Skip to content

Republish on dependency bumps; harden configure.sh#351

Merged
ptr727 merged 5 commits into
developfrom
feature/publish-dep-currency
Jun 29, 2026
Merged

Republish on dependency bumps; harden configure.sh#351
ptr727 merged 5 commits into
developfrom
feature/publish-dep-currency

Conversation

@ptr727

@ptr727 ptr727 commented Jun 29, 2026

Copy link
Copy Markdown
Owner

Mirrors the change landed in LanguageTags: keeps push-self-publish (correct for NuGet), closes the stale-dependency window, and brings repo-config to the hardened canonical.

Dependency currency

A NuGet version can't be re-pushed, so (unlike a Docker image with a base refresh) a merged dependency bump must republish or the package keeps shipping old/vulnerable dependency constraints. Directory.Packages.props is now a shipped input: a dependency bump auto-publishes that branch. GitHub-Actions bumps stay excluded (they do not ship). The shipped library has effectively one runtime dependency (Serilog); the rest are test/Sandbox - wide-but-robust, cheap version churn over a stale dependency. WORKFLOW.md/AGENTS.md updated.

configure.sh hardening

ruleset_id (error-distinction, jq --arg, pipefail-safe, per_page=100), jq_lacks (set -e-safe), check_secrets (gh stderr surfaced), main-no-linear-history assert. README states the actual branch cleanup (auto-delete off; merge-bot deletes bot branches with --delete-branch).

Branch-deletion CI guard

Documented the !github.event.deleted guard the PR workflow carries (WORKFLOW.md said "unconditionally"); added scenario S16.

Verification

actionlint, markdownlint, shellcheck, bash -n clean; EOL preserved.

ptr727 and others added 2 commits June 28, 2026 21:12
ruleset_id (error-distinction with gh's stderr, jq --arg, pipefail-safe first//empty,
per_page=100), jq_lacks (set -e-safe via || rc=$?, propagates real jq errors), check_secrets
(surfaces gh stderr, accurate fail-fast comment), and the main-no-linear-history assert.
repo-config README states the actual branch cleanup (auto-delete setting off so a
develop -> main promotion does not delete develop; merge-bot deletes bot branches with
--delete-branch). Align validate/test-pr task comments to the terse canonical.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Add Directory.Packages.props to the publisher's shipped-input paths: a NuGet version can't
be re-pushed, so a dependency bump must republish to keep the package's declared
dependencies current (GitHub-Actions bumps stay excluded - they do not ship). Document the
!github.event.deleted branch-deletion guard the PR workflow carries (was described as
running "unconditionally"). WORKFLOW.md (section 0, glossary, D4.1, D8.2, 5A, S10, S16) and
AGENTS.md updated.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings June 29, 2026 04:12

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the repo’s CI/CD contract and configuration-as-code tooling so dependency bumps trigger self-publishing (NuGet dependency currency) and repository configuration checks are more failure-transparent and robust.

Changes:

  • Treat Directory.Packages.props as a shipped input so merges that bump dependencies auto-publish on main/develop.
  • Harden repo-config/configure.sh checks (ruleset lookup, jq helpers, secrets API error distinction, and main linear-history assertion).
  • Document and implement a !github.event.deleted guard to skip CI on branch-deletion push events.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
WORKFLOW.md Updates workflow contract docs for dependency-bump republish and branch-deletion CI guard scenario.
repo-config/README.md Clarifies branch deletion behavior with auto-delete-off and explicit per-merge deletion.
repo-config/configure.sh Improves failure modes and robustness for ruleset lookup, jq predicates, and secrets checks.
AGENTS.md Adds guidance on where durable rules belong and tightens documentation/comment guidance.
.github/workflows/validate-task.yml Adjusts workflow-lint step configuration (actionlint invocation).
.github/workflows/test-pull-request.yml Adds !github.event.deleted guards to avoid failing runs on branch deletion pushes.
.github/workflows/publish-release.yml Expands shipped-input paths to include Directory.Packages.props so dependency bumps republish.

Comment thread .github/workflows/validate-task.yml
The actionlint binary (installed by raven-actions/actionlint) is intentionally left unpinned
to track latest lint rules - a tool an action installs is not a uses: ref. Make D9.1's
carve-out explicit, matching the sibling repos.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.

Comment thread .github/workflows/test-pull-request.yml Outdated
checkout/build fail -> fails.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.

Comment thread repo-config/configure.sh Outdated
jq -e returns 4 when a filter produces no output (not 1), so the "main does not require
linear history" assert - jq_lacks on a rule that correctly does not exist - was getting
exit 4 and failing on a correct ruleset. Treat both 1 (false/null) and 4 (no output) as
"lacks"; still propagate real jq errors (2/3/5).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated no new comments.

@ptr727 ptr727 merged commit a777ad0 into develop Jun 29, 2026
10 checks passed
@ptr727 ptr727 deleted the feature/publish-dep-currency branch June 29, 2026 04:28
ptr727 added a commit that referenced this pull request Jun 29, 2026
repo-config README said the script 'asserts ... a GitHub App is
installed', but check_app only notes it (best-effort, does not fail the
audit) - inconsistent with WORKFLOW.md. Separate the assert (secret
names) from the note (App install). Follow-up to #351/#352.

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
ptr727 added a commit that referenced this pull request Jun 29, 2026
The summary said 'selects nothing'; jq_lacks also treats exit 1
(false/null output) as lacks. Reword to 'yields no truthy value (selects
nothing, or only false/null)'. Follow-up to #351/#352.

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
ptr727 added a commit that referenced this pull request Jun 29, 2026
…#352)

Promotes PR #351 from develop to main.

## What lands on main
- **Dependency currency:** `Directory.Packages.props` is a shipped
input, so a dependency bump republishes and the package's declared
dependencies stay current (a NuGet version can't be re-pushed).
GitHub-Actions bumps stay excluded.
- **configure.sh hardened:** `ruleset_id` (error-distinction, `jq
--arg`, pipefail-safe, `per_page=100`), `jq_lacks` (set -e-safe; treats
jq exit 1 and **4** as "lacks" so the main-no-linear-history assert
passes on a correct ruleset; propagates real errors), `check_secrets`
(surfaces gh stderr), the main-no-linear-history assert.
- repo-config README states the actual branch cleanup (auto-delete off;
merge-bot deletes bot branches with `--delete-branch`).
WORKFLOW.md/AGENTS.md updated (dep-currency, branch-deletion guard, D9.1
installed-tool carve-out).

Standard promotion PR with review (no admin bypass). No library code
change.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants