feat: v1 finalize Track D — dogfood polish (6 ACs)#75
Merged
Run Semgrep with `p/auto` + `p/owasp-top-ten` in the canonical `semgrep/semgrep` container on push/PR to main and weekly Mondays. Upload SARIF as `category: semgrep` via codeql-action/upload-sarif@v4 with `if: always()` so findings reach Code Scanning even when the scan exits non-zero. Refs spec 006 §Track D AC-D-1 (.erpaval gitignored).
Move the OSV vulnerability scan out of the embedded ci.yml job into a dedicated osv.yml workflow with weekly cron and the same SARIF + exit-code-gating shape as the prior embedded job. Bump the binary pin v2.3.5 → v2.3.8 (released 2026-05-08, bug fixes only — no breaking changes; URL pattern unchanged). Delete the embedded osv: job from ci.yml in the same change so the SARIF upload runs exactly once per commit. Refs spec 006 §Track D AC-D-2.
Run codehub against itself using the local workspace build (not the npm-published CLI). Triggers on push/PR to main and weekly Wednesdays. Use pnpm exec node packages/cli/dist/index.js because pnpm link --global was removed in pnpm 11.x; this invocation is forward-compatible. Upload .codehub/scan.sarif as category opencodehub-self via codeql-action/upload-sarif@v4. Optional license-tier gate opens an issue on BLOCK (non-blocking) per packages/cli/src/commands/ci-templates/github-weekly.yml. Refs spec 006 §Track D AC-D-3.
Inline the code-pack build + gh release upload --clobber inside the release-please workflow, gated on steps.release.outputs.release_created. Inline (rather than a separate workflow listening on release: published) because events triggered by the default GITHUB_TOKEN do not fire downstream workflow runs (GitHub Actions safety rule); a separate release-published workflow would never run automatically. The pack invocation is `code-pack . --budget 100000 --tokenizer openai:o200k_base@tiktoken-0.8.0 --out-dir /tmp/pack` so the resulting tarball is byte-identical given the same release SHA + tokenizer pin. Refs spec 006 §Track D AC-D-3 and the asset-attach pattern from the release-please-action v5 README. Note: sbom.yml has the same latent release: published bug; flagged for follow-on PR rather than expanded scope here.
Promote the 22-line scaffold to a fuller shape: top-level min_version,
assert_lefthook_installed, glob_matcher (doublestar — gobwas default
does not treat ** recursively), output blocks, and a pnpm template.
Per-job changes:
- biome / banned-strings / commitlint / typecheck / test gain fail_text.
- pre-commit gains priority on biome (1) and banned-strings (2).
- pre-commit gains a new pnpm-lock-sync job that fires only when
pnpm-lock.yaml or package.json or pnpm-workspace.yaml is staged.
- pre-push typecheck + test gain skip: [merge, rebase] and a diff-scoped
files: glob.
- pre-push gains a new verdict job running
pnpm exec codehub verdict --base origin/main --head HEAD --exit-code
so a policy-block verdict aborts the push.
banned-strings is now glob-scoped to source / doc / config files instead
of running on the whole repo.
Refs spec 006 §Track D AC-D-5.
Five new tasks:
- pack:determinism wraps scripts/pack-determinism-audit.sh and is
appended to check:full deps so the byte-identity gate runs as part
of the full local CI.
- och:self-{analyze,scan,verdict,pack} dogfood the codehub CLI on
this repo via pnpm exec node packages/cli/dist/index.js — pnpm link
--global was removed in pnpm 11.x so this invocation is forward-
compatible.
The audit script SKIPs gracefully on dev boxes without an existing
.codehub/duck.db, so wiring it into check:full does not break
green-tree CI.
Refs spec 006 §Track D AC-D-6.
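As an added example (not the repository's scripts/pack-determinism-audit.sh, whose contents are not on the page), a POSIX shell sketch of the byte-identity gate that the pack:determinism task wraps: run the pack command twice into fresh directories, compare digests, and SKIP with a message (exit 0) when the derived index is absent so an un-indexed dev box does not break check:full. The function names, the pack.tar output name, and the convention that the pack command takes an output directory as its first argument are assumptions; the real code-pack invocation on the page uses --out-dir.

```shell
#!/usr/bin/env sh
# Added example, not the project's own audit script.
# Assumptions (hypothetical): the pack command given as $2 writes <dir>/pack.tar
# when called with an output directory; $1 is the derived artifact (on the page:
# .codehub/duck.db) whose absence means the checkout has not been indexed.

# Print SKIP and return 0 when the derived artifact is absent, so the gate
# degrades gracefully instead of failing green-tree CI on un-indexed checkouts.
skip_unless_present() {
  if [ ! -e "$1" ]; then
    echo "SKIP: $1 not present; run the producer step (e.g. 'codehub analyze') first"
    return 0
  fi
  return 1
}

# sha256 of a file, portable across GNU (sha256sum) and BSD (shasum) userlands.
file_digest() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Pack twice and require byte-identical output.
# Exit status: 0 = PASS or SKIP, 1 = pack command failed, 2 = outputs differ.
pack_determinism_audit() {
  index="$1"
  pack_cmd="$2"
  if skip_unless_present "$index"; then
    return 0
  fi
  d1=$(mktemp -d)
  d2=$(mktemp -d)
  $pack_cmd "$d1" || return 1
  $pack_cmd "$d2" || return 1
  h1=$(file_digest "$d1/pack.tar")
  h2=$(file_digest "$d2/pack.tar")
  rm -rf "$d1" "$d2"
  if [ "$h1" = "$h2" ]; then
    echo "PASS: pack is byte-identical ($h1)"
    return 0
  fi
  echo "FAIL: pack output differs between runs: $h1 vs $h2" >&2
  return 2
}
```

Wiring this shape into a task DAG is what makes the SKIP path matter: a gate that hard-fails when its input artifact is missing turns every fresh clone into a red build, while a gate that prints SKIP and exits 0 only bites where it can actually measure something (CI and dev boxes that have run the analyze step).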
The codehub verdict CLI does not accept --exit-code; it sets process.exitCode by default based on tier (block returns non-zero, auto_merge returns 0). The pre-push verdict hook caught this on first push attempt — adjust lefthook.yml + mise.toml + och-self-scan.yml to match the real CLI surface. Bonus: the dogfood path proved its worth on the first run by catching a CLI-spec mismatch before it hit CI.
…dev boxes Guard the verdict run on a present .codehub/graph.duckdb (or graph.lbug) so the hook prints a SKIP message and exits 0 when the dev box hasn't run 'codehub analyze' yet, rather than hard-blocking the push. Matches the SKIP behaviour of scripts/pack-determinism-audit.sh. This keeps the spec D1-E-4 contract intact for indexed checkouts (CI + dev boxes that have analyzed) while removing the foot-gun for new clones.
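The two fixes above (drop --exit-code because the verdict CLI already sets a non-zero exit status on block, and guard on the presence of .codehub/graph.duckdb or graph.lbug) combine into a small pre-push hook body. The following is an added example of that body in POSIX shell, not the repository's lefthook.yml; it assumes the verdict command is passed in as arguments after the repository path, and relies only on the exit-status contract the page states (non-zero for block, 0 for auto_merge).

```shell
#!/usr/bin/env sh
# Added example, not the project's lefthook.yml.
# Assumptions (hypothetical): $1 is the repository root; the remaining arguments
# are the verdict command (on the page: pnpm exec codehub verdict --base
# origin/main --head HEAD), whose exit status is non-zero for a policy block.

# True when the checkout has been indexed: either graph file present.
index_present() {
  [ -e "$1/.codehub/graph.duckdb" ] || [ -e "$1/.codehub/graph.lbug" ]
}

# Pre-push verdict gate.
# Exit status: 0 = push allowed (auto_merge, or SKIP on an un-indexed checkout),
# non-zero = the verdict command's own status, which aborts the push.
pre_push_verdict() {
  repo="$1"
  shift
  if ! index_present "$repo"; then
    echo "SKIP: no .codehub/graph.duckdb or graph.lbug under $repo; run 'codehub analyze' to enable the verdict gate"
    return 0
  fi
  # No --exit-code flag: the CLI sets the exit status by tier on its own.
  if "$@"; then
    echo "verdict: auto_merge tier, push allowed"
    return 0
  else
    rc=$?
    echo "verdict: policy block (exit $rc); aborting push" >&2
    return "$rc"
  fi
}
```

The guard checks the index files rather than probing the CLI, so a clone that has never run the analyze step skips cleanly, while an indexed checkout gets exactly the CLI's verdict status and nothing else decides whether the push proceeds.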
You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool. What Enabling Code Scanning Means:
For more information about GitHub Code Scanning, check out the documentation.
… dogfood pre-push hook
Two compound-extracted lessons from the v1-finalize Track D session:
1. release-published events from default GITHUB_TOKEN do not fire downstream workflows — inline asset-attach in release-please.yml gated on steps.release.outputs.release_created, OR pass a PAT to release-please-action. Existing sbom.yml has the same latent bug.
2. Dogfood pre-push hooks catch CLI spec drift on first push. Pattern the SKIP-with-message shape from pack-determinism-audit.sh for any gate that depends on a derived artifact (index, build output, cache).
Closed
theagenticguy added a commit that referenced this pull request on May 10, 2026
## Summary
Track D — leg 4/4 of v1.0 finalize. CI / lefthook / mise dogfood polish
per `.erpaval/specs/006-v1-finalize/spec.md§Track D`.
- **AC-D-1** `feat(ci): add standalone Semgrep workflow` (`9b36bf4`) —
`semgrep/semgrep` container, `p/auto + p/owasp-top-ten`, SARIF upload as
`category: semgrep`.
- **AC-D-2** `feat(ci): split OSV-Scanner into standalone workflow`
(`22253da`) — extract from embedded `ci.yml` job into `osv.yml`. Bumped
pin v2.3.5 → v2.3.8 (released 2026-05-08, fixes only).
- **AC-D-3** `feat(ci): add self-scan dogfood workflow` (`0e43d06`) —
`och-self-scan.yml` runs `codehub` on itself via `pnpm exec node
packages/cli/dist/index.js` (no `pnpm link --global` — removed in pnpm
11.x).
- **AC-D-4** `feat(ci): attach codehub code-pack as a release asset`
(`1ab82a6`) — **inline** in `release-please.yml` gated on
`steps.release.outputs.release_created`; a separate `release: published`
workflow would not fire under default `GITHUB_TOKEN` (research finding).
Latent same-bug in `sbom.yml` flagged for follow-on.
- **AC-D-5** `chore(repo): polish lefthook config to claude-sql parity`
(`4cf07a8`) — `min_version`, `assert_lefthook_installed`, `glob_matcher:
doublestar`, `output:` blocks, `templates: {pnpm}`, per-job
`fail_text`/`priority`/`skip`/`files:` diff-scoping. NEW pre-commit
`pnpm-lock-sync` job. NEW pre-push `verdict` job with graceful-degrade
guard for un-indexed checkouts.
- **AC-D-6** `chore(repo): add och:self-* dogfood mise tasks +
pack:determinism` (`3894ca9`) — `pack:determinism` wired into
`check:full` deps; 4 dogfood tasks (analyze/scan/verdict/pack).
- **fix(ci)** `drop --exit-code from codehub verdict invocations`
(`55dc684`) — pre-push hook on first run caught a CLI-spec mismatch;
verdict already exits with non-zero on `block` by default, no flag
needed.
- **fix(ci)** `make pre-push verdict hook degrade gracefully on
un-indexed dev boxes` (`044ef43`) — guard on presence of
`.codehub/graph.duckdb` or `graph.lbug`, mirroring
`pack-determinism-audit.sh` SKIP shape.
Spec coordinate sweep: zero `AC-*` / `M-*` / `W-*` / `CL-*` leakage in
source per
`.erpaval/solutions/best-practices/no-spec-coordinate-leakage-into-source.md`.
## Validation
- `mise run check` exit 0 (lint + typecheck + test 235/235 cli + 17
packages green + banned-strings).
- `mise run pack:determinism` SKIP-clean (no `.codehub/duck.db` on dev —
graceful, expected).
- `mise run check:full --dry-run` confirms `pack:determinism` wired into
the DAG.
- `bash scripts/check-banned-strings.sh` PASS — every commit gated by
lefthook pre-commit hook.
- All 6 YAML files parse via `yaml.safe_load`; `mise.toml` parses via
`tomli.load`.
- Per-commit lefthook gates fired green (banned-strings + commitlint +
on push: typecheck + test + verdict).
## API freshness — research-grounded 2026-05-09
`./.erpaval/sessions/session-85faf1/research-track-d.md` cites every API
decision against the upstream source: codeql-action@v4, checkout@v6,
upload-artifact@v7, mise-action@v4, release-please-action@v5,
semgrep/semgrep, osv-scanner v2.3.8, lefthook v2.1.6 schema, mise.toml
task syntax, pnpm 11.x removal of `pnpm link --global`.
## Test plan
- [ ] Confirm CI passes on the PR (lint + typecheck + test on Node 22 +
24, sarif-validate, banned-strings, licenses, osv).
- [ ] Verify the new `semgrep.yml` runs (dispatch on push to PR) and
uploads SARIF to Code Scanning under `category: semgrep`.
- [ ] Verify the new `osv.yml` runs and uploads SARIF under `category:
osv-scanner`; embedded `ci.yml` `osv:` job is gone.
- [ ] Verify `och-self-scan.yml` workflow_dispatches successfully on
this branch (manual trigger from Actions tab).
- [ ] Smoke `mise run pack:determinism` after running `codehub analyze`
on a clean checkout to confirm byte-identity.
- [ ] (Future PR) Migrate `sbom.yml` from `release: [published]` →
inline in `release-please.yml` per the same finding that drove AC-D-4.
## Adjacent debt flagged for follow-on PRs
- `sbom.yml` has the same `release: [published]` + default
`GITHUB_TOKEN` latent bug as the prior AC-D-4 design. One-line workflow
change to inline; out of scope here.
- `lefthook.yml` `core.hooksPath` hint surfaces every commit on this dev
box; cosmetic — local clone has `.git/hooks` set explicitly.
## Rollback
Each AC commit touches disjoint files (different `.yml` workflows /
`lefthook.yml` / `mise.toml`). Any AC can be reverted independently with
`git revert <sha>` without disturbing the others.