ci: foundation parity with dario / claude-bridge / deepdive #1

Merged
askalf merged 2 commits into main from feat/ci-foundation-parity
Apr 23, 2026

@askalf askalf commented Apr 23, 2026

Summary

Standard CI / security / release scaffolding, ported pattern-for-pattern from the sibling askalf repos. No runtime-behavior change — this is just the boring necessary plumbing before any code work starts.

Lessons from the sibling repos baked in preemptively:

  • actionlint with no path filter — the path-filtered version leaves required-check gates permanently pending on src-only PRs. Cost a day of debugging across dario + claude-bridge. Not repeating it here.
  • Auto-release with inline npm publish: GITHUB_TOKEN-created releases don't fire downstream workflows (loop protection). Cost deepdive v0.3.0 a manual delete+recreate. Publish logic lives directly in `auto-release.yml` so the chain is single-run.

What's here

  • `.github/workflows/ci.yml` — typecheck + build + `--help` smoke on Node 20 / 22.
  • `.github/workflows/codeql.yml` — javascript-typescript analysis on PR + push + weekly scheduled.
  • `.github/workflows/actionlint.yml` — v1.7.1 on every PR + push.
  • `.github/workflows/stale.yml` — 60 warn / 14 close, sibling-repo exempt label set.
  • `.github/workflows/auto-release.yml` — version-bump gate → build → `gh release create` → `npm publish --access public --provenance`, all in one run.
  • `.github/dependabot.yml` — weekly Monday 09:00 UTC npm + github-actions.
  • `CHANGELOG.md` — Unreleased convention + [0.1.0] seed-origin note.

Follow-up (not in this PR, tracked for after merge)

  • Labels: `security` / `auth` / `pinned` / `wip` / `blocked` / `review-feedback` via `gh label create`.
  • Branch protection: require `build (20)` / `build (22)` / `analyze` / `actionlint`, flip `required_conversation_resolution: true`, `allow_update_branch: true`.
  • `NPM_TOKEN` secret (needed before the first version bump can auto-release). Doesn't block this PR.
  • Modernization: bump `@anthropic-ai/sdk` past 0.74.0, default-route through dario, behavioural tests, flip repo public.

Test plan

  • Seed builds clean locally (`npm ci && npm run typecheck && npm run build` all pass — verified before this PR).
  • CI matrix green on 20 + 22.
  • CodeQL clean (baseline scan — any hits get addressed in a follow-up).
  • actionlint clean on the new workflow set (it self-lints this PR).

askalf added 2 commits April 23, 2026 19:28
Standard CI / security / release scaffolding, ported pattern-for-pattern:

- ci.yml: typecheck + build + --help smoke on Node 20/22
- codeql.yml: javascript-typescript on PR + push + weekly scheduled
- actionlint.yml: v1.7.1 on every PR + push (no path filter — required-
  check-never-reports trap lesson from sibling repos)
- dependabot.yml: weekly npm + github-actions, non-major grouped
- stale.yml: 60 warn + 14 close, exempts security/auth/review-feedback/
  help-wanted/good-first-issue/pinned for issues; wip/blocked/security
  for PRs
- auto-release.yml: fires on merged PR, version-bump gate, inline npm
  publish with SLSA provenance (GITHUB_TOKEN doesn't fire downstream
  workflows — deepdive v0.3.0 lesson baked in preemptively)

Plus CHANGELOG.md with the Unreleased convention documented, and a
seed-origin note in the [0.1.0] section pointing at agent@bef177d.
No runtime-behavior change.
@askalf askalf merged commit 98111de into main Apr 23, 2026
3 of 4 checks passed
@askalf askalf deleted the feat/ci-foundation-parity branch April 23, 2026 23:30
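
The single-run chain listed for `auto-release.yml` (version-bump gate, build, `gh release create`, `npm publish --access public --provenance`), shown as an added sketch that is not the repository's own workflow file. The tag-based gate, step names, action versions and the `build` script are assumptions; `NPM_TOKEN` is the secret named in the PR.

```yaml
# Added example: hypothetical sketch, not the repository's auto-release.yml.
name: auto-release
on:
  pull_request:
    types: [closed]
    branches: [main]

permissions: {}              # deny by default; the job opts in to what it needs

jobs:
  release:
    if: github.event.pull_request.merged == true
    runs-on: ubuntu-latest
    permissions:
      contents: write        # required by `gh release create`
      id-token: write        # OIDC token that `npm publish --provenance` signs with
    steps:
      - uses: actions/checkout@v4
        with:
          ref: main
          fetch-depth: 0     # full history so existing tags are visible to the gate
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      - name: Version-bump gate   # assumption: "bumped" means no tag v<version> exists yet
        id: gate
        run: |
          version="$(node -p "require('./package.json').version")"
          if git rev-parse -q --verify "refs/tags/v${version}" >/dev/null; then
            echo "release=false" >> "$GITHUB_OUTPUT"
          else
            echo "release=true" >> "$GITHUB_OUTPUT"
            echo "version=${version}" >> "$GITHUB_OUTPUT"
          fi
      - name: Build
        if: steps.gate.outputs.release == 'true'
        run: npm ci && npm run build
      - name: Create GitHub release
        if: steps.gate.outputs.release == 'true'
        env:
          GH_TOKEN: ${{ github.token }}
          VERSION: ${{ steps.gate.outputs.version }}   # passed via env, not inlined into the script
        run: gh release create "v${VERSION}" --generate-notes --target main
      # Publish in this same run: a release created with GITHUB_TOKEN does not
      # trigger a separate `on: release` workflow, so the publish step lives here.
      - name: Publish to npm
        if: steps.gate.outputs.release == 'true'
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
        run: npm publish --access public --provenance
```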