From fe11ac01143e9c967cd974a790fdcce4135ebd24 Mon Sep 17 00:00:00 2001 From: Frederik Prijck Date: Fri, 19 Jun 2026 23:47:41 +0200 Subject: [PATCH 01/11] docs: add conventional commits enforcement design spec --- .../2026-06-19-conventional-commits-design.md | 89 +++++++++++++++++++ 1 file changed, 89 insertions(+) create mode 100644 .claude/specs/2026-06-19-conventional-commits-design.md diff --git a/.claude/specs/2026-06-19-conventional-commits-design.md b/.claude/specs/2026-06-19-conventional-commits-design.md new file mode 100644 index 0000000..248c2b5 --- /dev/null +++ b/.claude/specs/2026-06-19-conventional-commits-design.md @@ -0,0 +1,89 @@ +# Conventional Commit Enforcement + +**Date:** 2026-06-19 +**Status:** Approved + +## Goal + +Enforce conventional commit message format across all contributions — both locally for fast feedback and in CI as a safety net. Scope validation ensures consistent package-level attribution. + +## Dependencies + +New root-level dev dependencies: + +| Package | Purpose | +|---|---| +| `husky` | Git hook management via `npm prepare` | +| `@commitlint/cli` | Commit message linting | +| `@commitlint/config-conventional` | Standard conventional commits ruleset | + +## commitlint Configuration + +`commitlint.config.js` at the repo root: + +```js +export default { + extends: ['@commitlint/config-conventional'], + rules: { + 'scope-enum': [2, 'always', [ + 'auth0-fastify', + 'auth0-fastify-api', + 'ci', + 'security', + 'deps', + ]], + 'scope-empty': [1, 'never'], + }, +}; +``` + +- `scope-enum` (error): scope must be one of the listed values when present +- `scope-empty` (warning): encourages use of a scope but does not block commits + +The scope list reflects the existing commit history. New scopes can be added here as the repo evolves. + +## Local Hook (Husky) + +1. `npm pkg set scripts.prepare="husky"` — adds the prepare lifecycle hook +2. `npx husky init` — creates `.husky/` directory +3. `.husky/commit-msg` contains: `npx --no -- commitlint --edit $1` + +Devs receive the hook automatically after `npm install` because npm runs `prepare` post-install. + +## CI Enforcement + +A new `commitlint` job added to `.github/workflows/test.yml`, triggered on `pull_request` events only (commits to `main` have already passed a PR): + +```yaml +commitlint: + name: Commitlint + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@ # v6 + with: + fetch-depth: 0 + - uses: wagoid/commitlint-github-action@ # v6 + with: + configFile: commitlint.config.js +``` + +The action is pinned to a SHA following the repo's existing security convention for GitHub Actions. + +## Scope List + +| Scope | When to use | +|---|---| +| `auth0-fastify` | Changes to `packages/auth0-fastify` | +| `auth0-fastify-api` | Changes to `packages/auth0-fastify-api` | +| `ci` | GitHub Actions / CI workflow changes | +| `security` | Security hardening (actions pinning, Snyk, etc.) | +| `deps` | Dependency updates (Dependabot, manual bumps) | + +## Examples + +``` +feat(auth0-fastify): add logout redirect support +fix(auth0-fastify-api): handle expired token edge case +chore(deps): bump vitest from 2.0 to 2.1 +ci: add commitlint enforcement +``` From a1333e778a8927d7823141aa3b604ba3eeb462d9 Mon Sep 17 00:00:00 2001 From: Frederik Prijck Date: Fri, 19 Jun 2026 23:50:32 +0200 Subject: [PATCH 02/11] docs: add conventional commits implementation plan --- .../specs/2026-06-19-conventional-commits.md | 242 ++++++++++++++++++ 1 file changed, 242 insertions(+) create mode 100644 .claude/specs/2026-06-19-conventional-commits.md diff --git a/.claude/specs/2026-06-19-conventional-commits.md b/.claude/specs/2026-06-19-conventional-commits.md new file mode 100644 index 0000000..010d9fd --- /dev/null +++ b/.claude/specs/2026-06-19-conventional-commits.md @@ -0,0 +1,242 @@ +# Conventional Commits Enforcement Implementation Plan + +> **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development (recommended) or superpowers:executing-plans to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax for tracking. + +**Goal:** Enforce conventional commit message format locally via a Husky git hook and in CI via a GitHub Actions job. + +**Architecture:** Install commitlint + Husky as root dev dependencies. Husky registers a `commit-msg` hook via the npm `prepare` lifecycle so it installs automatically for all contributors. A new `commitlint` CI job validates PR commits using `wagoid/commitlint-github-action` pinned to a SHA. + +**Tech Stack:** Husky v9, @commitlint/cli, @commitlint/config-conventional, wagoid/commitlint-github-action v6.2.1 + +--- + +## File Map + +| Action | File | Change | +|--------|------|--------| +| Create | `commitlint.config.js` | commitlint rule config | +| Create | `.husky/commit-msg` | git hook script | +| Modify | `package.json` | add deps + `prepare` script | +| Modify | `.github/workflows/test.yml` | add `commitlint` job | + +--- + +### Task 1: Install dependencies and configure the prepare script + +**Files:** +- Modify: `package.json` + +- [ ] **Step 1: Install commitlint and husky as root dev dependencies** + +Run from the repo root: + +```bash +npm install --save-dev husky @commitlint/cli @commitlint/config-conventional +``` + +Expected: `package.json` `devDependencies` now includes `husky`, `@commitlint/cli`, and `@commitlint/config-conventional`. + +- [ ] **Step 2: Add the prepare script to package.json** + +```bash +npm pkg set scripts.prepare="husky" +``` + +Expected: `package.json` `scripts` now contains `"prepare": "husky"`. + +- [ ] **Step 3: Verify package.json looks correct** + +`package.json` scripts section should now be: + +```json +"scripts": { + "prepare": "husky", + "build": "turbo run build", + "clean": "turbo run clean", + "test": "turbo run test", + "lint": "turbo run lint", + "docs": "typedoc" +} +``` + +- [ ] **Step 4: Commit** + +```bash +git add package.json package-lock.json +git commit -m "chore(deps): install husky and commitlint" +``` + +--- + +### Task 2: Create the commitlint configuration + +**Files:** +- Create: `commitlint.config.js` + +- [ ] **Step 1: Create the config file** + +Create `commitlint.config.js` at the repo root with this exact content: + +```js +export default { + extends: ['@commitlint/config-conventional'], + rules: { + 'scope-enum': [2, 'always', [ + 'auth0-fastify', + 'auth0-fastify-api', + 'ci', + 'security', + 'deps', + ]], + 'scope-empty': [1, 'never'], + }, +}; +``` + +Rule severity meanings: `2` = error (blocks commit), `1` = warning (allows commit). + +`scope-enum` (error): when a scope is provided it must be one of the five listed values. +`scope-empty` (warning): nudges contributors to include a scope but does not block commits that omit one. + +- [ ] **Step 2: Smoke-test the config with a valid message** + +```bash +echo "feat(auth0-fastify): add something" | npx commitlint +``` + +Expected: exits 0 with no output. + +- [ ] **Step 3: Smoke-test the config with an invalid message** + +```bash +echo "this is not conventional" | npx commitlint +``` + +Expected: exits non-zero and prints an error mentioning `subject-full-stop` or `type-empty`. + +- [ ] **Step 4: Smoke-test scope enforcement** + +```bash +echo "feat(bad-scope): something" | npx commitlint +``` + +Expected: exits non-zero and prints an error mentioning `scope-enum`. + +- [ ] **Step 5: Commit** + +```bash +git add commitlint.config.js +git commit -m "chore(ci): add commitlint configuration" +``` + +--- + +### Task 3: Set up the Husky commit-msg hook + +**Files:** +- Create: `.husky/commit-msg` + +- [ ] **Step 1: Initialise Husky** + +```bash +npx husky init +``` + +Expected: `.husky/` directory created (or already exists) and a `.husky/pre-commit` file created. + +- [ ] **Step 2: Remove the default pre-commit hook** + +The `husky init` command creates a `.husky/pre-commit` stub. Delete it — this repo doesn't use a pre-commit hook: + +```bash +rm .husky/pre-commit +``` + +- [ ] **Step 3: Create the commit-msg hook** + +Create `.husky/commit-msg` with this exact content: + +```sh +npx --no -- commitlint --edit $1 +``` + +> `--no` prevents npx from installing packages not already present. `--edit $1` tells commitlint to read the commit message file passed by git. + +- [ ] **Step 4: Make the hook executable** + +```bash +chmod +x .husky/commit-msg +``` + +- [ ] **Step 5: Test the hook locally with a valid message** + +```bash +echo "feat(auth0-fastify): test hook" > /tmp/test-commit-msg +npx --no -- commitlint --edit /tmp/test-commit-msg +``` + +Expected: exits 0. + +- [ ] **Step 6: Test the hook locally with an invalid message** + +```bash +echo "bad commit message" > /tmp/test-bad-msg +npx --no -- commitlint --edit /tmp/test-bad-msg +``` + +Expected: exits non-zero with a commitlint error. + +- [ ] **Step 7: Commit** + +```bash +git add .husky/commit-msg +git commit -m "chore(ci): add husky commit-msg hook" +``` + +--- + +### Task 4: Add the commitlint CI job + +**Files:** +- Modify: `.github/workflows/test.yml` + +- [ ] **Step 1: Add the commitlint job to the workflow** + +Open `.github/workflows/test.yml` and add the following job after the existing `lint` job: + +```yaml + commitlint: + name: Commitlint + runs-on: ubuntu-latest + if: github.event_name == 'pull_request' + steps: + - name: Checkout code + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + fetch-depth: 0 + + - name: Validate conventional commits + uses: wagoid/commitlint-github-action@b948419dd99f3fd78a6548d48f94e3df7f6bf3ed # v6.2.1 + with: + configFile: commitlint.config.js +``` + +Notes: +- `fetch-depth: 0` is required — the action needs the full history to compare against the base branch. +- The SHA `b948419dd99f3fd78a6548d48f94e3df7f6bf3ed` pins to `wagoid/commitlint-github-action@v6.2.1`, following the repo's security convention (all other actions are pinned by SHA with a version comment). +- `if: github.event_name == 'pull_request'` skips this job on direct pushes to `main` and on `workflow_dispatch` — those commits have already been validated via a PR. + +- [ ] **Step 2: Verify the workflow YAML is valid** + +```bash +cat .github/workflows/test.yml +``` + +Check that the indentation is consistent and the `commitlint` job aligns with the other jobs under the `jobs:` key. + +- [ ] **Step 3: Commit** + +```bash +git add .github/workflows/test.yml +git commit -m "ci: add commitlint GitHub Actions job" +``` From 28775abfbdb0ffd5e331784af0390bb3bc4f3b0c Mon Sep 17 00:00:00 2001 From: Frederik Prijck Date: Fri, 19 Jun 2026 23:53:22 +0200 Subject: [PATCH 03/11] chore(deps): install husky and commitlint --- package.json | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/package.json b/package.json index 8ba8bef..c884d15 100644 --- a/package.json +++ b/package.json @@ -10,13 +10,17 @@ "clean": "turbo run clean", "test": "turbo run test", "lint": "turbo run lint", - "docs": "typedoc" + "docs": "typedoc", + "prepare": "husky" }, "author": "", "license": "ISC", "description": "", "packageManager": "npm@10.1.0", "devDependencies": { + "@commitlint/cli": "^21.0.2", + "@commitlint/config-conventional": "^21.0.2", + "husky": "^9.1.7", "turbo": "^2.4.4", "typedoc": "^0.27.9" } From 365b591c7811c935cc20d9811218b965f3ac6811 Mon Sep 17 00:00:00 2001 From: Frederik Prijck Date: Fri, 19 Jun 2026 23:55:54 +0200 Subject: [PATCH 04/11] chore(ci): add commitlint configuration --- commitlint.config.js | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 commitlint.config.js diff --git a/commitlint.config.js b/commitlint.config.js new file mode 100644 index 0000000..37f4a28 --- /dev/null +++ b/commitlint.config.js @@ -0,0 +1,13 @@ +export default { + extends: ['@commitlint/config-conventional'], + rules: { + 'scope-enum': [2, 'always', [ + 'auth0-fastify', + 'auth0-fastify-api', + 'ci', + 'security', + 'deps', + ]], + 'scope-empty': [1, 'never'], + }, +}; From 170bbfee1e06ecdd18abc3078a7897e069aa387d Mon Sep 17 00:00:00 2001 From: Frederik Prijck Date: Fri, 19 Jun 2026 23:58:41 +0200 Subject: [PATCH 05/11] chore(ci): add husky commit-msg hook --- .husky/commit-msg | 1 + 1 file changed, 1 insertion(+) create mode 100755 .husky/commit-msg diff --git a/.husky/commit-msg b/.husky/commit-msg new file mode 100755 index 0000000..0a4b97d --- /dev/null +++ b/.husky/commit-msg @@ -0,0 +1 @@ +npx --no -- commitlint --edit $1 From 712093421cc8716f4f6eb8f2ebe4248a69522c24 Mon Sep 17 00:00:00 2001 From: Frederik Prijck Date: Sat, 20 Jun 2026 00:00:52 +0200 Subject: [PATCH 06/11] ci: add commitlint GitHub Actions job --- .github/workflows/test.yml | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 511f042..1726f0b 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -78,4 +78,19 @@ jobs: run: npm run lint -w @auth0/auth0-fastify - name: Lint @auth0/auth0-fastify-api - run: npm run lint -w @auth0/auth0-fastify-api \ No newline at end of file + run: npm run lint -w @auth0/auth0-fastify-api + + commitlint: + name: Commitlint + runs-on: ubuntu-latest + if: github.event_name == 'pull_request' + steps: + - name: Checkout code + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + fetch-depth: 0 + + - name: Validate conventional commits + uses: wagoid/commitlint-github-action@b948419dd99f3fd78a6548d48f94e3df7f6bf3ed # v6.2.1 + with: + configFile: commitlint.config.js \ No newline at end of file From 76ee837a84682ee0a58d0098393772b33a06431e Mon Sep 17 00:00:00 2001 From: Frederik Prijck Date: Sat, 20 Jun 2026 00:03:22 +0200 Subject: [PATCH 07/11] chore: add type module to root package.json --- package.json | 1 + 1 file changed, 1 insertion(+) diff --git a/package.json b/package.json index c884d15..9038196 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,7 @@ { "name": "auth0-fastify", "version": "1.0.0", + "type": "module", "workspaces": [ "packages/*", "examples/*" From 13013f0972ddb935eae4e884790dbcbcddd7b5e7 Mon Sep 17 00:00:00 2001 From: Frederik Prijck Date: Sat, 20 Jun 2026 00:06:43 +0200 Subject: [PATCH 08/11] chore: remove design and plan spec files --- .../2026-06-19-conventional-commits-design.md | 89 ------- .../specs/2026-06-19-conventional-commits.md | 242 ------------------ 2 files changed, 331 deletions(-) delete mode 100644 .claude/specs/2026-06-19-conventional-commits-design.md delete mode 100644 .claude/specs/2026-06-19-conventional-commits.md diff --git a/.claude/specs/2026-06-19-conventional-commits-design.md b/.claude/specs/2026-06-19-conventional-commits-design.md deleted file mode 100644 index 248c2b5..0000000 --- a/.claude/specs/2026-06-19-conventional-commits-design.md +++ /dev/null @@ -1,89 +0,0 @@ -# Conventional Commit Enforcement - -**Date:** 2026-06-19 -**Status:** Approved - -## Goal - -Enforce conventional commit message format across all contributions — both locally for fast feedback and in CI as a safety net. Scope validation ensures consistent package-level attribution. - -## Dependencies - -New root-level dev dependencies: - -| Package | Purpose | -|---|---| -| `husky` | Git hook management via `npm prepare` | -| `@commitlint/cli` | Commit message linting | -| `@commitlint/config-conventional` | Standard conventional commits ruleset | - -## commitlint Configuration - -`commitlint.config.js` at the repo root: - -```js -export default { - extends: ['@commitlint/config-conventional'], - rules: { - 'scope-enum': [2, 'always', [ - 'auth0-fastify', - 'auth0-fastify-api', - 'ci', - 'security', - 'deps', - ]], - 'scope-empty': [1, 'never'], - }, -}; -``` - -- `scope-enum` (error): scope must be one of the listed values when present -- `scope-empty` (warning): encourages use of a scope but does not block commits - -The scope list reflects the existing commit history. New scopes can be added here as the repo evolves. - -## Local Hook (Husky) - -1. `npm pkg set scripts.prepare="husky"` — adds the prepare lifecycle hook -2. `npx husky init` — creates `.husky/` directory -3. `.husky/commit-msg` contains: `npx --no -- commitlint --edit $1` - -Devs receive the hook automatically after `npm install` because npm runs `prepare` post-install. - -## CI Enforcement - -A new `commitlint` job added to `.github/workflows/test.yml`, triggered on `pull_request` events only (commits to `main` have already passed a PR): - -```yaml -commitlint: - name: Commitlint - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@ # v6 - with: - fetch-depth: 0 - - uses: wagoid/commitlint-github-action@ # v6 - with: - configFile: commitlint.config.js -``` - -The action is pinned to a SHA following the repo's existing security convention for GitHub Actions. - -## Scope List - -| Scope | When to use | -|---|---| -| `auth0-fastify` | Changes to `packages/auth0-fastify` | -| `auth0-fastify-api` | Changes to `packages/auth0-fastify-api` | -| `ci` | GitHub Actions / CI workflow changes | -| `security` | Security hardening (actions pinning, Snyk, etc.) | -| `deps` | Dependency updates (Dependabot, manual bumps) | - -## Examples - -``` -feat(auth0-fastify): add logout redirect support -fix(auth0-fastify-api): handle expired token edge case -chore(deps): bump vitest from 2.0 to 2.1 -ci: add commitlint enforcement -``` diff --git a/.claude/specs/2026-06-19-conventional-commits.md b/.claude/specs/2026-06-19-conventional-commits.md deleted file mode 100644 index 010d9fd..0000000 --- a/.claude/specs/2026-06-19-conventional-commits.md +++ /dev/null @@ -1,242 +0,0 @@ -# Conventional Commits Enforcement Implementation Plan - -> **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development (recommended) or superpowers:executing-plans to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax for tracking. - -**Goal:** Enforce conventional commit message format locally via a Husky git hook and in CI via a GitHub Actions job. - -**Architecture:** Install commitlint + Husky as root dev dependencies. Husky registers a `commit-msg` hook via the npm `prepare` lifecycle so it installs automatically for all contributors. A new `commitlint` CI job validates PR commits using `wagoid/commitlint-github-action` pinned to a SHA. - -**Tech Stack:** Husky v9, @commitlint/cli, @commitlint/config-conventional, wagoid/commitlint-github-action v6.2.1 - ---- - -## File Map - -| Action | File | Change | -|--------|------|--------| -| Create | `commitlint.config.js` | commitlint rule config | -| Create | `.husky/commit-msg` | git hook script | -| Modify | `package.json` | add deps + `prepare` script | -| Modify | `.github/workflows/test.yml` | add `commitlint` job | - ---- - -### Task 1: Install dependencies and configure the prepare script - -**Files:** -- Modify: `package.json` - -- [ ] **Step 1: Install commitlint and husky as root dev dependencies** - -Run from the repo root: - -```bash -npm install --save-dev husky @commitlint/cli @commitlint/config-conventional -``` - -Expected: `package.json` `devDependencies` now includes `husky`, `@commitlint/cli`, and `@commitlint/config-conventional`. - -- [ ] **Step 2: Add the prepare script to package.json** - -```bash -npm pkg set scripts.prepare="husky" -``` - -Expected: `package.json` `scripts` now contains `"prepare": "husky"`. - -- [ ] **Step 3: Verify package.json looks correct** - -`package.json` scripts section should now be: - -```json -"scripts": { - "prepare": "husky", - "build": "turbo run build", - "clean": "turbo run clean", - "test": "turbo run test", - "lint": "turbo run lint", - "docs": "typedoc" -} -``` - -- [ ] **Step 4: Commit** - -```bash -git add package.json package-lock.json -git commit -m "chore(deps): install husky and commitlint" -``` - ---- - -### Task 2: Create the commitlint configuration - -**Files:** -- Create: `commitlint.config.js` - -- [ ] **Step 1: Create the config file** - -Create `commitlint.config.js` at the repo root with this exact content: - -```js -export default { - extends: ['@commitlint/config-conventional'], - rules: { - 'scope-enum': [2, 'always', [ - 'auth0-fastify', - 'auth0-fastify-api', - 'ci', - 'security', - 'deps', - ]], - 'scope-empty': [1, 'never'], - }, -}; -``` - -Rule severity meanings: `2` = error (blocks commit), `1` = warning (allows commit). - -`scope-enum` (error): when a scope is provided it must be one of the five listed values. -`scope-empty` (warning): nudges contributors to include a scope but does not block commits that omit one. - -- [ ] **Step 2: Smoke-test the config with a valid message** - -```bash -echo "feat(auth0-fastify): add something" | npx commitlint -``` - -Expected: exits 0 with no output. - -- [ ] **Step 3: Smoke-test the config with an invalid message** - -```bash -echo "this is not conventional" | npx commitlint -``` - -Expected: exits non-zero and prints an error mentioning `subject-full-stop` or `type-empty`. - -- [ ] **Step 4: Smoke-test scope enforcement** - -```bash -echo "feat(bad-scope): something" | npx commitlint -``` - -Expected: exits non-zero and prints an error mentioning `scope-enum`. - -- [ ] **Step 5: Commit** - -```bash -git add commitlint.config.js -git commit -m "chore(ci): add commitlint configuration" -``` - ---- - -### Task 3: Set up the Husky commit-msg hook - -**Files:** -- Create: `.husky/commit-msg` - -- [ ] **Step 1: Initialise Husky** - -```bash -npx husky init -``` - -Expected: `.husky/` directory created (or already exists) and a `.husky/pre-commit` file created. - -- [ ] **Step 2: Remove the default pre-commit hook** - -The `husky init` command creates a `.husky/pre-commit` stub. Delete it — this repo doesn't use a pre-commit hook: - -```bash -rm .husky/pre-commit -``` - -- [ ] **Step 3: Create the commit-msg hook** - -Create `.husky/commit-msg` with this exact content: - -```sh -npx --no -- commitlint --edit $1 -``` - -> `--no` prevents npx from installing packages not already present. `--edit $1` tells commitlint to read the commit message file passed by git. - -- [ ] **Step 4: Make the hook executable** - -```bash -chmod +x .husky/commit-msg -``` - -- [ ] **Step 5: Test the hook locally with a valid message** - -```bash -echo "feat(auth0-fastify): test hook" > /tmp/test-commit-msg -npx --no -- commitlint --edit /tmp/test-commit-msg -``` - -Expected: exits 0. - -- [ ] **Step 6: Test the hook locally with an invalid message** - -```bash -echo "bad commit message" > /tmp/test-bad-msg -npx --no -- commitlint --edit /tmp/test-bad-msg -``` - -Expected: exits non-zero with a commitlint error. - -- [ ] **Step 7: Commit** - -```bash -git add .husky/commit-msg -git commit -m "chore(ci): add husky commit-msg hook" -``` - ---- - -### Task 4: Add the commitlint CI job - -**Files:** -- Modify: `.github/workflows/test.yml` - -- [ ] **Step 1: Add the commitlint job