Skip to content

ci: add security checks (MMNT-15)#7

Merged
listenrightmeow merged 9 commits into
mainfrom
claude/feature/MMNT-15-ci-security-checks-agc9O
Mar 23, 2026
Merged

ci: add security checks (MMNT-15)#7
listenrightmeow merged 9 commits into
mainfrom
claude/feature/MMNT-15-ci-security-checks-agc9O

Conversation

@listenrightmeow

Copy link
Copy Markdown
Member

Summary

  • Adds gitleaks configuration for secret detection in CI
  • Adds security scanning job to the CI workflow
  • Independent from the main stack — can be merged anytime after PR 4

Stack

This is PR 5 of 9 in the Sprint 1 stack. Merge order: 1 → 2 → 3 → 4 → 5 (independent) → 6 → 7 → 8 → 9

  • Independent branch based on main

Test plan

  • Verify .gitleaks.toml configuration is valid
  • Confirm security job in ci.yml runs gitleaks
  • Test that intentional secret patterns are detected

https://claude.ai/code/session_019XtyUDXFQ7G6ukurqJj6xL

@listenrightmeow listenrightmeow force-pushed the claude/feature/MMNT-15-ci-security-checks-agc9O branch from 0c35cd8 to 7d5d517 Compare March 23, 2026 08:53
@listenrightmeow listenrightmeow changed the base branch from main to claude/feature/MMNT-14-ci-tier1-checks-agc9O March 23, 2026 08:53
No test files exist yet in the scaffolded packages. Vitest fails
when run with --coverage on packages with no tests. Add
--passWithNoTests flag to all test steps so CI passes until
actual tests are written.

https://claude.ai/code/session_019XtyUDXFQ7G6ukurqJj6xL
Base automatically changed from claude/feature/MMNT-14-ci-tier1-checks-agc9O to main March 23, 2026 09:26
listenrightmeow and others added 7 commits March 23, 2026 02:27
Coverage was failing because v8 measured vitest.config.ts and dist/ files
with no tests to cover them. Setting `all: false` means only files imported
by tests are measured, and `include: ['src/**/*.ts']` scopes coverage to
source files only.

https://claude.ai/code/session_019XtyUDXFQ7G6ukurqJj6xL
Snyk cannot connect to this private repo yet. All three Snyk steps
(SCA, SAST, License) are now skipped unless the ENABLE_SNYK repository
variable is set to "true" or "TRUE". Gitleaks remains unconditional.

https://claude.ai/code/session_019XtyUDXFQ7G6ukurqJj6xL
- Remove invalid `config-path` input (not supported by v2)
- Pass config via GITLEAKS_CONFIG env var instead
- Add GITLEAKS_LICENSE secret (required for organization repos)

https://claude.ai/code/session_019XtyUDXFQ7G6ukurqJj6xL
…T-15)

Gitleaks-action needs pull-requests:read to list commits on a PR.
Add explicit permissions (contents:read, pull-requests:read) to the
security job.

https://claude.ai/code/session_019XtyUDXFQ7G6ukurqJj6xL
@listenrightmeow listenrightmeow merged commit 19e1806 into main Mar 23, 2026
3 checks passed
@listenrightmeow listenrightmeow deleted the claude/feature/MMNT-15-ci-security-checks-agc9O branch March 23, 2026 22:21
listenrightmeow pushed a commit that referenced this pull request Apr 9, 2026
P2 #7 from the post-mortem. The CLI README documented several
features that don't match the shipped code, misleading both
consumers and contributors.

Fixes:

1. moment init <name> (positional) → moment init --name <name>
   (flag). The command uses parseArgs with --name and --dir options,
   not positional arguments.

2. moment.manifest.json → .manifest.yaml. The scaffolder writes
   YAML, not JSON.

3. Global Options table (--output, --format, --verbose) removed.
   None of these exist as global flags. Replaced with a Common
   Options table listing the actual per-command flags with which
   commands support them: --json (10 commands), --out (generate,
   emit-ts), --out-dir (simulate), --all (simulate, serve),
   --dry-run (emit-ts), --verbose (status only), --port (serve).

4. --format json → --json throughout. The CLI uses a boolean --json
   flag, not --format json|text|silent. Fixed in the lint command
   description and in the CI/CD and schema governance code examples.

5. Example blocks updated to use the correct flags (--name for init,
   --out for generate/emit-ts).
listenrightmeow added a commit that referenced this pull request Apr 10, 2026
* docs(cli): fix README drift against actual implementation

P2 #7 from the post-mortem. The CLI README documented several
features that don't match the shipped code, misleading both
consumers and contributors.

Fixes:

1. moment init <name> (positional) → moment init --name <name>
   (flag). The command uses parseArgs with --name and --dir options,
   not positional arguments.

2. moment.manifest.json → .manifest.yaml. The scaffolder writes
   YAML, not JSON.

3. Global Options table (--output, --format, --verbose) removed.
   None of these exist as global flags. Replaced with a Common
   Options table listing the actual per-command flags with which
   commands support them: --json (10 commands), --out (generate,
   emit-ts), --out-dir (simulate), --all (simulate, serve),
   --dry-run (emit-ts), --verbose (status only), --port (serve).

4. --format json → --json throughout. The CLI uses a boolean --json
   flag, not --format json|text|silent. Fixed in the lint command
   description and in the CI/CD and schema governance code examples.

5. Example blocks updated to use the correct flags (--name for init,
   --out for generate/emit-ts).

* docs(cli): address Copilot review on README drift PR

Four fixes from Copilot on #147:

1. "most commands" → "many commands" for --json coverage. 10 out of
   ~18 entry points support it — slightly above half, not "most".

2. Common Options table was incomplete. Added --output-dir for
   import --from-sift and split --all into two rows (simulate/serve
   vs sync accept) since the semantics are different per command.
   Added a "non-exhaustive" caveat so readers know each command may
   have additional flags.

3. --out src/generated in the example would double-prefix (the
   emitter already writes paths starting with src/). Removed --out
   from the example so emit-ts and generate default to project
   root, matching the most common usage.

---------

Co-authored-by: Claude <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants