ci: Node 24 actions + tighten trunk vs pre-commit lint ownership#182
Merged
Conversation
GitHub will force javascript actions to Node 24 by default on 2026-06-02 and remove Node 20 from runners on 2026-09-16. Current CI runs emit a deprecation warning on every job for: - actions/checkout@v4 -> bump to v6 (Node 24) - actions/cache/restore@v4 -> bump to v5 (Node 24) - actions/cache/save@v4 -> bump to v5 (Node 24) bazelbuild/setup-bazelisk only has v3.0.0 and no Node 24 release yet, so it is intentionally left at v3; the warning for that one will clear once upstream cuts a new tag (or once we move past it). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
After PR #180 enabled trunk as a meta-linter, four tools ran in both pre-commit and trunk. That caused real conflicts (shfmt: pre-commit formats to 2-space indent, trunk reformatted to tabs because its custom definition omitted -i=2) and noisy duplicate diagnostics for the rest. Decide ownership per tool, bias toward leaving pre-commit alone since it has been working and trunk is brand new. Decisions: * shfmt: pre-commit owns it. The project pins -bn -ci -i=2 -w in .pre-commit-config.yaml; trunk's custom definition had only -w and defaulted to tabs. Drop from trunk. * actionlint: pre-commit owns it. Pre-commit pins -shellcheck '' to suppress nested shellcheck noise; trunk would have to replicate the flag for parity. Drop from trunk. * shellcheck: pre-commit owns it. Move the project config from .trunk/configs/.shellcheckrc to a repo-root .shellcheckrc so pre-commit's shellcheck picks it up automatically (shellcheck auto-discovers up from the target). Drop `enable=all` because pre-commit's shellcheck didn't have it before and the move would otherwise silently raise strictness. Keep `disable=SC2154` with a comment explaining why (Bazel sh_test + GitHub Actions runner env vars). Drop shellcheck from trunk. * buildifier: trunk owns it. Trunk's custom definition cleanly splits --lint=fix (formatter) from --lint=warn (diagnostic) with a JSON output parser and pins a newer version (8.5.1 vs pre-commit's 8.2.0). Drop the keith/pre-commit-buildifier repo from .pre-commit-config.yaml. * check-yaml and yamllint stay as-is — they overlap on syntax but yamllint adds style coverage; cost is ~1s. Tools that stay trunk-only (no pre-commit equivalent in the repo): checkov, clang-tidy, git-diff-check, markdownlint, prettier, trivy, trufflehog, yamllint. Tools that stay pre-commit-only (no trunk equivalent or custom checks): check-added-large-files, check-merge-conflict, check-yaml, end-of-file-fixer, trailing-whitespace, and the seven local custom hooks (mope-*, *-patch-applies, compare-versions, no-do-not-merge, no-todos-without-context). Pre-commit cannot be dropped. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
helly25
changed the title
After enabling trunk as a meta-linter in #180, a full-repo scan surfaced 50 latent findings. This commit clears them. Policy edits: * .trunk/trunk.yaml: override clang-tidy's `run_when` from the plugin's `[cli, monitor, ci]` to `[cli, monitor]`. clang-tidy is fundamentally useless without compile_commands.json; local devs generate it via `bazel run @hedron_compile_commands//:refresh_all` but CI does not. The CI sandbox would otherwise emit ~20 "<header> file not found" diagnostics on every run. * .trunk/configs/.yamllint.yaml: disable `quoted-strings`. The `only-when-needed` setting collides with prettier (which prefers double quotes for many YAML strings) and the rule is purely stylistic — yamllint's other useful checks remain. * .github/workflows/{cache_cleanup,release,test}.yml: declare `permissions: read-all` at the workflow level to satisfy checkov CKV2_GHA_1. cache_cleanup uses secrets.CACHE_ACCESS (a custom PAT) so the default GITHUB_TOKEN does not need write scopes; release.yml's existing job-level `contents: write` override is preserved. Auto-fix sweep (applied once now that trunk owns the relevant formatters): * .bcr/metadata.template.json, .bcr/presubmit.yml: prettier reformatted JSON and YAML indentation. * CODE_OF_CONDUCT.md, CONTRIBUTING.md: prettier/markdownlint reformatted bullets and added language tags to fenced code blocks (MD040). * README.md, RULES.md: markdownlint trailing-punctuation fixes (MD026), missing language tags (MD040), top-level heading placement (MD041), and image alt text (MD045). The two affected section headings were edited by hand to shorter forms with the descriptive sentence moved to body prose. After this commit `trunk check -a` reports zero CI-visible findings; the remaining 25 are all clang-tidy diagnostics now gated to local-only via `run_when: [cli, monitor]`. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
mirrors-clang-format v19.1.6's default `types_or` includes `json`, because clang-format 14+ added JSON formatting support. trunk's prettier also formats JSON, and the two disagree on array layout: prettier compacts short arrays to a single line, clang-format expands them. The `.bcr/metadata.template.json` change pushed in the previous commit went through trunk-fmt-pre-commit (prettier) but CI's pre-commit then ran clang-format which reverted it, causing the hook to report "files were modified by this hook" and fail. Override `types_or: [c, c++, cuda]` so clang-format only touches actual C/C++/CUDA sources. JSON formatting stays trunk-prettier's job. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
helly25
changed the title
Fab-Cat
approved these changes
May 18, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Three connected housekeeping changes from a
trunk check -asweep on the fresh meta-linter setup.1. Node 24 GHA action bumps
GitHub will force JavaScript actions to Node 24 by default on 2026-06-02 and remove Node 20 from runners on 2026-09-16. Each CI job was emitting a deprecation warning. Bumped:
actions/checkout@v4→v6actions/cache/restore@v4→v5actions/cache/save@v4→v5bazelbuild/setup-bazelisk@v3left as-is — no Node 24 release upstream yet.2. Split trunk vs pre-commit lint ownership
After #180 enabled trunk as a meta-linter, four tools ran in both pre-commit and trunk. That caused a real conflict (
shfmt: pre-commit formats to 2-space indent, trunk reverted to tabs because its custom definition omitted-i=2) and noisy duplicate diagnostics elsewhere. Trunk is brand new in this repo; pre-commit had been working — bias toward leaving pre-commit alone unless trunk adds clear value.shfmt-bn -ci -i=2 -w; trunk's custom def had only-w(→ tabs by default)actionlint-shellcheck ""to suppress nested shellcheck noiseshellcheck.shellcheckrcmoved from.trunk/configs/to repo root so pre-commit auto-discovers it;enable=alldropped (would have silently raised strictness);disable=SC2154kept and documentedbuildifier--lint=fix(formatter) from--lint=warn(diagnostic) with a JSON parser; newer version (8.5.1 vs 8.2.0)check-yaml/yamllintcheck-yamlis a cheap parse-only sanity check;yamllintadds styleTrunk-only (no pre-commit equivalent):
checkov,clang-tidy,git-diff-check,markdownlint,prettier,trivy,trufflehog,yamllint.Pre-commit-only (no trunk equivalent or custom checks):
check-added-large-files,check-merge-conflict,check-yaml,end-of-file-fixer,trailing-whitespace, and the seven local custom hooks (mope-*,*-patch-applies,compare-versions,no-do-not-merge,no-todos-without-context). Pre-commit cannot be dropped — those local hooks have no portable equivalent.3. Clear
trunk check -afindings (50 → 0 CI-blocking)A full-repo trunk scan surfaced 50 findings. Resolved as follows.
Policy edits:
.trunk/trunk.yaml: overrideclang-tidy'srun_whenfrom[cli, monitor, ci]to[cli, monitor]. clang-tidy is useless withoutcompile_commands.json; local devs generate it viabazel run @hedron_compile_commands//:refresh_allbut CI does not. Even with a compile DB present, trunk's hermeticclang-tidy@16.0.3binary cannot resolve C++ stdlib headers (the install ships onlybin/clang-tidy+ clang-builtin headers, no libc++/libstdc++). Gating to local-only avoids ~20 spurious"<header> file not found"diagnostics per CI run..trunk/configs/.yamllint.yaml: disablequoted-strings. Theonly-when-neededsetting collides with prettier (which prefers double quotes for many YAML strings); the rule is purely stylistic. yamllint's other useful checks remain..github/workflows/{cache_cleanup,release,test}.yml: declare workflow-levelpermissions: read-allto satisfy checkovCKV2_GHA_1.cache_cleanupusessecrets.CACHE_ACCESS(a custom PAT), so the defaultGITHUB_TOKENdoes not need write scopes;release.yml's existing job-levelcontents: writeoverride is preserved.Auto-fix sweep (one-time, applied now that trunk owns the relevant formatters):
.bcr/metadata.template.json,.bcr/presubmit.yml: prettier reformatted JSON/YAML.CODE_OF_CONDUCT.md,CONTRIBUTING.md,README.md,RULES.md: markdownlint fixes (MD040 missing language tags, MD026 trailing punctuation, MD041 top-level heading placement, MD045 image alt text). Two affected headings hand-edited to shorter forms with descriptive text moved to body prose.4. Restrict pre-commit
clang-formatto C/C++/CUDAAfter the auto-fix sweep, CI surfaced a new fight:
mirrors-clang-format@v19.1.6's defaulttypes_orincludesjson(clang-format 14+ added JSON support), and pre-commit's clang-format reformatted.bcr/metadata.template.jsonback to multi-line — undoing trunk-prettier's compaction. Overridetypes_or: [c, c++, cuda]so JSON stays prettier's job.Test plan
bazel test //mbo/testing:matchers_test(covered by parallel feat(testing): add IsElementOf / IsKeyOf / IsValueOf matchers #181)trunk check -areports zero CI-visible findings on this branch (the 25 remaining are clang-tidy diagnostics now gated to local-only)bazelbuild/setup-bazelisk@v3Out of scope
clang-tidyCI integration. The extractor (hedron_compile_commands) itself runs clean — no patches needed. The blocker is that trunk's hermetic clang-tidy binary ships no C++ stdlib; resolving that means either (a) wrapping with the Bazel-built clang-tidy, (b) injecting--extra-arg=-isysroot=...per platform, or (c) dropping clang-tidy from trunk entirely. Tracked separately.🤖 Generated with Claude Code