ci: add GitHub workflows and scanner configs for v2#384
Open
harmjeff wants to merge 2 commits into
Open
Conversation
added 2 commits
June 17, 2026 11:07
PR 2 of 2 (merge AFTER the evaluator PR — these workflows reference evaluator/). - ci.yml: markdownlint (markdownlint-cli2-action, SHA-pinned) - security-scanners.yml: gitleaks/semgrep/grype/bandit/checkov/clamav, SARIF upload. SAST/SCA/IaC scanners (semgrep, grype, checkov, bandit) scoped to evaluator/; gitleaks + clamav stay repo-wide (zero-noise hygiene). The unified v2 TS monorepo (core/, harness/, dist/) keeps its own tooling and is out of scope. - evaluator-tests.yml: ruff/format/vulture/pip-audit/pytest on evaluator/**. - dependabot.yml: uv + github-actions + pre-commit + docker + npm (root bun/TS monorepo) with cooldowns. - markdownlint config scoped to evaluator/ + top-level docs; v2 framework dirs ignored. Aligned the 3 README tables (MD060) and fixed pre-existing MD028/MD040. Verified: markdownlint clean, all YAML valid, dependabot schema accepted.
CLAUDE.md is a one-line import pointer (@AGENTS.md) with no H1; MD041 should not require a top-level heading for pointer/import or banner-first docs.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds GitHub CI/CD to v2: markdownlint, a 6-scanner security suite, an evaluator test/lint workflow, Dependabot, and the scanner config files. The rebased v2 had no
.github/at all, so this is purely additive.PR 2 of 2 — companion to #383 (the evaluator). Merge #383 first:
evaluator-tests.ymlruns pytest onevaluator/**and the SAST/SCA scanners are scoped toevaluator/, so they need that dir to exist. (The scanners themselves no-op gracefully on a missing dir — bandit/grype exit 0 — but the test job needs it.)Workflows
evaluator/**Scope decisions (for the unified v2 monorepo)
evaluator/(semgrep, grype, checkov, bandit). The new v2 TS monorepo (core/,harness/,dist/) has its own tooling (biome/knip) and is out of scope for this gate.evaluator/+ top-level docs; v2 framework dirs ignored.Config
.gitleaks.toml(+ baseline),.grype.yaml,.bandit,.markdownlint-cli2.yaml,.pre-commit-config.yaml.README
Aligned the 3 tables (MD060) and fixed two pre-existing findings (MD028 stacked-admonition spacing, MD040 code-fence language). No prose/meaning changes — table formatting + one trailing space only.
Verification