Harden workflows and activate Copilot guidance#111
Harden workflows and activate Copilot guidance#111chrismaz11 wants to merge 10 commits intomasterfrom
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 252537429d
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
There was a problem hiding this comment.
Pull request overview
This PR primarily hardens GitHub Actions workflows (pinning actions, narrowing permissions, consolidating AI control sync, and adjusting artifact verification triggers) and adds repo-level Copilot guidance, while also introducing API-side rate limiting refactors plus dependency/lockfile updates.
Changes:
- Consolidates AI control/skill sync into
sync.yml, removes the redundant workflow, and adds.github/copilot-instructions.md. - Pins GitHub Actions to commit SHAs, adds explicit read-only permissions, and moves artifact verification to
workflow_dispatch+release.published. - Updates API code for rate limiting/auth hashing behavior and refreshes multiple dependency lockfiles.
Reviewed changes
Copilot reviewed 12 out of 15 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
vantademo/package-lock.json |
Bumps picomatch patch version in demo lockfile. |
src/routes/verify.ts |
Adds per-route rate limiting to /v1/verify-bundle. |
sdk/index.ts |
Replaces regex URL trimming with a helper function. |
package-lock.json |
Updates lockfile (notably serialize-javascript). |
apps/api/src/server.ts |
Refactors some routes to combine scope + per-key rate limiting via a helper. |
apps/api/src/security.ts |
Switches API key hashing to WebCrypto and updates rate-limit fingerprinting. |
apps/api/package-lock.json |
Large dependency/lockfile update (adds Solana web3, bumps Fastify/pdf libs, etc.). |
.github/workflows/sync.yml |
Renames/retools AI control sync workflow; pins checkout/setup-node; adds inputs and summary. |
.github/workflows/scorecard.yml |
Pins actions and trims workflow boilerplate; pins CodeQL SARIF upload action. |
.github/workflows/main.yml |
Runs artifact verification only on dispatch + published releases; pins checkout. |
.github/workflows/copilotsetupsteps.yml |
Pins actions, uses Node 20, adds npm ci and Prisma generate step. |
.github/workflows/codeql.yml |
Pins CodeQL actions and adds top-level read-only permissions. |
.github/workflows/ci.yml |
Pins actions, adds read-only permissions, and installs deps for local verify-artifact action checks. |
.github/workflows/ai-skill-sync.yml |
Removes the redundant legacy AI skill sync workflow. |
.github/copilot-instructions.md |
Adds Copilot guidance (commands, scope, risk areas, workflow conventions). |
Files not reviewed (2)
- apps/api/package-lock.json: Language not supported
- vantademo/package-lock.json: Language not supported
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 33eab74e40
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 395c563557
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 13 out of 17 changed files in this pull request and generated 3 comments.
Files not reviewed (3)
- apps/api/package-lock.json: Language not supported
- github-actions/trustsignal-verify-artifact/package-lock.json: Language not supported
- vantademo/package-lock.json: Language not supported
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 13 out of 17 changed files in this pull request and generated 3 comments.
Files not reviewed (3)
- apps/api/package-lock.json: Language not supported
- github-actions/trustsignal-verify-artifact/package-lock.json: Language not supported
- vantademo/package-lock.json: Language not supported
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
|
@copilot apply changes based on the comments in this thread |
…ype import Agent-Logs-Url: https://github.com/TrustSignal-dev/TrustSignal/sessions/e10f7335-a7c1-4a92-820b-6c76ffd0fb62 Co-authored-by: chrismaz11 <24700273+chrismaz11@users.noreply.github.com>
…tion plan Agent-Logs-Url: https://github.com/TrustSignal-dev/TrustSignal/sessions/e10f7335-a7c1-4a92-820b-6c76ffd0fb62 Co-authored-by: chrismaz11 <24700273+chrismaz11@users.noreply.github.com>
|
Addressed the outstanding review feedback in commits
The CodeQL |
|
@copilot apply changes based on the comments in this thread |
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 13 out of 18 changed files in this pull request and generated 1 comment.
Files not reviewed (3)
- apps/api/package-lock.json: Language not supported
- github-actions/trustsignal-verify-artifact/package-lock.json: Language not supported
- vantademo/package-lock.json: Language not supported
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Agent-Logs-Url: https://github.com/TrustSignal-dev/TrustSignal/sessions/6ae3c972-c937-4278-adee-6c9c870e64f4 Co-authored-by: chrismaz11 <24700273+chrismaz11@users.noreply.github.com>
All three comments in that review were already addressed in previous commits (
Applied in commit
|
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 13 out of 18 changed files in this pull request and generated 3 comments.
Files not reviewed (3)
- apps/api/package-lock.json: Language not supported
- github-actions/trustsignal-verify-artifact/package-lock.json: Language not supported
- vantademo/package-lock.json: Language not supported
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| - name: Setup Node.js | ||
| uses: actions/setup-node@v6 | ||
| uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.0.0 | ||
| with: | ||
| node-version: 22 | ||
| node-version: '22' | ||
|
|
||
| - name: Install action dependencies | ||
| working-directory: github-actions/trustsignal-verify-artifact | ||
| run: npm ci |
There was a problem hiding this comment.
This job uses Node.js 22, but the repo declares support as >=20.18.0 <21 (root package.json engines). Even if this subdirectory install works, running CI on a newer major can hide compatibility issues; consider aligning this to 20.18 (or explain why Node 22 is required for the action checks).
There was a problem hiding this comment.
@copilot apply changes based on this feedback
| "engines": { | ||
| "node": "20.x" | ||
| "node": ">=20.18.0 <21" | ||
| }, | ||
| "workspaces": [ | ||
| "apps/*", | ||
| "packages/*" | ||
| ], | ||
| "dependencies": { | ||
| "axios": "^1.13.6", | ||
| "axios": "^1.15.0", | ||
| "better-sqlite3": "^12.8.0", |
There was a problem hiding this comment.
The PR description is focused on workflow hardening/Copilot guidance, but this change also updates runtime/runtime-adjacent dependency constraints (e.g. Node engine range and axios bump). To keep review/auditability tight, either call out these dependency/runtime changes explicitly in the PR description or split them into a separate PR.
There was a problem hiding this comment.
@copilot apply changes based on this feedback
There was a problem hiding this comment.
Updated the PR description (ab151fe) to explicitly call out all dependency/runtime changes: Node engine range tightened to >=20.18.0 <21, all CI jobs pinned to 20.18, and the scopedRateLimit/auth hashing behavior changes. Also took the opportunity to align the verify-artifact CI job from Node 22 to 20.18 to match the repo engines constraint.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
|
@copilot apply changes based on the comments in this thread |
Agent-Logs-Url: https://github.com/TrustSignal-dev/TrustSignal/sessions/a2817e71-139d-4e5a-8225-df6d98d3802a Co-authored-by: chrismaz11 <24700273+chrismaz11@users.noreply.github.com>
Summary
ai-skill-sync.ymlworkflow and consolidate AI-control sync intosync.ymlworkflow_dispatchplus published releasescopilotsetupsteps.ymlintentional for GitHub agents and add.github/copilot-instructions.mdWhy
This reduces workflow-related Security tab noise, tightens token scope, makes the GitHub agent surface usable, and removes overlapping automation that was not adding value.
Expected follow-up