Skip to content

ci: inline the fleet-canonical CI workflow + exact-floor override gate#293

Open
John-David Dalton (jdalton) wants to merge 12 commits into
mainfrom
ci/inline-fleet-canonical
Open

ci: inline the fleet-canonical CI workflow + exact-floor override gate#293
John-David Dalton (jdalton) wants to merge 12 commits into
mainfrom
ci/inline-fleet-canonical

Conversation

@jdalton

@jdalton John-David Dalton (jdalton) commented Jul 12, 2026

Copy link
Copy Markdown
Collaborator

What

Brings socket-registry's CI to fleet convention, closes a coverage hole, and un-reds six pre-existing main breakages the new pipeline surfaced.

1. Inline the fleet-canonical CI workflow

Replaces the Layer-3 reusable ci.yml + _local-not-for-reuse-ci.yml wrapper pair with the fleet-canonical inlined workflow — verbatim wheelhouse template block, repo-owned jobs below the end marker, matching every other fleet member (socket-lib's ci.yml is byte-identical to the template).

  • Old @sha pins to the removed reusable keep resolving (SHA-pinned refs are immutable).
  • Required-checks note: job names change from Run CI Pipeline / … to 🔎 Check, 🧪 Test, 🧪 Test NPM Packages — branch protection needs the new names.
  • Legacy Layer-3/4 docs, hooks (shared-workflow-cascade, no-hand-edit-registry-pin-guard), skills, and README badges updated in the same change.

2. Floor-node gate for the npm overrides (floor-node-smoke)

All 131 overrides declare engines.node: >=24, but CI only ever ran a newer current-line Node — nothing proved the floor. The new gate side-installs the exact floor release (Node 24.0.0, pinned version + sha256 via lib-stable httpDownload's verified/atomic download — the binary never touches PATH) and dynamic-imports every override's node entry under it, including the JSON-module entries (date, es-iterator-helpers) via with { type: 'json' }.

131 imported, 0 skipped, 0 failed in CI. A companion law, floor-node-pin-matches-engines (auto-discovered by check --all), locks the pin to the overrides' declared floor: every engines.node range's minimum must equal FLOOR_NODE_VERSION, so an engines bump without a pin bump (or vice versa) fails instead of leaving the gate proving the wrong floor.

3. Soak-aware override currency + es-iterator-helpers sync

npm-overrides-are-current demanded the raw npm latest, while the 7-day minimumReleaseAge soak forbids installing it — a red check nothing could legally fix for up to the whole window (es-iterator-helpers 1.4.0, published 2 days ago, deadlocked it). The law now targets the newest soak-cleared release (packument time + the shared soak-rules.mts policy; prereleases below latest never win; degraded metadata falls back to raw latest). Report format: 1.2.1 -> 1.3.3 (latest 1.4.0 still soaking).

With the target legal, the sync driver reconciled es-iterator-helpers 1.2.1 → 1.3.3: new Iterator.prototype.includes module (implementation/polyfill/shim/types), package wiring, and tests updated in lock-step; package test green; floor gate re-verified.

4. Pre-existing main breakages fixed en route

Each surfaced by the new pipeline's check --all on the merge ref:

  • zizmor template-injection (2 high) in agentics-maintenance.ymlinputs.* now env-indirected.
  • action-pins-are-current reported phantom UNREACHABLE pins on fetch-depth-25 clones — now --unshallows and retests before declaring a pin unreachable (also fixed at the wheelhouse source).
  • Type errors in sync-npm-overrides.mts + scripts/repo/util/packages.mts.
  • gh-aw .lock.yml drift from a main-side md-only edit — locks recompiled.
  • registry/package.json carried a bare "test": "vitest" with no test tree (silent-green/unfixable-red footgun) — removed per the test-scripts-defer-to-mts rule; registry's tests run from the root wrapper.

Fleet-wide finding (fixed upstream)

The canonical template's test job ran bare pnpm test, which resolves to the modified scope — on a clean CI checkout that's zero files, so every member's Test matrix passed while running nothing (socket-lib main run 29165499582 logs No modified source files … skipping tests). The wheelhouse template now passes --all explicitly, and a new fleet law (workflow-scripts-are-explicit-scope) makes the class unrepresentable; members pick both up on the next cascade. This PR's block already carries the fix.

Follow-ups (not in this PR)

  • weekly-update.yml + its _local wrappers remain sanctioned workflow_call reusables (fleet law); gh-aw .lock.yml artifacts stay as generated.
  • Fleet-wide advisories unrelated to this PR: stale pricing snapshot (/update-pricing), unused _shared/ helper-export review list.

Replace the Layer-3 reusable ci.yml + _local-not-for-reuse-ci.yml
wrapper pair with the fleet-canonical inlined workflow (verbatim
wheelhouse template block, including the 'pnpm run test --all' fix —
bare 'pnpm test' resolves to the modified scope and skips everything
on a clean CI checkout). Repo-owned jobs live below the end marker,
matching every other fleet member. Old @sha pins to the removed
reusable keep resolving (SHA-pinned refs are immutable).

Required-checks note: job names change from 'Run CI Pipeline / ...'
to '🔎 Check', '🧪 Test', '🧪 Test NPM Packages'.
All 131 overrides declare engines.node >=24, but CI only ever ran a
newer current-line Node — nothing proved the floor. The new
floor-node-smoke gate side-installs Node 24.0.0 (pinned version +
sha256 verified against nodejs.org's SHASUMS256 before extraction;
the binary never touches PATH) and dynamic-imports every override's
node entry under it, including the JSON-module entries (date,
es-iterator-helpers) via 'with { type: json }'. Verified locally:
131 imported, 0 failed.
…tion)

Two pre-existing high findings — inputs.operation / inputs.run_url
expanded directly inside run: — fail the setup-and-install zizmor audit
in every CI job, on main too (main CI is currently red on them). Route
both through step env vars.
ci.yml is now the fleet-canonical inlined workflow, so:
- README badges point at ci.yml (the _local wrapper is gone)
- shared-workflow-cascade hook watches the real Layer-3 reusables
  (weekly-update / publish-npm / get-green) instead of ci.yml and the
  never-existent provenance.yml — an inlined-ci edit no longer demands a
  cross-repo cascade
- updating-workflows reference, repo architecture doc, pin-guard header,
  and the fleet cleaning-ci/agent-ci skills describe the current split:
  inlined fleet block for CI, @sha pins only for the surviving reusables
  (also fixes the stale provenance.yml name — the file is publish-npm.yml)

Audit verdict on the rest: weekly-update.yml + publish-npm.yml +
get-green.yml stay workflow_call BY DESIGN (the wheelhouse template
itself delegates to them); .lock.yml files are gh-aw-owned;
agentics-maintenance.yml's workflow_call trigger has no callers but is
dormant and harmless — left as-is.
…repin weekly-update wrapper

action-pins-are-current tests reachability with merge-base
--is-ancestor, but CI's fetch-depth-25 checkout truncates history — any
pin older than ~25 commits reported UNREACHABLE as phantom rot (the June
propagation-SHA pins aged out as main advanced). The check now deepens
once (--unshallow) on a shallow repo and retests before failing. Also
lands the one genuinely stale pin's --fix repin.
Pre-existing on main since the sync-overrides commit landed (Check
never ran far enough to report them until the agentics and shallow-pin
layers were fixed): getPackageVersionSpec called with 1 arg while its
options param was required; fetchPackageManifest returns unknown, so
manifest?.version failed; unused __dirname/_ecosystem bindings; and the
null-proto spread idiom trips excess-property freshness checks when
destructured directly — split through an intermediate so the idiom
keeps its Object-pollution guard and satisfies tsc.
Merged origin/main (its a90a436 edited get-green.md and
weekly-update.md without running gh aw compile, so the committed
.lock.yml body_hash no longer matched — main's Check is red on it, and
PR merge refs inherit it). Recompiled both locks with gh-aw v0.79.6 and
committed the refreshed actions-lock entries. Type, lint, pin, and
gh-aw drift gates all pass on the merged tree.
@socket-security

socket-security Bot commented Jul 12, 2026

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Updatednpm/​es-iterator-helpers@​1.2.1 ⏵ 1.3.399 +110010087 -2100

View full report

@socket-security-staging

socket-security-staging Bot commented Jul 12, 2026

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Updatednpm/​es-iterator-helpers@​1.2.1 ⏵ 1.3.399 +110010087100

View full report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant