Skip to content

chore: align CI files with develop (dependabot, pr-validation, publish) #30

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Zaiidmo merged 1 commit into from
Apr 6, 2026
+31 −61
Merged

chore: align CI files with develop (dependabot, pr-validation, publish) #30

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
26 changes: 6 additions & 20 deletions .github/dependabot.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,34 +1,20 @@
version: 2
updates:
# npm dependencies
- package-ecosystem: npm
directory: "/"
schedule:
interval: weekly
day: monday
time: "03:00"
interval: monthly
open-pull-requests-limit: 1
groups:
npm-dependencies:
patterns:
- "*"
assignees:
- CISCODE-MA/cloud-devops
- CISCODE-MA/devops
labels:
- "dependencies"
- "npm"
commit-message:
prefix: "chore(deps)"
include: "scope"
rebase-strategy: auto
Copy link

Copilot AI Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This change removes Dependabot updates for github-actions. Without a separate updater, action versions in workflows will no longer be kept current, which can miss security fixes and bugfixes. Consider re-adding a github-actions update entry (potentially grouped/limited similarly) if you still want automated workflow dependency maintenance.

Suggested change
rebase-strategy: auto
rebase-strategy: auto
- package-ecosystem: github-actions
directory: "/"
schedule:
interval: monthly
open-pull-requests-limit: 1
assignees:
- CISCODE-MA/devops
labels:
- "dependencies"
- "github-actions"
commit-message:
prefix: "chore(deps)"
include: "scope"
rebase-strategy: auto

Copilot uses AI. Check for mistakes.

# GitHub Actions
- package-ecosystem: github-actions
directory: "/"
schedule:
interval: weekly
day: sunday
time: "03:00"
assignees:
- CISCODE-MA/cloud-devops
labels:
- "dependencies"
- "github-actions"
commit-message:
prefix: "ci(deps)"
11 changes: 3 additions & 8 deletions .github/workflows/pr-validation.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,13 +9,8 @@ permissions:

jobs:
validate:
name: CI - PR Validation (Node ${{ matrix.node-version }} / ${{ matrix.os }})
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
os: [ubuntu-latest, windows-latest]
node-version: [20, 22]
name: CI - PR Validation
runs-on: ubuntu-latest

steps:
- name: Checkout
Expand All @@ -24,7 +19,7 @@ jobs:
- name: Setup Node
uses: actions/setup-node@v4
with:
node-version: ${{ matrix.node-version }}
node-version: 22
cache: npm
Comment on lines 11 to 23
Copy link

Copilot AI Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CI now runs only on Ubuntu + Node 22, but package.json declares engines.node as ">=20". If Node 20 is still supported, consider restoring a Node 20 job (and any intended OS matrix) to prevent regressions; otherwise, update the engines field to reflect the actual supported Node version(s).

Copilot uses AI. Check for mistakes.

- name: Install
Expand Down
55 changes: 22 additions & 33 deletions .github/workflows/publish.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,56 +22,45 @@ jobs:

- name: Validate version tag and package.json
run: |
# Since develop→master may be a squash merge, look for the latest version tag anywhere in the repo
# This handles both regular merges and squash merges
TAG=$(git tag --list --sort=-version:refname 'v*.*.*' | head -1 || echo "")
PKG_VERSION=$(grep '"version"' package.json | head -1 | sed 's/.*"version": "\([^"]*\)".*/\1/')
Copy link

Copilot AI Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reading the package version via grep/sed is brittle (depends on JSON formatting and the first "version" occurrence). Consider parsing package.json with a JSON-aware approach (e.g., node -p "require('./package.json').version" after setup-node, or jq -r .version) to avoid false reads/breakage when formatting changes.

Suggested change
PKG_VERSION=$(grep '"version"' package.json | head -1 | sed 's/.*"version": "\([^"]*\)".*/\1/')
PKG_VERSION=$(jq -r '.version' package.json)

Copilot uses AI. Check for mistakes.
TAG="v${PKG_VERSION}"

if [[ -z "$TAG" ]]; then
echo "❌ ERROR: No version tag found!"
echo ""
echo "This typically happens when:"
echo " 1. You forgot to run 'npm version patch|minor|major' on develop"
echo " 2. You didn't push tags: git push origin develop --tags"
echo " 3. Tags weren't pushed to GitHub before merge"
echo ""
echo "📋 Correct workflow:"
echo " 1. On develop: npm version patch (or minor/major)"
echo " 2. On develop: git push origin develop --tags"
echo " 3. Create PR develop→master and merge (can be squash merge)"
echo " 4. Workflow automatically triggers on master with the tag"
echo ""
if [[ -z "$PKG_VERSION" ]]; then
echo "❌ ERROR: Could not read version from package.json"
exit 1
fi

