Skip to content

chore(standards): resolve repo-standards drift (CI, pnpm, changelog, ignores)#137

Merged
BeArchiTek merged 6 commits into
mainfrom
bot/repo-drift
Jul 3, 2026
Merged

chore(standards): resolve repo-standards drift (CI, pnpm, changelog, ignores)#137
BeArchiTek merged 6 commits into
mainfrom
bot/repo-drift

Conversation

@BeArchiTek

@BeArchiTek BeArchiTek commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Summary by CodeRabbit

  • New Features

    • Added automated release-note and changelog support for more consistent change tracking.
    • Added a workflow to streamline dependency version updates.
  • Bug Fixes

    • Improved file-change detection and workflow permissions for more reliable CI runs.
    • Fixed several formatting/layout issues in documentation and release-note files.
  • Chores

    • Updated project linting, formatting, and pre-commit checks.
    • Expanded ignore rules for local environments, caches, and secret files.

Resolves mechanical repo-standards drift found by the auditing-repo-standards audit. Restores unit-test coverage that was silently skipped, keeps the repo current with infrahub-sdk releases, standardises changelog/ignore hygiene, tightens CI, and aligns the docs toolchain with the pnpm standard.

Key Changes

CI correctness & hardening

  • Unit tests run again — the sync_all path filter pointed at a non-existent sync/ dir, so PRs touching infrahub_sync/** skipped the unit-tests job. Now triggers on source, tests, and dependency changes. (ci-file-change-detection)
  • Least-privilege tokenspermissions: contents: read added to workflow-linter.yml, workflow-tests.yml, workflow-uv-check.yml. (ci-workflow-setup)
  • Pinned actionpaths-filter pinned to opsmill/paths-filter@v3.0.2 (was dorny/paths-filter@v3).
  • Vale bumped 3.7.13.13.0. (markdown-linting-vale)

Automation & changelog

  • Automated infrahub-sdk upgrades — new update-infrahub-sdk.yml opens a bump PR on each SDK release. (ci-infrahub-sdk-auto-bump)
  • Towncrier changelog — news-fragment setup with the seven standard categories; contributors add one fragment per PR, CHANGELOG.md assembled at release. (python-changelog-towncrier)

Hygiene & toolchain

  • Docs npm → pnpm — generated docs/pnpm-lock.yaml, removed docs/package-lock.json, pinned packageManager: pnpm@11.6.0, and switched build-docs.sh, the documentation CI job (pnpm/action-setup + pnpm cache), and the invoke docusaurus task to pnpm. A docs/pnpm-workspace.yaml declares the core-js build decision so pnpm install --frozen-lockfile is non-interactive/exit-0 in CI. (js-package-manager-pnpm)
  • .gitignore — added venvs and secret globs (*.pem, *.key, credentials.json). (common-gitignore)
  • .yamllint.yml — added truthy: check-keys: false and ignored the generated docs/pnpm-lock.yaml. (yaml-linting-yamllint)
  • CODEOWNERS — added .github/CODEOWNERS (* @opsmill/sa); the repo had no default reviewer. (github-codeowners)
  • .pre-commit-config.yaml — the pre-commit dev dep had no config; added pre-commit-hooks + ruff hooks (rev pinned to ruff 0.15.5) + a rumdl hook, mirroring the SDK repo. (cross-repo gap)
  • Markdown → rumdl — migrated from markdownlint-cli2 to rumdl (the standard used by infrahub-mcp/styrmin). Config in [tool.rumdl]; CI runs uv run rumdl check .; .markdownlint.yml removed. (markdown-linting)

Related Context

Drift fixes from the auditing-repo-standards audit, cross-checked against infrahub, infrahub-mcp, styrmin, and infrahub-sdk-python. ty (vs mypy) is intentionally retained per maintainer decision; the markdown linter was migrated to rumdl to match the modern siblings. A companion PR (infrahub-sdk-python#1129) adds infrahub-sync to the SDK release dispatch so update-infrahub-sdk.yml actually fires.

Applied out-of-band (not in this diff): develop branch protection was enabled via the GitHub API — required PR review (≥1), enforce_admins, force-push and deletion blocked (develop now reports compliant).

