ci: add security checks (MMNT-15)#7
Merged
listenrightmeow merged 9 commits intoMar 23, 2026
Conversation
0c35cd8 to
7d5d517
Compare
No test files exist yet in the scaffolded packages. Vitest fails when run with --coverage on packages with no tests. Add --passWithNoTests flag to all test steps so CI passes until actual tests are written. https://claude.ai/code/session_019XtyUDXFQ7G6ukurqJj6xL
Base automatically changed from
claude/feature/MMNT-14-ci-tier1-checks-agc9O
to
main
March 23, 2026 09:26
Coverage was failing because v8 measured vitest.config.ts and dist/ files with no tests to cover them. Setting `all: false` means only files imported by tests are measured, and `include: ['src/**/*.ts']` scopes coverage to source files only. https://claude.ai/code/session_019XtyUDXFQ7G6ukurqJj6xL
Snyk cannot connect to this private repo yet. All three Snyk steps (SCA, SAST, License) are now skipped unless the ENABLE_SNYK repository variable is set to "true" or "TRUE". Gitleaks remains unconditional. https://claude.ai/code/session_019XtyUDXFQ7G6ukurqJj6xL
- Remove invalid `config-path` input (not supported by v2) - Pass config via GITLEAKS_CONFIG env var instead - Add GITLEAKS_LICENSE secret (required for organization repos) https://claude.ai/code/session_019XtyUDXFQ7G6ukurqJj6xL
Gitleaks-action v2 requires GITHUB_TOKEN to scan pull requests. https://claude.ai/code/session_019XtyUDXFQ7G6ukurqJj6xL
…T-15) Gitleaks-action needs pull-requests:read to list commits on a PR. Add explicit permissions (contents:read, pull-requests:read) to the security job. https://claude.ai/code/session_019XtyUDXFQ7G6ukurqJj6xL
5 tasks
This was referenced Apr 9, 2026
listenrightmeow
pushed a commit
that referenced
this pull request
Apr 9, 2026
P2 #7 from the post-mortem. The CLI README documented several features that don't match the shipped code, misleading both consumers and contributors. Fixes: 1. moment init <name> (positional) → moment init --name <name> (flag). The command uses parseArgs with --name and --dir options, not positional arguments. 2. moment.manifest.json → .manifest.yaml. The scaffolder writes YAML, not JSON. 3. Global Options table (--output, --format, --verbose) removed. None of these exist as global flags. Replaced with a Common Options table listing the actual per-command flags with which commands support them: --json (10 commands), --out (generate, emit-ts), --out-dir (simulate), --all (simulate, serve), --dry-run (emit-ts), --verbose (status only), --port (serve). 4. --format json → --json throughout. The CLI uses a boolean --json flag, not --format json|text|silent. Fixed in the lint command description and in the CI/CD and schema governance code examples. 5. Example blocks updated to use the correct flags (--name for init, --out for generate/emit-ts).
listenrightmeow
added a commit
that referenced
this pull request
Apr 10, 2026
* docs(cli): fix README drift against actual implementation P2 #7 from the post-mortem. The CLI README documented several features that don't match the shipped code, misleading both consumers and contributors. Fixes: 1. moment init <name> (positional) → moment init --name <name> (flag). The command uses parseArgs with --name and --dir options, not positional arguments. 2. moment.manifest.json → .manifest.yaml. The scaffolder writes YAML, not JSON. 3. Global Options table (--output, --format, --verbose) removed. None of these exist as global flags. Replaced with a Common Options table listing the actual per-command flags with which commands support them: --json (10 commands), --out (generate, emit-ts), --out-dir (simulate), --all (simulate, serve), --dry-run (emit-ts), --verbose (status only), --port (serve). 4. --format json → --json throughout. The CLI uses a boolean --json flag, not --format json|text|silent. Fixed in the lint command description and in the CI/CD and schema governance code examples. 5. Example blocks updated to use the correct flags (--name for init, --out for generate/emit-ts). * docs(cli): address Copilot review on README drift PR Four fixes from Copilot on #147: 1. "most commands" → "many commands" for --json coverage. 10 out of ~18 entry points support it — slightly above half, not "most". 2. Common Options table was incomplete. Added --output-dir for import --from-sift and split --all into two rows (simulate/serve vs sync accept) since the semantics are different per command. Added a "non-exhaustive" caveat so readers know each command may have additional flags. 3. --out src/generated in the example would double-prefix (the emitter already writes paths starting with src/). Removed --out from the example so emit-ts and generate default to project root, matching the most common usage. --------- Co-authored-by: Claude <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Stack
This is PR 5 of 9 in the Sprint 1 stack. Merge order: 1 → 2 → 3 → 4 → 5 (independent) → 6 → 7 → 8 → 9
mainTest plan
.gitleaks.tomlconfiguration is validhttps://claude.ai/code/session_019XtyUDXFQ7G6ukurqJj6xL