Commit Graph
45 Commits
Author SHA1 Message Date
Kai (Tam Nhu) TranandGitHub e7ce699dc2 fix(ci): reviewer loop 6 — REV12 compose image parsing, REV13 fork bypass, REV14 :full audit (#1278)
* fix(ci): breaking-change-guard handles \${VAR:-default} compose image syntax (REV12)

The sed 's/:.*//' pattern truncated at the first colon in the
\${CCS_IMAGE:-ghcr.io/...} expression, yielding "\${CCS_IMAGE" as the
image name instead of the actual registry path. Any change to the default
image namespace was therefore undetectable.

Introduce extract_image_name() that first strips the \${VAR:-default}
wrapper with a sed -E expression, then strips only the trailing :tag
suffix using a pattern that preserves internal colons (e.g. registry:5000/
owner/repo). Applied to both OLD_RAW and NEW_RAW extraction paths.

* fix(ci): breaking-change-guard runs on ubuntu-latest to cover forked PRs (REV13)

The trusted-author gate (COLLABORATOR|MEMBER|OWNER) caused forked-PR
contributors to bypass the breaking-change check entirely. A forked
contributor could rename services.ccs or change the image namespace
without a feat!/fix! marker and the guard would never run.

This workflow is a documented exception to the self-hosted-first policy:
it performs ONLY pure YAML diff parsing (git show / awk / sed). No build,
install, or arbitrary PR-branch scripts are executed. The checkout uses
persist-credentials: false. There is no untrusted code execution, so
ubuntu-latest is safe and necessary for universal fork coverage.

Update self-hosted-runner-policy.test.ts to:
- Introduce GITHUB_HOSTED_RUNNER_EXCEPTIONS registry with required
  justification comments for each entry
- Skip exception workflows in the "keeps active workflows on local runners"
  and "gates pull-request workflows" assertions
- Add a new "documented exceptions use github-hosted runners" test that
  verifies each exception entry actually uses a GitHub-hosted runner
  (prevents stale entries accumulating without cleanup)
2026-05-17 06:01:25 -04:00
Kai (Tam Nhu) TranandGitHub 78004746be fix: address upstream reviewer findings + failing CI checks (#1261 loop 1) (#1271)
* fix(ci): breaking-change-guard skips missing base files (CI-1)

Guard each git-show call with git cat-file -e existence check before
attempting to read docker/compose.yaml from the base branch. When the
file doesn't exist on the base (new file in this PR), the script would
crash with "fatal: path exists on disk but not in origin/dev". New
files can't cause a contract regression, so we exit early with
breaking=0.

* style: prettier reformat unrelated drift (CI-2)

Two files had minor formatting drift from earlier umbrella PRs:
- src/cliproxy/quota/quota-manager.ts
- src/management/checks/image-analysis-check.ts

No logic changes — formatter-only pass to unblock CI format:check.

* fix(test): update trusted-author gate count to 4 in ci-workflow test (CI-3)

PR #1260 added a compose-parity job to ci.yml. That job runs on
self-hosted runners using PR-provided checkout, so it legitimately
requires the trusted-author guard (same as validate, build, test).

The test expected 3 occurrences; the correct count is now 4:
  validate (matrix), build, test, compose-parity.

* fix(ci): smoke-test passes compose path + image ref to network-contract (REV-1)

network-contract.sh signature is: <compose-file> [image-ref]
The smoke-test job was calling it as:
  bash tests/docker/network-contract.sh "${{ steps.image.outputs.ref }}"
which placed the image ref in the compose-file position ($1), causing
the script to try docker compose -f <image-ref> which fails.

Corrected to:
  bash tests/docker/network-contract.sh docker/compose.yaml "${{ steps.image.outputs.ref }}"

Also removes publish-dashboard from smoke-test.needs (REV-2): when
publish-dashboard is SKIPPED on prerelease events, GitHub Actions
propagates the skip to downstream jobs, so smoke-test and
promote-mutable-tags were silently skipped on every rc.N publish.
smoke-test only verifies the integrated image; it has no dependency
on the legacy dashboard image job.

* docs(docker): annotate /root/.ccs path in compose volume (REV-3 clarification)

The reviewer raised a concern that the compose volume mounts /root/.ccs
but the entrypoint might default to /home/node/.ccs. This is a false
positive: the integrated image uses entrypoint-integrated.sh (not
entrypoint.sh), which runs under supervisord with user=root and
explicitly mkdir -p /root/.ccs. HOME is /root inside the container.
The volume mount at /root/.ccs is correct.

Added an inline comment documenting the reasoning so future reviewers
do not confuse entrypoint.sh (legacy dashboard image) with
entrypoint-integrated.sh (integrated image).

* fix(ci): gate docs-parity pull_request job to trusted authors

docs-parity.yml runs on a self-hosted runner and checks out PR code.
The self-hosted-runner-policy test requires any such workflow to include
the trusted-author guard. The workflow was missing the guard, causing
bun test:fast to fail with 1 failure.

Allow push events (no author check needed — push is to own branch)
and trusted-contributor PRs only.
2026-05-16 13:57:50 -04:00
Kai (Tam Nhu) TranandGitHub 2273757c83 fix(ci): harden self-hosted workflow trust boundaries
Keep active CCS workflows on self-hosted runners, gate self-hosted PR execution to trusted authors, and scope privileged release credentials to the exact git operations that need them.
2026-05-12 12:34:15 -04:00
Tam Nhu Tran 33a1553431 test: include colocated cliproxy tests in buckets 2026-04-30 12:49:57 -04:00
Tam Nhu Tran 4458774d5c fix(ci): align stable release runner 2026-04-28 23:30:33 -04:00
Tam Nhu Tran 0381fa9b52 fix(ci): align release sync with protected dev checks 2026-04-28 23:14:25 -04:00
Kai (Tam Nhu) TranandGitHub 8d4a7761b1 fix(ci): guard generated dev release commits 2026-04-28 22:33:14 -04:00
Kai (Tam Nhu) TranandGitHub fea7f18687 fix(ci): keep dev release commits visible to PR checks 2026-04-28 22:18:45 -04:00
Tam Nhu Tran aa4a05e859 ci: preserve fast test budget summary on failure 2026-04-23 19:52:12 -04:00
Tam Nhu Tran 4c677507d0 ci: add fast test budget warning 2026-04-23 17:25:48 -04:00
Tam Nhu Tran 5081231667 test(ci): keep split browser MCP suites in slow bucket 2026-04-22 23:20:11 -04:00
Tam Nhu Tran 6d4dcc1174 fix(ci): keep fast bucket stable for commonjs tests 2026-04-22 16:00:39 -04:00
Tam Nhu Tran 5af639ddf7 fix(ci): tighten slow bucket guardrails 2026-04-22 15:54:07 -04:00
Tam Nhu Tran cf5fc96b7d test(ci): cover pr workflow coverage 2026-04-22 15:23:00 -04:00
Tam Nhu Tran b9f5783fac test(ci): cover push quality workflow 2026-04-22 15:06:55 -04:00
Tam Nhu Tran 06fffd3025 fix(ci): use PAT token for dev release pushes
- align dev-release workflow with protected-branch bypass used by release.yml

