chore(ci): pin GitHub Actions to commit SHAs + add bump printer #110
Replaces every `uses: <owner>/<repo>@<tag>` reference across `.github/workflows/*.yml` (ci, pages, release, release-candidate, review-fix-shipped) with the resolved 40-char commit SHA, keeping the human-readable version label as a trailing `# vX.Y.Z` comment. Eight unique actions, 31 references in total. Tags resolved via `gh api repos/<owner>/<repo>/git/ref/tags/<tag>`, peeling annotated tags through `git/tags/<sha>` where required.

Adds `scripts/bump-actions.mjs` (Node ESM, no deps) that walks every workflow, parses each pin, queries each action's latest release, and prints a status table with `up-to-date` / `PENDING` / `unresolved` / `no-releases` rows. Read-only — humans re-resolve via `gh api` and edit. Exits non-zero on PENDING so the signal can gate a future scheduled bot.

`eslint.config.js` gains a `scripts/**/*.mjs` override that disables the type-checked unsafe-* rules and turns on Node globals — the script runs via plain `node`, not the lib's TS toolchain, so the `recommendedTypeChecked` preset would otherwise misfire on `JSON.parse` and `execFileSync` returns.

Closes row 3 of `docs/plans/2026-04-25-comprehensive-polish-and-harden.md`. No library change. No changeset.
@codex review
size-limit report 📦
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 3ba91cd3ef
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
…Codex P1) Two correctness gaps in `scripts/bump-actions.mjs` flagged on PR #110:

1. `latestReleaseTag` and `tagToCommitSha` swallowed every `gh api` failure as `null`, conflating real "no releases" / "tag missing" 404s with missing CLI, expired auth, network blips, and rate limits. The script then exited 0 with a false-green "no actionable updates" report. New `ghTry` helper distinguishes 404 from other errors via stderr probing (`HTTP 404|Not Found`); both resolvers throw on non-404 and the main loop renders an `ERROR` row + non-zero exit so broken tooling fails the gate honestly.
2. When the same action appeared with different SHA/label tuples across workflows the previous code only annotated the source list with `DIVERGENT` while keeping the first-seen SHA as the comparison key — so a stale later occurrence stayed `up-to-date` if the first was current. Pin storage is now a list of variants per `owner/repo`; multiple variants short-circuit to status `DIVERGENT` (treated as failing) regardless of latest comparison so real outdated pins surface every time.
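The audit logic that the PR description above and this commit message describe, written out as an added example in plain JavaScript. This is not the PR's own `scripts/bump-actions.mjs` (its source is not on this page): the `PIN_RE` regex, the `runGh` callback, `fakeGh`, `FAKE_API`, `SAMPLE_WORKFLOWS` and `demo` are assumptions of this example, and the workflow text and API replies are constructed. The real script would shell out to `gh api` via `execFileSync`; here an injected `runGh` function lets the same code run offline and exercise every row type, including the 404-versus-real-error split and the `DIVERGENT` short-circuit.

```javascript
// Added example (not the PR's scripts/bump-actions.mjs): pin audit as pure
// functions. `runGh` stands in for `gh api`; sample input is constructed.

// `uses: owner/repo[/path]@<40-hex sha> [# vX.Y.Z]`; `./local` and docker://
// references deliberately do not match (assumed regex, not the script's).
const PIN_RE = /^\s*-?\s*uses:\s*([\w.-]+\/[\w.-]+)(?:\/[^@\s]+)?@([0-9a-f]{40})\s*(?:#\s*(\S+))?\s*$/;

function parsePins(text, file = 'workflow.yml') {
  const pins = [];
  text.split('\n').forEach((line, i) => {
    const m = PIN_RE.exec(line);
    if (m) pins.push({ repo: m[1], sha: m[2], label: m[3] ?? null, where: `${file}:${i + 1}` });
  });
  return pins;
}

// One list of (sha, label) variants per owner/repo, so a stale second
// occurrence cannot hide behind a current first one.
function groupVariants(pins) {
  const byRepo = new Map();
  for (const p of pins) {
    const variants = byRepo.get(p.repo) ?? byRepo.set(p.repo, []).get(p.repo);
    let v = variants.find((x) => x.sha === p.sha && x.label === p.label);
    if (!v) variants.push((v = { sha: p.sha, label: p.label, sources: [] }));
    v.sources.push(p.where);
  }
  return byRepo;
}

// 404 means "not there" (no releases / tag missing) and yields null; any other
// failure (no CLI, expired auth, network, rate limit) is a hard error.
class GhError extends Error {}
function ghTry(runGh, path) {
  try {
    return runGh(path);
  } catch (err) {
    const stderr = String(err.stderr ?? err.message ?? '');
    if (/HTTP 404|Not Found/.test(stderr)) return null;
    throw new GhError(`gh api ${path}: ${stderr.trim()}`);
  }
}

function latestReleaseTag(runGh, repo) {
  const rel = ghTry(runGh, `repos/${repo}/releases/latest`);
  return rel ? rel.tag_name : null;
}

// Resolve a tag to a commit, peeling annotated tags through git/tags/<sha>.
function tagToCommitSha(runGh, repo, tag) {
  const ref = ghTry(runGh, `repos/${repo}/git/ref/tags/${tag}`);
  if (!ref) return null;
  if (ref.object.type === 'commit') return ref.object.sha;
  const tagObj = ghTry(runGh, `repos/${repo}/git/tags/${ref.object.sha}`);
  return tagObj ? tagObj.object.sha : null;
}

// One status-table row per action; DIVERGENT short-circuits before any lookup.
function auditRepo(runGh, repo, variants) {
  if (variants.length > 1) return { repo, status: 'DIVERGENT' };
  try {
    const tag = latestReleaseTag(runGh, repo);
    if (tag === null) return { repo, status: 'no-releases' };
    const sha = tagToCommitSha(runGh, repo, tag);
    if (sha === null) return { repo, status: 'unresolved', latest: tag };
    return { repo, status: sha === variants[0].sha ? 'up-to-date' : 'PENDING', latest: `${tag} ${sha}` };
  } catch (err) {
    if (err instanceof GhError) return { repo, status: 'ERROR', detail: err.message };
    throw err;
  }
}

// Gate: PENDING, DIVERGENT and ERROR all fail, so broken tooling cannot look green.
function audit(runGh, workflows) {
  const pins = Object.entries(workflows).flatMap(([file, text]) => parsePins(text, file));
  const rows = [...groupVariants(pins)].map(([repo, v]) => auditRepo(runGh, repo, v));
  const failing = new Set(['PENDING', 'DIVERGENT', 'ERROR']);
  return { rows, exitCode: rows.some((r) => failing.has(r.status)) ? 1 : 0 };
}

// --- constructed sample workflows and canned API replies (not real data) ---
const A = 'a'.repeat(40), ANNOTATED = '1'.repeat(40), PEELED = '2'.repeat(40);
const SAMPLE_WORKFLOWS = {
  'ci.yml': `      - uses: actions/checkout@${A} # v4.0.0
      - uses: actions/setup-node@${'b'.repeat(40)} # v4.0.0
      - uses: ./.github/actions/local`,
  'pages.yml': `      - uses: actions/checkout@${A} # v4.0.0
      - uses: example/divergent@${'c'.repeat(40)} # v1.0.0
      - uses: example/divergent@${'d'.repeat(40)} # v1.1.0
      - uses: example/no-rel@${'e'.repeat(40)}
      - uses: example/down@${'f'.repeat(40)} # v2.0.0`,
};
const FAKE_API = {
  'repos/actions/checkout/releases/latest': { tag_name: 'v4.0.0' },
  'repos/actions/checkout/git/ref/tags/v4.0.0': { object: { type: 'commit', sha: A } },
  'repos/actions/setup-node/releases/latest': { tag_name: 'v4.1.0' },
  'repos/actions/setup-node/git/ref/tags/v4.1.0': { object: { type: 'tag', sha: ANNOTATED } },
  [`repos/actions/setup-node/git/tags/${ANNOTATED}`]: { object: { type: 'commit', sha: PEELED } },
};
function fakeGh(path) {
  if (path in FAKE_API) return FAKE_API[path];
  const err = new Error('gh api failed'); // unknown paths: 404 except example/down (network)
  err.stderr = path.startsWith('repos/example/down/') ? 'error connecting to api.github.com' : 'gh: Not Found (HTTP 404)';
  throw err;
}
function demo() {
  return audit(fakeGh, SAMPLE_WORKFLOWS);
}
console.table(demo().rows);
```

Running it prints five rows: `actions/checkout` is `up-to-date`, `actions/setup-node` is `PENDING` (its latest tag is annotated and peels to a different commit), `example/divergent` is `DIVERGENT` without any API call, `example/no-rel` is `no-releases`, and `example/down` is `ERROR` because its failure did not look like a 404; the returned `exitCode` is 1. The block uses no imports, so `node` runs it as either `.js` or `.mjs`.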
@codex review
Codex Review: Didn't find any major issues. Already looking forward to the next diff.
…ha-pinning # Conflicts: # docs/plans/2026-04-25-comprehensive-polish-and-harden.md
## Summary
Doc-audit pass over `docs/plans` + `docs/specs`. Three things land
together:
- **`docs/archive/{plans,specs}/`** — new home for plans whose roadmap
rows have all shipped (or whose goals were folded into a successor)
and specs whose design is now reflected in code. Includes a
`README.md` explaining the policy; `CLAUDE.md` documents the
convention.
- **`git mv` 23 plans + 3 specs into the archive.** The active live
set is now the comprehensive polish-and-harden plan plus three
specs (post-tfjs improvements, mvp-demo, vision), each with a
refreshed status banner.
- **Refresh the live comprehensive plan** against current `develop`:
- PR column updated for rows 16/19/20/3/4/22 (now shipped via
PRs #91 / #98 / #104 / #110 / #113 / #111).
- New "Post-roadmap follow-ups" section covers PRs #92 → #125
(review-bot infra, tracker findings, demo + tfjs hotfixes,
tooling).
- Stale prose-baked counts dropped (size budgets now reference
`package.json#size-limit` only).
- Coverage-thresholds section gains a pointer to the sticky PR
comment shipped in PR #124.
## Other doc fixes
- `README.md`: drop the unverifiable "Phase A milestones (M0–M15) are
all green" claim — the milestones don't exist as documented IDs
anywhere; replace with a pointer to the live polish plan.
- `vision.md`: refresh cadence note (was pinned to 2026-04-19 + "next
review at 1.0").
- `2026-04-24-post-tfjs-improvements.md`: mark recommended-order items
that have shipped (PRs #61, #76, #77, #83, #84, #91, #94, #96,
#104, #113), link the active roadmap as the heir.
- `mvp-demo.md`: status banner explaining where active polish work is
now tracked.
## Mechanical
- Update inline cross-refs in `CLAUDE.md`, `eslint.config.js`,
`src/agent/{Agent,AgentModule}.ts`, `tests/unit/exports.test.ts`,
and `docs/daily-reviews/2026-04-25.md` to point at the new
`docs/archive/` paths so links keep resolving.
No code change beyond comment-path updates.
## Test plan
- [x] `npm run verify` green (`format:check` + `lint` + `typecheck` +
`test` + `build` + `docs`). 523 tests pass; the 2 lint warnings
are pre-existing (`CognitionPipeline.invokeSkillAction` complexity
+ `scoreFailure` param count) and on the ratchet menu.
- [x] `git ls-files docs/archive/` shows the moved files; renames are
preserved (`git log --follow` works for any moved file).
- [ ] Codex review: clean, no blockers.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
---------
Co-authored-by: Luis Mendez <hallo@luis-mendez.de>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
## Summary

Replaces every `uses: <owner>/<repo>@<tag>` reference across `.github/workflows/*.yml` (ci, pages, release, release-candidate, review-fix-shipped) with the resolved 40-char commit SHA, keeping the human-readable version label as a trailing `# vX.Y.Z` comment. 8 unique actions, 31 total references. Tags resolved via `gh api repos/<owner>/<repo>/git/ref/tags/<tag>`, peeling annotated tags through `git/tags/<sha>` where required.

Adds `scripts/bump-actions.mjs` (Node ESM, no deps) that walks every workflow, parses each pin, queries each action's latest release, and prints a status table with `up-to-date` / `PENDING` / `unresolved` / `no-releases` rows. Read-only — humans re-resolve via `gh api` and edit. Exits non-zero on PENDING so the signal can gate a future scheduled bot.

`eslint.config.js` gains a `scripts/**/*.mjs` override that disables the type-checked unsafe-* rules and turns on Node globals — the script runs via plain `node`, not the lib's TS toolchain, so the `recommendedTypeChecked` preset would otherwise misfire on `JSON.parse` and `execFileSync` returns.

Pin table (`v6` etc. → SHA):

| Action | Pinned commit SHA |
|---|---|
| `actions/checkout` | `de0fac2e4500dabe0009e67214ff5f5447ce83dd` |
| `actions/setup-node` | `48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e` |
| `actions/github-script` | `f28e40c7f34bde8b3046d885e986cb6290c5673b` |
| `actions/upload-pages-artifact` | `fc324d3547104276b827a68afc52ff2a11cc49c9` |
| `actions/deploy-pages` | `cd2ce8fcbc39b97be8ca5fce6e763baed58fa128` |
| `changesets/action` | `6a0a831ff30acef54f2c6aa1cbbc1096b066edaf` |
| `reviewdog/action-actionlint` | `6fb7acc99f4a1008869fa8a0f09cfca740837d9d` |
| `andresz1/size-limit-action` | `e7493a72a44b113341c0cf6186ab49c17c4b65c1` |

Closes row 3 of `docs/plans/2026-04-25-comprehensive-polish-and-harden.md` (marked shipped in same diff). No library change. No changeset.

## Test plan

- `node scripts/bump-actions.mjs` prints pending bumps without crashing
- `npm run verify` green locally (format:check + lint + typecheck + test + build + docs — all confirmed pre-push)