chore(ci): tighten test workflow and harden supply chain #94

Merged
krdlab merged 6 commits into master from chore/test-yml-cleanup, May 9, 2026
Conversation

@krdlab (Owner) commented May 9, 2026

Summary

Tighten .github/workflows/test.yml against best practices. No runtime behavior change for the action itself.

  • Split lint + unit into a dedicated lint-and-unit job; the build matrix needs: it, eliminating 9× redundant npm ci && npm run test.
  • Add permissions: contents: read, concurrency, timeout-minutes, and cache: npm.
  • Pin all third-party actions (test.yml + codeql-analysis.yml) to commit SHAs. The existing .github/dependabot.yml keeps them current.
  • Add a dist/ sync check so a missed npm run dist fails CI.
  • Scope triggers to master pushes / PRs only and mirror paths-ignore on pull_request. Removes the push + pull_request double-fire on PR sync. Fork contributors can use draft PRs or workflow_dispatch.
  • Drop reference-link comments and reformat for consistency.

Test plan

  • All workflow cells green on this branch (lint-and-unit + 9 build matrix cells).
  • dist/ sync check passes against the currently committed dist/.
  • Confirm trigger scope by inspecting the run list (master push / PR open / sync).

krdlab added 6 commits May 9, 2026 15:26

- Split lint + unit (biome + vitest) into a dedicated `lint-and-unit`
  job on ubuntu-latest. The build matrix now `needs: lint-and-unit`
  and no longer redundantly runs `npm ci && npm run test` across all
  9 OS × Haxe cells.
- Drop `setup-node` from the build job; the local action
  (`uses: ./`) ships with `using: node20`, so the runner provides
  the Node runtime.
- Add `permissions: contents: read` to scope down `GITHUB_TOKEN`.
- Add `concurrency` keyed on workflow + ref with
  `cancel-in-progress: true` to drop superseded push/PR runs.
- Set `timeout-minutes` (lint-and-unit: 10, build: 20) to bound
  flaky download/install stages.
- Pass `cache: npm` to `actions/setup-node` to speed up `npm ci`.
- Rename the second `Install Haxe` step to make the
  re-installation idempotency check explicit in logs.
- Document that `paths-ignore: '.github/*.yml'` only matches files
  directly under `.github/`, so workflow edits still trigger CI.

Pin every third-party action in test.yml and codeql-analysis.yml
to a specific commit SHA (with the matching release tag in a
trailing comment) to harden against tag-mutation. Local actions
(`uses: ./`) are unaffected.

- actions/checkout: v6 → v6.0.2 (de0fac2e)
- actions/setup-node: v4 → v4.4.0 (49933ea5)
- github/codeql-action/{init,autobuild,analyze}: v4 → v4.35.4 (68bde559)

The existing .github/dependabot.yml already runs github-actions
weekly, so dependabot will keep both the SHA and the version
comment moving forward.

Append `npm run dist` (= `npm run build && npm run pack`) and
`git diff --exit-code -- dist` to the lint-and-unit job. CI now
fails if a src/ change has not been accompanied by a regenerated
dist/, which previously could slip in unnoticed because the
runtime loads dist/ directly per action.yml (`using: node20`,
`main: dist/index.js`).

Local workflow on src/ change: `npm run dist`, then commit the
updated dist/ alongside the source change.

Stop running CI on every feature-branch push and only run on:

- direct push to master
- PR open / synchronize / reopen against master
- manual workflow_dispatch

Drop `tags-ignore` since `branches: [master]` already excludes
tag refs.

Apply the existing `paths-ignore` (**/*.md, .github/*.yml) to
the pull_request trigger as well, so a docs-only PR no longer
runs the workflow asymmetrically with push. Workflow files
under .github/workflows/ still trigger CI as before.

This also eliminates the push + pull_request double-fire on PR
sync (push to a feature branch with an open PR), since push is
now scoped to master alone.

Note for fork contributors: a feature-branch push on a fork no
longer triggers CI on its own. Open a draft PR (which fires
`pull_request.opened` against this repo) or run
`workflow_dispatch` from the fork's Actions tab to validate
changes before opening a non-draft PR.

Both pointed to external pages (workflow syntax reference and the
2020 workflow_dispatch changelog) without explaining anything
about this workflow itself. The remaining `paths-ignore` NOTE
that documents the `.github/*.yml` glob behaviour is kept since
that one captures intent that is easy to misread.
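The SHA-pinning rule this PR adopts (every third-party `uses:` pinned to a full commit SHA, local `uses: ./` exempt) can be enforced mechanically before merge. The script below is an added example, not code from PR #94 or the repository; the two sample workflow files it writes are constructed, and the 40-character SHAs in them are placeholders rather than the real commits the PR pins to.

```shell
#!/bin/sh
# Added example (not part of PR #94): flag any third-party action reference in a
# workflow file that is not pinned to a full 40-hex commit SHA. Local actions
# (`uses: ./...`) and docker:// references are skipped, matching the PR's scope.

# check_pins FILE
# Prints each unpinned `uses:` reference, one per line.
# Returns 0 when every third-party reference is SHA-pinned, 1 otherwise.
check_pins() {
    unpinned=$(grep -E '^[[:space:]-]*uses:' "$1" \
        | sed -E 's/^[[:space:]-]*uses:[[:space:]]*//; s/[[:space:]]*#.*$//' \
        | tr -d "'\"" \
        | grep -Ev '^(\./|docker://)' \
        | grep -Ev '^[^@]+@[0-9a-f]{40}$' || true)
    [ -z "$unpinned" ] && return 0
    printf '%s\n' "$unpinned"
    return 1
}

# Constructed sample: mutable tag references, as in the workflow before the PR.
write_tag_pinned() {
    cat > "$1" <<'EOF'
jobs:
  build:
    steps:
      - uses: actions/checkout@v6
      - uses: "actions/setup-node@v4"
      - uses: ./
EOF
}

# Constructed sample: SHA-pinned with the release tag kept in a trailing
# comment, the layout the PR adopts. SHAs here are placeholders, not real commits.
write_sha_pinned() {
    cat > "$1" <<'EOF'
jobs:
  build:
    steps:
      - uses: actions/checkout@deadbeefdeadbeefdeadbeefdeadbeefdeadbeef # v6.0.2
      - uses: actions/setup-node@cafebabecafebabecafebabecafebabecafebabe # v4.4.0
      - uses: ./
EOF
}
```

Run `check_pins .github/workflows/test.yml` in a lint step (or a pre-commit hook) so a dependabot PR or a manual edit that reintroduces a tag reference fails fast.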
@krdlab krdlab merged commit 7fb67f9 into master May 9, 2026
13 checks passed
@krdlab krdlab deleted the chore/test-yml-cleanup branch May 9, 2026 08:03