Org foundations: reusable CI, drift check, canonical configs, README template#1
Open
admin-raintree wants to merge 8 commits into
Frozen install (bun/pnpm/npm) -> pin check -> biome -> typecheck -> test -> build -> gitleaks (full history) -> Socket (when API key secret exists). Script-dependent steps skip cleanly so libraries and workers share the same workflow. All actions pinned to commit SHAs. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Scheduled per repo; fails when a repo stops meeting the standard: missing README/STATUS badge, committed .env, unpinned deps, multiple lockfiles, missing biome config or engines.node, unpinned action refs. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Vendored per repo and extended locally. Biome base enforces invariants (VCS, recommended lint, organized imports) leaving formatter style per repo; tsconfig base is strict + noUncheckedIndexedAccess; renovate base pins everything with a 7-day minimumReleaseAge cooldown. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
github.job_workflow_sha keeps check-pinned-deps.mjs and the drift-check engine locked to the exact workflow commit the caller pinned, instead of floating on main. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Raintree Standard — Phase 0 (org foundations)

Defines the org-wide standard once, here, so every repo can converge to it on its own chore/raintree-standard branch.

What's added

- .github/workflows/ci.yml, workflow_call): frozen install (bun/pnpm/npm) → exact-pin check → biome → typecheck → test → build → gitleaks over full history → Socket scan (activates when SOCKET_SECURITY_API_KEY is configured). Script-dependent steps skip cleanly, so apps, libraries, and workers all call the same workflow. Every action pinned to a full commit SHA.
- .github/workflows/drift-check.yml + scripts/drift-check.sh): scheduled per repo; fails on missing README/STATUS badge, committed .env, unpinned deps, multiple lockfiles, missing biome config / engines.node, or unpinned action refs.
- scripts/check-pinned-deps.mjs: fails on any ^/~ range across root + workspace package.json files (workspace:/catalog: protocols allowed; peerDependencies exempt).
- configs/biome.base.jsonc (org invariants; formatter style stays per-repo to avoid mass diffs in live repos), configs/tsconfig.base.json (strict + noUncheckedIndexedAccess), configs/renovate-base.json (pin everything, 7-day minimumReleaseAge cooldown, weekly grouped PRs).
- templates/README.template.md with required STATUS badge (live/WIP/archived) + branding footer; CODEOWNERS for this repo.

Verified

- check-pinned-deps.mjs: passes on raintree-website (0 ranges), fails on next-starter (58 ranges) — correct on both.
- drift-check.sh against raintree-website: exits 1 with exactly one true violation (missing STATUS badge); all other checks pass.

Notes

- raintree-technology (admin-raintree is the admin user account); all references use the real org.

🤖 Generated with Claude Code
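
The exact-pin rule described above for check-pinned-deps.mjs, as an added example that is not the project's own script: it flags ^/~ ranges in parsed package.json objects, allows workspace:/catalog: protocols and never reads peerDependencies. The checked field list, the npm: alias handling, the function names and the sample manifests are assumptions.

```javascript
// Added example, not the project's check-pinned-deps.mjs. Field list, alias
// handling and all names below are assumptions for illustration.
const CHECKED_FIELDS = ["dependencies", "devDependencies", "optionalDependencies"];
const ALLOWED_PROTOCOLS = ["workspace:", "catalog:"]; // peerDependencies are never read

// Return the version-range part of a spec, or null when the spec is exempt.
function rangeOf(spec) {
  if (typeof spec !== "string") return null;
  if (ALLOWED_PROTOCOLS.some((p) => spec.startsWith(p))) return null;
  if (spec.startsWith("npm:")) {
    // Alias form "npm:real-name@^1.2.3": only the part after the last "@" is a range.
    const at = spec.lastIndexOf("@");
    return at > 4 ? spec.slice(at + 1) : "";
  }
  return spec;
}

// Floating when any comparator in the range starts with ^ or ~ ("1.0.0 || ^2.0.0" counts).
function isFloating(range) {
  return range.split(/[\s|]+/).some((token) => /^[\^~]/.test(token));
}

// manifests: [{ file, pkg }] where pkg is a parsed package.json (root or workspace).
function findUnpinned(manifests) {
  const violations = [];
  for (const { file, pkg } of manifests) {
    for (const field of CHECKED_FIELDS) {
      for (const [name, spec] of Object.entries(pkg[field] ?? {})) {
        const range = rangeOf(spec);
        if (range !== null && isFloating(range)) violations.push({ file, field, name, spec });
      }
    }
  }
  return violations;
}

// Constructed sample manifests (package names and versions are made up).
const SAMPLE = [
  { file: "package.json", pkg: {
    dependencies: { "lib-a": "1.4.2", "lib-b": "^3.2.0" },
    devDependencies: { "lib-c": "~5.6.2", "@example/ui": "workspace:^" },
    peerDependencies: { "lib-a": "^1.0.0" } } },
  { file: "packages/ui/package.json", pkg: {
    dependencies: { "lib-d": "catalog:", "lib-e": "npm:lib-e-fork@^4.17.0" },
    optionalDependencies: { "lib-f": "2.3.3 || ^2.4.0" } } },
];

// A CI wrapper would exit non-zero when this list is non-empty.
for (const v of findUnpinned(SAMPLE)) console.log(`${v.file}: ${v.field}.${v.name} -> ${v.spec}`);
```

The alias case matters because an `npm:` spec hides the range behind the real package name, so a check that only looks at the first character of the spec would pass it.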