S-tier hardening: releases, coverage, security, docs, spec versioning#4
Merged
Conversation
Tier 1 — tag-driven release workflow (npm publish --provenance + GitHub Release from the CHANGELOG), coverage gate (npm run test:coverage), CONTRIBUTING/CODE_OF_CONDUCT/SECURITY + issue & PR templates, README badges. Tier 2 — Dependabot (npm + actions), CodeQL workflow, all Actions SHA-pinned, end-to-end CLI tests (test/e2e.test.ts), Node 18/20/22 CI matrix. Tier 3 — docs/ surface (quickstart, spec-reference, recipes, architecture, compatibility), optional done.yaml `version:` field + SPEC_VERSION (warns rather than silently misreading), JSON Schema + yaml-language-server modeline, documented exit-code contract. Self-gate dogfood passes; 31/31 tests green with coverage thresholds enforced. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool. What Enabling Code Scanning Means:
For more information about GitHub Code Scanning, check out the documentation. |
| const lines = md.split("\n"); | ||
|
|
||
| // Match "## 0.4.0" (optionally followed by a date/anything). | ||
| const startIdx = lines.findIndex((l) => new RegExp(`^##\\s+v?${version.replace(/\./g, "\\.")}\\b`).test(l)); |
| const lines = md.split("\n"); | ||
|
|
||
| // Match "## 0.4.0" (optionally followed by a date/anything). | ||
| const startIdx = lines.findIndex((l) => new RegExp(`^##\\s+v?${version.replace(/\./g, "\\.")}\\b`).test(l)); |
The matrix renamed the job to "test (node N)", which no longer matched the branch-protection required context "test". Split into a primary `test` job (node 20, the required context) plus a `compat` matrix (18, 22). Remove .github/workflows/codeql.yml: the repo already runs CodeQL via default code-scanning setup, and an advanced workflow conflicts with it (the failing "CodeQL" check). Default setup already satisfies the security-scanning goal. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Implements the S-tier checklist across three tiers. Verified locally: 31/31 tests pass, coverage thresholds enforced, self-gate dogfood passes, JSON Schema validates every real spec, npm publish dry-run clean.
Tier 1 — ship-credibility
release.yml:npm publish --provenance+ GitHub Release from the CHANGELOG section, with a tag↔package.json version guardnpm run test:coverage(lines 85 / branch 70 / funcs 90)CONTRIBUTING.md,CODE_OF_CONDUCT.md,SECURITY.md, issue templates, PR templateTier 2 — trust & safety
dependabot.yml(npm + github-actions),codeql.ymltest/e2e.test.ts— CLI covered as a real process; Node 18/20/22 CI matrixTier 3 — depth & durability
docs/: quickstart, spec-reference, recipes, architecture, compatibilityversion:field +SPEC_VERSION— degrades loudly, never silently misreadsschema/done.schema.json+yaml-language-servermodeline; ships in the npm package🤖 Generated with Claude Code