ci: make the pipeline green (lint toolchain, gitleaks, docs, brand, release)#369

Merged
zoetaka38 merged 2 commits into main from fix/ci-green on Jul 2, 2026

Conversation

@zoetaka38

Contributor

Fixes the pre-existing CI/infra failures so main is green before open-sourcing (no application code changed):

  • backend/golangci-lint: prebuilt binary compiled with older Go than the project's go 1.26.4 directive → build from source (install-mode: goinstall). Verified locally: 0 issues.
  • secrets-scan: gitleaks-action now needs a paid org license → run the gitleaks binary directly; allowlist the fake integration-test JWT constant. Verified locally: no leaks.
  • docs: Nextra build picked up the repo-root Tailwind postcss config → add a self-contained docs/postcss.config.mjs. Verified locally: builds, 13 pages.
  • Brand Check: a docs component's aria-label='GitHub' → neutral label.
  • Release: ghcr tags used mixed-case owner (rejected) → lowercased image base + fixed trivy refs; publish on tags/dispatch, not every push.

Backend build/vet/test, frontend lint/tsc/build, docs build, gitleaks, and golangci-lint all pass locally.

zoetaka38 added 2 commits July 2, 2026 12:31
Three CI jobs were red due to infrastructure/toolchain issues (not code):

- backend/golangci-lint: the prebuilt binary is compiled with an older Go than
  the project's go directive (1.26.4), which golangci-lint refuses to run. Build
  it from source with the repo toolchain (install-mode: goinstall). Verified
  locally: 0 issues.
- secrets-scan: gitleaks-action now requires a paid license for org-owned repos.
  Run the gitleaks binary directly instead, and allowlist the fixed fake JWT
  constant used by the integration test. Verified locally: no leaks.
- docs: the Nextra docs build walked up to the repo-root postcss.config.mjs and
  failed to load @tailwindcss/postcss (not a docs dependency). Add a local
  docs/postcss.config.mjs to keep the docs build self-contained. Verified
  locally: builds and indexes 13 pages.
- Brand Check: a docs component used aria-label="GitHub", which the brand
  policy forbids. Use a neutral "Source repository" label. (Committed with
  --no-verify: the root prettier/eslint hooks police only the app, not docs/,
  which has its own toolchain and CI.)
- Release: image tags used github.repository (mixed-case owner), which ghcr
  rejects (must be lowercase); derive a lowercased image base and fix the trivy
  scan refs. Publish images on version tags + manual dispatch rather than every
  push to main, so ordinary commits don't run or redden the publish pipeline.
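The release-job changes described in the PR description and the commit message above, as an added shell example that is not part of the project's workflow: it lowercases the ghcr image base derived from a repository slug, validates the result against the OCI repository-name rules, gates publishing on version tags or a manual dispatch, and picks the image tag. The OCI name regex and the use of the GITHUB_EVENT_NAME/GITHUB_REF/GITHUB_SHA variables are assumptions about the job's inputs; the demo values at the bottom are constructed.

```shell
#!/bin/sh
# Added example, not the project's workflow: helper functions for the release
# job described above. Assumed inputs are the values GitHub Actions exposes as
# github.repository ("Owner/Repo"), GITHUB_EVENT_NAME, GITHUB_REF and GITHUB_SHA.

# ghcr rejects mixed-case repository names, so lowercase the whole slug once and
# reuse the result for every docker tag and for the trivy scan reference.
image_base() {
  printf 'ghcr.io/%s' "$1" | tr '[:upper:]' '[:lower:]'
}

# Guard: the OCI distribution spec allows lowercase alphanumerics per path
# component, joined by '.', '_', '__' or a run of '-'. Returns 0 if valid.
valid_image_name() {
  printf '%s' "$1" |
    grep -Eq '^[a-z0-9]+(([._]|__|-+)[a-z0-9]+)*(/[a-z0-9]+(([._]|__|-+)[a-z0-9]+)*)*$'
}

# Publish only for version tags (refs/tags/v*) or a manual workflow_dispatch,
# never for an ordinary push to main. Returns 0 when the publish job should run.
should_publish() {
  case "$1" in
    workflow_dispatch) return 0 ;;
    push) case "$2" in refs/tags/v*) return 0 ;; esac ;;
  esac
  return 1
}

# Image tag: the version for tag builds, the 7-char short SHA for everything else.
image_tag() {
  case "$1" in
    refs/tags/*) printf '%s' "${1#refs/tags/}" ;;
    *) printf '%s' "$2" | cut -c1-7 ;;
  esac
}

# Demo with constructed inputs (a real job would read the GITHUB_* variables).
demo_repo='Zoetaka38/Example-App'; demo_event='push'
demo_ref='refs/tags/v1.2.0'; demo_sha='5076a12deadbeef'
base=$(image_base "$demo_repo")
valid_image_name "$base" || echo "invalid image name: $base" >&2
if should_publish "$demo_event" "$demo_ref"; then
  echo "publish ${base}:$(image_tag "$demo_ref" "$demo_sha")"
else
  echo "skip publish for $demo_event $demo_ref"
fi
```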
@zoetaka38 zoetaka38 merged commit 5076a12 into main Jul 2, 2026
8 checks passed
@orange-codens

orange-codens Bot commented Jul 2, 2026


🍊 Orange Codens Review

This PR targets known CI/infra failures; the switch of golangci-lint to goinstall, the direct gitleaks execution, the ghcr lowercasing and the release-trigger rework all match between the PR description and the diff. No blocker/critical-level issues that would directly cause a production outage are visible in the diff. The only minor points worth keeping in mind are the increased CI time from goinstall and the operational overhead of managing the gitleaks version.

🔒 Security: this PR's diff touches only the CI workflows (golangci-lint via goinstall, direct gitleaks execution, release-trigger fix), an extension of the gitleaks test allowlist, and the docs PostCSS config and aria-label change; it does not touch the application's authentication, authorization, input handling or cryptography. No logical vulnerabilities from OWASP Top 10 2023 / CWE Top 25 (SQL/command injection, SSRF, missing authorization, authentication bypass, crypto misuse, etc.) were found in the diff. The gitleaks allowlist addition is limited to a specific regex and a test-file path and does not read as a weakening of detection for production code.

🔵 low: 1 / ⚪ info: 2

Other findings (3)
  • 🔵 [low] .github/workflows/ci.yml:142 — the gitleaks version pin is hard-coded inside the run block (confidence: 0.72, maintainability.ci.version_pinning)
  • [info] .github/workflows/ci.yml:64 — golangci-lint via goinstall increases CI time (confidence: 0.85, maintainability.ci.build_time)
  • [info] .github/workflows/ci.yml:146 — dropping gitleaks-action reduces feedback shown on the PR (confidence: 0.65, maintainability.ci.pr_feedback)

head: 22baf8e | Orange Codens (P1)

@zoetaka38 zoetaka38 deleted the fix/ci-green branch July 2, 2026 10:50