guard against stale SPA embed dir at verify and build time #6
Merged
ui-verify now diffs internal/ui/dist/ against a fresh ui/dist/ build and fails if they differ (excluding .gitkeep). build gains a check-ui-embed prerequisite that refuses to compile when the embed dir is empty. Closes a class of bug where `make verify` passes on current source but the binary embeds a stale SPA bundle, silently shipping the previous UI to operators.
CodeQL's autobuild step runs the default make target on a fresh checkout. With this PR's new `build: check-ui-embed` prerequisite, that fails because internal/ui/dist/ is gitignored except for the .gitkeep and `make ui` hasn't run — exactly the failure mode the gate is designed to surface to developers.

CodeQL doesn't need a working portal; it needs Go to compile for type tracing. Switched to build-mode: manual + `go build -v ./...`, matching the CI workflow's Build job (.github/workflows/ci.yml:114). CodeQL no longer touches Make, so future Makefile prerequisite changes won't silently break the security scan.

Observed failure on PR #6's CodeQL run:

```
Trying build command make []
FAIL: ./internal/ui/dist/index.html missing.
The Go binary embeds ./internal/ui/dist via //go:embed. Without a built SPA there, the portal serves a JSON stub instead of the React UI.
Run: make ui
/bin/bash: fork: retry: Resource temporarily unavailable
```

The `fork: retry` line is the runner exhausting itself retrying past the 30-minute timeout — not a flake.
Summary
- `make ui-verify` now diffs `internal/ui/dist/` against a fresh `ui/dist/` build (excluding `.gitkeep`) and fails if they differ. Same posture as `fmt-check` / `mod-tidy-check`.
- `make build` gains a `check-ui-embed` prerequisite that refuses to compile when `internal/ui/dist/index.html` is missing.
- `make ui` now `touch`es `internal/ui/dist/.gitkeep` after the copy so the gitignored embed dir stays tracked across rebuilds.

Why

`internal/ui/dist/` is embedded into the Go binary via `//go:embed`. `make verify` previously ran `ui-verify`, which only ran `pnpm build` and never compared the fresh `ui/dist/` against the embedded copy. Source could be current while the embedded bundle was stale, and the binary would silently serve the old SPA.

With this change:

- `make verify` locally and in CI.
- `make build` before producing a UI-less binary.

Test plan

- `make verify` passes on this branch.
- `make verify` fails when `internal/ui/dist/index.html` is removed.
- `make build` fails with the `check-ui-embed` message when `internal/ui/dist/` is empty.
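
The two gates described above, as an added shell example that is not taken from this PR or the project's Makefile. The function names `check_ui_embed`, `ui_verify` and `demo`, the message wording, and the temporary directory contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example; helper names and sample trees are hypothetical.

# check_ui_embed EMBED_DIR
# Build-time gate: fail when the embed dir has no index.html
# (a dir holding only .gitkeep counts as empty).
check_ui_embed() {
    embed_dir=$1
    if [ ! -f "$embed_dir/index.html" ]; then
        echo "FAIL: $embed_dir/index.html missing. Run: make ui" >&2
        return 1
    fi
}

# ui_verify FRESH_DIR EMBED_DIR
# Verify-time gate: the embedded copy must match the fresh build
# file for file, ignoring the .gitkeep placeholder.
ui_verify() {
    fresh_dir=$1
    embed_dir=$2
    check_ui_embed "$embed_dir" || return 1
    # -r recurses, -q names differing files only, -x skips .gitkeep
    if ! diff -rq -x .gitkeep "$fresh_dir" "$embed_dir" >&2; then
        echo "FAIL: $embed_dir differs from $fresh_dir. Run: make ui" >&2
        return 1
    fi
}

# Demo on constructed trees (sample data, not the project's files).
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/ui/dist" "$tmp/internal/ui/dist"
    echo '<html>new bundle</html>' > "$tmp/ui/dist/index.html"
    echo '<html>old bundle</html>' > "$tmp/internal/ui/dist/index.html"
    touch "$tmp/internal/ui/dist/.gitkeep"
    # Stale embed: the source build is newer than the embedded copy.
    ui_verify "$tmp/ui/dist" "$tmp/internal/ui/dist" 2>/dev/null \
        && stale=0 || stale=1
    # Refresh the embed; only .gitkeep differs now, which is excluded.
    cp "$tmp/ui/dist/index.html" "$tmp/internal/ui/dist/index.html"
    ui_verify "$tmp/ui/dist" "$tmp/internal/ui/dist" && fresh=0 || fresh=1
    rm -rf "$tmp"
    echo "stale=$stale fresh=$fresh"
}

demo
```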