
ci: wire node-suite regression guard (nightly + merge-queue-ready)#5255

Open
TheHypnoo wants to merge 4 commits into
mainfrom
chore/ci-node-suite-guard

Conversation


@TheHypnoo TheHypnoo commented Jun 16, 2026

Member

What

New .github/workflows/node-suite-guard.yml that runs scripts/node_suite_regression_check.py (roadmap I-02) on a nightly schedule, on workflow_dispatch, and on merge_group.

Why

The regression guard already existed — it runs the full print-and-diff node-suite and fails if any baselined module's pass count drops below its floor (test-parity/node_suite_baseline.json, oracle node 26). It was written verbatim because node:dns once silently went 83% → 0% behind a green build — yet it was wired into zero workflows. This wires it in.

Design / scope

  • Decoupled from the merge queue (which isn't enabled): runs nightly + on demand today, so it delivers value immediately. The merge_group trigger is inert until a maintainer enables the merge queue in branch protection — then the guard gates every merge with no further workflow change.
  • node 26 = the baseline oracle (a different major would compare against the wrong reference and report spurious regressions).
  • Uses sccache (now allow-listed after ci(test): add sccache + bound cargo-test timeout #5221) + Swatinem/rust-cache; allow-listed actions only.
  • New workflow file only — no existing job touched, no PR gate added. (It has no pull_request trigger by design, so it won't run on this PR; validate before merge with gh workflow run "Node Suite Regression Guard" --ref <branch> if desired — note it builds + runs the full suite, ~1–2 h.)

Follow-up (separate, maintainer's call)

Enabling the GitHub merge queue and routing the existing heavy jobs (parity, compile-smoke, the framework smokes) to merge_group is a workflow-wide change, left as a separate decision. Once the queue is enabled, this guard already runs in it.

Summary by CodeRabbit

  • Chores
    • Added an automated regression testing workflow that runs nightly and can be triggered manually to validate the Node.js suite and build artifacts.
    • Includes concurrency safeguards to prevent overlapping runs, enforces a job timeout, and publishes results to the run summary for quick review.
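The floor check the description outlines, written out as an added illustration (not the project's scripts/node_suite_regression_check.py): a run fails if any baselined module drops below its pass-count floor or if the run used a Node major other than the baseline oracle. The baseline shape, the module numbers and the step-summary format are assumptions.

```python
"""Floor-based regression guard of the kind the PR describes: each baselined
module's pass count must stay at or above its floor, and the run must use the
baseline's oracle Node major. Added illustration, not the project's
scripts/node_suite_regression_check.py; the baseline shape and all numbers
below are constructed."""
import json

# Constructed baseline (the real test-parity/node_suite_baseline.json may differ).
BASELINE_JSON = json.dumps({
    "oracle_node_major": 26,
    "modules": {
        "node:dns": {"passed": 83, "total": 100},
        "node:fs": {"passed": 120, "total": 150},
    },
})

# Constructed current run: module -> (passed, total). node:dns collapsed to 0,
# the silent 83% -> 0% class of regression the guard exists to catch.
CURRENT_RUN = {"node:dns": (0, 100), "node:fs": (121, 150), "node:path": (40, 40)}


def check_regressions(baseline_json, current, node_major):
    """Return failure messages; an empty list means the guard passes."""
    baseline = json.loads(baseline_json)
    oracle = baseline["oracle_node_major"]
    if node_major != oracle:
        # A different major would diff against the wrong reference; refuse
        # outright rather than report spurious regressions.
        return [f"oracle mismatch: baseline is node {oracle}, run used node {node_major}"]
    failures = []
    for module, floor in sorted(baseline["modules"].items()):
        if module not in current:
            failures.append(f"{module}: absent from run (floor {floor['passed']}/{floor['total']})")
            continue
        passed, total = current[module]
        if passed < floor["passed"]:
            failures.append(
                f"{module}: {passed}/{total} passed, below floor {floor['passed']}/{floor['total']}")
    # Modules with no baseline entry (node:path here) are not gated.
    return failures


def render_step_summary(failures):
    """Markdown for $GITHUB_STEP_SUMMARY: a pass marker or one line per failure."""
    if not failures:
        return "### Node suite regression guard: PASS\n"
    body = "\n".join(f"- {f}" for f in failures)
    return f"### Node suite regression guard: FAIL ({len(failures)})\n{body}\n"
```

In the workflow the rendered summary would be appended to the file named by GITHUB_STEP_SUMMARY and the job's exit status set from whether the failure list is empty.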

…e-ready)

Add .github/workflows/node-suite-guard.yml running
scripts/node_suite_regression_check.py against the node 26 floor baseline
(test-parity/node_suite_baseline.json). The guard fails if any baselined
module's pass count drops below its floor — exactly the node:dns 83%->0%
class — yet it previously ran in ZERO workflows.

Runs nightly and on workflow_dispatch today. The merge_group trigger is inert
until the merge queue is enabled in branch protection, at which point the
guard gates every merge with no further change. Decoupled from the merge
queue on purpose so it delivers value immediately.

Uses sccache (now allow-listed after #5221) + Swatinem/rust-cache; node 26 to
match the baseline oracle.

coderabbitai Bot commented Jun 16, 2026


Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: a284af0b-c98e-4247-a455-d11fd4fabd48

📥 Commits

Reviewing files that changed from the base of the PR and between 16b9f79 and bb40e58.

📒 Files selected for processing (1)
  • .github/workflows/node-suite-guard.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/node-suite-guard.yml

📝 Walkthrough

Walkthrough

A new GitHub Actions workflow (node-suite-guard.yml) is added that runs nightly and on manual dispatch. It builds Perry release binaries with sccache, installs Node.js v26, executes scripts/node_suite_regression_check.py, and writes the script output to the GitHub step summary. A merge_group trigger is declared but inactive.

Changes

Node Suite Regression Guard CI Workflow

Layer / File(s) | Summary
Full workflow: triggers, build, and regression check (.github/workflows/node-suite-guard.yml) | Introduces the complete workflow with workflow_dispatch, nightly cron (merge_group inert), concurrency controls, sccache environment variables, and a job that checks out code, installs Rust, configures sccache, sets up Node.js v26, builds Perry release binaries, runs scripts/node_suite_regression_check.py, and appends its output to GITHUB_STEP_SUMMARY.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • PerryTS/perry#5097: Introduces scripts/node_suite_regression_check.py, which is the script this new workflow builds artifacts for and directly invokes.

Poem

🐇 Hoppity-hop, a new workflow appears,
Each night it wakes and silently peers,
It builds the binaries, checks the nodes,
And prints the results in summarized odes.
No regressions shall sneak past my ears! 🌙

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name | Status | Explanation
Title check | ✅ Passed | The title clearly and concisely describes the main change: introducing a new GitHub Actions workflow for node-suite regression detection with nightly and merge-queue triggers.
Description check | ✅ Passed | The PR description includes a comprehensive explanation of what was changed and why, with clear design rationale and implementation details.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/node-suite-guard.yml:
- Line 40: The workflow uses movable action tags (such as `@v6`) in multiple
`uses:` directives, which weakens supply chain security guarantees. Replace each
movable tag reference with a full commit SHA to pin the exact version of each
action. This applies to the actions/checkout action and any other actions
referenced with version tags throughout the workflow file, ensuring
reproducibility and security by pinning to specific, immutable commit hashes
instead of floating tags.
- Line 40: The actions/checkout@v6 step in the workflow should explicitly
disable credential persistence since the workflow only performs read-only
operations (building and testing) that do not require authenticated Git
operations. Add the persist-credentials property set to false in the checkout
action configuration to follow the principle of least privilege and improve the
security posture of the workflow.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 77d9257f-6aa3-44a1-9598-ebbd6af36596

📥 Commits

Reviewing files that changed from the base of the PR and between 7f0c2fe and 16b9f79.

📒 Files selected for processing (1)
  • .github/workflows/node-suite-guard.yml

    runs-on: ubuntu-latest
    timeout-minutes: 120
    steps:
      - uses: actions/checkout@v6


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify workflow actions are pinned to full SHAs (non-matching lines are violations).
rg -n --iglob '*.yml' --iglob '*.yaml' '^\s*uses:\s*[^@]+@[^[:space:]]+' .github/workflows \
  | rg -n -v '@[0-9a-fA-F]{40}$'

Repository: PerryTS/perry

Length of output: 6511


🏁 Script executed:

cat -n .github/workflows/node-suite-guard.yml | sed -n '35,60p'

Repository: PerryTS/perry

Length of output: 998


Pin all uses: actions to full commit SHAs.

Lines 40, 43, 46, 48, and 57 use movable tags that weaken workflow supply-chain guarantees and conflict with the stated unpinned-action policy.

Suggested hardening patch
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@<40-char-commit-sha>

-        uses: dtolnay/rust-toolchain@stable
+        uses: dtolnay/rust-toolchain@<40-char-commit-sha>

-        uses: mozilla-actions/sccache-action@v0.0.10
+        uses: mozilla-actions/sccache-action@<40-char-commit-sha>

-      - uses: Swatinem/rust-cache@v2
+      - uses: Swatinem/rust-cache@<40-char-commit-sha>

-        uses: actions/setup-node@v6
+        uses: actions/setup-node@<40-char-commit-sha>
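Review bot: Every `+` line carries the literal placeholder `<40-char-commit-sha>`, which is not a resolvable ref, so the patch cannot be applied as written; each placeholder has to be replaced with the real commit that the tag on the matching `-` line (v6, stable, v0.0.10, v2) currently points to, and keeping that tag as a trailing comment, e.g. `- uses: actions/checkout@<sha> # v6`, leaves the pinned release readable for reviewers and for tooling that refreshes pins. The `dtolnay/rust-toolchain@stable` line needs extra care: `stable` there is a channel name rather than a release tag, so confirm the action still selects the stable toolchain (it has a `toolchain` input for that) once it is referenced by SHA.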
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 40-40: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 40-40: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


Source: Linters/SAST tools


⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/node-suite-guard.yml

Repository: PerryTS/perry

Length of output: 3335


🌐 Web query:

GitHub Actions checkout persist-credentials false security best practice

💡 Result:

Setting persist-credentials: false is a recommended security best practice for GitHub Actions workflows that do not require the ability to perform authenticated Git operations (such as pushing commits or tags) [1][2][3]. By default, the actions/checkout action sets persist-credentials to true, which configures the local Git repository with the authentication token (e.g., GITHUB_TOKEN) used to perform the checkout [4][5]. This makes the token accessible to any subsequent step or third-party action in the same job by reading the .git/config file [6][2][3].

Key security considerations:
  • Principle of Least Privilege: By setting persist-credentials: false, you prevent unnecessary exposure of your authentication token to subsequent workflow steps, reducing the risk of token theft if a step or dependency is compromised [2][3][7].
  • When to use: You should set persist-credentials: false for any workflow that only performs read-only operations, such as running tests, building artifacts, or scanning code [3].
  • When to avoid: You should only leave persist-credentials as true (or omit it) if your workflow explicitly requires the ability to run authenticated git commands like git push or git tag against the repository [1][2][3].
  • Mitigation: Because the default is true, it must be explicitly set to false in your workflow YAML [2][7]:

    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false

While modern versions of actions/checkout have improved how credentials are stored (using a separate file in $RUNNER_TEMP rather than directly in .git/config in some cases), explicitly disabling persistence remains a standard security recommendation to minimize the attack surface [4][2][8].


Add persist-credentials: false to the checkout action.

The workflow only performs read-only operations (building and testing). Explicitly disabling credential persistence follows the principle of least privilege and is a security best practice recommended by OWASP and security tooling for workflows that don't require authenticated Git operations.

Suggested hardening patch
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
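Review bot: The first `+` line re-adds `actions/checkout@v6` unchanged, so the zizmor unpinned-uses error reported against the same line 40 stays open after this hunk is applied; folding the SHA pin from the previous suggestion into this one would resolve both findings with a single edit to that step. The `with:` block is indented two spaces deeper than the `- uses:` key, which is the correct nesting for a step mapping, and since the guard job never pushes, disabling persistence has no functional cost here.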


Source: Linters/SAST tools
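The two findings above (unpinned `uses:` refs and a checkout step without persist-credentials: false) as a small line-based workflow audit, added here as an example; it is neither the PR's code nor zizmor, and the workflow fragment and its 40-hex SHA are constructed.

```python
"""Audit for the two findings in this review: `uses:` refs that are not 40-hex
commit SHAs (zizmor's unpinned-uses) and actions/checkout steps lacking
persist-credentials: false (artipacked). Added example, neither the PR's code nor
zizmor's; the workflow text below is constructed and its SHA is fake."""
import re

USES_RE = re.compile(r"^(\s*)(?:-\s+)?uses:\s*([^@\s]+)@(\S+)")
STEP_START = re.compile(r"^\s*-\s")
SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")
PERSIST_OFF = re.compile(r"^\s*persist-credentials:\s*false\s*$")

WORKFLOW = """\
jobs:
  guard:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-node@v6
        with:
          node-version: 26
      - uses: Swatinem/rust-cache@0123456789abcdef0123456789abcdef01234567
"""

def step_body(lines, start, indent):
    """Lines belonging to the step whose `uses:` sits at index `start`."""
    body = []
    for nxt in lines[start + 1:]:
        if not nxt.strip():
            continue
        if STEP_START.match(nxt) or len(nxt) - len(nxt.lstrip()) < indent:
            break  # next list item, or dedent out of the step mapping
        body.append(nxt)
    return body

def audit_workflow(text):
    """Return (line_number, finding) pairs; empty means both checks pass.
    Local (./path) and docker:// refs carry no '@' and are skipped."""
    findings = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m:
            continue
        indent, action, ref = len(m.group(1)), m.group(2), m.group(3)
        if not SHA_RE.match(ref):
            findings.append((i + 1, f"unpinned-uses: {action}@{ref} is not a 40-hex commit SHA"))
        if action == "actions/checkout" and not any(
                PERSIST_OFF.match(b) for b in step_body(lines, i, indent)):
            findings.append((i + 1, "artipacked: actions/checkout does not set persist-credentials: false"))
    return findings
```

A trailing `# v6` comment after a pinned SHA is ignored by the `uses:` regex, so the readable-tag convention does not trip the check.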

proggeramlug and others added 2 commits June 16, 2026 04:09
…eRabbit)

The guard job only builds and tests (read-only); it never performs an
authenticated git operation. Disabling credential persistence keeps the
GITHUB_TOKEN out of the local git config (least privilege).

Member Author

Done — added persist-credentials: false to the checkout step. The guard only builds + tests (no authenticated git ops), so this follows least-privilege and keeps the GITHUB_TOKEN out of the local git config.