- add a workflow regression test so checkout and release auth do not drift back to github.token
2026-04-20 14:56:25 -04:00
Tam Nhu Tran 4c63f1a0db feat(ci): make PR-Agent reviews more verbose 2026-04-14 17:59:01 -04:00
Tam Nhu Tran 4bd16b89ce fix(ci): restore PR-Agent reviewer bot identity 2026-04-14 17:22:50 -04:00
Tam Nhu Tran c4ad2cae10 fix(ci): raise PR-Agent custom model budget 2026-04-14 15:41:25 -04:00
Tam Nhu Tran 9a91901a9b fix(ci): allow PR-Agent dispatch bot reruns 2026-04-14 14:19:28 -04:00
Tam Nhu Tran 0d2ce7d1b3 fix(ci): restore trusted PR review dispatch 2026-04-14 13:47:55 -04:00
Tam Nhu Tran d6ec5eeebd fix(ci): preserve AI review variable contract 2026-04-14 13:28:29 -04:00
Tam Nhu Tran e1271e2dbf fix(ci): restrict self-hosted PR-Agent comment triggers 2026-04-14 12:43:25 -04:00
Tam Nhu Tran 25216eaf33 feat(ci): migrate AI review to self-hosted PR-Agent 2026-04-14 12:39:52 -04:00
Tam Nhu Tran 72d8f36b5d test(ci): update ai-review workflow runtime assertions 2026-04-13 11:38:09 -04:00
Tam Nhu Tran f954f0f8ab hotfix: update ai-review workflow model budget
- switch the reviewer workflow from glm-5-turbo to glm-5.1

- increase workflow timeout to 20 minutes and max turns to 45

- lock the workflow test to the full reviewer model configuration

Closes #922
2026-04-07 16:43:30 -04:00
Tam Nhu Tran 58a0fc43e6 hotfix(ci): restore default ai review output 2026-04-02 14:36:12 -04:00
Tam Nhu Tran 80e22515b0 hotfix(ci): separate ai review evidence blocks 2026-04-02 03:20:26 -04:00
Tam Nhu Tran 0be4ef7a0d hotfix(ci): expand ai review comment layout 2026-04-02 03:14:49 -04:00
Tam Nhu Tran 25dddf4707 hotfix(ci): compact ai review comments and switch to glm-5-turbo 2026-04-02 01:07:03 -04:00
Tam Nhu Tran f6779a503a hotfix(ci): preserve literal snippet indentation in ai review comments 2026-04-02 00:48:14 -04:00
Tam Nhu Tran 07b4275543 hotfix(ci): render fenced evidence snippets in ai review comments 2026-04-02 00:44:44 -04:00
Tam Nhu Tran 164a8af82a hotfix(ci): improve ai review comment formatting 2026-04-02 00:35:03 -04:00
Tam Nhu Tran f47e7ae5a7 hotfix(ci): clean up ai review reruns and logging 2026-04-02 00:31:51 -04:00
Tam Nhu Tran 5b9427f8a0 hotfix(ci): restore reliable structured ai review comments 2026-04-02 00:24:29 -04:00
Tam Nhu Tran 4e05488c19 hotfix(ci): keep ai review feedback fast and deterministic 2026-04-01 22:20:55 -04:00
Tam Nhu Tran 3935574494 fix(ci): degrade timed-out ai reviews gracefully 2026-04-01 20:38:14 -04:00
Tam Nhu Tran 44e2a49650 fix(ci): resolve self-hosted Claude path dynamically 2026-04-01 20:24:52 -04:00
Tam Nhu Tran 09276518a7 fix(ci): repair ai review fallback scope script 2026-04-01 20:18:28 -04:00
Tam Nhu Tran 0883b9a8fe fix(ci): use self-hosted Claude binary for ai review 2026-04-01 20:13:03 -04:00
Tam Nhu Tran 7396179c72 feat(ci): bound ai review runtime for large PRs
- add trusted scope generation for bounded ai-review runs
- restrict large PR reviews to a prepared read-only workspace
- render explicit mode, scope, and budget metadata in review comments

Closes #880
2026-04-01 19:54:11 -04:00
Tam Nhu Tran fa37f391c1 fix: harden ai review comment formatting 2026-03-30 16:08:21 -04:00
Tam Nhu Tran 4950be7fc0 fix(ci): harden ai review output
- replace raw assistant-text fallback with structured output normalization

- simplify the review prompt toward a tighter findings-only contract

- add tests for malformed output, safe fallback, and markdown escaping
2026-03-30 14:22:59 -04:00
Tam Nhu Tran e6617726cb fix: harden CCS backlog sync pagination and recovery 2026-03-28 09:51:53 -04:00
Tam Nhu Tran 65a1d8ae2c fix(hardening): handle regex literals after else/do 2026-02-12 15:20:22 +07:00