Skip to content

ci: add GitHub workflows and scanner configs for v2#384

Open
harmjeff wants to merge 2 commits into
v2from
ci/github-workflows
Open

ci: add GitHub workflows and scanner configs for v2#384
harmjeff wants to merge 2 commits into
v2from
ci/github-workflows

Conversation

@harmjeff

Copy link
Copy Markdown
Contributor

Summary

Adds GitHub CI/CD to v2: markdownlint, a 6-scanner security suite, an evaluator test/lint workflow, Dependabot, and the scanner config files. The rebased v2 had no .github/ at all, so this is purely additive.

PR 2 of 2 — companion to #383 (the evaluator). Merge #383 first: evaluator-tests.yml runs pytest on evaluator/** and the SAST/SCA scanners are scoped to evaluator/, so they need that dir to exist. (The scanners themselves no-op gracefully on a missing dir — bandit/grype exit 0 — but the test job needs it.)

Workflows

  • ci.yml — markdownlint (markdownlint-cli2-action, SHA-pinned)
  • security-scanners.yml — gitleaks, semgrep, grype, bandit, checkov, clamav; SARIF → GitHub Security tab; SHA-pinned actions; version-pinned tools; clamav as a service container
  • evaluator-tests.yml — ruff / format / vulture / pip-audit / pytest on evaluator/**

Scope decisions (for the unified v2 monorepo)

  • SAST/SCA/IaC scanners scoped to evaluator/ (semgrep, grype, checkov, bandit). The new v2 TS monorepo (core/, harness/, dist/) has its own tooling (biome/knip) and is out of scope for this gate.
  • gitleaks + clamav stay repo-wide — zero-noise hygiene scans, valuable everywhere (both verified clean).
  • markdownlint scoped to evaluator/ + top-level docs; v2 framework dirs ignored.

Config

  • dependabot.yml: uv (evaluator) + github-actions + pre-commit + docker + npm (new — covers the root bun/TS monorepo), all with cooldowns.
  • Root scanner configs: .gitleaks.toml (+ baseline), .grype.yaml, .bandit, .markdownlint-cli2.yaml, .pre-commit-config.yaml.

README

Aligned the 3 tables (MD060) and fixed two pre-existing findings (MD028 stacked-admonition spacing, MD040 code-fence language). No prose/meaning changes — table formatting + one trailing space only.

Verification

  • markdownlint clean; all workflow + config YAML valid; Dependabot schema accepted (semver cooldown tiers only on semver ecosystems).

bgagent added 2 commits June 17, 2026 11:07
PR 2 of 2 (merge AFTER the evaluator PR — these workflows reference evaluator/).

- ci.yml: markdownlint (markdownlint-cli2-action, SHA-pinned)
- security-scanners.yml: gitleaks/semgrep/grype/bandit/checkov/clamav, SARIF upload.
  SAST/SCA/IaC scanners (semgrep, grype, checkov, bandit) scoped to evaluator/;
  gitleaks + clamav stay repo-wide (zero-noise hygiene). The unified v2 TS
  monorepo (core/, harness/, dist/) keeps its own tooling and is out of scope.
- evaluator-tests.yml: ruff/format/vulture/pip-audit/pytest on evaluator/**.
- dependabot.yml: uv + github-actions + pre-commit + docker + npm (root bun/TS
  monorepo) with cooldowns.
- markdownlint config scoped to evaluator/ + top-level docs; v2 framework dirs
  ignored. Aligned the 3 README tables (MD060) and fixed pre-existing MD028/MD040.

Verified: markdownlint clean, all YAML valid, dependabot schema accepted.
CLAUDE.md is a one-line import pointer (@AGENTS.md) with no H1; MD041 should not
require a top-level heading for pointer/import or banner-first docs.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant