Skip to content

ci+deps: tighten workflows, bump go-sdk to v1.6.1, setup-go to v6#94

Merged
blue4209211 merged 1 commit into
mainfrom
ci/tighten-workflows
Jun 7, 2026
Merged

ci+deps: tighten workflows, bump go-sdk to v1.6.1, setup-go to v6#94
blue4209211 merged 1 commit into
mainfrom
ci/tighten-workflows

Conversation

@blue4209211

@blue4209211 blue4209211 commented Jun 7, 2026

Copy link
Copy Markdown
Contributor

Summary

Bundled CI hygiene + dependency security fix:

1. Workflow tightening

  • Release: tag trigger `''` → `'v'` — prevents accidental non-version tags from kicking off a release.
  • Release: run `make test` before building — closes the gap where a broken main could still ship binaries.
  • CI: also run on `push` to main — catches anything that lands via direct push or stale-branch merge.
  • `actions/setup-go`: v4 → v5 in both workflows.

2. Dependabot alerts

Bumps `github.com/modelcontextprotocol/go-sdk` from `v1.3.1` → `v1.4.1`, closing all three open high-severity alerts (#2, #3, #4):

  • Improper handling of null Unicode in JSON parsing
  • Cross-Site Tool Execution for HTTP servers without auth
  • DNS Rebinding Protection disabled by default on localhost

Transitive bumps from `go mod tidy`: `segmentio/encoding` v0.5.3→v0.5.4, `oauth2` v0.30→v0.34, `x/sys` v0.36→v0.40.

Test plan

  • `make test` green locally with the new SDK
  • `nbctl mcp` registers all 44 tools and reports "MCP server started, waiting for requests..."
  • Integration tests (gated by `NUDGEBEE_INTEGRATION=1`) auto-skip in CI as expected
  • After merge: push to main triggers the new CI job; next `v*` tag triggers release with test gate; accidental non-`v*` tags ignored

🤖 Generated with Claude Code

@gemini-code-assist

Copy link
Copy Markdown

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

@blue4209211 blue4209211 changed the title ci(workflows): tighten release trigger, add main-branch and test gates ci+deps: tighten workflows and bump go-sdk to v1.4.1 Jun 7, 2026
@blue4209211 blue4209211 changed the title ci+deps: tighten workflows and bump go-sdk to v1.4.1 ci+deps: tighten workflows, bump go-sdk to v1.6.1, setup-go to v6 Jun 7, 2026
Bundled CI hygiene + dependency security fix.

Workflow tightening:
- Release: restrict tag trigger from '*' to 'v*' so accidental
  non-version tags don't kick off a release.
- Release: run `make test` before building so a broken main can't
  ship binaries.
- CI: also run on push to main, catching anything that lands via
  direct push or stale-branch merge.
- actions/setup-go: v4 -> v6 in both workflows (matches Dependabot's
  recommendation).

Dependabot alerts closed:
- go-sdk: v1.3.1 -> v1.6.1, resolving 3 high-severity alerts on
  github.com/modelcontextprotocol/go-sdk (null Unicode JSON parsing,
  cross-site tool execution without auth, DNS rebinding protection
  disabled by default on localhost).

Transitive bumps from go mod tidy:
- github.com/google/jsonschema-go v0.4.2 -> v0.4.3
- github.com/segmentio/encoding v0.5.3 -> v0.5.4
- golang.org/x/oauth2 v0.30.0 -> v0.35.0
- golang.org/x/sys v0.36.0 -> v0.41.0

Supersedes (closed): #72, #78, #84.

Verified locally: full test suite green, `nbctl mcp` registers all
44 tools and reports "MCP server started, waiting for requests..."

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@blue4209211 blue4209211 force-pushed the ci/tighten-workflows branch from cd5d24f to 2a5dbd2 Compare June 7, 2026 10:18
@blue4209211 blue4209211 merged commit f0dfdb5 into main Jun 7, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants