isala404 · isala404 · May 30, 2026 · May 23, 2026 · May 24, 2026 · May 25, 2026
diff --git a/.cargo/config.toml b/.cargo/config.toml
@@ -19,8 +19,4 @@ SQLX_OFFLINE = "true"
 # To enable sccache (caches across `cargo clean`):
 #   export RUSTC_WRAPPER=sccache
 #
-# Documented here so contributors can find the levers without grepping CI.
-
-[build]
-# The default `target/` location is fine. Override with CARGO_TARGET_DIR if you
-# need a separate cache per branch (useful when bisecting feature flags).
+# Documented here so contributors can find the levers without grepping CI.
diff --git a/.github/workflows/chatops.yml b/.github/workflows/chatops.yml
@@ -4,10 +4,7 @@ on:
   issue_comment:
     types: [created]
 
-permissions:
-  contents: write
-  pull-requests: write
-  issues: write
+permissions: {}
 
 jobs:
   parse:
@@ -16,6 +13,9 @@ jobs:
       github.event.issue.pull_request &&
       startsWith(github.event.comment.body, '/')
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: read
     outputs:
       cmd: ${{ steps.parse.outputs.cmd }}
       matrix: ${{ steps.parse.outputs.matrix }}
@@ -25,10 +25,23 @@ jobs:
       - name: Gate on author association
         env:
           ASSOC: ${{ github.event.comment.author_association }}
+          BODY: ${{ github.event.comment.body }}
         run: |
-          case "$ASSOC" in
-            OWNER|MEMBER|COLLABORATOR) ;;
-            *) echo "::error::author_association=$ASSOC not allowed"; exit 1 ;;
+          first_line=$(printf '%s' "$BODY" | head -n1)
+          cmd=$(printf '%s' "$first_line" | awk '{print $1}')
+          case "$cmd" in
+            /squash-merge)
+              case "$ASSOC" in
+                OWNER|MEMBER) ;;
+                *) echo "::error::author_association=$ASSOC not allowed for /squash-merge"; exit 1 ;;
+              esac
+              ;;
+            *)
+              case "$ASSOC" in
+                OWNER|MEMBER|COLLABORATOR) ;;
+                *) echo "::error::author_association=$ASSOC not allowed"; exit 1 ;;
+              esac
+              ;;
           esac
 
       - name: Parse
@@ -66,7 +79,7 @@ jobs:
 
       - name: Resolve PR head
         id: pr
-        uses: actions/github-script@v7
+        uses: actions/github-script@v7.0.1
         with:
           script: |
             const pr = await github.rest.pulls.get({
@@ -78,7 +91,7 @@ jobs:
             core.setOutput('ref', pr.data.head.ref);
 
       - name: React to comment
-        uses: actions/github-script@v7
+        uses: actions/github-script@v7.0.1
         with:
           script: |
             await github.rest.reactions.createForIssueComment({
@@ -107,6 +120,10 @@ jobs:
     if: needs.parse.outputs.cmd == '/squash-merge'
     runs-on: ubuntu-latest
     timeout-minutes: 5
+    permissions:
+      contents: write
+      pull-requests: write
+      issues: write
     steps:
       - name: Enable auto-merge
         env:
@@ -117,7 +134,7 @@ jobs:
 
       - name: Comment
         if: always()
-        uses: actions/github-script@v7
+        uses: actions/github-script@v7.0.1
         with:
           script: |
             const result = '${{ job.status }}';
@@ -137,8 +154,10 @@ jobs:
     needs: [parse, test-template]
     if: always() && needs.parse.result == 'success' && needs.parse.outputs.cmd == '/test-template'
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
     steps:
-      - uses: actions/github-script@v7
+      - uses: actions/github-script@v7.0.1
         with:
           script: |
             const result = '${{ needs.test-template.result }}';
@@ -150,3 +169,22 @@ jobs:
               issue_number: context.issue.number,
               body: `${emoji} \`/test-template\` ${result} — [run](${runUrl})`,
             });
+
+  report-error:
+    name: Report parse error
+    needs: parse
+    if: always() && needs.parse.result != 'success'
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+    steps:
+      - uses: actions/github-script@v7.0.1
+        with:
+          script: |
+            const runUrl = `${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`;
+            await github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.issue.number,
+              body: `❌ command rejected (gate or parse failed) — [run](${runUrl})`,
+            });
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -36,14 +36,15 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 25
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v4.2.2
       - uses: dtolnay/rust-toolchain@stable
         with:
           components: rustfmt, clippy
-      - uses: Swatinem/rust-cache@v2
+      - uses: Swatinem/rust-cache@v2.7.7
         with:
           shared-key: ci
           cache-on-failure: true
+          save-if: ${{ github.ref == 'refs/heads/main' }}
 
       - name: fmt
         run: cargo fmt --all --check
@@ -64,9 +65,9 @@ jobs:
       matrix:
         preset: [worker, api, minimal]
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v4.2.2
       - uses: dtolnay/rust-toolchain@stable
-      - uses: Swatinem/rust-cache@v2
+      - uses: Swatinem/rust-cache@v2.7.7
         with:
           shared-key: ci
           save-if: "false"
@@ -79,12 +80,13 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 20
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v4.2.2
       - uses: dtolnay/rust-toolchain@1.92
-      - uses: Swatinem/rust-cache@v2
+      - uses: Swatinem/rust-cache@v2.7.7
         with:
           shared-key: msrv
           cache-on-failure: true
+          save-if: ${{ github.ref == 'refs/heads/main' }}
       - run: scripts/ci/create-env-stubs.sh
       - run: cargo check --workspace --all-features
 
@@ -93,16 +95,19 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v4.2.2
       - uses: dtolnay/rust-toolchain@stable
-      - uses: Swatinem/rust-cache@v2
+      - uses: Swatinem/rust-cache@v2.7.7
         with:
           shared-key: ci
           save-if: "false"
 
-      - uses: taiki-e/install-action@v2
+      - uses: taiki-e/install-action@v2.49.10
         with:
-          tool: cargo-deny,cargo-audit
+          # Pin exact versions: an unpinned cargo-deny drifted to a release that
+          # rejects deny.toml's `unmaintained = "workspace"` key, failing the job
+          # while local (0.19.5) passed. These are the versions verified locally.
+          tool: cargo-deny@0.19.5,cargo-audit@0.22.1
 
       - name: cargo deny
         run: cargo deny check
@@ -129,14 +134,14 @@ jobs:
           --health-timeout 5s
           --health-retries 10
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v4.2.2
       - uses: dtolnay/rust-toolchain@stable
-      - uses: Swatinem/rust-cache@v2
+      - uses: Swatinem/rust-cache@v2.7.7
         with:
           shared-key: ci
           save-if: "false"
       - name: Install sqlx-cli
-        run: cargo install sqlx-cli --no-default-features --features rustls,postgres
+        run: cargo install sqlx-cli --locked --version 0.8.6 --no-default-features --features rustls,postgres
       - name: Apply system migrations
         run: |
           for f in crates/forge-runtime/migrations/system/v*.sql; do
@@ -174,13 +179,13 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 20
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v4.2.2
       - uses: dtolnay/rust-toolchain@stable
-      - uses: Swatinem/rust-cache@v2
+      - uses: Swatinem/rust-cache@v2.7.7
         with:
           shared-key: ci
           save-if: "false"
-      - uses: oven-sh/setup-bun@v2
+      - uses: oven-sh/setup-bun@v2.0.2
       - run: scripts/ci/create-env-stubs.sh
       - name: Typecheck generated frontend bindings
         run: scripts/ci/typecheck-codegen.sh
@@ -191,7 +196,7 @@ jobs:
     name: Workspace integration
     needs: [validate, guardrails]
     runs-on: ubuntu-latest
-    timeout-minutes: 20
+    timeout-minutes: 30
     services:
       postgres:
         image: postgres:18
@@ -209,16 +214,25 @@ jobs:
     env:
       TEST_DATABASE_URL: postgres://postgres:postgres@localhost:5432/forge_ci
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v4.2.2
       - uses: dtolnay/rust-toolchain@stable
-      - uses: Swatinem/rust-cache@v2
+      - uses: Swatinem/rust-cache@v2.7.7
         with:
           shared-key: ci
           save-if: "false"
       - run: cargo test -p forge-svelte-demo-template --features testcontainers
       - run: cargo test -p todo --features testcontainers
       - run: cargo test -p todo-dioxus --features testcontainers
       - run: cargo test -p forge-harness --features testcontainers
+      # forge-runtime's own integration suite (jobs queue, change_log, leader
+      # election, migration runner, signals, KV) — previously never run in CI,
+      # so it had rotted. Two non-obvious requirements:
+      #   * `full` — every subsystem is #[cfg(feature)]-gated; bare
+      #     `testcontainers` compiles and runs ZERO subsystem tests (silent no-op).
+      #   * `--test-threads=1` — these tests exercise PG instance-global state
+      #     (advisory locks, pg_terminate_backend, leader election) that cannot
+      #     run concurrently against one shared database without interfering.
+      - run: cargo test -p forge-runtime --features "full,testcontainers" -- --test-threads=1
 
   pr-smoke:
     name: PR Smoke

diff --git a/.github/workflows/deploy-docs.yml b/.github/workflows/deploy-docs.yml
@@ -23,11 +23,11 @@ jobs:
       run:
         working-directory: docs
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v4.2.2
 
-      - uses: oven-sh/setup-bun@v2
+      - uses: oven-sh/setup-bun@v2.0.2
         with:
-          bun-version: latest
+          bun-version: 1.1.34
 
       - name: Install dependencies
         run: bun install --frozen-lockfile
@@ -36,7 +36,7 @@ jobs:
         run: bun run build
 
       - name: Upload artifact
-        uses: actions/upload-pages-artifact@v3
+        uses: actions/upload-pages-artifact@v3.0.1
         with:
           path: docs/build
 
@@ -49,4 +49,4 @@ jobs:
     steps:
       - name: Deploy to GitHub Pages
         id: deployment
-        uses: actions/deploy-pages@v4
+        uses: actions/deploy-pages@v4.0.5
diff --git a/.github/workflows/docker-otel-lgtm.yml b/.github/workflows/docker-otel-lgtm.yml
@@ -19,7 +19,7 @@ jobs:
     name: Build & Push
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v4.2.2
 
       - name: Extract otel-lgtm version from Dockerfile
         id: version
@@ -29,7 +29,7 @@ jobs:
           echo "otel-lgtm version: $VERSION"
 
       - name: Log in to GHCR
-        uses: docker/login-action@v3
+        uses: docker/login-action@v3.3.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}