Notes

  • Base is main (as requested). The update-infrahub-sdk.yml workflow itself targets develop, this repo's contributor-PR flow.
  • towncrier package is intentionally omitted (infrahub_sync exposes no __version__); pass --version X.Y.Z to towncrier build at release time.

Test Plan

  • CI: yaml-lint, action-lint, python-lint (ruff + ty), unit-tests (py3.10–3.13), uv check, and the documentation/Vale jobs (now pnpm-based).
  • Validated locally: uv run yamllint -s . exits 0; a fresh cd docs && pnpm install --frozen-lockfile exits 0 (proven load-bearing via the allowBuilds decision); uv run towncrier build --draft --version 2.0.1 renders cleanly.
  • Post-merge: manual workflow_dispatch dry-run of update-infrahub-sdk.yml.

…elog

Resolve mechanical drift found by the auditing-repo-standards audit:

- file-filters.yml: the sync_all filter gated unit-tests on sync/** (a
  path that does not exist), so PRs touching infrahub_sync/** silently
  skipped tests. Point it at infrahub_sync/** and add tests/** + the uv
  files so unit tests run on source, test, and dependency changes.
  (ci-file-change-detection)
- update-infrahub-sdk.yml: add the infrahub-sdk auto-bump workflow so the
  repo tracks SDK releases via automated PRs. The workflow itself targets
  develop (this repo's contributor-PR flow). (ci-infrahub-sdk-auto-bump)
- workflow-{tests,linter,uv-check}.yml: pin opsmill/paths-filter@v3.0.2
  (was dorny/paths-filter@v3), the standard pinned fork.
- .gitignore: add .venv/, venv/, and secret globs (*.pem, *.key,
  credentials.json). (common-gitignore)
- towncrier: add [tool.towncrier] config + dev dep + changelog/ scaffold
  (.gitignore + template). package omitted (no __version__); pass
  --version at build. (python-changelog-towncrier)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@BeArchiTek BeArchiTek added group/ci Issue related to the CI pipeline type/housekeeping Maintenance task claude-code-assisted labels Jul 2, 2026
@coderabbitai

coderabbitai Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Walkthrough

This PR updates CI and documentation tooling, adds an automated workflow for updating infrahub-sdk, and introduces Towncrier-based changelog generation. It also adjusts file filters, workflow permissions and path filtering, replaces markdownlint-based docs commands with rumdl, and updates repository ignore and ownership settings.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly reflects the main repo-standards cleanup, including CI, pnpm, changelog, and ignore-file updates.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🧹 Nitpick comments (2)
.github/workflows/update-infrahub-sdk.yml (2)

7-15: 🎯 Functional Correctness | 🔵 Trivial

Unused run input.

The run input ("Whether to run integration tests") is declared but never referenced anywhere else in the job. As written, toggling it has no effect, which is misleading for anyone triggering this workflow manually expecting it to control integration-test execution.

Want me to wire this into the job (e.g. gate an integration-test step on ${{ github.event.inputs.run }}), or should the input be removed if integration testing isn't implemented yet?

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/update-infrahub-sdk.yml around lines 7 - 15, The workflow
input named run is declared but not used, so either wire it into the job logic
or remove it. Update the update-infrahub-sdk workflow to reference
github.event.inputs.run in the relevant integration-test step(s), likely near
the job that uses version, so manual triggers can actually control whether
integration tests execute; if that behavior is not needed yet, delete the run
input from the workflow inputs block.

