boringstack-xyz · agjs · Jun 10, 2026 · Jun 10, 2026 · Jun 10, 2026 · Jun 10, 2026
@@ -31,7 +31,7 @@ jobs:
     defaults:
       run:
         working-directory: apps/api
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     timeout-minutes: 5
 
     steps:

@@ -23,7 +23,7 @@ jobs:
     defaults:
       run:
         working-directory: apps/api
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     timeout-minutes: 10
 
     services:

@@ -20,7 +20,7 @@ permissions:
 jobs:
   drift:
     name: apps/ui OpenAPI schema is fresh
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     timeout-minutes: 8
 
     # The job always runs (so the required-status-check rule on `main` is

@@ -29,7 +29,7 @@ jobs:
     defaults:
       run:
         working-directory: apps/api
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     timeout-minutes: 20
     steps:
       - name: Checkout

@@ -25,7 +25,7 @@ jobs:
     defaults:
       run:
         working-directory: apps/api
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     timeout-minutes: 10
 
     env:

@@ -26,7 +26,7 @@ jobs:
     defaults:
       run:
         working-directory: apps/api
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     timeout-minutes: 15
     container:
       image: semgrep/semgrep:1.142.0@sha256:03402a5040a88a570dec58375ef1a19fa777dd61575afdc7d5527ddf308dd765

@@ -26,7 +26,7 @@ jobs:
     defaults:
       run:
         working-directory: apps/api
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     timeout-minutes: 10
 
     env:

@@ -52,7 +52,7 @@ jobs:
     defaults:
       run:
         working-directory: apps/docs
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     timeout-minutes: 20
     steps:
       - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
@@ -68,6 +68,9 @@ jobs:
               - 'apps/docs/astro.config.mjs'
               - 'apps/docs/package.json'
               - 'apps/docs/bun.lock'
+              - 'apps/docs/wrangler.jsonc'
+              - 'apps/docs/bunfig.toml'
+              - 'apps/docs/osv-scanner.toml'
               - '.github/workflows/apps-docs-linkcheck.yml'
             catalog:
               - 'apps/api/scripts/**'

@@ -25,7 +25,7 @@ jobs:
     defaults:
       run:
         working-directory: apps/docs
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     timeout-minutes: 10
 
     env:
@@ -41,9 +41,7 @@ jobs:
         with:
           filters: |
             code:
-              - 'apps/docs/package.json'
-              - 'apps/docs/bun.lock'
-              - 'apps/docs/scripts/**'
+              - 'apps/docs/**'
               - '.github/workflows/apps-docs-security-deps.yml'
 
       - name: Install osv-scanner CLI

@@ -26,7 +26,7 @@ jobs:
     defaults:
       run:
         working-directory: apps/docs
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     timeout-minutes: 10
 
     env:

@@ -32,7 +32,7 @@ jobs:
   # straight bun keeps the toolchain consistent with local dev.
   size-diff:
     if: github.actor != 'dependabot[bot]'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     timeout-minutes: 8
     steps:
       - name: Checkout

@@ -34,7 +34,7 @@ jobs:
     defaults:
       run:
         working-directory: apps/ui
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     timeout-minutes: 20
     steps:
       - name: Checkout

@@ -25,7 +25,7 @@ jobs:
     defaults:
       run:
         working-directory: apps/ui
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     timeout-minutes: 10
 
     env:

@@ -26,7 +26,7 @@ jobs:
     defaults:
       run:
         working-directory: apps/ui
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     timeout-minutes: 15
     container:
       image: semgrep/semgrep:1.142.0@sha256:03402a5040a88a570dec58375ef1a19fa777dd61575afdc7d5527ddf308dd765

@@ -26,7 +26,7 @@ jobs:
     defaults:
       run:
         working-directory: apps/ui
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     timeout-minutes: 10
 
     env:

@@ -21,7 +21,7 @@ jobs:
     defaults:
       run:
         working-directory: apps/ui
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     timeout-minutes: 15
     steps:
       - name: Checkout

@@ -27,7 +27,7 @@ jobs:
     defaults:
       run:
         working-directory: infra/bootstrap
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     timeout-minutes: 10
 
     steps:

@@ -28,7 +28,7 @@ jobs:
     defaults:
       run:
         working-directory: infra/bootstrap
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     timeout-minutes: 10
 
     env:

@@ -19,7 +19,7 @@ jobs:
     defaults:
       run:
         working-directory: infra/bootstrap
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     timeout-minutes: 10
     steps:
       - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

@@ -39,7 +39,7 @@ permissions:
 jobs:
   smoke:
     name: register → login → /me through the full stack
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     # 8 min upper bound: with Playwright moved out, the curl-only path
     # completes in ~3–4 min on a warm runner. A short ceiling means a
     # stuck step fails fast instead of running for 20 min like the old

@@ -39,7 +39,7 @@ permissions:
 jobs:
   playwright:
     name: UI Playwright E2E (browser-based smoke)
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     # 15 min upper bound: Playwright's own inner timeout is 12 min; the
     # buffer covers compose build + image pulls + browser install. A
     # genuine hang surfaces within minutes of the inner timeout rather

@@ -26,7 +26,7 @@ jobs:
     defaults:
       run:
         working-directory: infra/compose
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     timeout-minutes: 10
 
     env:

@@ -14,7 +14,9 @@ on:
       # trigger in lockstep so direct pushes touching them still run it.
       - "scripts/**"
       - "setup.sh"
-      - ".github/workflows/infra-compose-validate-compose.yml"
+      # The yamllint job lints every workflow file, so any workflow edit
+      # must trigger this run — not just edits to this file.
+      - ".github/workflows/**"
       # Prod Dockerfiles COPY the whole app context, so any app source
       # change can break the prod image build — not just Dockerfile or
       # lockfile edits.
@@ -33,7 +35,7 @@ permissions:
 jobs:
   compose-config:
     name: docker compose config (all overlay combinations)
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     timeout-minutes: 5
 
     # Build contexts point at monorepo apps (`../../../apps/api` and
@@ -207,7 +209,7 @@ jobs:
 
   shellcheck:
     name: shellcheck (scripts/)
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     timeout-minutes: 2
     steps:
       - name: Checkout
@@ -221,6 +223,7 @@ jobs:
             code:
               - 'infra/compose/**'
               - 'scripts/**'
+              - 'setup.sh'
               - '.github/workflows/**'
 
       - name: ShellCheck
@@ -238,7 +241,7 @@ jobs:
 
   prod-image-build:
     name: build prod images (sanity)
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     timeout-minutes: 15
     # Cheaper than booting the prod profile end-to-end, but still
     # exercises the actual prod Dockerfiles. Catches broken
@@ -294,8 +297,13 @@ jobs:
 
   yamllint:
     name: yamllint (compose + workflows)
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     timeout-minutes: 2
+    env:
+      # Single source for the yamllint pin — the local pre-push gate
+      # (infra/compose/scripts/pre-push.sh) reads this value at runtime to
+      # warn when the brew-installed yamllint diverges from CI.
+      YAMLLINT_VERSION: "1.38.0"
     steps:
       - name: Checkout
         uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
@@ -313,7 +321,7 @@ jobs:
       - name: yamllint
         if: steps.filter.outputs.code == 'true'
         run: |
-          pip install --user yamllint
+          pip install --user "yamllint==${YAMLLINT_VERSION}"
           # Document syntax (line length, indentation, truthy values) but
           # don't fail on style nits — only on real syntax errors.
           ~/.local/bin/yamllint -d "{extends: relaxed, rules: {line-length: disable}}" \

