
ci: enforce PR-title lint, drop Lighthouse no-op, add npm Dependabot (#234)#249

Merged
williamzujkowski merged 1 commit into main from ci/tighten-gates-234 on Jun 30, 2026

Conversation

@williamzujkowski (Collaborator)

Closes #234.

Tightens three advisory/no-op CI gates flagged in #234.

Changes

  • ci.yml — replace the per-commit Validate commit messages step (which ran continue-on-error and only warned) with an enforced Validate PR title step. The repo squash-merges, so the PR title is the commit subject that release-please parses; that's the string worth linting. The untrusted title is passed via env: and piped to npx commitlint (never interpolated into the shell — same hardening class as #229, "security(ci): sync-law.yml inlines scraped OLRC strings into run: shells (script-injection vector)").
  • deploy-site.yml — drop the empty budgetPath: '' no-op and the placeholder "Report scores" step from the Lighthouse job. The audit stays informational (report uploaded to temporary public storage; link in the action logs).
  • dependabot.yml — add an npm ecosystem (weekly, grouped minor/patch, open-pull-requests-limit: 5) so workspace deps get update PRs, not just GitHub Actions. Dependabot reads pnpm-lock.yaml and honours pnpm.overrides.

Verification

  • All three YAML files parse (yaml.safe_load).
  • No untrusted ${{ github.event.* }} interpolated into a run: body.

🤖 Generated with Claude Code

…234)

The repo squash-merges, so the PR title is the commit subject release-please
parses — lint that title and fail CI on a malformed one, instead of the old
per-commit advisory check that only warned. Untrusted title passed via env.

Drop the empty `budgetPath` no-op and the placeholder "Report scores" step
from the Lighthouse job; the audit stays informational (temporary public
storage link in the logs).

Add an npm Dependabot ecosystem (weekly, grouped minor/patch, capped at 5
open PRs) so workspace deps get update PRs, not just GitHub Actions.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
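To make the script-injection point from the PR description concrete, here is an added shell example, not the repository's workflow and not code from this PR. It models the two ways a run: step can receive an untrusted PR title: textual substitution of the `${{ ... }}` expression into the script body, and an env: variable read as "$PR_TITLE". The hostile title, the PR_TITLE variable name, `cat` standing in for `npx commitlint`, and the title_is_conventional check are all constructed for this example; title_is_conventional is a simplified stand-in for a conventional-commit subject rule, not commitlint's actual rule set.

```shell
#!/bin/sh
# Added example, not the repository's workflow. Models how a GitHub Actions
# `run:` body ends up with an untrusted PR title two different ways:
#   1. `${{ github.event.pull_request.title }}` written directly into run:.
#      The runner substitutes the text into the script BEFORE the shell
#      parses it, so quotes and `;` in the title become shell syntax.
#   2. The same expression assigned under env: and read as "$PR_TITLE".
#      The value is only ever environment data; the shell never re-parses it.
#
# Assumptions (constructed for this example): the hostile title below, the
# PR_TITLE variable name, and `cat` standing in for `npx commitlint`.

# Constructed attacker-controlled title: closes the echo's quoted string,
# runs its own command, then re-opens a quote so the line still parses.
MALICIOUS_TITLE='feat: x"; echo INJECTED; echo "'

# Model of the vulnerable step:
#   run: echo "${{ github.event.pull_request.title }}" | npx commitlint
render_interpolated() {
  # Text substitution: the title is spliced into the script source itself.
  script=$(printf 'echo "%s" | cat' "$1")
  sh -c "$script"
}

# Model of the hardened step:
#   env:
#     PR_TITLE: ${{ github.event.pull_request.title }}
#   run: printf '%s\n' "$PR_TITLE" | npx commitlint
render_via_env() {
  # The script source is a fixed string; the title arrives as an env var.
  PR_TITLE=$1 sh -c 'printf "%s\n" "$PR_TITLE" | cat'
}

# Return 0 when the attacker's command ran (its marker appears on its own line).
injected_when_interpolated() {
  render_interpolated "$MALICIOUS_TITLE" | grep -q '^INJECTED$'
}
injected_when_env() {
  render_via_env "$MALICIOUS_TITLE" | grep -q '^INJECTED$'
}

# Simplified stand-in for a conventional-commit subject check (NOT commitlint's
# rule set): "<type>(<optional scope>)!?: <subject>" with a fixed type list.
# Returns 0 for a well-formed subject, 1 otherwise, so a CI step can fail on it.
title_is_conventional() {
  printf '%s\n' "$1" |
    grep -Eq '^(build|chore|ci|docs|feat|fix|perf|refactor|revert|style|test)(\([^)]+\))?!?: [^ ].*$'
}

# Stand-alone demonstration.
if injected_when_interpolated; then
  echo "interpolated run: attacker command executed"
fi
if injected_when_env; then
  echo "env: attacker command executed"
else
  echo "env: title handled as data only"
fi
for t in 'ci: enforce PR-title lint' 'Update stuff'; do
  if title_is_conventional "$t"; then echo "lint pass: $t"; else echo "lint FAIL: $t"; fi
done
```

Run it with any POSIX sh. The interpolated model prints the INJECTED marker because the title was parsed as shell code; the env model prints the title verbatim on one line. The same property holds for any other event field an attacker controls (branch names, issue bodies, commit messages): pass it through env: and quote the variable, and the script text stays fixed no matter what the value contains.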
@williamzujkowski williamzujkowski requested a review from a team as a code owner June 30, 2026 02:00
@williamzujkowski williamzujkowski merged commit dc6224b into main Jun 30, 2026
3 checks passed
@williamzujkowski williamzujkowski deleted the ci/tighten-gates-234 branch June 30, 2026 02:36
Development

Successfully merging this pull request may close: ci: tighten advisory/no-op gates (commitlint enforcement, Lighthouse budget, npm Dependabot)