63-74: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Pin github-actions-x/commit to a full commit SHA. The workflow uses secrets.GH_UPDATE_PACKAGE_OTTO to push branches and open PRs, so keeping this action on a mutable tag increases supply-chain risk.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/update-infrahub-sdk.yml around lines 63 - 74, The Commit
and push changes step is using the mutable github-actions-x/commit@v2.9 tag,
which should be replaced with a full commit SHA to reduce supply-chain risk.
Update the action reference in the update-infrahub-sdk workflow while keeping
the existing inputs (including github-token, push-branch, and rebase) unchanged.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/update-infrahub-sdk.yml:
- Around line 36-37: The checkout step is leaving GitHub credentials persisted
on disk, which is unnecessary for this workflow. Update the actions/checkout
invocation in the code path for the “Check out code” step to disable credential
persistence by setting persist-credentials to false, since later steps run
dependency resolution and do not need the ambient GITHUB_TOKEN for any git push.
- Around line 56-88: The `update-infrahub-sdk.yml` workflow is vulnerable
because attacker-controlled values are expanded directly into shell `run:`
blocks via `${{ }}`. Update the `prepare-branch` and `Create a pull request`
steps to use shell environment variables like `$BRANCH_NAME`,
`$INFRAHUB_SDK_VERSION`, and `$matrix.branch-name`-equivalent values instead of
interpolating them in the script text, and keep the existing job-level `env`
entries on the workflow so the `commit@v2.9` and `gh pr create` steps can read
them safely.

---

Nitpick comments:
In @.github/workflows/update-infrahub-sdk.yml:
- Around line 7-15: The workflow input named run is declared but not used, so
either wire it into the job logic or remove it. Update the update-infrahub-sdk
workflow to reference github.event.inputs.run in the relevant integration-test
step(s), likely near the job that uses version, so manual triggers can actually
control whether integration tests execute; if that behavior is not needed yet,
delete the run input from the workflow inputs block.
- Around line 63-74: The Commit and push changes step is using the mutable
github-actions-x/commit@v2.9 tag, which should be replaced with a full commit
SHA to reduce supply-chain risk. Update the action reference in the
update-infrahub-sdk workflow while keeping the existing inputs (including
github-token, push-branch, and rebase) unchanged.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 3288f376-995a-47e4-851f-5953d50234fe

📥 Commits

Reviewing files that changed from the base of the PR and between 94bd7ce and 44403eb.

⛔ Files ignored due to path filters (1)
  • uv.lock is excluded by !**/*.lock
📒 Files selected for processing (9)
  • .github/file-filters.yml
  • .github/workflows/update-infrahub-sdk.yml
  • .github/workflows/workflow-linter.yml
  • .github/workflows/workflow-tests.yml
  • .github/workflows/workflow-uv-check.yml
  • .gitignore
  • changelog/.gitignore
  • changelog/towncrier.md.template
  • pyproject.toml

Comment thread .github/workflows/update-infrahub-sdk.yml
Comment thread .github/workflows/update-infrahub-sdk.yml Outdated
…e bump

Second batch of auditing-repo-standards drift fixes:

- workflow-{linter,tests,uv-check}.yml: add least-privilege
  `permissions: contents: read`. (ci-workflow-setup)
- docs: migrate npm -> pnpm. Generate docs/pnpm-lock.yaml (from the old
  package-lock.json), remove package-lock.json, pin packageManager
  pnpm@11.6.0, and add docs/pnpm-workspace.yaml declaring the core-js
  build decision so `pnpm install --frozen-lockfile` is exit-0 in CI.
  Update build-docs.sh, the documentation CI job (pnpm/action-setup +
  pnpm cache), and the invoke docusaurus task to use pnpm.
  (js-package-manager-pnpm)
- .yamllint.yml: add `truthy: check-keys: false` and ignore the generated
  docs/pnpm-lock.yaml. (yaml-linting-yamllint)
- workflow-linter.yml: bump Vale 3.7.1 -> 3.13.0. (markdown-linting-vale)

develop branch protection was applied separately via the GitHub API
(require PR review, enforce_admins, block force-push/deletion).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@BeArchiTek BeArchiTek changed the title chore(standards): fix CI filters, add SDK bump + towncrier chore(standards): resolve repo-standards drift (CI, pnpm, changelog, ignores) Jul 2, 2026
@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jul 2, 2026

Copy link
Copy Markdown

Deploying infrahub-sync with  Cloudflare Pages  Cloudflare Pages

Latest commit: 004bd63
Status: ✅  Deploy successful!
Preview URL: https://4d0fd15e.infrahub-sync.pages.dev
Branch Preview URL: https://bot-repo-drift.infrahub-sync.pages.dev