@@ -23,6 +23,9 @@ Run `bun run lint:meta --list-rules` for the machine-readable list from the regi
 | `github-actions-timeout-required`         | ci           | no          | GitHub Actions jobs require an explicit timeout-minutes (reusable-workflow calls exempt).                                                                                                      |
 | `github-actions-bun-cache`                | ci           | no          | Workflows running bun install must cache ~/.bun/install/cache.                                                                                                                                 |
 | `github-actions-concurrency-explicit`     | ci           | no          | Workflows with a concurrency block must set cancel-in-progress explicitly.                                                                                                                     |
+| `github-actions-paths-filter-parity`      | ci           | no          | Workflows pairing push.paths with a dorny/paths-filter gate must keep the two path sets mutually covered.                                                                                      |
+| `github-actions-pip-install-pinned`       | ci           | no          | Workflow pip install steps must pin package versions with == so CI tools cannot drift with PyPI releases.                                                                                      |
+| `github-actions-runner-pinned`            | ci           | no          | Workflows must pin runner images to an explicit OS version instead of floating *-latest labels.                                                                                                |
 | `github-actions-security-no-cancel`       | ci           | no          | Security scan workflows (*-security-{sast,secrets,deps}) must set concurrency cancel-in-progress: false so no pushed ref goes unscanned.                                                       |
 | `github-actions-expression-syntax`        | ci           | no          | Every expression opener in a workflow must be a well-formed Actions expression.                                                                                                                |
 | `github-actions-service-image-digest-pin` | ci           | no          | Workflow service/container images must be pinned by @sha256 digest, not tag alone.                                                                                                             |

@@ -35,6 +35,9 @@ import { checkEnginePinParity } from "./rules/ci/engine-pin-parity";
 import { checkWorkflowBunCache } from "./rules/ci/github-actions-bun-cache";
 import { checkWorkflowConcurrencyExplicit } from "./rules/ci/github-actions-concurrency-explicit";
 import { checkWorkflowExpressionSyntax } from "./rules/ci/github-actions-expression-syntax";
+import { checkWorkflowPathsFilterParity } from "./rules/ci/github-actions-paths-filter-parity";
+import { checkWorkflowPipInstallPinned } from "./rules/ci/github-actions-pip-install-pinned";
+import { checkWorkflowRunnerPinned } from "./rules/ci/github-actions-runner-pinned";
 import { checkWorkflowSecurityNoCancel } from "./rules/ci/github-actions-security-no-cancel";
 import { checkWorkflowServiceImageDigestPin } from "./rules/ci/github-actions-service-image-digest-pin";
 import { checkWorkflowShas } from "./rules/ci/github-actions-permissions";
@@ -137,6 +140,9 @@ export {
   checkWorkflowBunCache,
   checkWorkflowConcurrencyExplicit,
   checkWorkflowExpressionSyntax,
+  checkWorkflowPathsFilterParity,
+  checkWorkflowPipInstallPinned,
+  checkWorkflowRunnerPinned,
   checkWorkflowSecurityNoCancel,
   checkWorkflowServiceImageDigestPin,
   checkWorkflowShas,

@@ -4,6 +4,9 @@ import { enginePinParityRule } from "./rules/ci/engine-pin-parity";
 import { githubActionsBunCacheRule } from "./rules/ci/github-actions-bun-cache";
 import { githubActionsConcurrencyExplicitRule } from "./rules/ci/github-actions-concurrency-explicit";
 import { githubActionsExpressionSyntaxRule } from "./rules/ci/github-actions-expression-syntax";
+import { githubActionsPathsFilterParityRule } from "./rules/ci/github-actions-paths-filter-parity";
+import { githubActionsPipInstallPinnedRule } from "./rules/ci/github-actions-pip-install-pinned";
+import { githubActionsRunnerPinnedRule } from "./rules/ci/github-actions-runner-pinned";
 import { githubActionsPermissionsRule } from "./rules/ci/github-actions-permissions";
 import { githubActionsSecurityNoCancelRule } from "./rules/ci/github-actions-security-no-cancel";
 import { githubActionsServiceImageDigestPinRule } from "./rules/ci/github-actions-service-image-digest-pin";
@@ -43,6 +46,9 @@ export const META_RULES: readonly IMetaRule[] = [
   githubActionsTimeoutRequiredRule,
   githubActionsBunCacheRule,
   githubActionsConcurrencyExplicitRule,
+  githubActionsPathsFilterParityRule,
+  githubActionsPipInstallPinnedRule,
+  githubActionsRunnerPinnedRule,
   githubActionsSecurityNoCancelRule,
   githubActionsExpressionSyntaxRule,
   githubActionsServiceImageDigestPinRule,