Republish on dependency bumps; harden configure.sh#351
Merged
Conversation
ruleset_id (error-distinction with gh's stderr, jq --arg, pipefail-safe first//empty, per_page=100), jq_lacks (set -e-safe via || rc=$?, propagates real jq errors), check_secrets (surfaces gh stderr, accurate fail-fast comment), and the main-no-linear-history assert. repo-config README states the actual branch cleanup (auto-delete setting off so a develop -> main promotion does not delete develop; merge-bot deletes bot branches with --delete-branch). Align validate/test-pr task comments to the terse canonical. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Add Directory.Packages.props to the publisher's shipped-input paths: a NuGet version can't be re-pushed, so a dependency bump must republish to keep the package's declared dependencies current (GitHub-Actions bumps stay excluded - they do not ship). Document the !github.event.deleted branch-deletion guard the PR workflow carries (was described as running "unconditionally"). WORKFLOW.md (section 0, glossary, D4.1, D8.2, 5A, S10, S16) and AGENTS.md updated. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Contributor
There was a problem hiding this comment.
Pull request overview
Updates the repo’s CI/CD contract and configuration-as-code tooling so dependency bumps trigger self-publishing (NuGet dependency currency) and repository configuration checks are more failure-transparent and robust.
Changes:
- Treat
Directory.Packages.propsas a shipped input so merges that bump dependencies auto-publish onmain/develop. - Harden
repo-config/configure.shchecks (ruleset lookup, jq helpers, secrets API error distinction, and main linear-history assertion). - Document and implement a
!github.event.deletedguard to skip CI on branch-deletion push events.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| WORKFLOW.md | Updates workflow contract docs for dependency-bump republish and branch-deletion CI guard scenario. |
| repo-config/README.md | Clarifies branch deletion behavior with auto-delete-off and explicit per-merge deletion. |
| repo-config/configure.sh | Improves failure modes and robustness for ruleset lookup, jq predicates, and secrets checks. |
| AGENTS.md | Adds guidance on where durable rules belong and tightens documentation/comment guidance. |
| .github/workflows/validate-task.yml | Adjusts workflow-lint step configuration (actionlint invocation). |
| .github/workflows/test-pull-request.yml | Adds !github.event.deleted guards to avoid failing runs on branch deletion pushes. |
| .github/workflows/publish-release.yml | Expands shipped-input paths to include Directory.Packages.props so dependency bumps republish. |
The actionlint binary (installed by raven-actions/actionlint) is intentionally left unpinned to track latest lint rules - a tool an action installs is not a uses: ref. Make D9.1's carve-out explicit, matching the sibling repos. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
checkout/build fail -> fails. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
jq -e returns 4 when a filter produces no output (not 1), so the "main does not require linear history" assert - jq_lacks on a rule that correctly does not exist - was getting exit 4 and failing on a correct ruleset. Treat both 1 (false/null) and 4 (no output) as "lacks"; still propagate real jq errors (2/3/5). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This was referenced Jun 29, 2026
ptr727
added a commit
that referenced
this pull request
Jun 29, 2026
repo-config README said the script 'asserts ... a GitHub App is installed', but check_app only notes it (best-effort, does not fail the audit) - inconsistent with WORKFLOW.md. Separate the assert (secret names) from the note (App install). Follow-up to #351/#352. Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
ptr727
added a commit
that referenced
this pull request
Jun 29, 2026
…#352) Promotes PR #351 from develop to main. ## What lands on main - **Dependency currency:** `Directory.Packages.props` is a shipped input, so a dependency bump republishes and the package's declared dependencies stay current (a NuGet version can't be re-pushed). GitHub-Actions bumps stay excluded. - **configure.sh hardened:** `ruleset_id` (error-distinction, `jq --arg`, pipefail-safe, `per_page=100`), `jq_lacks` (set -e-safe; treats jq exit 1 and **4** as "lacks" so the main-no-linear-history assert passes on a correct ruleset; propagates real errors), `check_secrets` (surfaces gh stderr), the main-no-linear-history assert. - repo-config README states the actual branch cleanup (auto-delete off; merge-bot deletes bot branches with `--delete-branch`). WORKFLOW.md/AGENTS.md updated (dep-currency, branch-deletion guard, D9.1 installed-tool carve-out). Standard promotion PR with review (no admin bypass). No library code change.
This was referenced Jul 9, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Mirrors the change landed in LanguageTags: keeps push-self-publish (correct for NuGet), closes the stale-dependency window, and brings repo-config to the hardened canonical.
Dependency currency
A NuGet version can't be re-pushed, so (unlike a Docker image with a base refresh) a merged dependency bump must republish or the package keeps shipping old/vulnerable dependency constraints.
Directory.Packages.propsis now a shipped input: a dependency bump auto-publishes that branch. GitHub-Actions bumps stay excluded (they do not ship). The shipped library has effectively one runtime dependency (Serilog); the rest are test/Sandbox - wide-but-robust, cheap version churn over a stale dependency. WORKFLOW.md/AGENTS.md updated.configure.sh hardening
ruleset_id (error-distinction, jq --arg, pipefail-safe, per_page=100), jq_lacks (set -e-safe), check_secrets (gh stderr surfaced), main-no-linear-history assert. README states the actual branch cleanup (auto-delete off; merge-bot deletes bot branches with --delete-branch).
Branch-deletion CI guard
Documented the
!github.event.deletedguard the PR workflow carries (WORKFLOW.md said "unconditionally"); added scenario S16.Verification
actionlint, markdownlint, shellcheck,
bash -nclean; EOL preserved.