# Validate tag format
if [[ ! "$TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
echo "❌ ERROR: Invalid tag format: '$TAG'"
echo "Expected format: v*.*.* (e.g., v1.0.0, v0.2.3)"
echo "❌ ERROR: Invalid version format in package.json: '$PKG_VERSION'"
echo "Expected format: x.y.z (e.g., 1.0.0, 0.2.3)"
exit 1
fi

# Extract version from tag
TAG_VERSION="${TAG#v}" # Remove 'v' prefix
PKG_VERSION=$(grep '"version"' package.json | head -1 | sed 's/.*"version": "\([^"]*\)".*/\1/')

# Verify package.json version matches tag
if [[ "$TAG_VERSION" != "$PKG_VERSION" ]]; then
echo "❌ ERROR: Version mismatch!"
echo " Tag version: $TAG_VERSION"
echo " package.json: $PKG_VERSION"
if ! git rev-parse "$TAG" >/dev/null 2>&1; then
echo "❌ ERROR: Tag $TAG not found!"
echo ""
echo "This typically happens when:"
echo " 1. You forgot to run 'npm version patch|minor|major' on your feature branch"
echo " 2. You didn't push the tag: git push origin <feat/your-feature> --tags"
echo " 3. The tag was created locally but never pushed to remote"
echo ""
echo "📋 Correct workflow:"
echo " 1. On feat/** or feature/**: npm version patch (or minor/major)"
echo " 2. Push branch + tag: git push origin feat/your-feature --tags"
echo " 3. PR feat/** → develop, then PR develop → master"
echo " 4. Workflow automatically triggers on master push"
echo ""
echo "Fix: Make sure you ran 'npm version' before pushing"
exit 1
fi

echo "✅ Valid tag found: $TAG"
echo "✅ Version matches package.json: $PKG_VERSION"
echo "✅ package.json version: $PKG_VERSION"
echo "✅ Tag $TAG exists in repo"
Comment on lines +56 to +57
Copy link

Copilot AI Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

git rev-parse "$TAG" only verifies that the tag exists somewhere in the repo; it doesn’t ensure the workflow is building the commit that the tag points to. As written, a push to master could publish from an untagged commit as long as an old vX.Y.Z tag exists. Consider requiring the current HEAD to be exactly tagged (e.g., git describe --tags --exact-match) or verifying git rev-parse "$TAG" equals git rev-parse HEAD before publishing.

Suggested change
echo "✅ package.json version: $PKG_VERSION"
echo "✅ Tag $TAG exists in repo"
TAG_COMMIT=$(git rev-parse "$TAG")
HEAD_COMMIT=$(git rev-parse HEAD)
if [[ "$TAG_COMMIT" != "$HEAD_COMMIT" ]]; then
echo "❌ ERROR: Current HEAD does not match tag $TAG"
echo ""
echo "Details:"
echo " HEAD commit: $HEAD_COMMIT"
echo " $TAG commit: $TAG_COMMIT"
echo ""
echo "The master branch must point to the exact commit tagged with $TAG"
echo "before publishing. Make sure you are building from the tagged commit."
exit 1
fi
echo "✅ package.json version: $PKG_VERSION"
echo "✅ Tag $TAG exists in repo and matches HEAD"

Copilot uses AI. Check for mistakes.
echo "TAG_VERSION=$TAG" >> $GITHUB_ENV
Copy link

Copilot AI Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

TAG_VERSION is being set to the full tag string (e.g., v1.2.3) and doesn’t appear to be used elsewhere in this workflow. Either remove this environment export, or rename it to reflect it’s a tag (or export both TAG and a tag-less version) to avoid confusion for future edits.

Suggested change
echo "TAG_VERSION=$TAG" >> $GITHUB_ENV

Copilot uses AI. Check for mistakes.

- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: "20"
node-version: "22"
registry-url: "https://registry.npmjs.org"
cache: "npm"

Expand Down
Loading