chore(standards): resolve repo-standards drift (CI, pnpm, changelog, ignores)#137
Conversation
…elog
Resolve mechanical drift found by the auditing-repo-standards audit:
- file-filters.yml: the sync_all filter gated unit-tests on sync/** (a
path that does not exist), so PRs touching infrahub_sync/** silently
skipped tests. Point it at infrahub_sync/** and add tests/** + the uv
files so unit tests run on source, test, and dependency changes.
(ci-file-change-detection)
- update-infrahub-sdk.yml: add the infrahub-sdk auto-bump workflow so the
repo tracks SDK releases via automated PRs. The workflow itself targets
develop (this repo's contributor-PR flow). (ci-infrahub-sdk-auto-bump)
- workflow-{tests,linter,uv-check}.yml: pin opsmill/paths-filter@v3.0.2
(was dorny/paths-filter@v3), the standard pinned fork.
- .gitignore: add .venv/, venv/, and secret globs (*.pem, *.key,
credentials.json). (common-gitignore)
- towncrier: add [tool.towncrier] config + dev dep + changelog/ scaffold
(.gitignore + template). package omitted (no __version__); pass
--version at build. (python-changelog-towncrier)
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
WalkthroughThis PR updates CI and documentation tooling, adds an automated workflow for updating 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 2
🧹 Nitpick comments (2)
.github/workflows/update-infrahub-sdk.yml (2)
7-15: 🎯 Functional Correctness | 🔵 TrivialUnused
runinput.The
runinput ("Whether to run integration tests") is declared but never referenced anywhere else in the job. As written, toggling it has no effect, which is misleading for anyone triggering this workflow manually expecting it to control integration-test execution.Want me to wire this into the job (e.g. gate an integration-test step on
${{ github.event.inputs.run }}), or should the input be removed if integration testing isn't implemented yet?🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/update-infrahub-sdk.yml around lines 7 - 15, The workflow input named run is declared but not used, so either wire it into the job logic or remove it. Update the update-infrahub-sdk workflow to reference github.event.inputs.run in the relevant integration-test step(s), likely near the job that uses version, so manual triggers can actually control whether integration tests execute; if that behavior is not needed yet, delete the run input from the workflow inputs block.
63-74: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick winPin
github-actions-x/committo a full commit SHA. The workflow usessecrets.GH_UPDATE_PACKAGE_OTTOto push branches and open PRs, so keeping this action on a mutable tag increases supply-chain risk.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/update-infrahub-sdk.yml around lines 63 - 74, The Commit and push changes step is using the mutable github-actions-x/commit@v2.9 tag, which should be replaced with a full commit SHA to reduce supply-chain risk. Update the action reference in the update-infrahub-sdk workflow while keeping the existing inputs (including github-token, push-branch, and rebase) unchanged.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/update-infrahub-sdk.yml:
- Around line 36-37: The checkout step is leaving GitHub credentials persisted
on disk, which is unnecessary for this workflow. Update the actions/checkout
invocation in the code path for the “Check out code” step to disable credential
persistence by setting persist-credentials to false, since later steps run
dependency resolution and do not need the ambient GITHUB_TOKEN for any git push.
- Around line 56-88: The `update-infrahub-sdk.yml` workflow is vulnerable
because attacker-controlled values are expanded directly into shell `run:`
blocks via `${{ }}`. Update the `prepare-branch` and `Create a pull request`
steps to use shell environment variables like `$BRANCH_NAME`,
`$INFRAHUB_SDK_VERSION`, and `$matrix.branch-name`-equivalent values instead of
interpolating them in the script text, and keep the existing job-level `env`
entries on the workflow so the `commit@v2.9` and `gh pr create` steps can read
them safely.
---
Nitpick comments:
In @.github/workflows/update-infrahub-sdk.yml:
- Around line 7-15: The workflow input named run is declared but not used, so
either wire it into the job logic or remove it. Update the update-infrahub-sdk
workflow to reference github.event.inputs.run in the relevant integration-test
step(s), likely near the job that uses version, so manual triggers can actually
control whether integration tests execute; if that behavior is not needed yet,
delete the run input from the workflow inputs block.