to the workflow** - -Open `.github/workflows/test.yml` and add the following job after the existing `lint` job: - -```yaml - commitlint: - name: Commitlint - runs-on: ubuntu-latest - if: github.event_name == 'pull_request' - steps: - - name: Checkout code - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - with: - fetch-depth: 0 - - - name: Validate conventional commits - uses: wagoid/commitlint-github-action@b948419dd99f3fd78a6548d48f94e3df7f6bf3ed # v6.2.1 - with: - configFile: commitlint.config.js -``` - -Notes: -- `fetch-depth: 0` is required — the action needs the full history to compare against the base branch. -- The SHA `b948419dd99f3fd78a6548d48f94e3df7f6bf3ed` pins to `wagoid/commitlint-github-action@v6.2.1`, following the repo's security convention (all other actions are pinned by SHA with a version comment). -- `if: github.event_name == 'pull_request'` skips this job on direct pushes to `main` and on `workflow_dispatch` — those commits have already been validated via a PR. - -- [ ] **Step 2: Verify the workflow YAML is valid** - -```bash -cat .github/workflows/test.yml -``` - -Check that the indentation is consistent and the `commitlint` job aligns with the other jobs under the `jobs:` key. - -- [ ] **Step 3: Commit** - -```bash -git add .github/workflows/test.yml -git commit -m "ci: add commitlint GitHub Actions job" -``` From 8d85f0c8afbc53d1c056836b7500093b17b09f26 Mon Sep 17 00:00:00 2001 From: Frederik Prijck Date: Sat, 20 Jun 2026 00:10:19 +0200 Subject: [PATCH 09/11] ci: validate PR title follows conventional commits --- .github/workflows/test.yml | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 1726f0b..bc518ff 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -10,6 +10,7 @@ on: permissions: contents: read + pull-requests: read concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -93,4 +94,14 @@ jobs: - name: Validate conventional commits uses: wagoid/commitlint-github-action@b948419dd99f3fd78a6548d48f94e3df7f6bf3ed # v6.2.1 with: - configFile: commitlint.config.js \ No newline at end of file + configFile: commitlint.config.js + + pr-title: + name: PR Title + runs-on: ubuntu-latest + if: github.event_name == 'pull_request' + steps: + - name: Validate PR title follows conventional commits + uses: amannn/action-semantic-pull-request@48b255084e3858b30ffd45ac31f80bba4e23da4d # v6.1.1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file From c2f79b2afeb3aadaa87b659200946c78e7a468f8 Mon Sep 17 00:00:00 2001 From: Frederik Prijck Date: Sat, 20 Jun 2026 00:12:27 +0200 Subject: [PATCH 10/11] ci: enforce scope list on PR title validation --- .github/workflows/test.yml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index bc518ff..41ff1d1 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -104,4 +104,11 @@ jobs: - name: Validate PR title follows conventional commits uses: amannn/action-semantic-pull-request@48b255084e3858b30ffd45ac31f80bba4e23da4d # v6.1.1 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + scopes: | + auth0-fastify + auth0-fastify-api + ci + security + deps \ No newline at end of file From b23a1a3c5c18a5d523ab0229552e1ad799adcc59 Mon Sep 17 00:00:00 2001 From: Frederik Prijck Date: Sat, 20 Jun 2026 00:13:49 +0200 Subject: [PATCH 11/11] ci: fix pinned SHA for action-semantic-pull-request --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 41ff1d1..e42f123 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -102,7 +102,7 @@ jobs: if: github.event_name == 'pull_request' steps: - name: Validate PR title follows conventional commits - uses: amannn/action-semantic-pull-request@48b255084e3858b30ffd45ac31f80bba4e23da4d # v6.1.1 + uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6.1.1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: