feat(discovery): skip transient non-project dirs (catalog-flag 3→0)#36
Merged
… audit.yml Pin every `uses:` ref across all 5 workflows (audit, ci, codeql, pypi, release) from floating major tags to the commit SHA their current tag resolves to, annotated with the resolved version. Removes the moving-tag supply-chain surface: a compromised or repointed tag can no longer swap action code into our CI silently. Add a concurrency group to audit.yml (ci.yml and codeql.yml already had one) with cancel-in-progress: false, so overlapping scheduled audit runs serialize instead of racing on the history cache. Pins are re-derived fresh against canonical's current action majors (checkout v6, setup-python v6, upload/download-artifact v7, action-gh-release v3); supersedes the stale archived attempt that targeted older v4/v5 majors.
Sibling to the same-origin canonicalization fix (#32). The workspace scan admitted three classes of scratch directory as real projects, dragging them into the catalog-completeness gate as permanently-unfixable flags:
- NoGoPRJs/* operator-flagged never-pursued projects
- *-smoke-export/* generated AuraForge signed-smoke-export bundles
- *-tmp-<timestamp> transient clones left by tooling runs
Add _is_ignored_project_dir (token + regex ignore-list, sibling to SKIP_DIRS), applied in discover_workspace_projects and _discover_nested_projects to skip a directory and its subtree. Live-workspace check: 132 -> 129 projects; the three residual catalog-flags drop to 0 while real repos (incl. ResumeEvolver, whose -tmp clone is filtered) are retained.
…flows The pin-all-actions-to-SHAs change (94dca6d) replaced tag refs like codeql-action/init@v4 and gh-action-pypi-publish@release/v1 with SHA pins carrying '# vN.x' comments, but these policy tests still asserted the old tag literals — so they fail on main. Update the assertions to verify the action is present and pinned to the intended major line (# v4 / # v1) instead of an exact tag, preserving the security intent and tolerating future patch bumps.
Closes the last gap in Arc A. Sibling to the same-origin canonicalization fix (#32).
Problem
The workspace scan admitted three classes of scratch directory as real projects, so they reached the catalog-completeness gate as permanently-unfixable catalog flags (the residual 3 after #34 seeded the 37-repo worklist):
- Misc:NoGoPRJs/app — operator-flagged never-pursued project
- auraforge-signed-smoke-export/…-plan — generated AuraForge bundle (no git, empty README)
- resume-evolver-tmp-1776063720 — a -tmp-<ts> clone of the already-catalogued ResumeEvolver
Cataloguing them would misrepresent scratch dirs as projects; the right layer is discovery.
Change (commit 1 — feat(discovery))
Add `_is_ignored_project_dir` (token + regex ignore-list, sibling to `SKIP_DIRS`), applied in `discover_workspace_projects` and `_discover_nested_projects` to skip a directory and its subtree:
- nogoprjs
- smoke-export
- -tmp-\d+$
Guarded against over-matching: resume-evolver, smoke-test-runner, tmp-tools are kept.
Verification
- tmp_path integration tests in test_portfolio_truth_sources.py (red→green)
- discover_workspace_projects(~/Projects) → 132 → 129, all 3 targets filtered, GithubRepoAuditor + ResumeEvolver retained → after the next portfolio-truth regen, catalog-flag 3 → 0
Change (commit 2 — test(ci))
Pre-existing red on main: the pin-actions-to-SHAs commit (94dca6d) replaced codeql-action/init@v4 / gh-action-pypi-publish@release/v1 with SHA pins (# v4.36.1 / # v1.14.0), but test_distribution_policy.py still asserted the old tag literals. Realigned the 3 stale assertions to verify the action is present + pinned to the intended major line (# v4 / # v1) — preserves security intent, tolerates patch bumps. Unblocks CI.
Gate
ruff check . clean
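As an added example (not code from this PR or the repository), here is a standalone policy check in the spirit of the realigned assertions in commit 2: it parses a workflow's `uses:` lines and reports whether a given action is present, pinned to a 40-hex commit SHA, and annotated with a version comment on the intended major line, so patch bumps pass and a floating tag or wrong major fails. The workflow text and SHAs are constructed placeholders and the function names are my own, not the project's.

```python
import re

# One step line: "- uses: owner/repo[/path]@ref   # vN.N.N" (the comment is optional).
_USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[^@\s]+)@(?P<ref>[^\s#]+)\s*(?:#\s*(?P<comment>\S+))?\s*$"
)
_SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # full commit SHA, not a tag or branch


def parse_uses(workflow_text):
    """Map each action referenced in the workflow to its (ref, trailing comment)."""
    found = {}
    for line in workflow_text.splitlines():
        m = _USES_RE.match(line)
        if m:
            found[m.group("action")] = (m.group("ref"), m.group("comment"))
    return found


def pin_problems(workflow_text, action, major):
    """Return policy violations for `action`; an empty list means it is present,
    SHA-pinned, and its comment sits on the expected major line (e.g. "v4")."""
    uses = parse_uses(workflow_text)
    if action not in uses:
        return [f"{action}: not used in workflow"]
    ref, comment = uses[action]
    problems = []
    if not _SHA_RE.match(ref):
        problems.append(f"{action}: ref {ref!r} is not a 40-hex commit SHA")
    if comment is None:
        problems.append(f"{action}: missing '# {major}.x' version comment")
    # Accept v4, v4.x, v4.36.1 ... but not v40 or v5: patch bumps pass, majors don't drift.
    elif not re.match(rf"^{re.escape(major)}(\.(\d+|x))*$", comment):
        problems.append(f"{action}: comment {comment!r} is not on the {major} line")
    return problems


# Constructed sample workflow; the SHAs are placeholders, not real commits.
SAMPLE_WORKFLOW = """\
jobs:
  audit:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v6.0.1
      - uses: github/codeql-action/init@v4
      - uses: pypa/gh-action-pypi-publish@fedcba9876543210fedcba9876543210fedcba98 # v1.14.0
"""

if __name__ == "__main__":
    for action, major in [("actions/checkout", "v6"), ("github/codeql-action/init", "v4"),
                          ("pypa/gh-action-pypi-publish", "v1")]:
        print(action, pin_problems(SAMPLE_WORKFLOW, action, major) or "ok")
```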