From 16b9f79d4dbd45e921472d6ce33b7ac10704792a Mon Sep 17 00:00:00 2001 From: TheHypnoo Date: Tue, 16 Jun 2026 12:30:35 +0200 Subject: [PATCH 1/2] ci: wire node-suite regression guard (nightly + dispatch + merge-queue-ready) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add .github/workflows/node-suite-guard.yml running scripts/node_suite_regression_check.py against the node 26 floor baseline (test-parity/node_suite_baseline.json). The guard fails if any baselined module's pass count drops below its floor — exactly the node:dns 83%->0% class — yet it previously ran in ZERO workflows. Runs nightly and on workflow_dispatch today. The merge_group trigger is inert until the merge queue is enabled in branch protection, at which point the guard gates every merge with no further change. Decoupled from the merge queue on purpose so it delivers value immediately. Uses sccache (now allow-listed after #5221) + Swatinem/rust-cache; node 26 to match the baseline oracle.
---
.github/workflows/node-suite-guard.yml | 74 ++++++++++++++++++++++++++
1 file changed, 74 insertions(+)
create mode 100644 .github/workflows/node-suite-guard.yml
diff --git a/.github/workflows/node-suite-guard.yml b/.github/workflows/node-suite-guard.yml
new file mode 100644
index 000000000..5b823b770
--- /dev/null
+++ b/.github/workflows/node-suite-guard.yml
@@ -0,0 +1,74 @@
+name: Node Suite Regression Guard
+
+# Wires scripts/node_suite_regression_check.py (roadmap I-02) into CI. That
+# guard runs the full print-and-diff node-suite and FAILS if any baselined
+# module's pass count drops below its floor (test-parity/node_suite_baseline.json,
+# oracle node 26). It was written verbatim because node:dns once silently went
+# 83% -> 0% behind a green build, yet until now it ran in ZERO workflows.
+#
+# Decoupled from the (not-yet-enabled) merge queue on purpose: it runs nightly
+# and on demand today, and the `merge_group` trigger below is INERT until a
+# maintainer turns the merge queue on in branch protection — at which point this
+# guard automatically gates every merge with no further workflow change.
+on:
+ workflow_dispatch:
+ schedule:
+ # Nightly, offset from the Node Core Subset Radar (17 3) to avoid overlap.
+ - cron: "37 4 * * *"
+ # Inert until the merge queue is enabled in branch protection; then this guard
+ # runs once per merge against the actual merged tree.
+ merge_group:
+
+permissions:
+ contents: read
+
+concurrency:
+ group: node-suite-guard-${{ github.ref }}
+ cancel-in-progress: false
+
+env:
+ RUSTC_WRAPPER: sccache
+ SCCACHE_GHA_ENABLED: "true"
+ SCCACHE_CACHE_SIZE: "2G"
+ CARGO_INCREMENTAL: "0"
+
+jobs:
+ node-suite-guard:
+ runs-on: ubuntu-latest
+ timeout-minutes: 120
+ steps:
+ - uses: actions/checkout@v6
+
+ - name: Install Rust toolchain
+ uses: dtolnay/rust-toolchain@stable
+
+ - name: Start sccache
+ uses: mozilla-actions/sccache-action@v0.0.10
+
+ - uses: Swatinem/rust-cache@v2
+ with:
+ shared-key: "${{ runner.os }}-perry"
+ save-if: ${{ github.ref == 'refs/heads/main' }}
+
+ - name: Setup Node.js
+ # Node 26 is the oracle the node_suite_baseline.json floors were
+ # captured on; running any other major would compare against the
+ # wrong reference and produce spurious regressions.
+ uses: actions/setup-node@v6
+ with:
+ node-version: "26"
+
+ - name: Build Perry release binary
+ run: cargo build --release -p perry -p perry-runtime -p perry-stdlib
+
+ - name: Node-suite regression guard (floor baseline, node 26)
+ # Fails (exit 1) if any baselined module drops below its floor;
+ # improvements are accepted and reported as +N. pipefail propagates the
+ # script's exit through the tee into the step.
+ run: |
+ set -euo pipefail
+ echo '### Node-suite regression guard (node 26)' >> "$GITHUB_STEP_SUMMARY"
+ echo '```' >> "$GITHUB_STEP_SUMMARY"
+ python3 scripts/node_suite_regression_check.py target/release/perry . \
+ | tee -a "$GITHUB_STEP_SUMMARY"
+ echo '```' >> "$GITHUB_STEP_SUMMARY"
From bb40e5806788f5ce2a221d96bd9042bc680dc60b Mon Sep 17 00:00:00 2001 From: TheHypnoo Date: Tue, 16 Jun 2026 21:21:41 +0200 Subject: [PATCH 2/2] ci(node-suite-guard): set persist-credentials: false on checkout (CodeRabbit) The guard job only builds and tests (read-only); it never performs an authenticated git operation. Disabling credential persistence keeps the GITHUB_TOKEN out of the local git config (least privilege).
---
.github/workflows/node-suite-guard.yml | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/.github/workflows/node-suite-guard.yml b/.github/workflows/node-suite-guard.yml
index 5b823b770..bdb885437 100644
--- a/.github/workflows/node-suite-guard.yml
+++ b/.github/workflows/node-suite-guard.yml
@@ -38,6 +38,10 @@ jobs: timeout-minutes: 120 steps: - uses: actions/checkout@v6 + with: + # Read-only job (build + test); don't leave the GITHUB_TOKEN in the + # local git config (least privilege — OWASP / CodeRabbit). + persist-credentials: false - name: Install Rust toolchain uses: dtolnay/rust-toolchain@stable
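Review bot: Every `uses:` step in the new node-suite-guard.yml (PATCH 1/2) references its action by a mutable tag or branch — `actions/checkout@v6`, `dtolnay/rust-toolchain@stable`, `mozilla-actions/sccache-action@v0.0.10`, `Swatinem/rust-cache@v2`, `actions/setup-node@v6` — so the code that runs is whatever those refs point to at execution time, in a job meant to gate every merge once the queue is enabled. Pinning each to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: Swatinem/rust-cache@<full-commit-sha> # v2`, makes the executed revision reviewable and stable between runs. For `dtolnay/rust-toolchain` a SHA pin means the channel has to be passed as an input (`with:` / `toolchain: stable`), since the ref would no longer select it. `permissions: contents: read` already bounds what the token can do, but it does not bound what a changed action could do to the build or to the caches that `save-if` lets runs on `main` write.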