Skip to content

Commit fd24db5

Browse files
committed
Merge remote-tracking branch 'origin/master' into feat/release-v0.3.0
# Conflicts: # CHANGELOG.md
2 parents a25e1af + 137246e commit fd24db5

6 files changed

Lines changed: 147 additions & 0 deletions

File tree

.github/dependabot.yml

Lines changed: 45 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,45 @@
1+
# Dependabot version-update config.
2+
#
3+
# Security-advisory updates are already on via the repo-level "Dependabot
4+
# security updates" setting; this file covers *version* updates (catching
5+
# stale deps before they ship a vuln, not after).
6+
#
7+
# Non-major updates are grouped into a single weekly PR per ecosystem to
8+
# keep noise down; majors still open individually so they get real review.
9+
10+
version: 2
11+
12+
updates:
13+
- package-ecosystem: npm
14+
directory: /
15+
schedule:
16+
interval: weekly
17+
day: monday
18+
time: "09:00"
19+
timezone: Etc/UTC
20+
open-pull-requests-limit: 10
21+
groups:
22+
non-major:
23+
update-types:
24+
- minor
25+
- patch
26+
commit-message:
27+
prefix: chore
28+
include: scope
29+
30+
- package-ecosystem: github-actions
31+
directory: /
32+
schedule:
33+
interval: weekly
34+
day: monday
35+
time: "09:00"
36+
timezone: Etc/UTC
37+
open-pull-requests-limit: 5
38+
groups:
39+
non-major:
40+
update-types:
41+
- minor
42+
- patch
43+
commit-message:
44+
prefix: ci
45+
include: scope

.github/workflows/actionlint.yml

Lines changed: 40 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,40 @@
1+
name: actionlint
2+
3+
# Validates GitHub Actions workflow YAML against actionlint's rule set.
4+
# Catches interpolation/quoting bugs, bad `needs:` refs, and the
5+
# untrusted-input-in-run-script class of injection risk that otherwise
6+
# only surfaces at workflow-fire time.
7+
8+
on:
9+
# Runs on every PR + every push to master, not just workflow changes.
10+
# Path-filtered required checks can never report on PRs that don't
11+
# touch the filter — leaves merges permanently blocked. 30s of CI on
12+
# unrelated PRs is cheaper than that failure mode.
13+
pull_request:
14+
push:
15+
branches: [master]
16+
workflow_dispatch: {}
17+
18+
permissions:
19+
contents: read
20+
21+
jobs:
22+
actionlint:
23+
runs-on: ubuntu-latest
24+
steps:
25+
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
26+
27+
- name: Install actionlint v1.7.1
28+
# Official release tarball, pinned to a specific version. CI-only
29+
# lint tool; a broken build here won't ship to users, so a
30+
# checksum pin isn't essential.
31+
run: |
32+
set -euo pipefail
33+
curl -fsSL -o actionlint.tgz \
34+
https://github.com/rhysd/actionlint/releases/download/v1.7.1/actionlint_1.7.1_linux_amd64.tar.gz
35+
tar xzf actionlint.tgz actionlint
36+
chmod +x actionlint
37+
./actionlint -version
38+
39+
- name: Run actionlint
40+
run: ./actionlint -color

.github/workflows/ci.yml

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -20,9 +20,15 @@ jobs:
2020
- uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5
2121
with:
2222
node-version: ${{ matrix.node-version }}
23+
cache: 'npm'
2324
- run: npm ci
2425
env:
26+
# Skip the 100MB Chromium download — tests use a mock BrowserLike
27+
# via AgentConfig.browserFactory, and the `--help` smoke doesn't
28+
# launch a browser. Doctor's browser check would fail without it,
29+
# but that's not exercised in CI.
2530
PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: "1"
31+
- run: npm run typecheck
2632
- run: npm run build
2733
- run: npm test
2834
- run: node dist/cli.js --help

.github/workflows/stale.yml

Lines changed: 44 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,44 @@
1+
name: Stale issue / PR housekeeping
2+
3+
# Low-key housekeeping that keeps the tracker from accumulating dead
4+
# threads. Conservative defaults for a low-volume repo: 60 days to
5+
# warn, 14 more to close. Exempt labels keep security reports and
6+
# in-flight work out of the sweep.
7+
8+
on:
9+
schedule:
10+
- cron: '30 4 * * *'
11+
workflow_dispatch: {}
12+
13+
permissions:
14+
issues: write
15+
pull-requests: write
16+
17+
jobs:
18+
stale:
19+
runs-on: ubuntu-latest
20+
steps:
21+
- uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
22+
with:
23+
days-before-stale: 60
24+
days-before-close: 14
25+
stale-issue-label: stale
26+
stale-pr-label: stale
27+
stale-issue-message: >
28+
No activity on this issue for 60 days. Marking as stale. If
29+
it's still relevant, leave a comment and we'll take another
30+
look — otherwise it'll auto-close in 14 days.
31+
stale-pr-message: >
32+
No activity on this PR for 60 days. Marking as stale. If
33+
it's still in flight, leave a comment or push an update —
34+
otherwise it'll auto-close in 14 days.
35+
close-issue-message: >
36+
Auto-closing after 14 days of no follow-up. Feel free to
37+
reopen if the issue recurs or you have new information.
38+
close-pr-message: >
39+
Auto-closing after 14 days of no follow-up. Feel free to
40+
reopen if you want to pick the work back up.
41+
exempt-issue-labels: security,auth,review-feedback,help-wanted,good-first-issue,pinned
42+
exempt-pr-labels: security,pinned,wip,blocked
43+
operations-per-run: 60
44+
remove-stale-when-updated: true

CHANGELOG.md

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -10,6 +10,17 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
1010

1111
Streaming synthesis, `deepdive doctor`, LLM retry + per-call timeout, robots.txt respect, CI foundation parity with dario / claude-bridge, auto-release workflow preemptively ported, CodeQL pass, home-dir scrubbing on error output.
1212

13+
### CI — foundation parity with dario / claude-bridge
14+
15+
Brings deepdive's CI surface up to the maturity of the sibling repos:
16+
17+
- **`actionlint.yml`**`actionlint` v1.7.1 runs on every PR + push. No path filter (required-checks gate would never report on src-only PRs if filtered — classic footgun fixed on dario + claude-bridge already).
18+
- **`dependabot.yml`** — weekly (Monday 09:00 UTC) npm + github-actions version updates. Non-major grouped per ecosystem; majors open individually so they get real review.
19+
- **`stale.yml`**`actions/stale@v10.2.0` daily at 04:30 UTC. 60 days to warn, 14 to close. Exempts `security`/`auth`/`review-feedback`/`help-wanted`/`good-first-issue`/`pinned` for issues, plus `wip`/`blocked`/`security` for PRs.
20+
- **`ci.yml`** — added `typecheck` step (`tsc --noEmit`) as a separate CI step before `build`, so type errors surface before the tsc emit step does. Matrix stays at Node 20 / 22 (engines `>=20.0.0` rules out 18; `node --test --test-concurrency` also needs 20.11+).
21+
- **Labels**`security`, `auth`, `pinned`, `wip`, `blocked`, `review-feedback` created out-of-band to match the dario / claude-bridge vocabulary. Referenced by the stale-bot exempts above.
22+
- Repo setting `allow_update_branch` toggled on so auto-merge can rebase PRs against master without the maintainer clicking "Update branch".
23+
1324
### CI — auto-release workflow (ports the dario pattern preemptively)
1425

1526
New `.github/workflows/auto-release.yml`. Fires on merge of any PR to master; exits in ~10s unless `package.json.version` changed from the parent commit, in which case it creates the matching `vX.Y.Z` tag and GitHub release (extracting the CHANGELOG section for the version as release notes). `publish.yml` then fires on `release:published` and runs `npm publish --access public --provenance`.

package.json

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -22,6 +22,7 @@
2222
],
2323
"scripts": {
2424
"build": "tsc",
25+
"typecheck": "tsc --noEmit",
2526
"test": "node --test --test-concurrency=4 test/*.test.mjs",
2627
"dev": "tsx src/cli.ts",
2728
"start": "node dist/cli.js",

0 commit comments

Comments
 (0)