- Around line 63-74: The Commit and push changes step is using the mutable
github-actions-x/commit@v2.9 tag, which should be replaced with a full commit
SHA to reduce supply-chain risk. Update the action reference in the
update-infrahub-sdk workflow while keeping the existing inputs (including
github-token, push-branch, and rebase) unchanged.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 3288f376-995a-47e4-851f-5953d50234fe
⛔ Files ignored due to path filters (1)
uv.lockis excluded by!**/*.lock
📒 Files selected for processing (9)
.github/file-filters.yml.github/workflows/update-infrahub-sdk.yml.github/workflows/workflow-linter.yml.github/workflows/workflow-tests.yml.github/workflows/workflow-uv-check.yml.gitignorechangelog/.gitignorechangelog/towncrier.md.templatepyproject.toml
…e bump
Second batch of auditing-repo-standards drift fixes:
- workflow-{linter,tests,uv-check}.yml: add least-privilege
`permissions: contents: read`. (ci-workflow-setup)
- docs: migrate npm -> pnpm. Generate docs/pnpm-lock.yaml (from the old
package-lock.json), remove package-lock.json, pin packageManager
pnpm@11.6.0, and add docs/pnpm-workspace.yaml declaring the core-js
build decision so `pnpm install --frozen-lockfile` is exit-0 in CI.
Update build-docs.sh, the documentation CI job (pnpm/action-setup +
pnpm cache), and the invoke docusaurus task to use pnpm.
(js-package-manager-pnpm)
- .yamllint.yml: add `truthy: check-keys: false` and ignore the generated
docs/pnpm-lock.yaml. (yaml-linting-yamllint)
- workflow-linter.yml: bump Vale 3.7.1 -> 3.13.0. (markdown-linting-vale)
develop branch protection was applied separately via the GitHub API
(require PR review, enforce_admins, block force-push/deletion).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Deploying infrahub-sync with
|
| Latest commit: |
004bd63
|
| Status: | ✅ Deploy successful! |
| Preview URL: | https://4d0fd15e.infrahub-sync.pages.dev |
| Branch Preview URL: | https://bot-repo-drift.infrahub-sync.pages.dev |
The pnpm migration introduced pnpm@11.6.0, which requires Node >=22.13 (it imports the node:sqlite builtin). The documentation job's setup-node still pinned node-version: 20, so pnpm crashed with ERR_UNKNOWN_BUILTIN_MODULE before install could run. Bump to Node 22 (LTS) to satisfy pnpm's engine floor. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Fill two gaps found by comparing against sibling OpsMill repos (infrahub, infrahub-mcp, infrahub-sdk-python, styrmin): - .github/CODEOWNERS: `* @opsmill/sa` — the repo had no code-ownership file, so PRs requested no default reviewer. (github-codeowners) - .pre-commit-config.yaml: the repo pinned `pre-commit` as a dev dep but had no config, so the hook did nothing. Add pre-commit-hooks + the ruff format/check hooks (rev matched to the pinned ruff 0.15.5), mirroring the SDK repo's setup. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Address the CodeRabbit review on PR #137: - Set persist-credentials: false on checkout (the job pushes via the GH_UPDATE_PACKAGE_OTTO PAT, never the ambient GITHUB_TOKEN). - Remove template-injection surface: run: blocks now reference shell env vars (${BRANCH_NAME}, ${INFRAHUB_SDK_VERSION}, ${MATRIX_BRANCH}) instead of splicing ${{ }} into script text; gh reads GH_TOKEN from step env rather than piping the secret through the shell. - Drop the unused `run` workflow_dispatch input (no integration-test step gates on it). Declined: pinning github-actions-x/commit@v2.9 to a SHA — the whole org (infrahub, infrahub-mcp, the canonical template) uses the tag, and pinning one action while checkout/setup-python/setup-uv stay on tags is inconsistent; SHA-pinning belongs in an org-wide hardening pass. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
CodeRabbit review triage — all 4 findings addressed in c9b0148:
Verified locally: |
Adopt rumdl (the OpsMill standard used by infrahub-mcp and styrmin) in place of markdownlint-cli2: - pyproject.toml: add [tool.rumdl] (config now lives here, not a standalone file) translating the former .markdownlint.yml rule set; exclude the vendored/agentic trees and the generated docs/docs/reference/cli.mdx; add rumdl to the dev extra. - CI: the markdown-lint job now runs `uv run rumdl check .`. - tasks/docs.py: docs.rumdl / docs.format-rumdl replace the markdownlint tasks. - .pre-commit-config.yaml: add a rumdl hook. - Remove .markdownlint.yml; update AGENTS.md + dev guide references. - Apply rumdl's auto-fixes to 8 hand-authored .mdx files (blank lines around frontmatter/headings/tables) and convert README's markdownlint-disable to `rumdl-disable MD041` for the logo. Also fixes a stale `npm install` in the AGENTS.md docs section (missed in the earlier pnpm migration). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Summary by CodeRabbit
New Features
Bug Fixes
Chores
Resolves mechanical repo-standards drift found by the
auditing-repo-standardsaudit. Restores unit-test coverage that was silently skipped, keeps the repo current withinfrahub-sdkreleases, standardises changelog/ignore hygiene, tightens CI, and aligns the docs toolchain with the pnpm standard.Key Changes
CI correctness & hardening
sync_allpath filter pointed at a non-existentsync/dir, so PRs touchinginfrahub_sync/**skipped theunit-testsjob. Now triggers on source, tests, and dependency changes. (ci-file-change-detection)permissions: contents: readadded toworkflow-linter.yml,workflow-tests.yml,workflow-uv-check.yml. (ci-workflow-setup)paths-filterpinned toopsmill/paths-filter@v3.0.2(wasdorny/paths-filter@v3).3.7.1→3.13.0. (markdown-linting-vale)Automation & changelog
infrahub-sdkupgrades — newupdate-infrahub-sdk.ymlopens a bump PR on each SDK release. (ci-infrahub-sdk-auto-bump)CHANGELOG.mdassembled at release. (python-changelog-towncrier)Hygiene & toolchain
docs/pnpm-lock.yaml, removeddocs/package-lock.json, pinnedpackageManager: pnpm@11.6.0, and switchedbuild-docs.sh, thedocumentationCI job (pnpm/action-setup+ pnpm cache), and theinvoke docusaurustask to pnpm. Adocs/pnpm-workspace.yamldeclares thecore-jsbuild decision sopnpm install --frozen-lockfileis non-interactive/exit-0 in CI. (js-package-manager-pnpm).gitignore— added venvs and secret globs (*.pem,*.key,credentials.json). (common-gitignore).yamllint.yml— addedtruthy: check-keys: falseand ignored the generateddocs/pnpm-lock.yaml. (yaml-linting-yamllint).github/CODEOWNERS(* @opsmill/sa); the repo had no default reviewer. (github-codeowners).pre-commit-config.yaml— thepre-commitdev dep had no config; added pre-commit-hooks + ruff hooks (rev pinned to ruff 0.15.5) + a rumdl hook, mirroring the SDK repo. (cross-repo gap)[tool.rumdl]; CI runsuv run rumdl check .;.markdownlint.ymlremoved. (markdown-linting)Related Context
Drift fixes from the
auditing-repo-standardsaudit, cross-checked againstinfrahub,infrahub-mcp,styrmin, andinfrahub-sdk-python.ty(vs mypy) is intentionally retained per maintainer decision; the markdown linter was migrated to rumdl to match the modern siblings. A companion PR (infrahub-sdk-python#1129) adds infrahub-sync to the SDK release dispatch soupdate-infrahub-sdk.ymlactually fires.Applied out-of-band (not in this diff):
developbranch protection was enabled via the GitHub API — required PR review (≥1),enforce_admins, force-push and deletion blocked (developnow reportscompliant).Notes
main(as requested). Theupdate-infrahub-sdk.ymlworkflow itself targetsdevelop, this repo's contributor-PR flow.packageis intentionally omitted (infrahub_syncexposes no__version__); pass--version X.Y.Ztotowncrier buildat release time.Test Plan
yaml-lint,action-lint,python-lint(ruff + ty),unit-tests(py3.10–3.13),uv check, and thedocumentation/Vale jobs (now pnpm-based).uv run yamllint -s .exits 0; a freshcd docs && pnpm install --frozen-lockfileexits 0 (proven load-bearing via theallowBuildsdecision);uv run towncrier build --draft --version 2.0.1renders cleanly.workflow_dispatchdry-run ofupdate-infrahub-sdk.yml.