
chore: sync Dependabot SHA bumps from main and fix target branch#43

Merged
amcheste merged 5 commits into develop from chore/sync-main-and-fix-dependabot
Mar 31, 2026

Conversation

@amcheste (Owner)

Summary

When the default branch was switched back to main, Dependabot started targeting main directly. Four PRs merged there before the issue was noticed: #30, #31, #33, #34.

This PR:

  • Brings those 4 Action SHA updates into develop (resolving merge conflicts by keeping newer versions with pinned SHAs)
  • Adds target-branch: develop to dependabot.yml so all future Dependabot PRs correctly target develop

After merging, PR #32 (the release-drafter Dependabot PR still targeting main) will be closed — Dependabot will recreate it targeting develop on the next run.

Updated SHAs:

| Action                  | From   | To     |
|-------------------------|--------|--------|
| actions/labeler         | v5     | v6     |
| ossf/scorecard-action   | v2.4.0 | v2.4.3 |
| actions/upload-artifact | v4     | v7     |
| github/codeql-action    | v3     | v4     |

🤖 Generated with Claude Code
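
As an added example (not code from this PR or the repository it belongs to), a POSIX shell policy check for the two settings the description relies on: every Action `uses:` pinned to a full commit SHA, and a `target-branch` on each dependabot.yml entry so bumps stop landing on the default branch. The workflow and dependabot.yml it writes are constructed for the demo; the labeler SHA is the v6.0.1 pin listed above.

```shell
#!/bin/sh
# Added example, not code from this PR or the repository it belongs to.
# Checks the two policies the PR description relies on:
#   1. every `uses:` in a workflow is pinned to a full 40-hex commit SHA
#   2. each dependabot.yml update entry carries a target-branch (here: develop)

# Print every `uses:` reference in the workflow file $1 that is not pinned to a
# full commit SHA. Local actions (./path) and docker:// images carry no git ref
# and are skipped. The trailing "# v6.0.1" comment Dependabot keeps beside a
# SHA is dropped before the ref is judged.
unpinned_uses() {
  awk '
    /^[[:space:]]*-?[[:space:]]*uses:/ {
      ref = $0
      sub(/#.*$/, "", ref)                  # drop the version comment
      sub(/.*uses:[[:space:]]*/, "", ref)   # keep only the reference
      gsub("[\"\047[:space:]]", "", ref)    # strip quotes and blanks
      if (ref == "" || ref ~ /^\.\// || ref ~ /^docker:\/\//) next
      n = split(ref, parts, "@")
      sha = (n > 1) ? parts[n] : ""
      # length() plus a class test instead of {40}: some awks lack intervals
      if (length(sha) != 40 || sha !~ /^[0-9a-f]+$/) print ref
    }
  ' "$1"
}

# Number of unpinned references in $1 (0 means the pinning policy holds).
unpinned_count() {
  unpinned_uses "$1" | awk 'END { print NR }'
}

# Print "<package-ecosystem> <target-branch>" for each update entry in the
# dependabot.yml given as $1; entries with no target-branch print "(default)".
dependabot_targets() {
  awk '
    function flush() {
      if (eco != "") print eco, (target == "" ? "(default)" : target)
    }
    /^[[:space:]]*-[[:space:]]*package-ecosystem:/ {
      flush()
      eco = $0
      sub(/.*package-ecosystem:[[:space:]]*/, "", eco)
      gsub("[\"\047[:space:]]", "", eco)
      target = ""
      next
    }
    /^[[:space:]]*target-branch:/ {
      target = $0
      sub(/.*target-branch:[[:space:]]*/, "", target)
      gsub("[\"\047[:space:]]", "", target)
    }
    END { flush() }
  ' "$1"
}

# Write constructed sample inputs (not real repository files) under $1.
# The labeler SHA is the v6.0.1 pin from the PR; everything else is made up.
write_samples() {
  mkdir -p "$1/.github/workflows"
  cat > "$1/.github/workflows/ci.yml" <<'EOF'
name: ci
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4                                        # tag only
      - uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1
      - uses: "ossf/scorecard-action@v2.4.3"                             # quoted tag
      - uses: ./.github/actions/local-thing                              # local, skipped
      - uses: docker://alpine:3.20                                       # image, skipped
EOF
  cat > "$1/.github/dependabot.yml" <<'EOF'
version: 2
updates:
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly
    target-branch: develop
  - package-ecosystem: npm
    directory: /
    schedule:
      interval: weekly
EOF
}

demo() {
  tmp="$(mktemp -d)"
  write_samples "$tmp"
  echo "== unpinned action refs =="
  unpinned_uses "$tmp/.github/workflows/ci.yml"
  echo "== dependabot target branches =="
  dependabot_targets "$tmp/.github/dependabot.yml"
  rm -rf "$tmp"
}
demo
```

Run it against a real checkout by pointing `unpinned_uses` at each file under `.github/workflows` and `dependabot_targets` at `.github/dependabot.yml`; any printed ref or "(default)" entry is a policy gap.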

dependabot Bot and others added 5 commits March 30, 2026 19:35
Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from ff5dd8929f96a8a4dc67d13f32b8c75057829621 to 62b2cac7ed8198b15735ed49ab1e5cf35480ba46.
- [Release notes](https://github.com/ossf/scorecard-action/releases)
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md)
- [Commits](ossf/scorecard-action@ff5dd89...62b2cac)

---
updated-dependencies:
- dependency-name: ossf/scorecard-action
  dependency-version: 62b2cac7ed8198b15735ed49ab1e5cf35480ba46
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3b1a19a80ab047f35cbb237b5bd9bdc1e14f166c to 5c8a8a642e79153f5d047b10ec1cba1d1cc65699.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@3b1a19a...5c8a8a6)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 5c8a8a642e79153f5d047b10ec1cba1d1cc65699
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Alan Chester <amcheste@gmail.com>
Bumps [actions/labeler](https://github.com/actions/labeler) from 5.0.0 to 6.0.1.
- [Release notes](https://github.com/actions/labeler/releases)
- [Commits](actions/labeler@8558fd7...634933e)

---
updated-dependencies:
- dependency-name: actions/labeler
  dependency-version: 6.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.6.2 to 7.0.0.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@v4.6.2...bbbca2d)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Four Dependabot PRs (#30, #31, #33, #34) merged directly to main after
the default branch was switched back. This commit:

- Resolves merge conflicts in labeler.yml and scorecard.yml, taking
  the newer Action versions from main but pinning them to full commit
  SHAs (as required by our pinned-dependencies policy)
- Adds target-branch: develop to dependabot.yml so all future
  Dependabot PRs target develop instead of main

Updated SHAs:
  actions/labeler v5 → v6 (634933edcd8ababfe52f92936142cc22ac488b1b)
  ossf/scorecard-action v2.4.0 → v2.4.3 (99c09fe975337306107572b4fdf4db224cf8e2f2)
  actions/upload-artifact v4 → v7 (bbbca2ddaa5d8feaa63e36b76fdaad77386f024f)
  github/codeql-action v3 → v4 (d4b3ca9fa7f69d38bfcd667bdc45bc373d16277e)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
github-actions bot added the ci label Mar 31, 2026
amcheste merged commit 3ccff80 into develop Mar 31, 2026
7 checks passed
amcheste deleted the chore/sync-main-and-fix-dependabot branch March 31, 2026 00:26
amcheste added a commit that referenced this pull request Apr 2, 2026
* feat: add /setup-repo skill for new repository configuration

Automates the standard branch model setup for any new repo:
creates develop branch, sets it as default, applies protection
rules to develop and main, and adds v* tag protection ruleset.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* feat: add /create-repo skill and update /publish-release for enforce_admins (#24)

Add a new /create-repo Claude Code skill that creates a repo from the
amcheste/repo-template, clones it locally, and applies the full standard
branch protection setup in one command.

Update /publish-release to work with enforce_admins=true on develop:
the old flow pushed directly to develop, which is now blocked. The new
flow creates a chore/release-v<version> branch, opens a PR to develop,
then after merge opens a develop→main release PR before tagging.

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* feat: add mascot logo to README (#25)

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* feat: add missing tools to Brewfile (#26)

Add tools that were installed on the machine but not tracked:
- tart (via cirruslabs/cli tap) — local VM acceptance testing
- git-lfs — large file support
- kustomize — Kubernetes config management
- octant — Kubernetes dashboard
- postgresql@17 — local Postgres
- virtualenv — Python virtual environments
- claude-code (cask) — Claude Code CLI

Also adds the cirruslabs/cli tap declaration.

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* feat: improve OpenSSF security score — pin deps, add permissions, add SAST (#27)

- Pin all GitHub Actions to full commit SHAs (satisfies Pinned-Dependencies check)
- Add explicit `permissions: contents: read` to all workflows that were missing it
  (satisfies Token-Permissions check)
- Add SAST workflow using Semgrep (p/bash + p/secrets rulesets) with SARIF upload
  to GitHub Security tab (satisfies SAST check)

Dependabot is already configured to keep Action SHAs up to date weekly.

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: run scorecard on develop branch and add workflow_dispatch (#28)

Allows scorecard to run on develop merges for early visibility into
security posture before promoting to main.

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: only publish scorecard results from main branch (#29)

The scorecard action enforces that publish_results=true can only run
from the default/main branch. Conditionally set it so develop runs
still produce SARIF output without failing on publication.

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: silence gruvbox error on first install and clarify GitHub MCP Docker requirement (#35)

- Wrap `colorscheme gruvbox` in a try/catch so first-run `vim +PlugInstall`
  falls back to `desert` instead of printing an error (gruvbox not yet
  downloaded at that point)
- Remove live `claude mcp list` health check from setup-mcps.sh summary —
  it always shows GitHub MCP as failed because Docker isn't running at
  setup time. Replace with a static server list and a clear note that
  Docker must be running for the GitHub MCP to connect.

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: suppress vim pager prompt during plugin install (#38)

vim-go's update output is longer than one screen, causing a `-- More --`
pager pause that blocks unattended setup. Use `--not-a-term -c "set nomore"`
to disable the pager and suppress terminal UI rendering.

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: suppress all vim output during plugin install (#39)

Redirect stdout in addition to stderr so lightline colour allocation
errors don't leak through to the terminal during unattended setup.

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: add preflight checks and pre-tap cirruslabs/cli before brew bundle (#40)

Fixes two issues found during testing on a second Mac:

Issue #36 — tart not found during brew bundle:
brew bundle can fail to resolve third-party tap formulae if the tap
hasn't been added before the fetch stage. Explicitly run
`brew tap cirruslabs/cli` before `brew bundle` to guarantee tart
is resolvable.

Issue #37 — non-admin account with no sudo access:
Added preflight checks at the top of setup.sh that run before anything
else:
- Fails immediately with a clear message if the account is not in the
  macOS 'admin' group (Homebrew requires sudo for installation)
- Warns if an existing Homebrew prefix is not writable by the current
  user, with the exact command needed to fix it

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* feat: improve test coverage based on real-world failure scenarios (#41)

* fix: add preflight checks and pre-tap cirruslabs/cli before brew bundle

Fixes two issues found during testing on a second Mac:

Issue #36 — tart not found during brew bundle:
brew bundle can fail to resolve third-party tap formulae if the tap
hasn't been added before the fetch stage. Explicitly run
`brew tap cirruslabs/cli` before `brew bundle` to guarantee tart
is resolvable.

Issue #37 — non-admin account with no sudo access:
Added preflight checks at the top of setup.sh that run before anything
else:
- Fails immediately with a clear message if the account is not in the
  macOS 'admin' group (Homebrew requires sudo for installation)
- Warns if an existing Homebrew prefix is not writable by the current
  user, with the exact command needed to fix it

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* feat: improve test coverage based on real-world failure scenarios

Three improvements based on bugs found during testing on a second Mac
(issues #36 and #37):

VM acceptance test:
- Untap cirruslabs/cli before running setup.sh to simulate a truly
  fresh machine. This would have caught issue #36 (tart not found)
  immediately.

Acceptance checks (acceptance-test.sh):
- Add Preflight section: macOS check, admin group check, Homebrew
  writability check
- Add cirruslabs/cli tap and tart installation checks
- Add Claude Skills section: verify all three skills are symlinked

Preflight unit tests (scripts/preflight-test.sh):
- New script that runs entirely on the local machine without a VM
- Mocks id and brew via PATH override to test non-admin and
  unwritable-prefix scenarios in isolation
- Wired into the macOS integration job in validate.yml

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: remove pull_request trigger from release-drafter workflow (#42)

When release-drafter runs on a pull_request event it sets
target_commitish to the PR merge ref (refs/pull/N/merge) which
GitHub rejects as invalid for a release. Label application is
already handled by the separate labeler.yml workflow so the
pull_request trigger here is redundant.

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* chore: sync Dependabot SHA bumps from main and fix target branch (#43)

* chore: Bump ossf/scorecard-action (#34)

Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from ff5dd8929f96a8a4dc67d13f32b8c75057829621 to 62b2cac7ed8198b15735ed49ab1e5cf35480ba46.
- [Release notes](https://github.com/ossf/scorecard-action/releases)
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md)
- [Commits](ossf/scorecard-action@ff5dd89...62b2cac)

---
updated-dependencies:
- dependency-name: ossf/scorecard-action
  dependency-version: 62b2cac7ed8198b15735ed49ab1e5cf35480ba46
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: Bump github/codeql-action (#33)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3b1a19a80ab047f35cbb237b5bd9bdc1e14f166c to 5c8a8a642e79153f5d047b10ec1cba1d1cc65699.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@3b1a19a...5c8a8a6)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 5c8a8a642e79153f5d047b10ec1cba1d1cc65699
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Alan Chester <amcheste@gmail.com>

* chore: Bump actions/labeler from 5.0.0 to 6.0.1 (#31)

Bumps [actions/labeler](https://github.com/actions/labeler) from 5.0.0 to 6.0.1.
- [Release notes](https://github.com/actions/labeler/releases)
- [Commits](actions/labeler@8558fd7...634933e)

---
updated-dependencies:
- dependency-name: actions/labeler
  dependency-version: 6.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: Bump actions/upload-artifact from 4.6.2 to 7.0.0 (#30)

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.6.2 to 7.0.0.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@v4.6.2...bbbca2d)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: detect and reject sudo/root execution before brew runs (#45)

* fix: detect and reject sudo/root execution before brew runs (#44)

Users who see "Homebrew prefix not writable" instinctively retry with
sudo, which Homebrew rejects. This breaks setup in a confusing loop.

- Add root detection check at the top of preflight (before brew runs)
  using `id -u` so the check is unit-testable via PATH override
- Exit immediately with a clear message explaining *not* to use sudo
  and showing the exact chown command to run first instead
- Strengthen the writability error message with an explicit warning:
  "Do NOT re-run setup.sh with sudo"
- Add 4 new preflight unit tests covering the root/sudo scenario

Fixes #44

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: auto-fix Homebrew directory ownership instead of failing out (#44)

Rather than printing a manual chown command and exiting, setup.sh now
attempts to fix the ownership automatically using targeted sudo chown.

- Only chowns the specific subdirectories Homebrew uses (bin, Cellar,
  Caskroom, etc, Frameworks, include, lib, Library, opt, sbin, share,
  var) — not the entire prefix (e.g. /usr/local), which may contain
  system-managed files that should remain root-owned
- If auto-fix succeeds, setup continues without re-run required
- If auto-fix fails (e.g. user can't sudo), prints a targeted manual
  command using only the affected subdirs rather than the whole prefix
- Root-detection message updated: tells user setup.sh will handle the
  chown automatically if they just re-run without sudo
- Updated preflight unit test to match revised root message wording

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: replace deprecated octant with k9s (#46) (#47)

octant was deprecated and disabled in Homebrew on 2024-02-07 (upstream
repo archived by VMware). Attempting to install it on a fresh machine
fails with "No available formula" and aborts the entire brew bundle run.

- Replace `octant` with `k9s` — actively maintained terminal-based
  Kubernetes dashboard that covers the same day-to-day cluster
  inspection workflow
- Add acceptance-test check for deprecated Brewfile formulae so this
  class of failure is caught in CI before it reaches a real install

Fixes #46

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* feat: use macos-15-xlarge runner for VM acceptance test (#49)

* ci: use larger macOS runners for acceptance test and main branch integration

- acceptance.yml: upgrade macos-15 → macos-15-xlarge (6-core M-series)
  Tart nested VMs are CPU-bound; the larger runner should cut test time
  significantly and improve reliability under load.

- validate.yml: use macos-15-xlarge on main branch pushes, macos-latest
  on develop and PRs. Keeps PR feedback fast and cheap while giving the
  stable branch a more thorough environment.

Requires GitHub Team plan (or higher) for larger runner access.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* ci: revert validate integration job to macos-latest

No CPU-intensive work in that job — standard runner is sufficient
and cheaper. Only the Tart VM acceptance test benefits from xlarge.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* chore: release v1.0.0 (#48)

* chore: sync main into develop, resolve pinned SHA conflicts (#51)

* chore: Bump ossf/scorecard-action (#34)

Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from ff5dd8929f96a8a4dc67d13f32b8c75057829621 to 62b2cac7ed8198b15735ed49ab1e5cf35480ba46.
- [Release notes](https://github.com/ossf/scorecard-action/releases)
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md)
- [Commits](ossf/scorecard-action@ff5dd89...62b2cac)

---
updated-dependencies:
- dependency-name: ossf/scorecard-action
  dependency-version: 62b2cac7ed8198b15735ed49ab1e5cf35480ba46
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: Bump github/codeql-action (#33)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3b1a19a80ab047f35cbb237b5bd9bdc1e14f166c to 5c8a8a642e79153f5d047b10ec1cba1d1cc65699.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@3b1a19a...5c8a8a6)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 5c8a8a642e79153f5d047b10ec1cba1d1cc65699
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Alan Chester <amcheste@gmail.com>

* chore: Bump actions/labeler from 5.0.0 to 6.0.1 (#31)

Bumps [actions/labeler](https://github.com/actions/labeler) from 5.0.0 to 6.0.1.
- [Release notes](https://github.com/actions/labeler/releases)
- [Commits](actions/labeler@8558fd7...634933e)

---
updated-dependencies:
- dependency-name: actions/labeler
  dependency-version: 6.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: Bump actions/upload-artifact from 4.6.2 to 7.0.0 (#30)

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.6.2 to 7.0.0.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@v4.6.2...bbbca2d)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* chore: absorb main's divergent Dependabot commits (fix PR #50) (#52)

* chore: Bump ossf/scorecard-action (#34)

Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from ff5dd8929f96a8a4dc67d13f32b8c75057829621 to 62b2cac7ed8198b15735ed49ab1e5cf35480ba46.
- [Release notes](https://github.com/ossf/scorecard-action/releases)
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md)
- [Commits](ossf/scorecard-action@ff5dd89...62b2cac)

---
updated-dependencies:
- dependency-name: ossf/scorecard-action
  dependency-version: 62b2cac7ed8198b15735ed49ab1e5cf35480ba46
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: Bump github/codeql-action (#33)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3b1a19a80ab047f35cbb237b5bd9bdc1e14f166c to 5c8a8a642e79153f5d047b10ec1cba1d1cc65699.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@3b1a19a...5c8a8a6)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 5c8a8a642e79153f5d047b10ec1cba1d1cc65699
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Alan Chester <amcheste@gmail.com>

* chore: Bump actions/labeler from 5.0.0 to 6.0.1 (#31)

Bumps [actions/labeler](https://github.com/actions/labeler) from 5.0.0 to 6.0.1.
- [Release notes](https://github.com/actions/labeler/releases)
- [Commits](actions/labeler@8558fd7...634933e)

---
updated-dependencies:
- dependency-name: actions/labeler
  dependency-version: 6.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: Bump actions/upload-artifact from 4.6.2 to 7.0.0 (#30)

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.6.2 to 7.0.0.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@v4.6.2...bbbca2d)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
amcheste added a commit that referenced this pull request Apr 3, 2026

Users who see "Homebrew prefix not writable" instinctively retry with
sudo, which Homebrew rejects. This breaks setup in a confusing loop.

- Add root detection check at the top of preflight (before brew runs)
  using `id -u` so the check is unit-testable via PATH override
- Exit immediately with a clear message explaining *not* to use sudo
  and showing the exact chown command to run first instead
- Strengthen the writability error message with an explicit warning:
  "Do NOT re-run setup.sh with sudo"
- Add 4 new preflight unit tests covering the root/sudo scenario

Fixes #44

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: auto-fix Homebrew directory ownership instead of failing out (#44)

Rather than printing a manual chown command and exiting, setup.sh now
attempts to fix the ownership automatically using targeted sudo chown.

- Only chowns the specific subdirectories Homebrew uses (bin, Cellar,
  Caskroom, etc, Frameworks, include, lib, Library, opt, sbin, share,
  var) — not the entire prefix (e.g. /usr/local), which may contain
  system-managed files that should remain root-owned
- If auto-fix succeeds, setup continues without re-run required
- If auto-fix fails (e.g. user can't sudo), prints a targeted manual
  command using only the affected subdirs rather than the whole prefix
- Root-detection message updated: tells user setup.sh will handle the
  chown automatically if they just re-run without sudo
- Updated preflight unit test to match revised root message wording

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: replace deprecated octant with k9s (#46) (#47)

octant was deprecated and disabled in Homebrew on 2024-02-07 (upstream
repo archived by VMware). Attempting to install it on a fresh machine
fails with "No available formula" and aborts the entire brew bundle run.

- Replace `octant` with `k9s` — actively maintained terminal-based
  Kubernetes dashboard that covers the same day-to-day cluster
  inspection workflow
- Add acceptance-test check for deprecated Brewfile formulae so this
  class of failure is caught in CI before it reaches a real install

Fixes #46

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* feat: use macos-15-xlarge runner for VM acceptance test (#49)

* ci: use larger macOS runners for acceptance test and main branch integration

- acceptance.yml: upgrade macos-15 → macos-15-xlarge (6-core M-series)
  Tart nested VMs are CPU-bound; the larger runner should cut test time
  significantly and improve reliability under load.

- validate.yml: use macos-15-xlarge on main branch pushes, macos-latest
  on develop and PRs. Keeps PR feedback fast and cheap while giving the
  stable branch a more thorough environment.

Requires GitHub Team plan (or higher) for larger runner access.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* ci: revert validate integration job to macos-latest

No CPU-intensive work in that job — standard runner is sufficient
and cheaper. Only the Tart VM acceptance test benefits from xlarge.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* chore: release v1.0.0 (#48)

* chore: sync main into develop, resolve pinned SHA conflicts (#51)

* chore: Bump ossf/scorecard-action (#34)

Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from ff5dd8929f96a8a4dc67d13f32b8c75057829621 to 62b2cac7ed8198b15735ed49ab1e5cf35480ba46.
- [Release notes](https://github.com/ossf/scorecard-action/releases)
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md)
- [Commits](ossf/scorecard-action@ff5dd89...62b2cac)

---
updated-dependencies:
- dependency-name: ossf/scorecard-action
  dependency-version: 62b2cac7ed8198b15735ed49ab1e5cf35480ba46
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: Bump github/codeql-action (#33)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3b1a19a80ab047f35cbb237b5bd9bdc1e14f166c to 5c8a8a642e79153f5d047b10ec1cba1d1cc65699.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@3b1a19a...5c8a8a6)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 5c8a8a642e79153f5d047b10ec1cba1d1cc65699
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Alan Chester <amcheste@gmail.com>

* chore: Bump actions/labeler from 5.0.0 to 6.0.1 (#31)

Bumps [actions/labeler](https://github.com/actions/labeler) from 5.0.0 to 6.0.1.
- [Release notes](https://github.com/actions/labeler/releases)
- [Commits](actions/labeler@8558fd7...634933e)

---
updated-dependencies:
- dependency-name: actions/labeler
  dependency-version: 6.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: Bump actions/upload-artifact from 4.6.2 to 7.0.0 (#30)

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.6.2 to 7.0.0.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@v4.6.2...bbbca2d)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* chore: absorb main's divergent Dependabot commits (fix PR #50) (#52)

* chore: Bump ossf/scorecard-action (#34)

Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from ff5dd8929f96a8a4dc67d13f32b8c75057829621 to 62b2cac7ed8198b15735ed49ab1e5cf35480ba46.
- [Release notes](https://github.com/ossf/scorecard-action/releases)
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md)
- [Commits](ossf/scorecard-action@ff5dd89...62b2cac)

---
updated-dependencies:
- dependency-name: ossf/scorecard-action
  dependency-version: 62b2cac7ed8198b15735ed49ab1e5cf35480ba46
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: Bump github/codeql-action (#33)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3b1a19a80ab047f35cbb237b5bd9bdc1e14f166c to 5c8a8a642e79153f5d047b10ec1cba1d1cc65699.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@3b1a19a...5c8a8a6)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 5c8a8a642e79153f5d047b10ec1cba1d1cc65699
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Alan Chester <amcheste@gmail.com>

* chore: Bump actions/labeler from 5.0.0 to 6.0.1 (#31)

Bumps [actions/labeler](https://github.com/actions/labeler) from 5.0.0 to 6.0.1.
- [Release notes](https://github.com/actions/labeler/releases)
- [Commits](actions/labeler@8558fd7...634933e)

---
updated-dependencies:
- dependency-name: actions/labeler
  dependency-version: 6.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: Bump actions/upload-artifact from 4.6.2 to 7.0.0 (#30)

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.6.2 to 7.0.0.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@v4.6.2...bbbca2d)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: revert acceptance test to macos-15 — xlarge runner blocks nested VMs (#56)

macos-15-xlarge runners are virtualized environments and don't support
nested virtualization. Tart cannot obtain an IP address for the inner
VM, causing the acceptance test to time out every run.

macos-15 (standard, 3-core) runners are bare-metal and fully support
Tart. Reverting to ensure the release pipeline is reliable.

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: ensure acceptance test uses macos-15 not xlarge

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
amcheste added a commit that referenced this pull request Apr 3, 2026
* feat: add /setup-repo skill for new repository configuration

Automates the standard branch model setup for any new repo:
creates develop branch, sets it as default, applies protection
rules to develop and main, and adds v* tag protection ruleset.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* feat: add /create-repo skill and update /publish-release for enforce_admins (#24)

Add a new /create-repo Claude Code skill that creates a repo from the
amcheste/repo-template, clones it locally, and applies the full standard
branch protection setup in one command.

Update /publish-release to work with enforce_admins=true on develop:
the old flow pushed directly to develop, which is now blocked. The new
flow creates a chore/release-v<version> branch, opens a PR to develop,
then after merge opens a develop→main release PR before tagging.

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* feat: add mascot logo to README (#25)

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* feat: add missing tools to Brewfile (#26)

Add tools that were installed on the machine but not tracked:
- tart (via cirruslabs/cli tap) — local VM acceptance testing
- git-lfs — large file support
- kustomize — Kubernetes config management
- octant — Kubernetes dashboard
- postgresql@17 — local Postgres
- virtualenv — Python virtual environments
- claude-code (cask) — Claude Code CLI

Also adds the cirruslabs/cli tap declaration.

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* feat: improve OpenSSF security score — pin deps, add permissions, add SAST (#27)

- Pin all GitHub Actions to full commit SHAs (satisfies Pinned-Dependencies check)
- Add explicit `permissions: contents: read` to all workflows that were missing it
  (satisfies Token-Permissions check)
- Add SAST workflow using Semgrep (p/bash + p/secrets rulesets) with SARIF upload
  to GitHub Security tab (satisfies SAST check)

Dependabot is already configured to keep Action SHAs up to date weekly.

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: run scorecard on develop branch and add workflow_dispatch (#28)

Allows scorecard to run on develop merges for early visibility into
security posture before promoting to main.

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: only publish scorecard results from main branch (#29)

The scorecard action enforces that publish_results=true can only run
from the default/main branch. Conditionally set it so develop runs
still produce SARIF output without failing on publication.

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: silence gruvbox error on first install and clarify GitHub MCP Docker requirement (#35)

- Wrap `colorscheme gruvbox` in a try/catch so first-run `vim +PlugInstall`
  falls back to `desert` instead of printing an error (gruvbox not yet
  downloaded at that point)
- Remove live `claude mcp list` health check from setup-mcps.sh summary —
  it always shows GitHub MCP as failed because Docker isn't running at
  setup time. Replace with a static server list and a clear note that
  Docker must be running for the GitHub MCP to connect.

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: suppress vim pager prompt during plugin install (#38)

vim-go's update output is longer than one screen, causing a `-- More --`
pager pause that blocks unattended setup. Use `--not-a-term -c "set nomore"`
to disable the pager and suppress terminal UI rendering.

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: suppress all vim output during plugin install (#39)

Redirect stdout in addition to stderr so lightline colour allocation
errors don't leak through to the terminal during unattended setup.

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: add preflight checks and pre-tap cirruslabs/cli before brew bundle (#40)

Fixes two issues found during testing on a second Mac:

Issue #36 — tart not found during brew bundle:
brew bundle can fail to resolve third-party tap formulae if the tap
hasn't been added before the fetch stage. Explicitly run
`brew tap cirruslabs/cli` before `brew bundle` to guarantee tart
is resolvable.

Issue #37 — non-admin account with no sudo access:
Added preflight checks at the top of setup.sh that run before anything
else:
- Fails immediately with a clear message if the account is not in the
  macOS 'admin' group (Homebrew requires sudo for installation)
- Warns if an existing Homebrew prefix is not writable by the current
  user, with the exact command needed to fix it

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* feat: improve test coverage based on real-world failure scenarios (#41)

* fix: add preflight checks and pre-tap cirruslabs/cli before brew bundle

Fixes two issues found during testing on a second Mac:

Issue #36 — tart not found during brew bundle:
brew bundle can fail to resolve third-party tap formulae if the tap
hasn't been added before the fetch stage. Explicitly run
`brew tap cirruslabs/cli` before `brew bundle` to guarantee tart
is resolvable.

Issue #37 — non-admin account with no sudo access:
Added preflight checks at the top of setup.sh that run before anything
else:
- Fails immediately with a clear message if the account is not in the
  macOS 'admin' group (Homebrew requires sudo for installation)
- Warns if an existing Homebrew prefix is not writable by the current
  user, with the exact command needed to fix it

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* feat: improve test coverage based on real-world failure scenarios

Three improvements based on bugs found during testing on a second Mac
(issues #36 and #37):

VM acceptance test:
- Untap cirruslabs/cli before running setup.sh to simulate a truly
  fresh machine. This would have caught issue #36 (tart not found)
  immediately.

Acceptance checks (acceptance-test.sh):
- Add Preflight section: macOS check, admin group check, Homebrew
  writability check
- Add cirruslabs/cli tap and tart installation checks
- Add Claude Skills section: verify all three skills are symlinked

Preflight unit tests (scripts/preflight-test.sh):
- New script that runs entirely on the local machine without a VM
- Mocks id and brew via PATH override to test non-admin and
  unwritable-prefix scenarios in isolation
- Wired into the macOS integration job in validate.yml

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: remove pull_request trigger from release-drafter workflow (#42)

When release-drafter runs on a pull_request event it sets
target_commitish to the PR merge ref (refs/pull/N/merge) which
GitHub rejects as invalid for a release. Label application is
already handled by the separate labeler.yml workflow so the
pull_request trigger here is redundant.

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* chore: sync Dependabot SHA bumps from main and fix target branch (#43)

* chore: Bump ossf/scorecard-action (#34)

Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from ff5dd8929f96a8a4dc67d13f32b8c75057829621 to 62b2cac7ed8198b15735ed49ab1e5cf35480ba46.
- [Release notes](https://github.com/ossf/scorecard-action/releases)
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md)
- [Commits](ossf/scorecard-action@ff5dd89...62b2cac)

---
updated-dependencies:
- dependency-name: ossf/scorecard-action
  dependency-version: 62b2cac7ed8198b15735ed49ab1e5cf35480ba46
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: Bump github/codeql-action (#33)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3b1a19a80ab047f35cbb237b5bd9bdc1e14f166c to 5c8a8a642e79153f5d047b10ec1cba1d1cc65699.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@3b1a19a...5c8a8a6)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 5c8a8a642e79153f5d047b10ec1cba1d1cc65699
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Alan Chester <amcheste@gmail.com>

* chore: Bump actions/labeler from 5.0.0 to 6.0.1 (#31)

Bumps [actions/labeler](https://github.com/actions/labeler) from 5.0.0 to 6.0.1.
- [Release notes](https://github.com/actions/labeler/releases)
- [Commits](actions/labeler@8558fd7...634933e)

---
updated-dependencies:
- dependency-name: actions/labeler
  dependency-version: 6.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: Bump actions/upload-artifact from 4.6.2 to 7.0.0 (#30)

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.6.2 to 7.0.0.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@v4.6.2...bbbca2d)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: detect and reject sudo/root execution before brew runs (#45)

* fix: detect and reject sudo/root execution before brew runs (#44)

Users who see "Homebrew prefix not writable" instinctively retry with
sudo, which Homebrew rejects. This breaks setup in a confusing loop.

- Add root detection check at the top of preflight (before brew runs)
  using `id -u` so the check is unit-testable via PATH override
- Exit immediately with a clear message explaining *not* to use sudo
  and showing the exact chown command to run first instead
- Strengthen the writability error message with an explicit warning:
  "Do NOT re-run setup.sh with sudo"
- Add 4 new preflight unit tests covering the root/sudo scenario

Fixes #44

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: auto-fix Homebrew directory ownership instead of failing out (#44)

Rather than printing a manual chown command and exiting, setup.sh now
attempts to fix the ownership automatically using targeted sudo chown.

- Only chowns the specific subdirectories Homebrew uses (bin, Cellar,
  Caskroom, etc, Frameworks, include, lib, Library, opt, sbin, share,
  var) — not the entire prefix (e.g. /usr/local), which may contain
  system-managed files that should remain root-owned
- If auto-fix succeeds, setup continues without re-run required
- If auto-fix fails (e.g. user can't sudo), prints a targeted manual
  command using only the affected subdirs rather than the whole prefix
- Root-detection message updated: tells user setup.sh will handle the
  chown automatically if they just re-run without sudo
- Updated preflight unit test to match revised root message wording

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: replace deprecated octant with k9s (#46) (#47)

octant was deprecated and disabled in Homebrew on 2024-02-07 (upstream
repo archived by VMware). Attempting to install it on a fresh machine
fails with "No available formula" and aborts the entire brew bundle run.

- Replace `octant` with `k9s` — actively maintained terminal-based
  Kubernetes dashboard that covers the same day-to-day cluster
  inspection workflow
- Add acceptance-test check for deprecated Brewfile formulae so this
  class of failure is caught in CI before it reaches a real install

Fixes #46

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* feat: use macos-15-xlarge runner for VM acceptance test (#49)

* ci: use larger macOS runners for acceptance test and main branch integration

- acceptance.yml: upgrade macos-15 → macos-15-xlarge (6-core M-series)
  Tart nested VMs are CPU-bound; the larger runner should cut test time
  significantly and improve reliability under load.

- validate.yml: use macos-15-xlarge on main branch pushes, macos-latest
  on develop and PRs. Keeps PR feedback fast and cheap while giving the
  stable branch a more thorough environment.

Requires GitHub Team plan (or higher) for larger runner access.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* ci: revert validate integration job to macos-latest

No CPU-intensive work in that job — standard runner is sufficient
and cheaper. Only the Tart VM acceptance test benefits from xlarge.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* chore: release v1.0.0 (#48)

* chore: sync main into develop, resolve pinned SHA conflicts (#51)

* chore: Bump ossf/scorecard-action (#34)

Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from ff5dd8929f96a8a4dc67d13f32b8c75057829621 to 62b2cac7ed8198b15735ed49ab1e5cf35480ba46.
- [Release notes](https://github.com/ossf/scorecard-action/releases)
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md)
- [Commits](ossf/scorecard-action@ff5dd89...62b2cac)

---
updated-dependencies:
- dependency-name: ossf/scorecard-action
  dependency-version: 62b2cac7ed8198b15735ed49ab1e5cf35480ba46
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: Bump github/codeql-action (#33)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3b1a19a80ab047f35cbb237b5bd9bdc1e14f166c to 5c8a8a642e79153f5d047b10ec1cba1d1cc65699.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@3b1a19a...5c8a8a6)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 5c8a8a642e79153f5d047b10ec1cba1d1cc65699
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Alan Chester <amcheste@gmail.com>

* chore: Bump actions/labeler from 5.0.0 to 6.0.1 (#31)

Bumps [actions/labeler](https://github.com/actions/labeler) from 5.0.0 to 6.0.1.
- [Release notes](https://github.com/actions/labeler/releases)
- [Commits](actions/labeler@8558fd7...634933e)

---
updated-dependencies:
- dependency-name: actions/labeler
  dependency-version: 6.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: Bump actions/upload-artifact from 4.6.2 to 7.0.0 (#30)

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.6.2 to 7.0.0.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@v4.6.2...bbbca2d)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* chore: absorb main's divergent Dependabot commits (fix PR #50) (#52)

* chore: Bump ossf/scorecard-action (#34)

Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from ff5dd8929f96a8a4dc67d13f32b8c75057829621 to 62b2cac7ed8198b15735ed49ab1e5cf35480ba46.
- [Release notes](https://github.com/ossf/scorecard-action/releases)
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md)
- [Commits](ossf/scorecard-action@ff5dd89...62b2cac)

---
updated-dependencies:
- dependency-name: ossf/scorecard-action
  dependency-version: 62b2cac7ed8198b15735ed49ab1e5cf35480ba46
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: Bump github/codeql-action (#33)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3b1a19a80ab047f35cbb237b5bd9bdc1e14f166c to 5c8a8a642e79153f5d047b10ec1cba1d1cc65699.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@3b1a19a...5c8a8a6)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 5c8a8a642e79153f5d047b10ec1cba1d1cc65699
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Alan Chester <amcheste@gmail.com>

* chore: Bump actions/labeler from 5.0.0 to 6.0.1 (#31)

Bumps [actions/labeler](https://github.com/actions/labeler) from 5.0.0 to 6.0.1.
- [Release notes](https://github.com/actions/labeler/releases)
- [Commits](actions/labeler@8558fd7...634933e)

---
updated-dependencies:
- dependency-name: actions/labeler
  dependency-version: 6.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: Bump actions/upload-artifact from 4.6.2 to 7.0.0 (#30)

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.6.2 to 7.0.0.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@v4.6.2...bbbca2d)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: revert acceptance test to macos-15 — xlarge runner blocks nested VMs (#56)

macos-15-xlarge runners are virtualized environments and don't support
nested virtualization. Tart cannot obtain an IP address for the inner
VM, causing the acceptance test to time out every run.

macos-15 (standard, 3-core) runners are bare-metal and fully support
Tart. Reverting to ensure the release pipeline is reliable.

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: replace Tart VM acceptance test with direct macOS runner test (#58)

GitHub-hosted macOS runners are themselves VMs — Apple's
Virtualization.framework is unavailable, so Tart (which requires
bare-metal Apple Silicon) fails with "Virtualization is not available
on this hardware" on every runner type.

Replace the nested-VM approach with a direct end-to-end test:
- Run setup.sh on the macOS runner itself (clean environment each job)
- Use BREWFILE.ci to skip heavy GUI casks
- Pre-create ~/.secrets stub so the interactive credential wizard is skipped
- Run acceptance-test.sh to verify the result

Also fix acceptance-test.sh to be path-agnostic (REPO_DIR from script
location rather than hardcoded ~/Repos/...) and remove the two Tart-
specific checks (cirruslabs/cli tap, tart installed) that no longer apply.

The Tart VM workflow (vm-acceptance-test.sh) is preserved for local use.

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
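The preflight behaviour described in the commit messages above (#40, #41, #44 and #45 in both merge commits) is a small least-privilege pattern worth seeing as code: refuse to run as root or under sudo, confirm admin-group membership, and report only the specific Homebrew subdirectories that are not writable rather than touching the whole prefix, with `id` mocked via a PATH override so every branch is testable without a VM. The following is an added example written for this page, not the project's own setup.sh or preflight-test.sh; the function names, messages, and the fake-`id` fixture layout are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not the project's setup.sh): preflight checks modelled on the
# commit messages above, plus a PATH-override mock of `id` for unit tests.

# Subdirectories Homebrew expects to own (list taken from the commit message).
# Only these are ever reported or fixed; the prefix itself (e.g. /usr/local)
# may hold root-owned, system-managed files that must stay as they are.
BREW_SUBDIRS="bin Cellar Caskroom etc Frameworks include lib Library opt sbin share var"

# Fail early when running as root or under sudo. Homebrew rejects root anyway,
# so stopping here avoids the confusing "retry with sudo" loop.
preflight_check_not_root() {
    if [ "$(id -u)" -eq 0 ]; then
        echo "preflight: do NOT run setup with sudo; re-run as your normal user" >&2
        return 1
    fi
}

# Homebrew installation needs an administrator: look for 'admin' in the
# current user's group list as reported by `id -Gn`.
preflight_check_admin() {
    for g in $(id -Gn); do
        [ "$g" = "admin" ] && return 0
    done
    echo "preflight: account is not in the macOS 'admin' group" >&2
    return 1
}

# Print the Homebrew subdirectories under prefix $1 that exist but are not
# writable by the current user, one per line (empty output means all good).
preflight_unwritable_subdirs() {
    prefix="$1"
    for d in $BREW_SUBDIRS; do
        if [ -d "$prefix/$d" ] && [ ! -w "$prefix/$d" ]; then
            printf '%s\n' "$prefix/$d"
        fi
    done
}

# Test helper: run a command with a fake `id` first on PATH.
# $1 = uid to report, $2 = space-separated group names, rest = command to run.
# This is the PATH-override technique the unit tests described above rely on.
with_fake_id() {
    fake_uid="$1"; fake_groups="$2"; shift 2
    mockdir="$(mktemp -d)"
    cat > "$mockdir/id" <<EOF
#!/bin/sh
case "\$1" in
    -u)  echo "$fake_uid" ;;
    -Gn) echo "$fake_groups" ;;
    *)   echo "fake id: unsupported flag \$1" >&2; exit 2 ;;
esac
EOF
    chmod +x "$mockdir/id"
    old_path="$PATH"
    PATH="$mockdir:$PATH"
    "$@"
    rc=$?
    PATH="$old_path"
    rm -rf "$mockdir"
    return $rc
}

# Demo against the real machine; opt in with RUN_PREFLIGHT=1 so sourcing this
# file for tests does not run the checks against the host.
if [ "${RUN_PREFLIGHT:-0}" = "1" ]; then
    preflight_check_not_root && preflight_check_admin || exit 1
    bad="$(preflight_unwritable_subdirs "${HOMEBREW_PREFIX:-/opt/homebrew}")"
    if [ -n "$bad" ]; then
        echo "preflight: not writable (fix these, not the whole prefix):" >&2
        printf '  %s\n' $bad >&2
        exit 1
    fi
    echo "preflight: ok"
fi
```

Running `RUN_PREFLIGHT=1 bash preflight.sh` performs the checks against the current host; sourcing the file without that variable only defines the functions, which is what a test script wants before it swaps in the fake `id`.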