[chore] follow-ups omnibus: SHA-pin Actions + idiom sweep + cleanup #55
Merged
…leanup

Bundles 8 ready-now items from docs/FOLLOWUPS.md whose triggers were satisfied. Two further items were verified stale during execution and closed in the FOLLOWUPS file rather than re-implemented.

CI / release-pipeline hardening:
- SHA-pin every GitHub Actions ref across all workflows (checkout, setup-go, upload-artifact, codeql-action/*, setup-qemu-action, govulncheck-action). Dependabot's github-actions group keeps these bumped weekly as one grouped PR.
- Reconcile actions/upload-artifact major-version drift: callsites were split across @v5 (chaos / kernelevents-integration / nccl-fr-fuzz-nightly) and @v7.0.1 (release / ci). Unified on v7.0.1.
- Tighten cosign verify-blob smoke check with --certificate-github-workflow-ref refs/tags/$TAG and --trigger push. Strictly tighter than the prior IDENTITY_REGEXP-only check; binds to this exact tag and rejects workflow_dispatch bundles.
- Mirror the tightened flags in docs/reproducibility.md step 5; add --source-ref / --source-digest to step 6's gh attestation verify.
- Emit Rekor logIndex URL into the release body so transparency-log audits don't require bundle archaeology.
- Wire `make mod-verify` into `make ci` (cheap GOPROXY defense).

Code-quality sweeps:
- Convert ~49 C-style `for i := 0; i < N; i++` loops to Go 1.22+ `for i := range N` (or `for range N` when the index is unused). 6 holdouts have non-convertible conditions (compound &&, non-unit `i += 2`, or non-`i` predicate).
- Backfill 18 raw "Normal"/"Warning" sites in components/receivers/k8sevents tests to use EventTypeNormal / EventTypeWarning constants.
- Export k8sevents.ComponentType = "k8s_events"; convert 8 test callsites of pipeline.MustNewType("k8s_events") to use the constant.
- Lock the no-Server-header invariant with TestServer_NoServerHeader in internal/telemetry. (Audit: Go's net/http does not emit a default Server header in any path; the FOLLOWUPS row "Server: header strip" has nothing to strip — the test prevents future regression.)

Closed-as-stale (no code change, FOLLOWUPS updated with rationale):
- Next-up #1 `make doc-check`: shipped previously (Makefile:192, in `make ci` chain) but FOLLOWUPS still listed it as next-up.
- M8 opportunistic "promote build-tags to pr-validation.yml": ci.yml:37 already runs `make build-tags` as its own named step and no `pr-validation.yml` workflow exists in the tree.

Verification:
- `make ci` exit 0 on the worktree branch.
- Coverage above floor on every package, govulncheck clean, doc-check + alert-check pass, vet clean across default + dcgm build tags.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Signed-off-by: Tri Lam <trilamsr@gmail.com>
trilamsr added a commit that referenced this pull request on May 18, 2026:
## What this PR does

Backfills documentation tracking that PR #55 (the follow-ups omnibus) didn't touch:

1. **`CHANGELOG.md`** — new `### Security` section under `[Unreleased]` with the SHA-pin / cosign-flag-tightening entries; new `### Changed` rows for the Rekor `logIndex` URL emission in release notes and `mod-verify` wired into `make ci`.
2. **`docs/notes/pr-workflow.md`** — repo-wide lesson: audit `docs/FOLLOWUPS.md` rows for staleness *before* implementing. 2 of 10 omnibus items were already shipped but still listed; trust the code, not the row.
3. **`.claude/notes/automation.md`** — agent-internal lesson: don't escape backticks inside a single-quoted HEREDOC. PR #55's body fed the `pr-lint` awk regex literal backslashes instead of triple-backticks; the required check went red until the body was re-edited via `gh pr edit`.

No code changes; `make doc-check` clean.

## Linked issue(s)

_No linked issue._

## Release notes

```release-notes
NONE
```

## Checklist

- [x] No code change; docs-only
- [x] `make doc-check` passes
- [x] Commits are signed off

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Signed-off-by: Tri Lam <trilamsr@gmail.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
trilamsr added a commit that referenced this pull request on May 19, 2026:
Adds actionlint (https://github.com/rhysd/actionlint) as a CI gate covering all `.github/workflows/*.yml` files. Catches yaml syntax issues and shellcheck violations in `run:` blocks before they break a PR's required-check.

Wired via the existing repo convention: `go get -tool` adds it to the go.mod tool stanza (alongside golangci-lint, gofumpt, addlicense, goimports, govulncheck). `make actionlint` invokes `go tool actionlint`, so the version is pinned in go.sum and Dependabot's weekly go-deps group keeps it bumped.

Audit result: zero findings on current workflows. The PR #55 sweep (SHA-pin all Actions) had no actionlint validating it; this gate ensures the next workflow yaml edit doesn't ship a regression.

Closes the actionlint half of the FOLLOWUPS "CI Actions linters" row. zizmor remains open as a separate follow-up — it surfaces a different finding class (expression injection, untrusted input in run-blocks, over-broad permissions) and is expected to produce real findings on release.yml's 400 lines.

Verification:
- `make actionlint` exit 0 (10 workflow files clean)
- `make ci` exit 0 end-to-end

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Signed-off-by: Tri Lam <trilamsr@gmail.com>
trilamsr added a commit that referenced this pull request on May 19, 2026:
## What this PR does

Adds [actionlint](https://github.com/rhysd/actionlint) as a CI gate covering `.github/workflows/*.yml`. Catches yaml syntax issues and shellcheck violations in `run:` blocks before they break a PR's required-check.

Wired via the existing repo convention: `go get -tool` adds it to the go.mod tool stanza (alongside golangci-lint, gofumpt, addlicense, goimports, govulncheck). `make actionlint` invokes `go tool actionlint`, so the version is pinned in go.sum and Dependabot's weekly go-deps group keeps it bumped.

**Audit result: zero findings on current workflows.** The PR #55 sweep (SHA-pin all Actions) had no actionlint validating it; this gate ensures the next workflow yaml edit doesn't ship a regression.

Closes the actionlint half of the FOLLOWUPS "CI Actions linters" row. zizmor remains open as a separate follow-up — different finding class (expression injection, untrusted input in run-blocks, over-broad permissions) and expected to produce real findings on release.yml's 400 lines.

## Linked issue(s)

_No linked issue._

## Release notes

```release-notes
NONE
```

## Checklist

- [x] `make actionlint` exit 0 (10 workflow files clean)
- [x] `make ci` exit 0 end-to-end
- [x] go.mod / go.sum tidied (`make tidy-check` passes)
- [x] Commits are signed off

## Test plan

- [x] Local `make ci` green
- [ ] CI green on this PR
- [ ] After merge: a future PR that introduces a yaml syntax error or shellcheck-flagged `run:` block fails the new gate

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Signed-off-by: Tri Lam <trilamsr@gmail.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
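The two workflow properties discussed on this page, full-SHA pinning of every `uses:` ref (the #55 sweep) and the zizmor finding class of `${{ … }}` expansions of attacker-influenced contexts inside `run:` blocks, can be checked with a few lines of code when neither actionlint nor zizmor is on PATH. The following is an added example, not code from the repository, this PR or either tool: a line-oriented Go scan (a heuristic, not a YAML parser) that flags refs not pinned to a 40-hex commit SHA and flags `github.event.*`, `github.head_ref` and `inputs.*` expansions inside `run:`, while accepting the safe `env:` indirection. The workflow text, the action names and the SHA in it are constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one lint hit: 1-based line, rule id, and the offending text.
type Finding struct {
	Line int
	Rule string
	Msg  string
}

var (
	// A ref is "pinned" only when the part after '@' is a full commit SHA.
	fullSHA = regexp.MustCompile(`^[0-9a-f]{40}$`)
	// Contexts a PR author, issue author or branch name controls; expanding
	// them inside run: is shell/template injection (zizmor's finding class).
	untrusted = regexp.MustCompile(`\$\{\{[^}]*(github\.event\.|github\.head_ref|inputs\.)[^}]*\}\}`)
)

// indentOf returns the column of the first key, treating "- " as indentation
// so that list items and their nested keys compare correctly.
func indentOf(line string) int {
	n := len(line) - len(strings.TrimLeft(line, " "))
	if strings.HasPrefix(line[n:], "- ") {
		n += 2
	}
	return n
}

// LintWorkflow scans workflow YAML line by line and returns findings in order.
func LintWorkflow(src string) []Finding {
	var out []Finding
	inRun, runIndent := false, 0
	for i, raw := range strings.Split(src, "\n") {
		if strings.TrimSpace(raw) == "" {
			continue
		}
		n, ind := i+1, indentOf(raw)
		if inRun && ind <= runIndent { // dedent ends a run: block
			inRun = false
		}
		key := strings.TrimPrefix(strings.TrimSpace(raw), "- ")
		switch {
		case strings.HasPrefix(key, "uses:"):
			ref := strings.TrimSpace(strings.TrimPrefix(key, "uses:"))
			if c := strings.Index(ref, "#"); c >= 0 { // drop "# vX.Y.Z" comment
				ref = strings.TrimSpace(ref[:c])
			}
			if strings.HasPrefix(ref, "./") { // local actions cannot be SHA-pinned
				break
			}
			at := strings.LastIndex(ref, "@")
			if at < 0 || !fullSHA.MatchString(ref[at+1:]) {
				out = append(out, Finding{n, "unpinned-uses", ref})
			}
		case strings.HasPrefix(key, "run:"):
			inRun, runIndent = true, ind
		}
		if inRun && untrusted.MatchString(raw) {
			out = append(out, Finding{n, "template-injection", strings.TrimSpace(raw)})
		}
	}
	return out
}

// sampleWorkflow is constructed for this example; the SHA is not a real commit.
const sampleWorkflow = `name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567 # v5.0.0
      - run: echo "${{ github.event.pull_request.title }}"
      - run: |
          go build ./...
          echo "${{ inputs.tag }}"
      - env:
          TITLE: ${{ github.event.pull_request.title }}
        run: echo "$TITLE"
      - uses: ./.github/actions/local
`

func main() {
	for _, f := range LintWorkflow(sampleWorkflow) {
		fmt.Printf("line %d: %s: %s\n", f.Line, f.Rule, f.Msg)
	}
}
```

On the sample this reports the `@v4` tag on line 7 and the two `run:` expansions on lines 9 and 12; the pinned `setup-go` ref with its version comment, the `env:`-mediated `$TITLE`, and the local action are clean. The `env:` form is the fix zizmor recommends: the value reaches the shell as data, not as text spliced into the script.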
trilamsr added a commit that referenced this pull request on May 19, 2026:
## What this PR does

Follow-up to #64 (zizmor security-lint gate). Trims comments that didn't pass the six-months-cold-reader test. The commit was prepared on the #64 branch but pushed seconds after that PR auto-merged, so it never made it in — re-applying as a standalone follow-up.

Comments trimmed:
- `scripts/zizmor.sh`: dropped per-flag descriptions in the header block — `--no-progress` and `--config` don't need explainers; the WHY for `--min-severity=high` stays. Also fixed a stale error-message prefix copied from register-lint.
- `.github/zizmor.yml`: 6 lines → 3. Kept the one load-bearing claim ("ignores live inline").
- `release.yml` cache-poisoning ignores: 6 lines → 2. Kept the WHY (cache keyed on go.sum, trust root M3 already validates); dropped the meta-pointer to zizmor.yml (which no longer carries the rationale) and the audit-confidence parens.
- `release.yml` INPUT_TAG env comment: 4 lines → 2.

No behavior change. `make ci` exit 0 (one transient kernelevents flake on first run, passed on retry — same intermittent test seen in this session's PRs #55, #60, #62, #63, #64).

## Linked issue(s)

_No linked issue._ Follows up #64.

## Release notes

```release-notes
NONE
```

## Checklist

- [x] `make ci` exit 0
- [x] No behavior change; pure documentation hygiene
- [x] Commits are signed off

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Signed-off-by: Tri Lam <trilamsr@gmail.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
trilamsr added a commit that referenced this pull request on May 19, 2026:
#68)

## What this PR does

Two small fixes that turn this session's lessons into code instead of notes-to-self:

### 1. Deflake `TestJournaldSource_StreamsMockOutput`

The 2s deadline for the mock-journalctl test was tight on loaded macOS / CI runners — subprocess spawn + fixture read + goroutine schedule could miss it. The test flaked on 5 of 5 PRs in this session that exercised the full suite (#55, #60, #62, #63, #64). Bumped the deadline 2s → 5s. The non-flake budget for "no record ever emitted" regressions stays well under the deadline; 5s just absorbs runner jitter without hiding real bugs.

### 2. Warn locally when `shellcheck` isn't on PATH

`actionlint` silently skips run-block shellcheck when shellcheck isn't on PATH (macOS doesn't ship shellcheck by default). PR #62 passed `make actionlint` locally and then surfaced 4 shellcheck findings in CI — exactly the failure mode the gate is supposed to prevent.

`make actionlint` now prints a `WARNING: shellcheck not on PATH; actionlint will skip run-block shellcheck.` line with `brew install` / `apt-get install` hints when the binary is missing. The underlying lint still runs; the warning just makes the gap visible to the macOS dev.

## Linked issue(s)

_No linked issue._

## Release notes

```release-notes
NONE
```

## Checklist

- [x] `make ci` exit 0 (test passes deterministically with new deadline)
- [x] `make actionlint` shows the warning when shellcheck is uninstalled (verified locally)
- [x] No behavior change in CI (shellcheck already on Linux runners)
- [x] Commits are signed off

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Signed-off-by: Tri Lam <trilamsr@gmail.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
## What this PR does

Bundles 8 ready-now items from `docs/FOLLOWUPS.md` whose triggers were satisfied; closes 2 more as already-shipped or already-satisfied. Three themes: CI/release-pipeline hardening, code-quality sweeps, and FOLLOWUPS hygiene.

CI / release-pipeline hardening:

- SHA-pin every GitHub Actions ref across all workflows. Dependabot's `github-actions` group keeps these bumped weekly as one grouped PR.
- Reconcile `actions/upload-artifact` major-version drift: callsites were split between `@v5` and `@v7.0.1`. Unified on v7.0.1.
- Tighten `cosign verify-blob` smoke check with `--certificate-github-workflow-ref refs/tags/$TAG` and `--trigger push`. Strictly tighter than the prior `IDENTITY_REGEXP`-only check.
- Mirror the tightened flags in `docs/reproducibility.md` step 5; add `--source-ref` / `--source-digest` to step 6's `gh attestation verify`.
- Emit Rekor `logIndex` URL into release notes so transparency-log audits don't require bundle archaeology.
- Wire `make mod-verify` into `make ci`.

Code-quality sweeps:

- Convert ~49 C-style `for i := 0; i < N; i++` loops to Go 1.22+ `for i := range N` (or `for range N` when the index is unused). 6 holdouts have non-convertible conditions (compound `&&`, `i += 2`, or non-`i` predicate).
- Backfill 18 raw `"Normal"`/`"Warning"` sites in k8sevents tests to use `EventTypeNormal`/`EventTypeWarning` constants.
- Export `k8sevents.ComponentType = "k8s_events"`; convert 8 test callsites.
- Lock the no-Server-header invariant in `internal/telemetry` with a test. (Audit finding: Go's `net/http` does not emit a default `Server` header in any path; the FOLLOWUPS row had nothing to strip — the test prevents future regression.)

Closed-as-stale (no code change, FOLLOWUPS updated with rationale):

- `make doc-check`: already shipped (Makefile:192, in `make ci` chain).
- "Promote build-tags to pr-validation.yml": `ci.yml:37` already runs `make build-tags` directly; no `pr-validation.yml` exists.

## Linked issue(s)

_No linked issue._

## Release notes

## Checklist

- [x] Tests added (`TestServer_NoServerHeader`; existing tests continue to pass)
- [x] `make ci` passes on the worktree branch (exit 0)

## Test plan

- [x] `make ci` exit 0 (coverage above floor, govulncheck clean, doc-check + alert-check pass, vet clean across default + `dcgm` build tags)
- [ ] … `workflow_dispatch` once merged or at next tag cut.

🤖 Generated with Claude Code
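The audit finding above (Go's `net/http` never adds a default `Server` header) is only worth a regression test if the test observes the server's real response path, and the invariant is only safe if something also catches a handler or library that sets the header later. The following is an added example, not the repository's `TestServer_NoServerHeader` or any of its code: `ServerHeader` makes one GET through `httptest.NewServer` on loopback (a `ResponseRecorder` would bypass the server's header finalisation and prove nothing), and `StripServerHeader` is a wrapper that deletes `Server` at the last point headers are still mutable, including the case where a handler sets it and returns without writing. The handler names and the `/healthz` path are assumptions for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// ServerHeader serves one GET against h through a real net/http server and
// reports the Server response header and whether it was present at all.
func ServerHeader(h http.Handler) (value string, present bool, err error) {
	srv := httptest.NewServer(h)
	defer srv.Close()
	resp, err := http.Get(srv.URL + "/healthz")
	if err != nil {
		return "", false, err
	}
	defer resp.Body.Close()
	vals, ok := resp.Header["Server"]
	if !ok || len(vals) == 0 {
		return "", false, nil
	}
	return vals[0], true, nil
}

// noServerWriter deletes Server when the status line is committed, which is
// the last moment at which response headers can still be changed.
type noServerWriter struct {
	http.ResponseWriter
	committed bool
}

func (w *noServerWriter) WriteHeader(code int) {
	if !w.committed {
		w.committed = true
		w.Header().Del("Server")
	}
	w.ResponseWriter.WriteHeader(code)
}

func (w *noServerWriter) Write(b []byte) (int, error) {
	if !w.committed {
		w.WriteHeader(http.StatusOK) // implicit 200, same as net/http
	}
	return w.ResponseWriter.Write(b)
}

// StripServerHeader wraps h so that a Server header set by h, or by a library
// h delegates to (e.g. a reverse proxy copying upstream headers), never leaves
// the process. This is the guard the regression test exists to justify.
func StripServerHeader(h http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		nw := &noServerWriter{ResponseWriter: w}
		h.ServeHTTP(nw, r)
		if !nw.committed {
			// Handler returned without writing: net/http flushes headers
			// after ServeHTTP returns, so they are still mutable here.
			w.Header().Del("Server")
		}
	})
}

func main() {
	// leaky simulates a third-party handler that advertises itself.
	leaky := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Server", "leaky/1.0")
		fmt.Fprintln(w, "ok")
	})
	bare := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "ok")
	})
	for _, c := range []struct {
		name string
		h    http.Handler
	}{{"bare net/http", bare}, {"leaky handler", leaky}, {"leaky + Strip", StripServerHeader(leaky)}} {
		v, present, err := ServerHeader(c.h)
		fmt.Printf("%-15s present=%v value=%q err=%v\n", c.name, present, v, err)
	}
}
```

The bare handler confirms the audit (no `Server` at all, not an empty one); the leaky handler shows what a future dependency could introduce; the wrapped handler shows the header gone on both the explicit-write and the no-write paths.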