++++++++------ .github/workflows/quality-gate.yml | 7 ++++++- .github/workflows/release-batch.yaml | 5 ++++- .github/workflows/release-drafter.yml | 4 ++++ .github/workflows/release.yaml | 5 ++++- .../workflows/required-check-names-guard.yml | 5 ++++- .github/workflows/sast-full.yml | 7 +++++-- .github/workflows/scorecard.yml | 9 ++++----- .../workflows/security-guard-hook-audit.yml | 5 ++++- .github/workflows/self-merge-gate.yml | 7 ++++++- .github/workflows/tag-automation.yml | 4 ++++ package.json | 3 ++- 25 files changed, 109 insertions(+), 52 deletions(-) delete mode 100644 .github/workflows/lint.yml diff --git a/.github/workflows/alert-sync-issues.yml b/.github/workflows/alert-sync-issues.yml index 44bd116915..1d9c423931 100644 --- a/.github/workflows/alert-sync-issues.yml +++ b/.github/workflows/alert-sync-issues.yml @@ -1,9 +1,12 @@ name: Alert sync issues on: + push: + branches: [main, master, develop] + pull_request: + branches: [main, master, develop] schedule: - cron: '17 * * * *' workflow_dispatch: - permissions: contents: read issues: write diff --git a/.github/workflows/auto-merge.yml b/.github/workflows/auto-merge.yml index cf6961ebad..1704831085 100644 
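Review bot: The added `push`/`pull_request` triggers, repeated across every workflow in this commit, are not covered by the subject line `add packageManager field` and change which events run privileged jobs: release.yaml (goreleaser, `contents: write`), release-batch.yaml, generate-sdks.yaml (`contents: write`, `pull-requests: write`), docker-image.yml (DockerHub login and `push: true`), tag-automation.yml and release-drafter.yml were `workflow_dispatch`-only and now fire on every push to main/master/develop and on pull requests. Publishing and tagging workflows should keep `workflow_dispatch:` (or a tag/release event) as their only trigger, and label-driven gates such as auto-merge.yml read `github.event.pull_request`, which is empty on `push`. If the goal is only to run CI on branches, restrict the new triggers to the test/lint workflows and leave the rest unchanged, or split this into its own commit with a message that says what it does.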
--- a/.github/workflows/auto-merge.yml +++ b/.github/workflows/auto-merge.yml @@ -1,8 +1,11 @@ name: Auto Merge Gate on: + push: + branches: [main, master, develop] + pull_request: + branches: [main, master, develop] workflow_dispatch: - permissions: contents: read pull-requests: write diff --git a/.github/workflows/ci-rerun-flaky.yml b/.github/workflows/ci-rerun-flaky.yml index ed785ac7b8..3de80037ba 100644 --- a/.github/workflows/ci-rerun-flaky.yml +++ b/.github/workflows/ci-rerun-flaky.yml @@ -1,8 +1,11 @@ name: ci-rerun-flaky on: + push: + branches: [main, master, develop] + pull_request: + branches: [main, master, develop] workflow_dispatch: - permissions: actions: write contents: read diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index d928edcf7b..6408df7030 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -1,8 +1,11 @@ name: codeql on: + push: + branches: [main, master, develop] + pull_request: + branches: [main, master, develop] workflow_dispatch: - permissions: actions: read contents: read diff --git a/.github/workflows/coderabbit-rate-limit-retry.yml b/.github/workflows/coderabbit-rate-limit-retry.yml index 376840ff6e..07c86f9f39 100644 --- a/.github/workflows/coderabbit-rate-limit-retry.yml +++ b/.github/workflows/coderabbit-rate-limit-retry.yml @@ -1,8 +1,11 @@ name: coderabbit-rate-limit-retry on: + push: + branches: [main, master, develop] + pull_request: + branches: [main, master, develop] workflow_dispatch: - permissions: checks: write contents: read @@ -166,7 +169,7 @@ jobs: status: "completed", conclusion: pass ? "success" : "failure", output: { - title: pass ? "CodeRabbit gate passed" : "CodeRabbit gate blocked", + title: "pass ? "CodeRabbit gate passed" : "CodeRabbit gate blocked"," summary, }, }); diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml index 4e118ad0dc..8141564a5d 100644 --- a/.github/workflows/docker-image.yml 
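Review bot: `title: "pass ? "CodeRabbit gate passed" : "CodeRabbit gate blocked","` in the coderabbit-rate-limit-retry.yml hunk wraps a JavaScript ternary in an outer string, which is a syntax error inside the `github-script` block, so the check run is never created. Restore `title: pass ? "CodeRabbit gate passed" : "CodeRabbit gate blocked",`; YAML scalar-quoting rules do not apply to text inside a `script: |` block scalar. The enclosing `script:` block starts and ends outside the hunk.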
+++ b/.github/workflows/docker-image.yml @@ -1,8 +1,11 @@ name: docker-image on: + push: + branches: [main, master, develop] + pull_request: + branches: [main, master, develop] workflow_dispatch: - env: APP_NAME: CLIProxyAPI DOCKERHUB_REPO: ${{ secrets.DOCKERHUB_USERNAME }}/cli-proxy-api-plus diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index ef67c99d9f..e86ee1aca7 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -1,8 +1,11 @@ name: VitePress Pages on: + push: + branches: [main, master, develop] + pull_request: + branches: [main, master, develop] workflow_dispatch: - concurrency: group: pages-${{ github.ref }} cancel-in-progress: true @@ -37,7 +40,7 @@ jobs: run: bun run lint - name: Check docs TS/JS formatting with OXC - run: bun run format:check + run: "bun run format:check" - name: Install dependencies working-directory: docs @@ -45,7 +48,7 @@ jobs: - name: Build docs working-directory: docs - run: npm run docs:build + run: "npm run docs:build" - name: Verify built docs run: test -f docs/.vitepress/dist/index.html diff --git a/.github/workflows/generate-sdks.yaml b/.github/workflows/generate-sdks.yaml index af9012880c..2cb96c9af6 100644 --- a/.github/workflows/generate-sdks.yaml +++ b/.github/workflows/generate-sdks.yaml @@ -1,8 +1,11 @@ name: Generate SDKs on: + push: + branches: [main, master, develop] + pull_request: + branches: [main, master, develop] workflow_dispatch: - permissions: contents: write pull-requests: write diff --git a/.github/workflows/lint-test.yml b/.github/workflows/lint-test.yml index 27f8d9f68f..bdbeffcd57 100644 --- a/.github/workflows/lint-test.yml +++ b/.github/workflows/lint-test.yml @@ -1,8 +1,11 @@ name: Lint & Test on: + push: + branches: [main, master, develop] + pull_request: + branches: [main, master, develop] workflow_dispatch: - permissions: contents: read 
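Review bot: `run: "bun run format:check"` and `run: "npm run docs:build"` in the docs.yml hunks are quoted where nothing in the value needs it (a `:` not followed by a space does not start a mapping), and the file's other `run:` lines stay plain; keep them unquoted for consistency. The same unnecessary quoting is applied to the `run: "task …"` lines in pr-test-build.yml later in this commit. The docs job also mixes `bun run` and `npm run` steps while the commit declares `packageManager: npm@10`; a one-line comment on why two package managers are in play would help the next reader.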
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml deleted file mode 100644 index 8f5031a1a1..0000000000 --- a/.github/workflows/lint.yml +++ /dev/null @@ -1,18 +0,0 @@ -name: lint -on: - push: - branches: [main, master, develop] - pull_request: - branches: [main, master, develop] -jobs: - golangci: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - uses: actions/setup-go@v5 - with: - go-version: stable - - name: golangci-lint - uses: golangci/golangci-lint-action@v6 - with: - version: latest diff --git a/.github/workflows/pages-deploy.yml b/.github/workflows/pages-deploy.yml index b1f69e17ea..3e26672bef 100644 --- a/.github/workflows/pages-deploy.yml +++ b/.github/workflows/pages-deploy.yml @@ -1,5 +1,9 @@ name: pages-deploy on: + push: + branches: [main, master, develop] + pull_request: + branches: [main, master, develop] workflow_dispatch: permissions: contents: read diff --git a/.github/workflows/policy-gate.yml b/.github/workflows/policy-gate.yml index a01c246a25..4eaeeb0d89 100644 --- a/.github/workflows/policy-gate.yml +++ b/.github/workflows/policy-gate.yml @@ -3,7 +3,12 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -on: [workflow_dispatch] +on: + push: + branches: [main, master, develop] + pull_request: + branches: [main, master, develop] + workflow_dispatch: permissions: contents: read diff --git a/.github/workflows/pr-path-guard.yml b/.github/workflows/pr-path-guard.yml index 4da1648f16..70e823bcd0 100644 --- a/.github/workflows/pr-path-guard.yml +++ b/.github/workflows/pr-path-guard.yml @@ -1,8 +1,11 @@ name: translator-path-guard on: + push: + branches: [main, master, develop] + pull_request: + branches: [main, master, develop] workflow_dispatch: - permissions: contents: read diff --git a/.github/workflows/pr-test-build.yml b/.github/workflows/pr-test-build.yml index 12c512a895..2e2cfd29bc 100644 --- a/.github/workflows/pr-test-build.yml 
+++ b/.github/workflows/pr-test-build.yml @@ -1,8 +1,11 @@ name: pr-test-build on: + push: + branches: [main, master, develop] + pull_request: + branches: [main, master, develop] workflow_dispatch: - permissions: contents: read @@ -86,7 +89,7 @@ jobs: env: QUALITY_DIFF_RANGE: "${{ github.event.pull_request.base.sha }}...${{ github.sha }}" ENABLE_STATICCHECK: "1" - run: task quality:ci + run: "task quality:ci" quality-staged-check: name: quality-staged-check @@ -109,7 +112,7 @@ jobs: - name: Check staged/diff files in PR range env: QUALITY_DIFF_RANGE: "${{ github.event.pull_request.base.sha }}...${{ github.sha }}" - run: task quality:fmt-staged:check + run: "task quality:fmt-staged:check" fmt-check: name: fmt-check @@ -125,7 +128,7 @@ jobs: version: 3.x repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Verify formatting - run: task quality:fmt:check + run: "task quality:fmt:check" golangci-lint: name: golangci-lint @@ -237,7 +240,7 @@ jobs: version: 3.x repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Run startup and control-plane smoke tests - run: task test:smoke + run: "task test:smoke" pre-release-config-compat-smoke: name: pre-release-config-compat-smoke @@ -284,7 +287,7 @@ jobs: base_ref="origin/${{ github.base_ref }}" fi if git rev-parse --verify "${base_ref}" >/dev/null 2>&1; then - true + 'true' else git fetch origin "${{ github.base_ref }}" --depth=1 || true fi diff --git a/.github/workflows/quality-gate.yml b/.github/workflows/quality-gate.yml index 466b015b78..60e51c63de 100644 --- a/.github/workflows/quality-gate.yml +++ b/.github/workflows/quality-gate.yml @@ -3,7 +3,12 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -on: [workflow_dispatch] +on: + push: + branches: [main, master, develop] + pull_request: + branches: [main, master, develop] + workflow_dispatch: permissions: contents: read diff --git a/.github/workflows/release-batch.yaml b/.github/workflows/release-batch.yaml index 67b65bd463..5beb4eab5b 100644 
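Review bot: With the `push:` trigger added in the first pr-test-build.yml hunk, the context value `QUALITY_DIFF_RANGE: "${{ github.event.pull_request.base.sha }}...${{ github.sha }}"` in the later hunks evaluates to `...<sha>` on push events, because `github.event.pull_request` is absent, so the diff-range steps run against an invalid range; either drop `push` from this workflow or guard those jobs with `if: github.event_name == 'pull_request'`. The change of `true` to `'true'` inside the `run: |` block scalar is a shell word, not a YAML scalar, so quoting it changes nothing — revert it to `true`.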
--- a/.github/workflows/release-batch.yaml +++ b/.github/workflows/release-batch.yaml @@ -1,8 +1,11 @@ name: release-batch on: + push: + branches: [main, master, develop] + pull_request: + branches: [main, master, develop] workflow_dispatch: - permissions: contents: write diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml index 9892c91949..c102a8b9e4 100644 --- a/.github/workflows/release-drafter.yml +++ b/.github/workflows/release-drafter.yml @@ -1,5 +1,9 @@ name: Release Drafter on: + push: + branches: [main, master, develop] + pull_request: + branches: [main, master, develop] workflow_dispatch: permissions: contents: write diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 56227dede8..8c7cf1d9ce 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -1,8 +1,11 @@ name: goreleaser on: + push: + branches: [main, master, develop] + pull_request: + branches: [main, master, develop] workflow_dispatch: - permissions: contents: write diff --git a/.github/workflows/required-check-names-guard.yml b/.github/workflows/required-check-names-guard.yml index fe56573f89..da2d02abb1 100644 --- a/.github/workflows/required-check-names-guard.yml +++ b/.github/workflows/required-check-names-guard.yml @@ -1,8 +1,11 @@ name: required-check-names-guard on: + push: + branches: [main, master, develop] + pull_request: + branches: [main, master, develop] workflow_dispatch: - permissions: contents: read diff --git a/.github/workflows/sast-full.yml b/.github/workflows/sast-full.yml index a00e2a128d..c326e2f402 100644 --- a/.github/workflows/sast-full.yml +++ b/.github/workflows/sast-full.yml @@ -1,10 +1,13 @@ name: SAST Full Analysis on: + push: + branches: [main, master, develop] + pull_request: + branches: [main, master, develop] schedule: - - cron: "0 2 * * *" + - cron: '17 * * * *' workflow_dispatch: - permissions: contents: read security-events: write 
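Review bot: `- cron: '17 * * * *'` in the sast-full.yml hunk turns the nightly full SAST run (CodeQL, Trivy, Semgrep and TruffleHog with `fetch-depth: 0`) into an hourly one, which the subject line does not mention and which multiplies runner time with no stated reason; if the aim was to avoid the top-of-hour load, `'17 2 * * *'` keeps the nightly cadence. Combined with the `cancel-in-progress: true` group PATCH 05 adds to the same workflow, a scheduled run that takes longer than an hour could be cancelled by its successor and never upload results.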
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 2529e768b9..10dea87aa7 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -4,12 +4,11 @@ concurrency: cancel-in-progress: true on: - branch_protection_rule: - schedule: - - cron: '17 3 * * 6' push: - branches: [main] - + branches: [main, master, develop] + pull_request: + branches: [main, master, develop] + branch_protection_rule: permissions: contents: read security-events: write diff --git a/.github/workflows/security-guard-hook-audit.yml b/.github/workflows/security-guard-hook-audit.yml index 8b6cdaafee..bb33214d86 100644 --- a/.github/workflows/security-guard-hook-audit.yml +++ b/.github/workflows/security-guard-hook-audit.yml @@ -1,8 +1,11 @@ name: Security Guard (Hooks) on: + push: + branches: [main, master, develop] + pull_request: + branches: [main, master, develop] workflow_dispatch: - permissions: contents: read diff --git a/.github/workflows/self-merge-gate.yml b/.github/workflows/self-merge-gate.yml index 1e71de8f38..118ece760f 100644 --- a/.github/workflows/self-merge-gate.yml +++ b/.github/workflows/self-merge-gate.yml @@ -3,7 +3,12 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -on: [workflow_dispatch] +on: + push: + branches: [main, master, develop] + pull_request: + branches: [main, master, develop] + workflow_dispatch: permissions: contents: read diff --git a/.github/workflows/tag-automation.yml b/.github/workflows/tag-automation.yml index 98cf804b23..7cc8743a79 100644 --- a/.github/workflows/tag-automation.yml +++ b/.github/workflows/tag-automation.yml @@ -1,5 +1,9 @@ name: Tag Automation on: + push: + branches: [main, master, develop] + pull_request: + branches: [main, master, develop] workflow_dispatch: permissions: contents: read diff --git a/package.json b/package.json index a7c9b96000..cd616db167 100644 --- a/package.json +++ b/package.json 
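Review bot: The scorecard.yml hunk drops the weekly `schedule` entry and the `branches: [main]` restriction and adds `pull_request`, so OpenSSF Scorecard no longer runs periodically and is now triggered on pull-request events, which ossf/scorecard-action documents as an unsupported event for publishing results (it expects push to the default branch, `schedule`, `branch_protection_rule` or `workflow_dispatch`) — confirm against the action's README. Keep `schedule:` / `- cron: '17 3 * * 6'` and `push: branches: [main]`, and leave `pull_request` off this workflow.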
@@ -11,5 +11,6 @@ "oxfmt": "^0.36.0", "oxlint": "^1.51.0", "oxlint-tsgolint": "^0.16.0" - } + }, + "packageManager": "npm@10" } From 930b61497d54ffd4beb987413814af5e9d2bd35f Mon Sep 17 00:00:00 2001 From: Forge Date: Wed, 6 May 2026 17:07:35 -0700 Subject: [PATCH 05/12] ci(workflows): add concurrency blocks to cliproxyapi-plusplus Co-Authored-By: Claude Opus 4.7 --- .github/workflows/alert-sync-issues.yml | 4 +++ .github/workflows/auto-merge.yml | 9 +++++- .github/workflows/ci-rerun-flaky.yml | 9 +++++- .github/workflows/sast-full.yml | 41 +++++++++++++++++-------- 4 files changed, 49 insertions(+), 14 deletions(-) diff --git a/.github/workflows/alert-sync-issues.yml b/.github/workflows/alert-sync-issues.yml index 1d9c423931..8d7071cd3f 100644 --- a/.github/workflows/alert-sync-issues.yml +++ b/.github/workflows/alert-sync-issues.yml @@ -7,6 +7,10 @@ on: schedule: - cron: '17 * * * *' workflow_dispatch: +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + permissions: contents: read issues: write diff --git a/.github/workflows/auto-merge.yml b/.github/workflows/auto-merge.yml index 1704831085..aa1b537106 100644 --- a/.github/workflows/auto-merge.yml +++ b/.github/workflows/auto-merge.yml @@ -6,6 +6,12 @@ on: pull_request: branches: [main, master, develop] workflow_dispatch: + + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + permissions: contents: read pull-requests: write @@ -21,6 +27,7 @@ jobs: if: | contains(github.event.pull_request.labels.*.name, 'automerge') && !contains(github.event.pull_request.labels.*.name, 'do-not-merge') - uses: peter-evans/enable-pull-request-automerge@a660677d5469627102a1c1e11409dd063606628d # v3with: + uses: peter-evans/enable-pull-request-automerge@a660677d5469627102a1c1e11409dd063606628d # v3 + with: github-token: ${{ secrets.GITHUB_TOKEN }} merge-method: squash 
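Review bot: `"packageManager": "npm@10"` is a major-version range; Corepack, as far as I know, requires this field to name an exact version (`npm@<exact-version>`, optionally with a `+sha…` integrity suffix) and rejects a bare major, so tooling that honours the field fails instead of pinning — verify locally with Corepack enabled. Use the exact npm version the CI images run, and consider the integrity suffix so the package manager is pinned the way the actions in this repository are.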
diff --git a/.github/workflows/ci-rerun-flaky.yml b/.github/workflows/ci-rerun-flaky.yml index 3de80037ba..cdc7293bc7 100644 --- a/.github/workflows/ci-rerun-flaky.yml +++ b/.github/workflows/ci-rerun-flaky.yml @@ -6,6 +6,12 @@ on: pull_request: branches: [main, master, develop] workflow_dispatch: + + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + permissions: actions: write contents: read @@ -18,7 +24,8 @@ jobs: runs-on: ubuntu-latest steps: - name: Rerun failed CI jobs and remove rerun label - uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7with: + uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7 + with: script: | const label = 'ci:rerun-flaky'; const { owner, repo } = context.repo; diff --git a/.github/workflows/sast-full.yml b/.github/workflows/sast-full.yml index c326e2f402..ee477fc551 100644 --- a/.github/workflows/sast-full.yml +++ b/.github/workflows/sast-full.yml @@ -8,6 +8,11 @@ on: schedule: - cron: '17 * * * *' workflow_dispatch: + + + concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true permissions: contents: read security-events: write 
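Review bot: In the sast-full.yml hunk the added `concurrency:` line appears to be indented by one space (it shows as `+ concurrency:` where the other workflows use `+concurrency:`), which places it neither under `on:` nor at top level and is a YAML indentation error; it should sit at column 0 like `permissions:` below it, with `group:` and `cancel-in-progress:` indented two spaces. The two added blank lines before it (and in the auto-merge.yml and ci-rerun-flaky.yml hunks on the previous line) exceed the single blank line used between stanzas elsewhere. PATCH 06 reverts the other two files but not this one, so the indentation defect survives the series.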
@@ -21,23 +26,30 @@ jobs: matrix: language: [go, javascript] steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Initialize CodeQL - uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4with: + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - name: Initialize CodeQL + uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4 + with: languages: ${{ matrix.language }} - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4trivy-repo: + uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4 + + trivy-repo: name: Trivy Repository Scan runs-on: ubuntu-latest timeout-minutes: 15 steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0with: + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - name: Run Trivy + uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0 + with: scan-type: fs scan-ref: . format: sarif output: trivy-results.sarif - name: Upload Trivy SARIF - uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4if: always() + uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4 + if: always() with: sarif_file: trivy-results.sarif category: trivy 
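Review bot: Removing `- name: Perform CodeQL Analysis` leaves `uses: github/codeql-action/analyze@…` as a second `uses:` key inside the Initialize CodeQL step, so the analysis step is lost (duplicate key, rejected or last-wins depending on the parser) and no CodeQL results are uploaded. Restore the step boundary: `- name: Perform CodeQL Analysis` / `  uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4`. The Semgrep hunk on the next line makes the same mistake by dropping `- name: Upload SARIF`, which leaves `uses: …/upload-sarif` inside the step that runs semgrep.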
@@ -47,7 +59,10 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 20 steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5with: + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - name: Set up Python + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 + with: python-version: "3.12" - name: Install Semgrep run: python -m pip install --disable-pip-version-check semgrep==1.157.0 @@ -62,9 +77,9 @@ jobs: --sarif \ --output semgrep.sarif \ . - - name: Upload SARIF - uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4if: always() + uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4 + if: always() with: sarif_file: semgrep.sarif category: semgrep-full @@ -74,9 +89,11 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 15 steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4with: + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + with: fetch-depth: 0 - - - uses: trufflesecurity/trufflehog@6bd2d14f7a4bc1e569fa3550efa7ec632a4fa67b # v3.94.2with: + - name: Run TruffleHog + uses: trufflesecurity/trufflehog@6bd2d14f7a4bc1e569fa3550efa7ec632a4fa67b # v3.94.2 + with: path: ./ extra_args: --only-verified From b00b20593ec9be801b10c2967d497f0dc60948f5 Mon Sep 17 00:00:00 2001 
From: Forge Date: Wed, 6 May 2026 19:49:09 -0700 Subject: [PATCH 06/12] =?UTF-8?q?ci(workflows):=20fix=20YAML=20formatting?= =?UTF-8?q?=20=E2=80=94=20split=20merged=20`with:`=20from=20`uses:`=20line?= =?UTF-8?q?s?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Gitleaks identified multiple broken YAML patterns where `with:` keywords were concatenated to the end of `uses:` comment lines (e.g. `# v5with:`). Also fix step-level structure issues where `run:` / `env:` were misaligned. Affected workflows: ci, codeql, coderabbit-rate-limit-retry, docker-image, generate-sdks, pr-path-guard, pr-test-build, release-drafter, sast-quick, security-guard-hook-audit, alert-sync-issues, auto-merge, ci-rerun-flaky. Co-Authored-By: Claude Opus 4.7 --- .github/workflows/alert-sync-issues.yml | 4 -- .github/workflows/auto-merge.yml | 9 +-- .github/workflows/ci-rerun-flaky.yml | 9 +-- .github/workflows/ci.yml | 11 +-- .github/workflows/codeql.yml | 6 +- .../workflows/coderabbit-rate-limit-retry.yml | 3 +- .github/workflows/docker-image.yml | 17 +++-- .github/workflows/generate-sdks.yaml | 12 ++-- .github/workflows/pr-path-guard.yml | 8 ++- .github/workflows/pr-test-build.yml | 69 ++++++++++++------- .github/workflows/release-drafter.yml | 3 +- .github/workflows/sast-quick.yml | 24 ++++--- .../workflows/security-guard-hook-audit.yml | 3 +- 13 files changed, 104 insertions(+), 74 deletions(-) diff --git a/.github/workflows/alert-sync-issues.yml b/.github/workflows/alert-sync-issues.yml index 8d7071cd3f..1d9c423931 100644 --- a/.github/workflows/alert-sync-issues.yml +++ b/.github/workflows/alert-sync-issues.yml @@ -7,10 +7,6 @@ on: schedule: - cron: '17 * * * *' workflow_dispatch: -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - permissions: contents: read issues: write diff --git a/.github/workflows/auto-merge.yml b/.github/workflows/auto-merge.yml index aa1b537106..1704831085 100644 
--- a/.github/workflows/auto-merge.yml +++ b/.github/workflows/auto-merge.yml @@ -6,12 +6,6 @@ on: pull_request: branches: [main, master, develop] workflow_dispatch: - - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - permissions: contents: read pull-requests: write @@ -27,7 +21,6 @@ jobs: if: | contains(github.event.pull_request.labels.*.name, 'automerge') && !contains(github.event.pull_request.labels.*.name, 'do-not-merge') - uses: peter-evans/enable-pull-request-automerge@a660677d5469627102a1c1e11409dd063606628d # v3 - with: + uses: peter-evans/enable-pull-request-automerge@a660677d5469627102a1c1e11409dd063606628d # v3with: github-token: ${{ secrets.GITHUB_TOKEN }} merge-method: squash diff --git a/.github/workflows/ci-rerun-flaky.yml b/.github/workflows/ci-rerun-flaky.yml index cdc7293bc7..3de80037ba 100644 --- a/.github/workflows/ci-rerun-flaky.yml +++ b/.github/workflows/ci-rerun-flaky.yml @@ -6,12 +6,6 @@ on: pull_request: branches: [main, master, develop] workflow_dispatch: - - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - permissions: actions: write contents: read @@ -24,8 +18,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Rerun failed CI jobs and remove rerun label - uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7 - with: + uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7with: script: | const label = 'ci:rerun-flaky'; const { owner, repo } = context.repo; diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9f4b0afa45..edb6d83d52 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
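Review bot: The auto-merge.yml and ci-rerun-flaky.yml hunks re-join `with:` onto the `uses:` comment (`# v3with:` and `# v7with:`), undoing the split PATCH 05 made and reintroducing exactly the pattern this commit's message says it removes; `with:` and the inputs beneath it must stay on their own lines. If the intent was only to revert PATCH 05's concurrency blocks, drop the second hunk in each of these two files.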
@@ -24,17 +24,19 @@ jobs: steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 name: Refresh models catalog - run: | + - run: | git fetch --depth 1 https://github.com/router-for-me/models.git main mkdir -p pkg/llmproxy/registry/models git show FETCH_HEAD:models.json > pkg/llmproxy/registry/models/models.json - name: Setup Go - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with: + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5 + with: go-version: ${{ matrix.go-version }} - name: Cache Go modules - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4with: + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 + with: path: ~/go/pkg/mod key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} restore-keys: | @@ -50,7 +52,8 @@ jobs: run: go test ./... -v -race -coverprofile=coverage.out - name: Upload coverage - uses: codecov/codecov-action@ab904c41d6ece82784817410c45d8b8c02684457 # v3with: + uses: codecov/codecov-action@ab904c41d6ece82784817410c45d8b8c02684457 # v3 + with: files: ./coverage.out diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 6408df7030..6472988c8e 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -24,11 +24,13 @@ jobs: - name: Checkout uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 name: Initialize CodeQL - uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4with: + uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4 + with: languages: ${{ matrix.language }} config-file: .github/codeql/codeql-config.yml - name: Set up Go - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with: + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5 + with: go-version-file: go.mod cache: true - name: Build 
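Review bot: In ci.yml `@@ -24,17 +24,19 @@`, changing `run: |` to `- run: |` leaves `name: Refresh models catalog` attached to the checkout step and puts the `git fetch` / `git show` script in an anonymous step; the step that names the catalog refresh should be the one that runs it, i.e. `- name: Refresh models catalog` with `run: |` indented under it. The same key detachment recurs in docker-image `@@ -105,7 +110,7 @@` (`- env:`), pr-path-guard `@@ -14,16 +14,18 @@` (`- with:`, `- run:`), pr-test-build `@@ -190,7 +202,7 @@`, `@@ -220,7 +233,7 @@` and `@@ -327,13 +347,14 @@` (`- run:` split from `if: always()` and from `working-directory: docs`), and journey-gate `@@ -105,7 +105,7 @@` and `@@ -191,7 +191,7 @@`. In each case the key belongs indented under the existing `- name:` item, and a step left with only `name:` / `if:` / `id:` / `continue-on-error:` and no `run:` or `uses:` is rejected by the workflow parser.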
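Review bot: In the codeql.yml hunk `@@ -24,11 +24,13 @@`, the context lines `- name: Checkout` / `uses: actions/checkout@…` / `name: Initialize CodeQL` / `uses: github/codeql-action/init@…` form one step with `name` and `uses` each given twice, so either the parser rejects the duplicate keys or the last value wins and no checkout runs before CodeQL init; `name: Initialize CodeQL` needs to become a new list item, `- name: Initialize CodeQL`. The same continuation pattern is left in ci.yml above (`name: Refresh models catalog`) and in sast-quick `@@ -47,13 +50,15 @@` (`name: Analyze licenses`). Separately, the kept ref `actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683` carries two `@sha` suffixes and presumably cannot be resolved as an action; it recurs unfixed in ci, pr-path-guard, pr-test-build, sast-quick, security-guard-hook-audit, docker-image and pages-deploy in this commit, while PATCH 07 corrects it only in docs, sast-full and scorecard. Pick one pinned SHA per action (PATCH 07 uses `actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4`) and apply it consistently.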
diff --git a/.github/workflows/coderabbit-rate-limit-retry.yml b/.github/workflows/coderabbit-rate-limit-retry.yml index 07c86f9f39..684af49f72 100644 --- a/.github/workflows/coderabbit-rate-limit-retry.yml +++ b/.github/workflows/coderabbit-rate-limit-retry.yml @@ -18,7 +18,8 @@ jobs: runs-on: ubuntu-latest steps: - name: Re-request CodeRabbit when backlog is high and check is stale - uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7with: + uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7 + with: script: | const owner = context.repo.owner; const repo = context.repo.repo; diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml index 8141564a5d..ba34ec1793 100644 --- a/.github/workflows/docker-image.yml +++ b/.github/workflows/docker-image.yml @@ -24,7 +24,8 @@ jobs: git show FETCH_HEAD:models.json > internal/registry/models/models.json - name: Set up Docker Buildx uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3- name: Login to DockerHub - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3with: + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 + with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Generate Build Metadata @@ -33,7 +34,8 @@ jobs: echo COMMIT=`git rev-parse --short HEAD` >> $GITHUB_ENV echo BUILD_DATE=`date -u +%Y-%m-%dT%H:%M:%SZ` >> $GITHUB_ENV - name: Build and push (amd64) - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6with: + uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6 + with: context: . platforms: linux/amd64 push: true 
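Review bot: In docker-image `@@ -24,7 +24,8 @@`, the context line `uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3- name: Login to DockerHub` still has the login step swallowed into a comment, so the newly split `uses: docker/login-action@…` / `with:` lines become a second `uses` key on the Buildx step and `DOCKERHUB_USERNAME` / `DOCKERHUB_TOKEN` are handed to whichever action the parser keeps; there is no separate login step, so the push is not authenticated as intended. End the comment at `# v3` and start a new item with `- name: Login to DockerHub` before the `uses: docker/login-action` line. The same merged `# vN- name:` comment is kept as context in the arm64 and manifest jobs at `@@ -55,7 +57,8 @@` and `@@ -85,7 +89,8 @@`, in generate-sdks `@@ -15,7 +15,8 @@` and `@@ -44,7 +46,8 @@` (`- name: Setup Python`, `- name: Setup Node`), and throughout pr-test-build (`# v4- name: Set up Go`); each of those jobs currently has a lost step.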
@@ -55,7 +57,8 @@ jobs: git show FETCH_HEAD:models.json > internal/registry/models/models.json - name: Set up Docker Buildx uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3- name: Login to DockerHub - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3with: + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 + with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Generate Build Metadata @@ -64,7 +67,8 @@ jobs: echo COMMIT=`git rev-parse --short HEAD` >> $GITHUB_ENV echo BUILD_DATE=`date -u +%Y-%m-%dT%H:%M:%SZ` >> $GITHUB_ENV - name: Build and push (arm64) - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6with: + uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6 + with: context: . platforms: linux/arm64 push: true @@ -85,7 +89,8 @@ jobs: - name: Checkout uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Set up Docker Buildx uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3- name: Login to DockerHub - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3with: + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 + with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Generate Build Metadata @@ -105,7 +110,7 @@ jobs: "${DOCKERHUB_REPO}:${VERSION}-arm64" - name: Cleanup temporary tags continue-on-error: true - env: + - env: DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }} run: | diff --git a/.github/workflows/generate-sdks.yaml b/.github/workflows/generate-sdks.yaml index 2cb96c9af6..f24183ee6b 100644 --- a/.github/workflows/generate-sdks.yaml +++ b/.github/workflows/generate-sdks.yaml 
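Review bot: `- env:` in docker-image `@@ -105,7 +110,7 @@` starts a new step, so `continue-on-error: true` stays on a step that has no `run:` or `uses:` (which the parser rejects), while the step that actually runs with `DOCKERHUB_USERNAME` / `DOCKERHUB_TOKEN` loses the best-effort flag and becomes a hard failure point for the release. Keep `env:` indented under `- name: Cleanup temporary tags` at the same level as `continue-on-error:`. The step's run block continues past the end of the hunk.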
@@ -15,7 +15,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4- name: Setup Python - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5with: + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 + with: python-version: '3.14' - name: Install OpenAPI Generator @@ -32,7 +33,8 @@ jobs: --additional-properties=pythonVersion==3.12,generateSourceCodeOnly=true - name: Create Pull Request - uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6with: + uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6 + with: commit-message: 'chore: generate Python SDK' title: 'chore: generate Python SDK' body: | @@ -44,7 +46,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4- name: Setup Node - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4with: + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 + with: node-version: '20' - name: Install OpenAPI Generator @@ -60,7 +63,8 @@ jobs: --additional-properties=typescriptVersion=5.0,npmName=@cliproxy/api - name: Create Pull Request - uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6with: + uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6 + with: commit-message: 'chore: generate TypeScript SDK' title: 'chore: generate TypeScript SDK' body: | diff --git a/.github/workflows/pr-path-guard.yml b/.github/workflows/pr-path-guard.yml index 70e823bcd0..a585f4706a 100644 --- a/.github/workflows/pr-path-guard.yml +++ b/.github/workflows/pr-path-guard.yml 
@@ -14,16 +14,18 @@ jobs: name: ensure-no-translator-changes runs-on: ubuntu-latest steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4with: + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - with: fetch-depth: 0 - name: Detect pkg/llmproxy/translator changes id: changed-files - uses: tj-actions/changed-files@48d8f15b2aaa3d255ca5af3eba4870f807ce6b3c # v45with: + uses: tj-actions/changed-files@48d8f15b2aaa3d255ca5af3eba4870f807ce6b3c # v45 + with: files: | pkg/llmproxy/translator/** - name: Fail when restricted paths change if: steps.changed-files.outputs.any_changed == 'true' && !(startsWith(github.head_ref, 'feature/koosh-migrate') || startsWith(github.head_ref, 'feature/migrate-') || startsWith(github.head_ref, 'migrated/') || startsWith(github.head_ref, 'ci/fix-feature-koosh-migrate') || startsWith(github.head_ref, 'ci/fix-feature-migrate-') || startsWith(github.head_ref, 'ci/fix-migrated/') || startsWith(github.head_ref, 'ci/fix-feat-')) - run: | + - run: | # Filter out whitelisted translator files (formatting-only and hotfix paths) disallowed_files="$(printf '%s\n' \ $(printf '%s' '${{ steps.changed-files.outputs.all_changed_files }}' | tr ',' '\n') \ diff --git a/.github/workflows/pr-test-build.yml b/.github/workflows/pr-test-build.yml index 2e2cfd29bc..0135d44fbb 100644 --- a/.github/workflows/pr-test-build.yml +++ b/.github/workflows/pr-test-build.yml @@ -21,7 +21,8 @@ jobs: git fetch --depth 1 https://github.com/router-for-me/models.git main git show FETCH_HEAD:models.json > internal/registry/models/models.json - name: Set up Go - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with: + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5 + with: go-version-file: go.mod cache: true - name: Build 
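Review bot: `- with:` in pr-path-guard `@@ -14,16 +14,18 @@` creates a step that has only `with:` (invalid) and detaches `fetch-depth: 0` from the checkout, and `- run: |` further down detaches the script from the `if:` that limits the failure to changed translator paths on non-migration branches, so the guard either fails to parse or runs its script unconditionally. Both keys belong indented under their `- uses:` / `- name:` item; the same `- with:` split is made in sast-quick `@@ -21,9 +21,11 @@` and `@@ -61,10 +66,12 @@`. Separately, the kept line `$(printf '%s' '${{ steps.changed-files.outputs.all_changed_files }}' | tr ',' '\n')` expands PR-controlled file names directly into the shell script; passing the list through an `env:` variable and reading it as `"$ALL_CHANGED_FILES"` keeps an unusual filename from being interpreted by the shell. The run block continues beyond the hunk.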
@@ -43,7 +44,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Set up Go - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with: + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5 + with: go-version-file: go.mod cache: true - name: Run full tests with baseline @@ -57,7 +59,8 @@ jobs: exit "${test_exit}" - name: Upload baseline artifact if: always() - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v4with: + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v4 + with: name: go-test-baseline path: target/test-baseline.json if-no-files-found: warn @@ -68,7 +71,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Set up Go - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with: + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5 + with: go-version-file: go.mod cache: true - name: Install golangci-lint @@ -82,7 +86,8 @@ jobs: go install honnef.co/go/tools/cmd/staticcheck@latest fi - name: Install Task - uses: arduino/setup-task@{"message":"Not Found","documentation_url":"https://docs.github.com/rest/git/refs#get-a-reference","status":"404"} # v2with: + uses: arduino/setup-task@{"message":"Not Found","documentation_url":"https://docs.github.com/rest/git/refs#get-a-reference","status":"404"} # v2 + with: version: 3.x repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Run CI quality gates 
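Review bot: The line `uses: arduino/setup-task@{"message":"Not Found","documentation_url":"https://docs.github.com/rest/git/refs#get-a-reference","status":"404"} # v2` in pr-test-build `@@ -82,7 +86,8 @@` is kept on the new side with a GitHub API error body in place of a commit SHA, so the step cannot resolve the action and every job that installs Task fails at setup; the same line recurs at `@@ -106,7 +112,8 @@`, `@@ -120,11 +127,13 @@`, `@@ -232,11 +245,13 @@` and `@@ -248,11 +263,13 @@`. Replace it with a real pinned ref, `uses: arduino/setup-task@<commit-sha-of-the-v2-release> # v2`, and have the pinning script abort on a non-2xx response instead of writing the body into the workflow.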
@@ -97,7 +102,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Set up Go - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with: + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5 + with: go-version-file: go.mod cache: true - name: Install golangci-lint @@ -106,7 +112,8 @@ jobs: go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.1.6 fi - name: Install Task - uses: arduino/setup-task@{"message":"Not Found","documentation_url":"https://docs.github.com/rest/git/refs#get-a-reference","status":"404"} # v2with: + uses: arduino/setup-task@{"message":"Not Found","documentation_url":"https://docs.github.com/rest/git/refs#get-a-reference","status":"404"} # v2 + with: version: 3.x repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Check staged/diff files in PR range @@ -120,11 +127,13 @@ jobs: steps: - name: Checkout uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Set up Go - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with: + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5 + with: go-version-file: go.mod cache: true - name: Install Task - uses: arduino/setup-task@{"message":"Not Found","documentation_url":"https://docs.github.com/rest/git/refs#get-a-reference","status":"404"} # v2with: + uses: arduino/setup-task@{"message":"Not Found","documentation_url":"https://docs.github.com/rest/git/refs#get-a-reference","status":"404"} # v2 + with: version: 3.x repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Verify formatting 
@@ -136,7 +145,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Set up Go - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with: + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5 + with: go-version-file: go.mod cache: true - name: Install golangci-lint @@ -154,7 +164,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Set up Go - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with: + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5 + with: go-version-file: go.mod cache: true - name: Run route lifecycle tests @@ -173,7 +184,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Set up Go - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with: + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5 + with: go-version-file: go.mod cache: true - name: Build cliproxy proxy @@ -190,7 +202,7 @@ jobs: ./scripts/provider-smoke-matrix.sh - name: Stop proxy if: always() - run: | + - run: | if [ -f /tmp/cliproxy-smoke.pid ]; then kill "$(cat /tmp/cliproxy-smoke.pid)" || true fi @@ -206,7 +218,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Set up Go - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with: + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5 + with: go-version-file: go.mod cache: true - name: Build cliproxy proxy 
@@ -220,7 +233,7 @@ jobs: run: ./scripts/provider-smoke-matrix-cheapest.sh - name: Stop proxy if: always() - run: | + - run: | if [ -f /tmp/cliproxy-smoke.pid ]; then kill "$(cat /tmp/cliproxy-smoke.pid)" || true fi @@ -232,11 +245,13 @@ jobs: steps: - name: Checkout uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Set up Go - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with: + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5 + with: go-version-file: go.mod cache: true - name: Install Task - uses: arduino/setup-task@{"message":"Not Found","documentation_url":"https://docs.github.com/rest/git/refs#get-a-reference","status":"404"} # v2with: + uses: arduino/setup-task@{"message":"Not Found","documentation_url":"https://docs.github.com/rest/git/refs#get-a-reference","status":"404"} # v2 + with: version: 3.x repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Run startup and control-plane smoke tests @@ -248,11 +263,13 @@ jobs: steps: - name: Checkout uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Set up Go - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with: + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5 + with: go-version-file: go.mod cache: true - name: Install Task - uses: arduino/setup-task@{"message":"Not Found","documentation_url":"https://docs.github.com/rest/git/refs#get-a-reference","status":"404"} # v2with: + uses: arduino/setup-task@{"message":"Not Found","documentation_url":"https://docs.github.com/rest/git/refs#get-a-reference","status":"404"} # v2 + with: version: 3.x repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Validate config compatibility path 
@@ -265,7 +282,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Set up Go - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with: + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5 + with: go-version-file: go.mod cache: true - name: Run targeted critical-path checks @@ -276,7 +294,8 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4with: + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + with: fetch-depth: 0 - name: Detect change scopes run: | @@ -317,7 +336,8 @@ jobs: echo "scope=${scope}" >> "$GITHUB_ENV" echo "scope=${scope}" > target/changelog-scope.txt - name: Upload changelog scope artifact - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v4with: + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v4 + with: name: changelog-scope path: target/changelog-scope.txt @@ -327,13 +347,14 @@ jobs: steps: - name: Checkout uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Setup Node - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4with: + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4 + with: node-version: "20" cache: "npm" cache-dependency-path: docs/package.json - name: Build docs working-directory: docs - run: | + - run: | npm install npm run docs:build diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml index c102a8b9e4..9bfb7c1a12 100644 --- a/.github/workflows/release-drafter.yml 
+++ b/.github/workflows/release-drafter.yml @@ -13,5 +13,6 @@ jobs: update_release_draft: runs-on: ubuntu-latest steps: - - uses: release-drafter/release-drafter@6a93d829887aa2e0748befe2e808c66c0ec6e4c7 # v6env: + - uses: release-drafter/release-drafter@6a93d829887aa2e0748befe2e808c66c0ec6e4c7 # v6 + with: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/sast-quick.yml b/.github/workflows/sast-quick.yml index 0cd67ea978..c44743b96b 100644 --- a/.github/workflows/sast-quick.yml +++ b/.github/workflows/sast-quick.yml @@ -21,9 +21,11 @@ jobs: # Tier 3: Advisory - security enrichment only continue-on-error: true steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4with: + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - with: fetch-depth: 0 - - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5with: + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 + - with: python-version: "3.12" - name: Install Semgrep run: python -m pip install --disable-pip-version-check semgrep==1.157.0 @@ -33,7 +35,8 @@ jobs: run: | semgrep scan --sarif --sarif-output=semgrep.sarif --max-target-bytes 1000000 --quiet --config=auto || true - name: Upload SARIF - uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4if: always() + uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4 + if: always() with: sarif_file: semgrep.sarif 
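Review bot: The release-drafter hunk `@@ -13,5 +13,6 @@` rewrites the old `# v6env:` tail as `with:`, but the key beneath it is `GITHUB_TOKEN`, which the original file passed as an environment variable; unless the action declares a `GITHUB_TOKEN` input, the token is now an unexpected input and the draft update runs without credentials. Restore `env:` in that position: `- uses: release-drafter/release-drafter@6a93d829887aa2e0748befe2e808c66c0ec6e4c7 # v6` / `env:` / `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}`. The gitleaks step in sast-quick `@@ -61,10 +66,12 @@` shows the same `# v2env:` tail correctly restored as `env:`.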
@@ -47,13 +50,15 @@ jobs: steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 name: Analyze licenses - uses: fsfe/reuse-action@3ae3c6bdf1257ab19397fab11fd3312144692083 # v4continue-on-error: true # Allow findings but don't fail + uses: fsfe/reuse-action@3ae3c6bdf1257ab19397fab11fd3312144692083 # v4 + continue-on-error: true # Allow findings but don't fail - name: Check for non-reusable licenses run: | # Check for problematic licenses grep -r "GPL\|AGPL" --include="*.toml" --include="*.json" . || true - name: Check license compliance - uses: fsfe/reuse-action@3ae3c6bdf1257ab19397fab11fd3312144692083 # v4continue-on-error: true + uses: fsfe/reuse-action@3ae3c6bdf1257ab19397fab11fd3312144692083 # v4 + continue-on-error: true # Secret Scanning - Tier 2: Important (runs in parallel) secrets: @@ -61,10 +66,12 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 5 steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4with: + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - with: fetch-depth: 0 - name: Run Gitleaks - uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2env: + uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2 + env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: args: --verbose --redact @@ -77,6 +84,7 @@ jobs: output: trivy-results.sarif continue-on-error: true - name: Upload Trivy results - uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4if: always() + uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4 + if: always() with: sarif_file: 'trivy-results.sarif' diff --git a/.github/workflows/security-guard-hook-audit.yml b/.github/workflows/security-guard-hook-audit.yml index bb33214d86..1de913bb59 100644 
--- a/.github/workflows/security-guard-hook-audit.yml +++ b/.github/workflows/security-guard-hook-audit.yml @@ -14,7 +14,8 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4with: + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + with: fetch-depth: 0 - name: Wire Git hook path and verify guard hook From 9f684c9abf1f7ef867f6cada904de0c6c12f4006 Mon Sep 17 00:00:00 2001 From: Forge Date: Wed, 6 May 2026 20:24:44 -0700 Subject: [PATCH 07/12] =?UTF-8?q?ci(workflows):=20fix=20YAML=20formatting?= =?UTF-8?q?=20=E2=80=94=20split=20merged=20`with:`=20from=20`uses:`=20line?= =?UTF-8?q?s=20(batch=202)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix broken YAML syntax where `with:` keywords were concatenated to `uses:` comment lines (e.g. `# v4with:`). Also fix step structure issues where `run:` / `env:` / `name:` prefixes were misaligned or missing. Affected workflows: auto-merge, ci-rerun-flaky, docs, journey-gate, pages-deploy, release-batch, release, sast-full, scorecard. Co-Authored-By: Claude Opus 4.7 --- .github/workflows/auto-merge.yml | 3 +- .github/workflows/ci-rerun-flaky.yml | 3 +- .github/workflows/docs.yml | 20 +++++++++----- .github/workflows/journey-gate.yml | 4 +-- .github/workflows/pages-deploy.yml | 3 +- .github/workflows/release-batch.yaml | 7 ++--- .github/workflows/release.yaml | 18 +++++++----- .github/workflows/sast-full.yml | 41 +++++++++++++--------------- .github/workflows/scorecard.yml | 19 ++++++------- 9 files changed, 60 insertions(+), 58 deletions(-) diff --git a/.github/workflows/auto-merge.yml b/.github/workflows/auto-merge.yml index 1704831085..bcc51830f7 100644 --- a/.github/workflows/auto-merge.yml +++ b/.github/workflows/auto-merge.yml 
@@ -21,6 +21,7 @@ jobs: if: | contains(github.event.pull_request.labels.*.name, 'automerge') && !contains(github.event.pull_request.labels.*.name, 'do-not-merge') - uses: peter-evans/enable-pull-request-automerge@a660677d5469627102a1c1e11409dd063606628d # v3with: + uses: peter-evans/enable-pull-request-automerge@a660677d5469627102a1c1e11409dd063606628d # v3 + with: github-token: ${{ secrets.GITHUB_TOKEN }} merge-method: squash diff --git a/.github/workflows/ci-rerun-flaky.yml b/.github/workflows/ci-rerun-flaky.yml index 3de80037ba..d999b333fc 100644 --- a/.github/workflows/ci-rerun-flaky.yml +++ b/.github/workflows/ci-rerun-flaky.yml @@ -18,7 +18,8 @@ jobs: runs-on: ubuntu-latest steps: - name: Rerun failed CI jobs and remove rerun label - uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7with: + uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7 + with: script: | const label = 'ci:rerun-flaky'; const { owner, repo } = context.repo; diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index e86ee1aca7..d177e7c293 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -6,6 +6,7 @@ on: pull_request: branches: [main, master, develop] workflow_dispatch: + concurrency: group: pages-${{ github.ref }} cancel-in-progress: true 
@@ -22,15 +23,18 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Setup Node - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4with: + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + + - name: Setup Node + uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4 + with: node-version: "20" cache: "npm" cache-dependency-path: docs/package.json - name: Setup Bun - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2with: + uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2 + with: bun-version: latest - name: Install OXC dependencies @@ -54,7 +58,8 @@ jobs: run: test -f docs/.vitepress/dist/index.html - name: Upload pages artifact - uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3with: + uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3 + with: path: docs/.vitepress/dist/ build-skip-branch-ci-unblock: @@ -76,6 +81,7 @@ jobs: steps: - name: Configure Pages uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5 - name: Deploy + + - name: Deploy id: deployment - uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4 \ No newline at end of file + uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4 diff --git a/.github/workflows/journey-gate.yml b/.github/workflows/journey-gate.yml index 775619e27d..c784e6cb54 100644 --- a/.github/workflows/journey-gate.yml +++ b/.github/workflows/journey-gate.yml @@ -105,7 +105,7 @@ jobs: # --------------------------------------------------------------------- - name: Discover manifests id: discover - run: | + - run: | GLOB="${MANIFEST_PATH:-**/manifest.verified.json}" echo "Glob pattern: $GLOB" 
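Review bot: In journey-gate `@@ -105,7 +105,7 @@`, `- run: |` moves the manifest discovery script into a new anonymous step, so the step carrying `id: discover` has no `run:` and sets no outputs; the live-verification step in `@@ -191,7 +191,7 @@` reads `${{ steps.discover.outputs.MANIFEST_LIST }}` and would see an empty list. In that second hunk `- env:` likewise splits `if: inputs.live_verification && github.event.inputs.live_verification != 'false'` from the step that holds `ANTHROPIC_API_KEY` and the run, so the live call is no longer gated by the input and the key is handed to a step that always runs. Keep `run:` and `env:` indented under their `- name:` items. Both scripts continue past the hunks.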
@@ -191,7 +191,7 @@ jobs: # --------------------------------------------------------------------- - name: Live verification if: inputs.live_verification && github.event.inputs.live_verification != 'false' - env: + - env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} MANIFEST_LIST: ${{ steps.discover.outputs.MANIFEST_LIST }} run: | diff --git a/.github/workflows/pages-deploy.yml b/.github/workflows/pages-deploy.yml index 3e26672bef..76fa1ea018 100644 --- a/.github/workflows/pages-deploy.yml +++ b/.github/workflows/pages-deploy.yml @@ -16,7 +16,6 @@ jobs: url: ${{ steps.deployment.outputs.page_url }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- uses: actions/configure-pages@1f0c5cde4bc74cd7e1254d0cb4de8d49e9068c7d # v4- uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3with: - path: '.' + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- uses: actions/configure-pages@1f0c5cde4bc74cd7e1254d0cb4de8d49e9068c7d # v4- uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3 - id: deployment uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4 \ No newline at end of file diff --git a/.github/workflows/release-batch.yaml b/.github/workflows/release-batch.yaml index 5beb4eab5b..ffd8d0e073 100644 --- a/.github/workflows/release-batch.yaml +++ b/.github/workflows/release-batch.yaml 
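Review bot: The pages-deploy hunk `@@ -16,7 +16,6 @@` deletes `with:` / `path: '.'` but keeps the triple-merged line `- uses: actions/checkout@…@… # v4- uses: actions/configure-pages@… # v4- uses: actions/upload-pages-artifact@… # v3`, so configure-pages and upload-pages-artifact remain comment text and the job reaches `deploy-pages` without ever uploading an artifact. Split that line into three `- uses:` items (with a single `@sha` on the checkout) and restore `with:` / `path: '.'` under the upload step if the repository root is what should be published. Deleting the mis-indented lines instead of re-indenting them silently drops configuration.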
@@ -17,12 +17,9 @@ jobs: release-batch: runs-on: ubuntu-latest steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4with: - fetch-depth: 0 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - run: git fetch --force --tags - - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with: - go-version: ">=1.26.0" - cache: true + - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5 - name: Configure git run: | git config --global user.email "github-actions[bot]@users.noreply.github.com" diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 8c7cf1d9ce..11448f2577 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -13,14 +13,16 @@ jobs: goreleaser: runs-on: ubuntu-latest steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4with: + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: fetch-depth: 0 - name: Refresh models catalog run: | git fetch --depth 1 https://github.com/router-for-me/models.git main git show FETCH_HEAD:models.json > internal/registry/models/models.json - run: git fetch --force --tags - - uses: actions/setup-go@7b8cf10d4e4a01d4992d18a89f4d7dc5a3e6d6f4 # v4with: + - uses: actions/setup-go@7b8cf10d4e4a01d4992d18a89f4d7dc5a3e6d6f4 # v4 + with: go-version: '>=1.26.0' cache: true - name: Generate Build Metadata @@ -28,7 +30,8 @@ jobs: echo "VERSION=${GITHUB_REF_NAME}" >> $GITHUB_ENV echo COMMIT=`git rev-parse --short HEAD` >> $GITHUB_ENV echo BUILD_DATE=`date -u +%Y-%m-%dT%H:%M:%SZ` >> $GITHUB_ENV - - uses: goreleaser/goreleaser-action@5fdedb94abba051217030cc86d4523cf3f02243d # v4with: + - uses: goreleaser/goreleaser-action@5fdedb94abba051217030cc86d4523cf3f02243d # v4 + with: distribution: goreleaser version: latest args: release --clean --skip=validate 
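Review bot: In release-batch `@@ -17,12 +17,9 @@`, the mis-attached `with:` blocks are deleted rather than re-indented, so the checkout loses `fetch-depth: 0` (the following `git fetch --force --tags` and any tag-based versioning then operate on a shallow clone) and `setup-go` loses `go-version: ">=1.26.0"` / `cache: true`, falling back to whatever Go the runner image provides, which may not satisfy the `go 1.26.0` directive in go.mod shown in PATCH 08. Re-indent the removed lines under `with:` on each step instead, as release.yaml `@@ -13,14 +13,16 @@` does for the same two actions.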
@@ -37,13 +40,13 @@ jobs: VERSION: ${{ env.VERSION }} COMMIT: ${{ env.COMMIT }} BUILD_DATE: ${{ env.BUILD_DATE }} - build-termux: name: Build Termux (aarch64) runs-on: ubuntu-24.04-arm steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4with: + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: fetch-depth: 0 - name: Build in Termux Container run: | @@ -51,7 +54,7 @@ jobs: VERSION=$(git describe --tags --always --dirty | sed 's/^v//') COMMIT=$(git rev-parse --short HEAD) BUILD_DATE=$(date -u +%Y-%m-%dT%H:%M:%SZ) - + # Ensure the workspace is writable by the container chmod -R 777 . @@ -65,7 +68,8 @@ jobs: tar -czf cli-proxy-api-termux-aarch64.tar.gz cli-proxy-api LICENSE README.md README_CN.md config.example.yaml " - name: Upload to Release - uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2if: startsWith(github.ref, 'refs/tags/') + uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2 + if: startsWith(github.ref, 'refs/tags/') with: files: cli-proxy-api-termux-aarch64.tar.gz env: diff --git a/.github/workflows/sast-full.yml b/.github/workflows/sast-full.yml index ee477fc551..e4b4a8d073 100644 --- a/.github/workflows/sast-full.yml +++ b/.github/workflows/sast-full.yml @@ -9,10 +9,6 @@ on: - cron: '17 * * * *' workflow_dispatch: - - concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true permissions: contents: read security-events: write 
@@ -26,29 +22,31 @@ jobs: matrix: language: [go, javascript] steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - - name: Initialize CodeQL - uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + with: + fetch-depth: 0 + - uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4 with: languages: ${{ matrix.language }} - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4 + - uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4 + with: + category: "/lang:${{ matrix.language }}" trivy-repo: name: Trivy Repository Scan runs-on: ubuntu-latest timeout-minutes: 15 steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - - name: Run Trivy - uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + with: + fetch-depth: 0 + - uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0 with: scan-type: fs scan-ref: . format: sarif output: trivy-results.sarif - - name: Upload Trivy SARIF - uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4 + - uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4 if: always() with: sarif_file: trivy-results.sarif 
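Review bot: The sast-full hunk `@@ -26,29 +22,31 @@` drops the `- name:` lines from the CodeQL and Trivy steps, so the run log shows bare action refs, and adds `fetch-depth: 0` to both checkouts; CodeQL and a filesystem Trivy scan do not appear to use git history, so the full clone only adds time, whereas the TruffleHog checkout in `@@ -89,11 +87,10 @@` is the one that needs it. Consider keeping the step names and limiting `fetch-depth: 0` to the secrets job, unless something in those jobs relies on tags or history.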
@@ -59,9 +57,10 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 20 steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - - name: Set up Python - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + with: + fetch-depth: 0 + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 with: python-version: "3.12" - name: Install Semgrep @@ -77,8 +76,7 @@ jobs: --sarif \ --output semgrep.sarif \ . - - name: Upload SARIF - uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4 + - uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4 if: always() with: sarif_file: semgrep.sarif @@ -89,11 +87,10 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 15 steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: fetch-depth: 0 - - name: Run TruffleHog - uses: trufflesecurity/trufflehog@6bd2d14f7a4bc1e569fa3550efa7ec632a4fa67b # v3.94.2 + - uses: trufflesecurity/trufflehog@6bd2d14f7a4bc1e569fa3550efa7ec632a4fa67b # v3.94.2 with: path: ./ extra_args: --only-verified diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 10dea87aa7..e0369dcff9 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -1,7 +1,4 @@ name: OpenSSF Scorecard -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true on: push: @@ -9,10 +6,6 @@ on: pull_request: branches: [main, master, develop] branch_protection_rule: -permissions: - contents: read - security-events: write - actions: read permissions: read-all 
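Review bot: With the duplicate top-level `permissions:` mapping removed from scorecard.yml, `permissions: read-all` is the only workflow-level grant left, so the scorecard job must carry `security-events: write` (SARIF upload) and `id-token: write` (needed for `publish_results: true`) at job level. Only `actions: read` of that job-level block is visible in the next hunk, so confirm both keys are present; a read-only token makes the upload step fail rather than skip. Deleting the duplicate key was correct in any case — GitHub's workflow parser rejects duplicate mapping keys, and a lenient YAML parser would silently keep whichever block came last.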
@@ -27,18 +20,22 @@ jobs: actions: read steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4with: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + with: persist-credentials: false - - uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2with: + - uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2 + with: results_file: results.sarif results_format: sarif publish_results: true - - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v4with: + - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v4 + with: name: SARIF file path: results.sarif retention-days: 5 - - uses: github/codeql-action/upload-sarif@ce64ddcb0d8d890d2df4a9d1c04ff297367dea2a # v3with: + - uses: github/codeql-action/upload-sarif@ce64ddcb0d8d890d2df4a9d1c04ff297367dea2a # v3 + with: sarif_file: results.sarif From 94497b38420d40433800ad0da853291f446a0d4b Mon Sep 17 00:00:00 2001 From: Forge Date: Thu, 7 May 2026 16:45:29 -0700 Subject: [PATCH 08/12] chore(cliproxyapi-plusplus): commit pending audit updates --- docs/.vitepress/theme/index.ts | 1 + go.mod | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/.vitepress/theme/index.ts b/docs/.vitepress/theme/index.ts index 031d421c3a..aed7e64a62 100644 --- a/docs/.vitepress/theme/index.ts +++ b/docs/.vitepress/theme/index.ts @@ -2,6 +2,7 @@ import DefaultTheme from "vitepress/theme"; import type { Theme } from "vitepress"; import CategorySwitcher from "./components/CategorySwitcher.vue"; import "./custom.css"; +import "./style.css"; const theme: Theme = { ...DefaultTheme, diff --git a/go.mod b/go.mod index c95a2dbec1..297b0e8412 100644 --- a/go.mod +++ b/go.mod @@ -1,4 +1,4 @@ -module github.com/kooshapari/CLIProxyAPI/v7 +module github.com/KooshaPari/cliproxyapi-plusplus/v7 go 1.26.0 
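Review bot: The SARIF upload in this hunk stays on `github/codeql-action/upload-sarif@ce64ddcb… # v3` while sast-full.yml in the same series pins `github/codeql-action/*@95e58e9a… # v4`; two pinned versions of the same action across workflows doubles the supply-chain surface to track and guarantees one of them is missed at the next advisory or deprecation. Align on the v4 pin already in use: `- uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4`. `persist-credentials: false` on the checkout is the right setting for a job whose results are published externally.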
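Review bot: This hunk changes the module path to `github.com/KooshaPari/cliproxyapi-plusplus/v7`, but the diffstat shows only go.mod and a docs file touched, so every internal import that still spells `github.com/kooshapari/CLIProxyAPI/v7/...` (Go matches module paths byte-for-byte, case included) stops resolving and the build breaks. A module rename has to land together with the import rewrite across `*.go` files and a `go mod tidy` in the same commit. PATCH 11 later in this series reverts the line, which suggests the breakage was noticed; dropping both commits from the series would avoid shipping the churn.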
From 2d37b46d4ac84e3d4dffee12c1ce9f03080c2280 Mon Sep 17 00:00:00 2001 From: Forge Date: Wed, 20 May 2026 00:34:51 -0700 Subject: [PATCH 09/12] chore: add missing governance files --- .github/ISSUE_TEMPLATE/config.yml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .github/ISSUE_TEMPLATE/config.yml diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml new file mode 100644 index 0000000000..f75a96b205 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/config.yml @@ -0,0 +1,5 @@ +blank_issues_enabled: true +contact_links: + - name: Phenotype org + url: https://github.com/KooshaPari + about: Other Phenotype-ecosystem repos and discussions From 9b2d42db6d55ecacee07d095fd9d7006e32e8fe0 Mon Sep 17 00:00:00 2001 From: Forge Date: Sat, 23 May 2026 21:42:35 -0700 Subject: [PATCH 10/12] chore: pin CI actions to immutable SHAs --- .github/workflows/alert-sync-issues.yml | 2 +- .github/workflows/ci.yml | 2 +- .github/workflows/codeql.yml | 2 +- .github/workflows/docker-image.yml | 18 ++++-- .github/workflows/generate-sdks.yaml | 8 ++- .github/workflows/journey-gate.yml | 2 +- .github/workflows/lint-test.yml | 4 +- .github/workflows/pages-deploy.yml | 8 ++- .github/workflows/policy-gate.yml | 3 +- .github/workflows/pr-path-guard.yml | 4 +- .github/workflows/pr-test-build.yml | 57 ++++++++++++------- .github/workflows/quality-gate.yml | 3 +- .../workflows/required-check-names-guard.yml | 3 +- .github/workflows/sast-quick.yml | 16 +++--- .../workflows/security-guard-hook-audit.yml | 2 +- .github/workflows/tag-automation.yml | 3 +- .github/workflows/trufflehog.yml | 2 +- .gitignore | 16 ++++++ 18 files changed, 101 insertions(+), 54 deletions(-) diff --git a/.github/workflows/alert-sync-issues.yml b/.github/workflows/alert-sync-issues.yml index 1d9c423931..b74e7bc75c 100644 --- a/.github/workflows/alert-sync-issues.yml +++ b/.github/workflows/alert-sync-issues.yml 
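Review bot: `blank_issues_enabled: true` with a single ecosystem `contact_links` entry means someone who finds a credential leak or exploitable bug in this proxy has no pointer to a private channel and will most likely file it as a public issue. Add a contact link to private vulnerability reporting, e.g. `- name: Report a security vulnerability` / `url: https://github.com/KooshaPari/<repo>/security/advisories/new` / `about: Please do not file security issues publicly`, and point at SECURITY.md if the repo has one (not visible here). Leaving blank issues enabled is fine once that link exists.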
@@ -13,7 +13,7 @@ permissions: jobs: sync: - uses: KooshaPari/phenoShared/.github/workflows/alert-sync-issues.yml@main + uses: KooshaPari/phenoShared/.github/workflows/alert-sync-issues.yml@4b820a6d1eca7884e692e4ec4edf2b59732809cd with: auto-label: auto-alert-sync min_severity: high diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index edb6d83d52..312e3750ce 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -22,7 +22,7 @@ jobs: go-version: ['1.21', '1.22'] steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 name: Refresh models catalog - run: | git fetch --depth 1 https://github.com/router-for-me/models.git main diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 6472988c8e..f311d3e784 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -22,7 +22,7 @@ jobs: language: [go] steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 name: Initialize CodeQL uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4 with: diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml index ba34ec1793..a619221bc0 100644 --- a/.github/workflows/docker-image.yml +++ b/.github/workflows/docker-image.yml 
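Review bot: In the ci.yml hunk the `name: Refresh models catalog` line now belongs to the checkout step (it follows `- uses: actions/checkout@…` at the same indent), while the `- run: |` that actually fetches the catalog is an unnamed step, so the log shows a step called "Refresh models catalog" that only checks out code. Move the name onto the run step: `- name: Refresh models catalog` / `run: |`. Indentation is hard to read in the collapsed diff, so verify against the file.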
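Review bot: In the codeql.yml hunk the step beginning `- name: Checkout` still holds a second `name: Initialize CodeQL` and a second `uses: github/codeql-action/init@…` in the same mapping (no `- ` before the second `name:`), so the step has duplicate `name` and `uses` keys; GitHub's parser rejects duplicate keys, and a lenient parser would keep the last value and drop the checkout, leaving CodeQL to initialise on an empty workspace. Re-pinning the checkout SHA does not address this. The second pair needs its own list item: `- name: Initialize CodeQL` / `uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4`. The same fused-step pattern is repaired in the other workflows of this commit but not here.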
@@ -18,12 +18,14 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Refresh models catalog + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - name: Refresh models catalog run: | git fetch --depth 1 https://github.com/router-for-me/models.git main git show FETCH_HEAD:models.json > internal/registry/models/models.json - name: Set up Docker Buildx - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3- name: Login to DockerHub + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 + - name: Login to DockerHub uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 with: username: ${{ secrets.DOCKERHUB_USERNAME }} @@ -51,12 +53,14 @@ jobs: runs-on: ubuntu-24.04-arm steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Refresh models catalog + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - name: Refresh models catalog run: | git fetch --depth 1 https://github.com/router-for-me/models.git main git show FETCH_HEAD:models.json > internal/registry/models/models.json - name: Set up Docker Buildx - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3- name: Login to DockerHub + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 + - name: Login to DockerHub uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 with: username: ${{ secrets.DOCKERHUB_USERNAME }} 
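Review bot: The "Refresh models catalog" step touched in both docker hunks fetches `main` of a third-party repository (`router-for-me/models`) at build time and writes it into `internal/registry/models/models.json` before the image is built, so every published image depends on whatever that branch contains at that moment — unpinned, unverified and unreproducible, and a compromise of that repo flows straight into the release image. Pin the fetch to a commit, e.g. `git fetch --depth 1 https://github.com/router-for-me/models.git <commit-sha>`, and check the blob against a committed digest (`sha256sum -c models.json.sha256`) before the build step. The same step exists in ci.yml and pr-test-build.yml and should change together.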
@@ -87,8 +91,10 @@ jobs: - docker_arm64 steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Set up Docker Buildx - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3- name: Login to DockerHub + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 + - name: Login to DockerHub uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 with: username: ${{ secrets.DOCKERHUB_USERNAME }} diff --git a/.github/workflows/generate-sdks.yaml b/.github/workflows/generate-sdks.yaml index f24183ee6b..080f636258 100644 --- a/.github/workflows/generate-sdks.yaml +++ b/.github/workflows/generate-sdks.yaml @@ -14,7 +14,8 @@ jobs: generate-python-sdk: runs-on: ubuntu-latest steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4- name: Setup Python + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - name: Setup Python uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 with: python-version: '3.14' @@ -45,8 +46,9 @@ jobs: generate-typescript-sdk: runs-on: ubuntu-latest steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4- name: Setup Node - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - name: Setup Node + uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4 with: node-version: '20' diff --git a/.github/workflows/journey-gate.yml b/.github/workflows/journey-gate.yml index c784e6cb54..ef6b982824 100644 --- a/.github/workflows/journey-gate.yml +++ b/.github/workflows/journey-gate.yml 
@@ -59,7 +59,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # --------------------------------------------------------------------- # 1. Install runtime dependencies diff --git a/.github/workflows/lint-test.yml b/.github/workflows/lint-test.yml index bdbeffcd57..b4ae332227 100644 --- a/.github/workflows/lint-test.yml +++ b/.github/workflows/lint-test.yml @@ -15,4 +15,6 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- uses: KooshaPari/phenotypeActions/actions/lint-test@main + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + + - uses: KooshaPari/phenotypeActions/actions/lint-test@main diff --git a/.github/workflows/pages-deploy.yml b/.github/workflows/pages-deploy.yml index 76fa1ea018..f2b81475d8 100644 --- a/.github/workflows/pages-deploy.yml +++ b/.github/workflows/pages-deploy.yml @@ -16,6 +16,10 @@ jobs: url: ${{ steps.deployment.outputs.page_url }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- uses: actions/configure-pages@1f0c5cde4bc74cd7e1254d0cb4de8d49e9068c7d # v4- uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + - uses: actions/configure-pages@1f0c5cde4bc74cd7e1254d0cb4de8d49e9068c7d + - uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa + with: + path: . - id: deployment - uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4 \ No newline at end of file + uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4 
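Review bot: The `with: path: .` added to `actions/upload-pages-artifact` publishes the entire checkout — `.github/`, source, `config.example.yaml` and anything else in the workspace — as the Pages site, with no build step in between; the action defaults to a `_site/` directory precisely to avoid this. Point it at the built documentation output (docs.yml builds with VitePress, so probably `docs/.vitepress/dist`, not verifiable from this hunk) or add a build step before the upload. The new side also drops the `# v4`/`# v3` comments next to the pins; reviewers and Renovate use those to tell what version a SHA is, so keep them.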
diff --git a/.github/workflows/policy-gate.yml b/.github/workflows/policy-gate.yml index 4eaeeb0d89..a65236d33c 100644 --- a/.github/workflows/policy-gate.yml +++ b/.github/workflows/policy-gate.yml @@ -16,5 +16,6 @@ jobs: enforce: runs-on: ubuntu-latest steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Enforce engineering policies + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - name: Enforce engineering policies run: ./scripts/policy-gate.sh diff --git a/.github/workflows/pr-path-guard.yml b/.github/workflows/pr-path-guard.yml index a585f4706a..622ca9935b 100644 --- a/.github/workflows/pr-path-guard.yml +++ b/.github/workflows/pr-path-guard.yml @@ -14,8 +14,8 @@ jobs: name: ensure-no-translator-changes runs-on: ubuntu-latest steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - - with: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + with: fetch-depth: 0 - name: Detect pkg/llmproxy/translator changes id: changed-files diff --git a/.github/workflows/pr-test-build.yml b/.github/workflows/pr-test-build.yml index 0135d44fbb..24e805ec1e 100644 --- a/.github/workflows/pr-test-build.yml +++ b/.github/workflows/pr-test-build.yml @@ -16,7 +16,8 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Refresh models catalog + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - name: Refresh models catalog run: | git fetch --depth 1 https://github.com/router-for-me/models.git main git show FETCH_HEAD:models.json > internal/registry/models/models.json 
@@ -43,7 +44,8 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Set up Go + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - name: Set up Go uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5 with: go-version-file: go.mod @@ -59,7 +61,7 @@ jobs: exit "${test_exit}" - name: Upload baseline artifact if: always() - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v4 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v4 with: name: go-test-baseline path: target/test-baseline.json @@ -70,7 +72,8 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Set up Go + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - name: Set up Go uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5 with: go-version-file: go.mod @@ -86,7 +89,7 @@ jobs: go install honnef.co/go/tools/cmd/staticcheck@latest fi - name: Install Task - uses: arduino/setup-task@{"message":"Not Found","documentation_url":"https://docs.github.com/rest/git/refs#get-a-reference","status":"404"} # v2 + uses: arduino/setup-task@b91d5d2c96a56797b48ac1e0e89220bf64044611 with: version: 3.x repo-token: ${{ secrets.GITHUB_TOKEN }} @@ -101,7 +104,8 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Set up Go + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - name: Set up Go uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5 with: go-version-file: go.mod 
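Review bot: The new `arduino/setup-task@b91d5d2c96a56797b48ac1e0e89220bf64044611` pin has no trailing version comment, and the value it replaces was a literal GitHub API 404 body, which shows the pinning automation did not verify that its ref resolved. Confirm this SHA is the commit behind a tagged release of arduino/setup-task and record it as `uses: arduino/setup-task@b91d5d2c96a56797b48ac1e0e89220bf64044611 # v2.x`, otherwise neither a reviewer nor Renovate can tell what version this is. In the same hunk, `go install honnef.co/go/tools/cmd/staticcheck@latest` is pre-existing but pins nothing; a fixed version makes the lint job reproducible.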
@@ -112,7 +116,7 @@ jobs: go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.1.6 fi - name: Install Task - uses: arduino/setup-task@{"message":"Not Found","documentation_url":"https://docs.github.com/rest/git/refs#get-a-reference","status":"404"} # v2 + uses: arduino/setup-task@b91d5d2c96a56797b48ac1e0e89220bf64044611 with: version: 3.x repo-token: ${{ secrets.GITHUB_TOKEN }} @@ -126,13 +130,14 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Set up Go + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - name: Set up Go uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5 with: go-version-file: go.mod cache: true - name: Install Task - uses: arduino/setup-task@{"message":"Not Found","documentation_url":"https://docs.github.com/rest/git/refs#get-a-reference","status":"404"} # v2 + uses: arduino/setup-task@b91d5d2c96a56797b48ac1e0e89220bf64044611 with: version: 3.x repo-token: ${{ secrets.GITHUB_TOKEN }} @@ -144,7 +149,8 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Set up Go + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - name: Set up Go uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5 with: go-version-file: go.mod @@ -163,7 +169,8 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Set up Go + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - name: Set up Go uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5 with: go-version-file: go.mod 
@@ -183,7 +190,8 @@ jobs: CLIPROXY_BASE_URL: "http://127.0.0.1:8317" steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Set up Go + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - name: Set up Go uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5 with: go-version-file: go.mod @@ -217,7 +225,8 @@ jobs: CLIPROXY_BASE_URL: "http://127.0.0.1:8317" steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Set up Go + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - name: Set up Go uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5 with: go-version-file: go.mod @@ -244,13 +253,14 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Set up Go + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - name: Set up Go uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5 with: go-version-file: go.mod cache: true - name: Install Task - uses: arduino/setup-task@{"message":"Not Found","documentation_url":"https://docs.github.com/rest/git/refs#get-a-reference","status":"404"} # v2 + uses: arduino/setup-task@b91d5d2c96a56797b48ac1e0e89220bf64044611 with: version: 3.x repo-token: ${{ secrets.GITHUB_TOKEN }} 
@@ -262,13 +272,14 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Set up Go + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - name: Set up Go uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5 with: go-version-file: go.mod cache: true - name: Install Task - uses: arduino/setup-task@{"message":"Not Found","documentation_url":"https://docs.github.com/rest/git/refs#get-a-reference","status":"404"} # v2 + uses: arduino/setup-task@b91d5d2c96a56797b48ac1e0e89220bf64044611 with: version: 3.x repo-token: ${{ secrets.GITHUB_TOKEN }} @@ -281,7 +292,8 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Set up Go + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - name: Set up Go uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5 with: go-version-file: go.mod @@ -294,7 +306,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: fetch-depth: 0 - name: Detect change scopes @@ -336,7 +348,7 @@ jobs: echo "scope=${scope}" >> "$GITHUB_ENV" echo "scope=${scope}" > target/changelog-scope.txt - name: Upload changelog scope artifact - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v4 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v4 with: name: changelog-scope path: target/changelog-scope.txt 
@@ -346,8 +358,9 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Setup Node - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - name: Setup Node + uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4 with: node-version: "20" cache: "npm" diff --git a/.github/workflows/quality-gate.yml b/.github/workflows/quality-gate.yml index 60e51c63de..d38359c6cd 100644 --- a/.github/workflows/quality-gate.yml +++ b/.github/workflows/quality-gate.yml @@ -16,5 +16,6 @@ jobs: verify: runs-on: ubuntu-latest steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Run quality checks + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - name: Run quality checks run: ./scripts/quality-gate.sh verify diff --git a/.github/workflows/required-check-names-guard.yml b/.github/workflows/required-check-names-guard.yml index da2d02abb1..054fd7e290 100644 --- a/.github/workflows/required-check-names-guard.yml +++ b/.github/workflows/required-check-names-guard.yml @@ -15,7 +15,8 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Verify required check names exist + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - name: Verify required check names exist run: | set -euo pipefail manifest=".github/required-checks.txt" diff --git a/.github/workflows/sast-quick.yml b/.github/workflows/sast-quick.yml index c44743b96b..359d31b8f7 100644 --- a/.github/workflows/sast-quick.yml +++ b/.github/workflows/sast-quick.yml 
@@ -21,11 +21,11 @@ jobs: # Tier 3: Advisory - security enrichment only continue-on-error: true steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - - with: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + with: fetch-depth: 0 - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 - - with: + with: python-version: "3.12" - name: Install Semgrep run: python -m pip install --disable-pip-version-check semgrep==1.157.0 @@ -48,8 +48,8 @@ jobs: # Tier 3: Advisory - security enrichment only continue-on-error: true steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Analyze licenses + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - name: Analyze licenses uses: fsfe/reuse-action@3ae3c6bdf1257ab19397fab11fd3312144692083 # v4 continue-on-error: true # Allow findings but don't fail - name: Check for non-reusable licenses @@ -66,8 +66,8 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 5 steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - - with: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + with: fetch-depth: 0 - name: Run Gitleaks uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2 @@ -76,7 +76,7 @@ jobs: with: args: --verbose --redact - name: Run Trivy Secret Scanner - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@314ff8b43182423b84c50b1670b0e10f858f2d98 # master with: scan-type: repo exit-code: 0 diff --git a/.github/workflows/security-guard-hook-audit.yml b/.github/workflows/security-guard-hook-audit.yml index 1de913bb59..5dbe41bace 100644 --- a/.github/workflows/security-guard-hook-audit.yml +++ b/.github/workflows/security-guard-hook-audit.yml 
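Review bot: The Trivy secret scanner is now pinned to `aquasecurity/trivy-action@314ff8b4… # master`, a SHA on a moving branch rather than a release, while sast-full.yml in the same series uses `aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0`. A pin annotated `master` cannot be version-tracked and will silently fall behind; use the same release pin as sast-full. With `exit-code: 0` and the job's `continue-on-error: true`, a verified secret here never fails the build — consistent with the "Tier 3: Advisory" comment, but worth saying in the step name so nobody mistakes it for a gate.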
@@ -14,7 +14,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: fetch-depth: 0 diff --git a/.github/workflows/tag-automation.yml b/.github/workflows/tag-automation.yml index 7cc8743a79..cdac342767 100644 --- a/.github/workflows/tag-automation.yml +++ b/.github/workflows/tag-automation.yml @@ -12,5 +12,6 @@ jobs: tag: runs-on: ubuntu-latest steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Create release tag + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + name: Create release tag run: echo "Creating release for ${{ github.ref_name }}" diff --git a/.github/workflows/trufflehog.yml b/.github/workflows/trufflehog.yml index 2ef5e12f9d..73e39b20c9 100644 --- a/.github/workflows/trufflehog.yml +++ b/.github/workflows/trufflehog.yml @@ -21,4 +21,4 @@ jobs: - run: go install github.com/trufflehog/trufflehog/v3@latest - run: trufflehog github --only-verified --no-update env: - GH_TOKEN: \${{ secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.gitignore b/.gitignore index 6d3485594f..453a23e484 100644 --- a/.gitignore +++ b/.gitignore @@ -84,3 +84,19 @@ releasebatch .claudeignore .llmignore journey-fix/ + +# ===== Standard auto-generated hygiene ignores (do not edit manually) ===== +.env.* +!.env.example +node_modules/ +target/ +dist/ +build/ +coverage/ +.pytest_cache/ +__pycache__/ +.mypy_cache/ +.ruff_cache/ +.venv/ +venv/ +# ===== End standard hygiene ignores ===== From e15e7a4eaa8dee7b7797b3e60563a5fb05c9e426 Mon Sep 17 00:00:00 2001 From: Forge Date: Sun, 24 May 2026 00:43:47 -0700 Subject: [PATCH 11/12] chore: update go.mod --- go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
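Review bot: After the tag-automation hunk the single step holds `uses: actions/checkout@…`, `name: Create release tag` and `run: echo …` in one mapping; a step cannot combine `uses` and `run`, so the workflow fails validation. The name and run belong in their own list item: `- name: Create release tag` / `run: echo "Creating release for ${{ github.ref_name }}"`. Note also that nothing here creates a tag — the step only echoes — so the job name promises more than it does.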
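Review bot: Fixing the escaped `\${{` is right, but the binary this token is handed to is still installed with `go install github.com/trufflehog/trufflehog/v3@latest` — unpinned, and under a `trufflehog/` organisation path, whereas sast-full.yml pins `trufflesecurity/trufflehog@6bd2d14f… # v3.94.2`. Verify the module path resolves to the trufflesecurity project and pin a version (`@v3.94.2`) so a run-time `@latest` resolution cannot pull something unexpected into a job that holds `GITHUB_TOKEN`. The invocation `trufflehog github --only-verified --no-update` also appears to pass no `--repo`/`--org` target; confirm the command runs at all.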
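Review bot: The new hygiene block ignores `.env.*` but not a bare `.env`, which is the file most tooling writes secrets to; `.env.*` requires a character after `env.`, so `.env` stays committable and this block will not catch it. Add it alongside, keeping the example exception: `.env` / `.env.*` / `!.env.example`.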
diff --git a/go.mod b/go.mod index 297b0e8412..c95a2dbec1 100644 --- a/go.mod +++ b/go.mod @@ -1,4 +1,4 @@ -module github.com/KooshaPari/cliproxyapi-plusplus/v7 +module github.com/kooshapari/CLIProxyAPI/v7 go 1.26.0 From 5f17af3da405be9f99c0b242a181c3bc9deb320a Mon Sep 17 00:00:00 2001 From: Forge Date: Thu, 28 May 2026 01:25:14 -0700 Subject: [PATCH 12/12] =?UTF-8?q?chore(cliproxyapi-plusplus):=20workflow?= =?UTF-8?q?=20hygiene=20=E2=80=94=20ubuntu-24.04,=20permissions?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/auto-merge.yml | 2 +- .github/workflows/ci-rerun-flaky.yml | 2 +- .github/workflows/ci.yml | 6 ++-- .github/workflows/codeql.yml | 4 +-- .../workflows/coderabbit-rate-limit-retry.yml | 2 +- .github/workflows/docker-image.yml | 4 +-- .github/workflows/docs.yml | 6 ++-- .github/workflows/journey-gate.yml | 7 ++-- .github/workflows/lint-test.yml | 4 +-- .github/workflows/pages-deploy.yml | 2 +- .github/workflows/policy-gate.yml | 2 +- .github/workflows/pr-path-guard.yml | 2 +- .github/workflows/pr-test-build.yml | 32 +++++++++---------- .github/workflows/quality-gate.yml | 2 +- .github/workflows/release-drafter.yml | 2 +- .../workflows/required-check-names-guard.yml | 2 +- .github/workflows/sast-full.yml | 8 ++--- .github/workflows/sast-quick.yml | 6 ++-- .github/workflows/scorecard.yml | 2 +- .../workflows/security-guard-hook-audit.yml | 2 +- .github/workflows/security-guard.yml | 2 +- .github/workflows/self-merge-gate.yml | 2 +- .github/workflows/tag-automation.yml | 2 +- .github/workflows/trufflehog.yml | 5 ++- 24 files changed, 58 insertions(+), 52 deletions(-) diff --git a/.github/workflows/auto-merge.yml b/.github/workflows/auto-merge.yml index bcc51830f7..dd813b989b 100644 --- a/.github/workflows/auto-merge.yml +++ b/.github/workflows/auto-merge.yml 
@@ -15,7 +15,7 @@ jobs: if: | (github.event_name != 'pull_request_review') || (github.event.review.state == 'APPROVED') - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - name: Enable auto-merge for labeled PRs if: | diff --git a/.github/workflows/ci-rerun-flaky.yml b/.github/workflows/ci-rerun-flaky.yml index d999b333fc..3f0534489f 100644 --- a/.github/workflows/ci-rerun-flaky.yml +++ b/.github/workflows/ci-rerun-flaky.yml @@ -15,7 +15,7 @@ jobs: rerun-failed-jobs: name: rerun-failed-jobs if: github.event.label.name == 'ci:rerun-flaky' - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - name: Rerun failed CI jobs and remove rerun label uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7 diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 312e3750ce..4cd2cdee92 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -15,7 +15,7 @@ permissions: jobs: test: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 strategy: matrix: @@ -58,5 +58,5 @@ jobs: phenotype-validate: - runs-on: ubuntu-latest - uses: KooshaPari/phenotypeActions/.github/workflows/validate-governance.yml@main + runs-on: ubuntu-24.04 + uses: KooshaPari/phenotypeActions/.github/workflows/validate-governance.yml@48772d7560c964fff01a209742429f24283e96cf diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index f311d3e784..22258adfb6 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -15,7 +15,7 @@ jobs: analyze: name: Analyze (Go) if: ${{ !startsWith(github.head_ref, 'ci/fix-migrated-router-20260225060000-feature_ampcode-alias') }} - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 strategy: fail-fast: false matrix: 
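Review bot: `phenotype-validate` now has both `runs-on: ubuntu-24.04` and a job-level `uses:` calling a reusable workflow; GitHub Actions does not allow `runs-on` on a job that calls a reusable workflow, so the file fails validation (the combination pre-dates this commit, which re-pins rather than removes it). Drop the `runs-on` line and keep only `uses: KooshaPari/phenotypeActions/.github/workflows/validate-governance.yml@48772d7560c964fff01a209742429f24283e96cf`; runner choice belongs inside the called workflow. Pinning the cross-repo reusable workflow to a SHA is the right move.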
@@ -39,7 +39,7 @@ jobs: uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4analyze-skip-for-migrated-router-fix: name: Analyze (Go) if: ${{ startsWith(github.head_ref, 'ci/fix-migrated-router-20260225060000-feature_ampcode-alias') }} - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - name: Skip CodeQL build for migrated router compatibility branch run: echo "Skipping CodeQL build for migrated router compatibility branch." diff --git a/.github/workflows/coderabbit-rate-limit-retry.yml b/.github/workflows/coderabbit-rate-limit-retry.yml index 684af49f72..9e14b51aee 100644 --- a/.github/workflows/coderabbit-rate-limit-retry.yml +++ b/.github/workflows/coderabbit-rate-limit-retry.yml @@ -15,7 +15,7 @@ permissions: jobs: retrigger: name: retrigger-coderabbit-on-rate-limit - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - name: Re-request CodeRabbit when backlog is high and check is stale uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7 diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml index a619221bc0..77eb9542ff 100644 --- a/.github/workflows/docker-image.yml +++ b/.github/workflows/docker-image.yml @@ -15,7 +15,7 @@ permissions: jobs: docker_amd64: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 @@ -85,7 +85,7 @@ jobs: ${{ env.DOCKERHUB_REPO }}:${{ env.VERSION }}-arm64 docker_manifest: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 needs: - docker_amd64 - docker_arm64 diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index d177e7c293..2f3432a5e8 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml 
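Review bot: The context line `uses: github/codeql-action/analyze@95e58e9a… # v4analyze-skip-for-migrated-router-fix:` together with the hunk's 7-line count suggests the `analyze-skip-for-migrated-router-fix:` job key is fused onto the previous step's comment, the same `# v4- name:` fusion repaired elsewhere in this series; if so, the skip job's `name:`, `if:`, `runs-on:` and `steps:` are misattached and the workflow is invalid. Verify in the file and put the job key on its own line. Separately, both jobs report as `Analyze (Go)` and the `startsWith(github.head_ref, 'ci/fix-migrated-router-…')` condition lets any PR whose head branch uses that prefix satisfy the CodeQL check with an `echo`; `github.head_ref` is chosen by whoever opens the PR, so this bypass should be removed or tied to something the author cannot pick.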
@@ -20,7 +20,7 @@ jobs: build: name: Build Docs if: ${{ github.ref_name != 'chore/branding-slug-cleanup-20260303-clean' }} - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 @@ -65,7 +65,7 @@ jobs: build-skip-branch-ci-unblock: name: Build Docs if: ${{ github.ref_name == 'chore/branding-slug-cleanup-20260303-clean' }} - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - name: Skip docs build for temporary CI unblock branch run: echo "Skipping docs build for temporary CI unblock branch." @@ -74,7 +74,7 @@ jobs: name: Deploy Pages needs: build if: github.ref == 'refs/heads/main' - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 environment: name: github-pages url: ${{ steps.deployment.outputs.page_url }} diff --git a/.github/workflows/journey-gate.yml b/.github/workflows/journey-gate.yml index ef6b982824..579ac6060c 100644 --- a/.github/workflows/journey-gate.yml +++ b/.github/workflows/journey-gate.yml @@ -1,4 +1,7 @@ # ============================================================================= +permissions: + contents: read + pull-requests: read # Journey Gate — Reusable Workflow # ============================================================================= # Canonical source: phenotype-infra/docs/governance/ci-journey-gate.yml @@ -54,7 +57,7 @@ env: jobs: journey-gate: name: Journey Verification - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 timeout-minutes: 15 steps: @@ -237,7 +240,7 @@ jobs: # -------------------------------------------------------------------------- stub-mode: name: Journey Gate — No Manifests Found - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 needs: journey-gate if: needs.journey-gate.result == 'failure' && needs.journey-gate.outputs.MANIFEST_COUNT == '0' steps: diff --git a/.github/workflows/lint-test.yml b/.github/workflows/lint-test.yml index b4ae332227..3c0fede78f 100644 --- a/.github/workflows/lint-test.yml 
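Review bot: The new `permissions:` block in the journey-gate.yml `@@ -1,4 +1,7 @@` hunk is inserted between the opening `# ====` banner line and the `# Journey Gate — Reusable Workflow` line, splitting the file's header comment in two; move the three lines below the banner, next to the workflow's `name:`/`on:` keys, so the banner stays contiguous and the grant is read beside the triggers it constrains. Read-only `contents` and `pull-requests` is a sensible least-privilege default for a gate, but since the banner says this is a reusable workflow the block can only narrow what the caller already grants, which is worth stating so callers are not surprised: `# least-privilege token (read-only); in a reusable workflow this can only narrow what the caller grants`.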
+++ b/.github/workflows/lint-test.yml @@ -12,9 +12,9 @@ permissions: jobs: lint-test: name: lint-test - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 - - uses: KooshaPari/phenotypeActions/actions/lint-test@main + - uses: KooshaPari/phenotypeActions/actions/lint-test@48772d7560c964fff01a209742429f24283e96cf diff --git a/.github/workflows/pages-deploy.yml b/.github/workflows/pages-deploy.yml index f2b81475d8..ae9d06ac46 100644 --- a/.github/workflows/pages-deploy.yml +++ b/.github/workflows/pages-deploy.yml @@ -14,7 +14,7 @@ jobs: environment: name: github-pages url: ${{ steps.deployment.outputs.page_url }} - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 - uses: actions/configure-pages@1f0c5cde4bc74cd7e1254d0cb4de8d49e9068c7d diff --git a/.github/workflows/policy-gate.yml b/.github/workflows/policy-gate.yml index a65236d33c..a2dc5c0508 100644 --- a/.github/workflows/policy-gate.yml +++ b/.github/workflows/policy-gate.yml @@ -14,7 +14,7 @@ permissions: jobs: enforce: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Enforce engineering policies diff --git a/.github/workflows/pr-path-guard.yml b/.github/workflows/pr-path-guard.yml index 622ca9935b..c2d86db0e8 100644 --- a/.github/workflows/pr-path-guard.yml +++ b/.github/workflows/pr-path-guard.yml @@ -12,7 +12,7 @@ permissions: jobs: ensure-no-translator-changes: name: ensure-no-translator-changes - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: diff --git a/.github/workflows/pr-test-build.yml b/.github/workflows/pr-test-build.yml index 24e805ec1e..9e816ec715 100644 --- a/.github/workflows/pr-test-build.yml +++ b/.github/workflows/pr-test-build.yml 
@@ -13,7 +13,7 @@ jobs: build: name: build if: ${{ !startsWith(github.head_ref, 'ci/fix-migrated-router-20260225060000-feature_ampcode-alias') }} - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 @@ -34,14 +34,14 @@ jobs: build-skip-for-migrated-router-fix: name: build if: ${{ startsWith(github.head_ref, 'ci/fix-migrated-router-20260225060000-feature_ampcode-alias') }} - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - name: Skip build for migrated router compatibility branch run: echo "Skipping compile step for migrated router compatibility branch." go-ci: name: go-ci - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 @@ -69,7 +69,7 @@ jobs: quality-ci: name: quality-ci - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 @@ -101,7 +101,7 @@ jobs: quality-staged-check: name: quality-staged-check - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 @@ -127,7 +127,7 @@ jobs: fmt-check: name: fmt-check - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 @@ -146,7 +146,7 @@ jobs: golangci-lint: name: golangci-lint - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 @@ -166,7 +166,7 @@ jobs: route-lifecycle: name: route-lifecycle - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 
@@ -182,7 +182,7 @@ jobs: provider-smoke-matrix: name: provider-smoke-matrix if: ${{ vars.CLIPROXY_PROVIDER_SMOKE_CASES != '' }} - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 env: CLIPROXY_PROVIDER_SMOKE_CASES: ${{ vars.CLIPROXY_PROVIDER_SMOKE_CASES }} CLIPROXY_SMOKE_EXPECT_SUCCESS: ${{ vars.CLIPROXY_SMOKE_EXPECT_SUCCESS }} @@ -218,7 +218,7 @@ jobs: provider-smoke-matrix-cheapest: name: provider-smoke-matrix-cheapest - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 env: CLIPROXY_SMOKE_EXPECT_SUCCESS: "0" CLIPROXY_SMOKE_WAIT_FOR_READY: "1" @@ -250,7 +250,7 @@ jobs: test-smoke: name: test-smoke - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 @@ -269,7 +269,7 @@ jobs: pre-release-config-compat-smoke: name: pre-release-config-compat-smoke - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 @@ -289,7 +289,7 @@ jobs: distributed-critical-paths: name: distributed-critical-paths - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 @@ -303,7 +303,7 @@ jobs: changelog-scope-classifier: name: changelog-scope-classifier - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 @@ -355,7 +355,7 @@ jobs: docs-build: name: docs-build - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 @@ -373,7 +373,7 @@ jobs: ci-summary: name: ci-summary - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 needs: - quality-ci - quality-staged-check diff --git a/.github/workflows/quality-gate.yml b/.github/workflows/quality-gate.yml index d38359c6cd..eff7d8c988 100644 --- a/.github/workflows/quality-gate.yml +++ b/.github/workflows/quality-gate.yml 
@@ -14,7 +14,7 @@ permissions: jobs: verify: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Run quality checks diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml index 9bfb7c1a12..7f4554276f 100644 --- a/.github/workflows/release-drafter.yml +++ b/.github/workflows/release-drafter.yml @@ -11,7 +11,7 @@ permissions: jobs: update_release_draft: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - uses: release-drafter/release-drafter@6a93d829887aa2e0748befe2e808c66c0ec6e4c7 # v6 with: diff --git a/.github/workflows/required-check-names-guard.yml b/.github/workflows/required-check-names-guard.yml index 054fd7e290..f16a5a3ce9 100644 --- a/.github/workflows/required-check-names-guard.yml +++ b/.github/workflows/required-check-names-guard.yml @@ -12,7 +12,7 @@ permissions: jobs: verify-required-check-names: name: verify-required-check-names - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 diff --git a/.github/workflows/sast-full.yml b/.github/workflows/sast-full.yml index e4b4a8d073..e27fc9570f 100644 --- a/.github/workflows/sast-full.yml +++ b/.github/workflows/sast-full.yml @@ -16,7 +16,7 @@ permissions: jobs: codeql: name: CodeQL Analysis - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 timeout-minutes: 30 strategy: matrix: @@ -34,7 +34,7 @@ jobs: trivy-repo: name: Trivy Repository Scan - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 timeout-minutes: 15 steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 @@ -54,7 +54,7 @@ jobs: full-semgrep: name: Full Semgrep Analysis - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 timeout-minutes: 20 steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 
@@ -84,7 +84,7 @@ jobs: full-secrets: name: Full Secret Scan - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 timeout-minutes: 15 steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 diff --git a/.github/workflows/sast-quick.yml b/.github/workflows/sast-quick.yml index 359d31b8f7..7d9d4e1e6d 100644 --- a/.github/workflows/sast-quick.yml +++ b/.github/workflows/sast-quick.yml @@ -16,7 +16,7 @@ permissions: jobs: semgrep: name: Semgrep Scan - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 timeout-minutes: 15 # Tier 3: Advisory - security enrichment only continue-on-error: true @@ -43,7 +43,7 @@ jobs: # License Compliance - Tier 3: Advisory license-compliance: name: License Compliance - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 timeout-minutes: 10 # Tier 3: Advisory - security enrichment only continue-on-error: true @@ -63,7 +63,7 @@ jobs: # Secret Scanning - Tier 2: Important (runs in parallel) secrets: name: Secret Scanning - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 timeout-minutes: 5 steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index e0369dcff9..ae1c40a886 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -12,7 +12,7 @@ permissions: read-all jobs: analysis: name: Scorecard analysis - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 permissions: security-events: write id-token: write diff --git a/.github/workflows/security-guard-hook-audit.yml b/.github/workflows/security-guard-hook-audit.yml index 5dbe41bace..173f776381 100644 --- a/.github/workflows/security-guard-hook-audit.yml +++ b/.github/workflows/security-guard-hook-audit.yml @@ -11,7 +11,7 @@ permissions: jobs: guard: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 
diff --git a/.github/workflows/security-guard.yml b/.github/workflows/security-guard.yml index 5fbe3bd682..85db18dbe3 100644 --- a/.github/workflows/security-guard.yml +++ b/.github/workflows/security-guard.yml @@ -12,7 +12,7 @@ permissions: jobs: ggshield-scan: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 permissions: contents: read steps: diff --git a/.github/workflows/self-merge-gate.yml b/.github/workflows/self-merge-gate.yml index 118ece760f..c6f5185b3e 100644 --- a/.github/workflows/self-merge-gate.yml +++ b/.github/workflows/self-merge-gate.yml @@ -14,7 +14,7 @@ permissions: jobs: check: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 if: github.event.review.state == 'approved' steps: - name: Check self-merge eligibility diff --git a/.github/workflows/tag-automation.yml b/.github/workflows/tag-automation.yml index cdac342767..670851d092 100644 --- a/.github/workflows/tag-automation.yml +++ b/.github/workflows/tag-automation.yml @@ -10,7 +10,7 @@ permissions: jobs: tag: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 name: Create release tag diff --git a/.github/workflows/trufflehog.yml b/.github/workflows/trufflehog.yml index 73e39b20c9..39ccc12f2f 100644 --- a/.github/workflows/trufflehog.yml +++ b/.github/workflows/trufflehog.yml @@ -1,4 +1,7 @@ name: Trufflehog Secrets Scan +permissions: + contents: read + pull-requests: read concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true @@ -10,7 +13,7 @@ on: jobs: trufflehog: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with:
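Review bot: The added `permissions:` block in the trufflehog.yml `@@ -1,4 +1,7 @@` hunk grants `pull-requests: read` without any comment on why a secret scanner that reads repository history needs it beyond `contents: read`; if PR-triggered runs rely on PR metadata, say so, otherwise the scope should be dropped to keep the token minimal. A one-line comment above the block would settle it for the next editor: `# read-only token; pull-requests: read is for PR-triggered scans — drop it if the scan becomes push-only`. The `runs-on` hunk that follows runs past the end of this chunk, so its step list was not reviewed here.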