View logs

Benoit Kohler and others added 3 commits July 3, 2026 00:07
The pnpm migration introduced pnpm@11.6.0, which requires Node >=22.13
(it imports the node:sqlite builtin). The documentation job's setup-node
still pinned node-version: 20, so pnpm crashed with ERR_UNKNOWN_BUILTIN_MODULE
before install could run. Bump to Node 22 (LTS) to satisfy pnpm's engine floor.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Fill two gaps found by comparing against sibling OpsMill repos
(infrahub, infrahub-mcp, infrahub-sdk-python, styrmin):

- .github/CODEOWNERS: `* @opsmill/sa` — the repo had no code-ownership
  file, so PRs requested no default reviewer. (github-codeowners)
- .pre-commit-config.yaml: the repo pinned `pre-commit` as a dev dep but
  had no config, so the hook did nothing. Add pre-commit-hooks + the ruff
  format/check hooks (rev matched to the pinned ruff 0.15.5), mirroring
  the SDK repo's setup.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Address the CodeRabbit review on PR #137:

- Set persist-credentials: false on checkout (the job pushes via the
  GH_UPDATE_PACKAGE_OTTO PAT, never the ambient GITHUB_TOKEN).
- Remove template-injection surface: run: blocks now reference shell env
  vars (${BRANCH_NAME}, ${INFRAHUB_SDK_VERSION}, ${MATRIX_BRANCH}) instead
  of splicing ${{ }} into script text; gh reads GH_TOKEN from step env
  rather than piping the secret through the shell.
- Drop the unused `run` workflow_dispatch input (no integration-test step
  gates on it).

Declined: pinning github-actions-x/commit@v2.9 to a SHA — the whole org
(infrahub, infrahub-mcp, the canonical template) uses the tag, and pinning
one action while checkout/setup-python/setup-uv stay on tags is
inconsistent; SHA-pinning belongs in an org-wide hardening pass.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@BeArchiTek

Copy link
Copy Markdown
Contributor Author

CodeRabbit review triage — all 4 findings addressed in c9b0148:

  • persist-credentials: false (checkout) — done.
  • Template injection in run: blocks (critical) — done; run: now uses shell env vars and gh reads GH_TOKEN from env.
  • Unused run input — removed (YAGNI; nothing gates on it, and integration tests aren't wired into this workflow).
  • ⏭️ Pin github-actions-x/commit@v2.9 to a SHA — declined for this PR. The whole org (infrahub, infrahub-mcp, the canonical bump template) uses the @v2.9 tag, and pinning one third-party action while checkout/setup-python/setup-uv stay on tags is inconsistent. SHA-pinning is worth doing org-wide (shared CI catalog / dedicated hardening pass), not ad-hoc in a drift PR.

Verified locally: yamllint -s . and actionlint both clean.

Adopt rumdl (the OpsMill standard used by infrahub-mcp and styrmin) in
place of markdownlint-cli2:

- pyproject.toml: add [tool.rumdl] (config now lives here, not a standalone
  file) translating the former .markdownlint.yml rule set; exclude the
  vendored/agentic trees and the generated docs/docs/reference/cli.mdx; add
  rumdl to the dev extra.
- CI: the markdown-lint job now runs `uv run rumdl check .`.
- tasks/docs.py: docs.rumdl / docs.format-rumdl replace the markdownlint tasks.
- .pre-commit-config.yaml: add a rumdl hook.
- Remove .markdownlint.yml; update AGENTS.md + dev guide references.
- Apply rumdl's auto-fixes to 8 hand-authored .mdx files (blank lines around
  frontmatter/headings/tables) and convert README's markdownlint-disable to
  `rumdl-disable MD041` for the logo.

Also fixes a stale `npm install` in the AGENTS.md docs section (missed in the
earlier pnpm migration).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@BeArchiTek BeArchiTek merged commit b5044da into main Jul 3, 2026
19 checks passed
@BeArchiTek BeArchiTek deleted the bot/repo-drift branch July 3, 2026 08:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

claude-code-assisted group/ci Issue related to the CI pipeline type/housekeeping Maintenance task

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant