From 1f65182099221110fe1b29e62cf82e99a037090d Mon Sep 17 00:00:00 2001
From: Alan Chester
Date: Fri, 3 Apr 2026 11:33:32 -0400
Subject: [PATCH 1/4] fix(ci): stop false failures on develop pushes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Scorecard: only run on main — SARIF upload requires Advanced Security
- SAST: gate SARIF upload to main only
- monthly-dependency-release: replace heredoc with printf to fix GitHub YAML parse error
---
 .../workflows/monthly-dependency-release.yml | 21 ++++--------------
 .github/workflows/sast.yml | 2 +-
 .github/workflows/scorecard.yml | 3 ++-
 3 files changed, 7 insertions(+), 19 deletions(-)

diff --git a/.github/workflows/monthly-dependency-release.yml b/.github/workflows/monthly-dependency-release.yml
index 800e097..c3d3890 100644
--- a/.github/workflows/monthly-dependency-release.yml
+++ b/.github/workflows/monthly-dependency-release.yml
@@ -98,24 +98,11 @@ jobs:
 git checkout -b "$BRANCH"
 git push origin "$BRANCH"
+ printf '## Monthly dependency patch — v%s\n\nThis PR was opened automatically. It bumps the patch version to capture\n**%s Dependabot update(s)** merged to `develop` since the last release.\n\n## What to do\n1. Review the dependency commits included in this release\n2. Merge this PR into `develop`\n3. Promote `develop`→`main` via CLI merge (or run `/publish-release`)\n4. Push the tag to trigger the release pipeline\n\n> **Note:** CI will not auto-run on this PR due to GitHub token restrictions.\n> All dependency changes were individually validated by CI when Dependabot\n> merged them to `develop`. Trigger CI manually if you want an extra check.\n' \
+ "${NEW_VERSION}" "${DEP_COUNT}" > /tmp/pr-body.md
+
 gh pr create \
 --base develop \
 --head "$BRANCH" \
 --title "chore: release v${NEW_VERSION} (monthly dependency patch)" \
- --body "$(cat < **Note:** CI will not auto-run on this PR due to GitHub token restrictions.
-> All dependency changes were individually validated by CI when Dependabot
-> merged them to \`develop\`. Trigger CI manually if you want an extra check.
-EOF
-)"
+ --body-file /tmp/pr-body.md
diff --git a/.github/workflows/sast.yml b/.github/workflows/sast.yml
index eaf51da..095fa42 100644
--- a/.github/workflows/sast.yml
+++ b/.github/workflows/sast.yml
@@ -29,6 +29,6 @@ jobs:
 generateSarif: "1"
 - uses: github/codeql-action/upload-sarif@5c8a8a642e79153f5d047b10ec1cba1d1cc65699 # v3
- if: always() && github.event_name != 'pull_request'
+ if: always() && github.ref == 'refs/heads/main'
 with:
 sarif_file: semgrep.sarif
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 61a573a..bb534cc 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -5,7 +5,7 @@ on:
 schedule:
 - cron: '30 1 * * 1' # Every Monday at 01:30 UTC
 push:
- branches: [main, develop]
+ branches: [main]
 workflow_dispatch:
 permissions: read-all
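Review bot: The PR body is written to the fixed path `/tmp/pr-body.md`, which is shared with every other step and process on the runner and is never removed; the runner-provided scratch directory is the right place, `> "${RUNNER_TEMP}/pr-body.md"` on the printf line and `--body-file "${RUNNER_TEMP}/pr-body.md"` on the gh line. The body text is the printf format argument, so any `%` introduced into it later must be written `%%`; a comment above the call such as `# body is a printf format string: write a literal % as %%` would guard against that. Passing `${NEW_VERSION}` and `${DEP_COUNT}` as positional arguments rather than expanding them inside the format is the right choice and should stay that way. The enclosing `run:` step starts outside the hunk.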
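Review bot: The new `if:` sits on an `upload-sarif` step pinned to `5c8a8a642e79153f5d047b10ec1cba1d1cc65699` with a `# v3` comment, while scorecard.yml (the `@@ -38,5 +38,6 @@` hunk) pins the identical SHA with `# v4`; a single commit cannot be both, so one comment is wrong and any tooling that tracks pinned actions through that comment will record two versions for the same pin — check which tag the SHA belongs to and align both comments. Separately, `always()` also fires after a cancellation, when no `semgrep.sarif` exists; `if: ${{ !cancelled() && github.ref == 'refs/heads/main' }}` still uploads after a failed scan step but not after a cancelled run (the `${{ }}` wrapping is required because a bare `!` is a YAML tag indicator). The same SHA-and-comment pair appears again in both hunks of the second patch.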
@@ -38,5 +38,6 @@ jobs:
 retention-days: 5
 - uses: github/codeql-action/upload-sarif@5c8a8a642e79153f5d047b10ec1cba1d1cc65699 # v4
+ if: github.ref == 'refs/heads/main'
 with:
 sarif_file: results.sarif

From 7a3abf187719b11c42e7fb4d85e995018cbb9104 Mon Sep 17 00:00:00 2001
From: Alan Chester
Date: Fri, 3 Apr 2026 16:54:07 -0400
Subject: [PATCH 2/4] fix(ci): add continue-on-error to SARIF upload steps
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

GitHub Advanced Security is not enabled — upload-sarif will always fail. continue-on-error allows the scan to complete and mark green while the upload step fails silently.
---
 .github/workflows/sast.yml | 1 +
 .github/workflows/scorecard.yml | 1 +
 2 files changed, 2 insertions(+)

diff --git a/.github/workflows/sast.yml b/.github/workflows/sast.yml
index 095fa42..4af7975 100644
--- a/.github/workflows/sast.yml
+++ b/.github/workflows/sast.yml
@@ -30,5 +30,6 @@ jobs:
 - uses: github/codeql-action/upload-sarif@5c8a8a642e79153f5d047b10ec1cba1d1cc65699 # v3
 if: always() && github.ref == 'refs/heads/main'
+ continue-on-error: true
 with:
 sarif_file: semgrep.sarif
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index bb534cc..6e9142e 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -39,5 +39,6 @@ jobs:
 - uses: github/codeql-action/upload-sarif@5c8a8a642e79153f5d047b10ec1cba1d1cc65699 # v4
 if: github.ref == 'refs/heads/main'
+ continue-on-error: true
 with:
 sarif_file: results.sarif

From 832a1c15deeb591286daea7c67b2c4fa18f2c186 Mon Sep 17 00:00:00 2001
From: Alan Chester
Date: Fri, 3 Apr 2026 17:06:37 -0400
Subject: [PATCH 3/4] chore: add CODEOWNERS to auto-request review from @amcheste
---
 .github/CODEOWNERS | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 .github/CODEOWNERS

diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 0000000..e9f9592
--- /dev/null
+++ b/.github/CODEOWNERS
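Review bot: `continue-on-error: true` on the `upload-sarif` step in sast.yml (`@@ -30,5 +30,6 @@`) turns every upload failure green, not only the "Advanced Security not enabled" case the commit message describes — an expired token, a malformed `semgrep.sarif` or a breaking change in the pinned action would drop findings from the Security tab with no signal at all. Because the feature is simply switched off, the step should be skipped rather than allowed to fail: gate it on a repository variable that is set once Advanced Security is enabled, for example `if: always() && github.ref == 'refs/heads/main' && vars.GHAS_ENABLED == 'true'` (variable name is illustrative), and drop the `continue-on-error` line. The scorecard.yml hunk that follows (`@@ -39,5 +39,6 @@`) makes the identical change on `results.sarif` and needs the same treatment.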
@@ -0,0 +1 @@
+* @amcheste

From df0ef6ec77899c9086c7478803eee6c111be3dbb Mon Sep 17 00:00:00 2001
From: Alan Chester
Date: Fri, 3 Apr 2026 17:18:34 -0400
Subject: [PATCH 4/4] fix(ci): add continue-on-error to Scorecard job (private repo)
---
 .github/workflows/scorecard.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 6e9142e..56b6fbe 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -14,6 +14,7 @@ jobs:
 analysis:
 name: Scorecard Analysis
 runs-on: ubuntu-latest
+ continue-on-error: true # Scorecard requires a public repo — fails silently on private repos
 permissions:
 security-events: write
 id-token: write
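Review bot: The single catch-all rule `* @amcheste` only causes a review request; nothing in this file blocks a merge without that review, so the protection it implies depends on the branch rule "Require review from Code Owners" being enabled for `main` and `develop`, which lives outside the repository contents and should be confirmed. With one owner for every path there is also no fallback when that account is unavailable, and the rule is silently ignored if the named user loses write access; a team handle, or at least a second owner for `.github/` where the workflow changes in this series live, avoids a hard dependency on one login. A header comment such as `# Fallback owner for all paths; add more specific patterns below this line` would make the intended layering clear to the next editor.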
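Review bot: Job-level `continue-on-error: true` on `analysis` marks the Scorecard job successful on any failure, not just the private-repo case the inline comment names, so a broken action pin, a revoked `id-token` grant or a genuine scorecard error will never surface in the run status. The workflow payload should already say whether the repository is private, so the job can be skipped explicitly instead of run-and-masked: `if: ${{ !github.event.repository.private }}` on the `analysis` job, with the `continue-on-error` line removed. If the repository is expected to stay private, the scheduled run and the `security-events: write` and `id-token: write` grants below it are doing nothing useful and the workflow is better disabled than left green by construction.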