ci: standard pipeline (bun test + security scanners + dependabot) #8
Merged
Add the shared CI baseline, mirroring the Ix repo's workflows:

- ci.yml: Bun toolchain (oven-sh/setup-bun) + `bun install` + `bun test`, fronted by a stable `CI Passed` aggregator. No build/typecheck step (the repo has no build script or tsconfig; Bun runs the TS tests directly).
- secret-scan.yml: gitleaks via the free MIT binary (the Action needs a paid org license), full-history scan.
- actions-lint.yml + zizmor.yml: zizmor workflow audit on workflow changes.
- dependabot.yml: github-actions ecosystem only. npm is omitted because this is a Bun project (bun.lockb is unparseable by Dependabot's npm updater and no lockfile is committed).

All actions SHA-pinned; least-privilege permissions; persist-credentials:false; concurrency cancellation on every workflow.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The v1.4.2 migration (f9ea81e) changed plugins/ix-plugin.ts to export a named `server` Plugin function that returns a registration object (a `tool` map keyed by tool name + hook handlers like `tool.execute.after`). The PluginHookContract test block was not updated in that commit and still asserted the old default-export `{ name, tools[], hooks[] }` shape, so it failed: `import(...).default` is undefined and there is no 5-hook array.

Update the three assertions to the actual contract: assert the `server` named export is a function, invoke it (the ix-unavailable startup probe is swallowed by its try/catch), and check the returned `tool` map has the 17 expected tools and a `tool.execute.after` hook handler.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Stands up the shared CI baseline for this repo (it had no workflows), mirroring the Ix repo's patterns.
What's added
- `.github/workflows/ci.yml` — installs the Bun toolchain via `oven-sh/setup-bun` (SHA-pinned), runs `bun install` then `bun test`, fronted by a stable `CI Passed` aggregator job so branch protection can require one stable context. `concurrency` cancels superseded runs; top-level `permissions: contents: read`; `persist-credentials: false` on checkout.
  - `tsconfig.json`, and Bun executes the TypeScript tests directly. `bun test` runs the offline contract/fallback suite (the `@live` tests are gated behind `IX_LIVE_TESTS=1`).
- `.github/workflows/secret-scan.yml` — gitleaks via the free MIT binary (the GitHub Action requires a paid org license), full-history scan.
- `.github/workflows/actions-lint.yml` + `.github/zizmor.yml` — zizmor workflow audit (medium+), runs on workflow changes.
- `.github/dependabot.yml` — `github-actions` ecosystem, weekly, grouped.

Decisions

- `github-actions` ecosystem only. This is a Bun project; the only lockfile Bun emits is `bun.lockb`, which Dependabot's npm updater cannot parse, and no lockfile is committed. An npm entry would open PRs bumping `package.json` ranges without regenerating `bun.lockb`, leaving the tree drifted. Documented inline; revisit if Dependabot adds native Bun support.
- All actions are SHA-pinned with version comments; least-privilege permissions throughout.
🤖 Generated with Claude Code
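
Added example, not part of this pull request or the repository: a small line-based check for the workflow hardening properties the description lists (full-SHA pins on `uses:`, top-level `permissions` and `concurrency`, `persist-credentials: false` on checkout). The function names `auditWorkflow` and `stepLines` are hypothetical, both sample workflows are constructed, and the 40-hex refs are placeholders rather than real commits.

```javascript
// Added example (not the repo's code): audit workflow text for the hardening
// properties the PR description lists. Line-based on purpose, no YAML parser.
const FULL_SHA = /^[0-9a-f]{40}$/;

// Lines of the step containing line i: back to the nearest "- " list item,
// then forward while lines are blank or indented deeper than that dash.
function stepLines(lines, i) {
  let start = i;
  while (start > 0 && !/^\s*- /.test(lines[start])) start--;
  const indent = lines[start].search(/\S/);
  let end = start + 1;
  while (end < lines.length &&
         (lines[end].trim() === "" || lines[end].search(/\S/) > indent)) end++;
  return lines.slice(start, end);
}

function auditWorkflow(text) {
  const lines = text.split("\n");
  const findings = [];
  for (const key of ["permissions", "concurrency"]) // top-level keys start in column 0
    if (!lines.some((l) => l.startsWith(key + ":"))) findings.push(`missing top-level ${key}`);
  lines.forEach((line, i) => {
    const m = line.match(/^\s*(?:- )?uses:\s*([^\s#]+)/);
    // Local actions and container images carry no git ref to pin.
    if (!m || m[1].startsWith("./") || m[1].startsWith("docker://")) return;
    const [action, ref = ""] = m[1].split("@");
    if (!FULL_SHA.test(ref)) findings.push(`line ${i + 1}: ${action} not pinned to a full commit SHA`);
    const step = stepLines(lines, i).join("\n");
    if (action === "actions/checkout" && !/persist-credentials:\s*false\b/.test(step))
      findings.push(`line ${i + 1}: checkout without persist-credentials: false`);
  });
  return findings;
}

// Constructed samples; the 40-hex refs are placeholders, not real commits.
const WEAK = [
  "name: CI", "on: [push]", "jobs:", "  test:", "    runs-on: ubuntu-latest", "    steps:",
  "      - uses: actions/checkout@v4",
  "      - uses: oven-sh/setup-bun@v2",
  "      - run: bun install && bun test",
].join("\n");
const HARDENED = [
  "name: CI", "on: [push]", "permissions:", "  contents: read",
  "concurrency:", "  group: ci", "  cancel-in-progress: true",
  "jobs:", "  test:", "    runs-on: ubuntu-latest", "    steps:",
  "      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder",
  "        with:", "          persist-credentials: false",
  "      - uses: oven-sh/setup-bun@89abcdef0123456789abcdef0123456789abcdef # placeholder",
  "      - run: bun install", "      - run: bun test",
].join("\n");
console.log(auditWorkflow(WEAK), auditWorkflow(HARDENED));
```

This sketch does not replace the zizmor audit the PR wires in; it only makes the listed properties concrete on a single file.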