Add CI, repo policies & lint foundation (closes #6) #18
Pure whitespace/quote-style churn from running `prettier --write .` ahead of wiring `pnpm format:check` into CI. Tina-written content (`src/content/`) and `tina/__generated__` are excluded via `.prettierignore` so the editor doesn't fight CI. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Brings repo workflows + policies in line with the main SSW website, adapted to Global's Astro + Tina + Cloudflare Workers + pnpm stack.

Lint/format foundation:
- ESLint 9 flat config with eslint-plugin-astro and typescript-eslint
- Prettier 3 with prettier-plugin-astro
- New scripts: lint, format, format:check
- .nvmrc pins Node 22.21.1 to match local; .editorconfig adopts the same shape as ssw.com.au

Repo policy files (.github/):
- CODEOWNERS: hark owns *; @wicksipedia @GordonBeeming @tiagov8 own /.github (matches issue cc list)
- pull_request_template.md: trimmed to the items relevant for Global
- ISSUE_TEMPLATE: bug, feature, tech-debt (skipped Next-specific ones)
- dependabot.yml: weekly npm + github-actions; ignores Tina canary pins
- settings.yml: repo metadata, labels, and branch protection for main (1 review, code-owner review, linear history, required status checks for lint-code, build, dependency-review, CodeQL, Check linked issues)
- update-settings.yml: dry-runs on PR, applies on push to main

CI workflows (adapted from ssw.com.au):
- pr-lint-code.yml: pnpm lint + pnpm format:check
- pr-build.yml: pnpm run build:local (catches Tina/Astro breakage without needing Tina Cloud creds)
- pr-lint-pr.yml: ports the linked-issue check, repathed for Global (skips content-only diffs under src/content/)
- pr-dependency-review.yml: critical-only CVE gate (verbatim)
- codeql.yml: JS/TS scan on push/PR/weekly (verbatim)

Cloudflare deploy (replaces CF Builds git integration so we own preview naming + cleanup):
- main-deploy.yml: builds with Tina + Astro and runs wrangler deploy on push to main
- pr-deploy-preview.yml: deploys per-PR Worker `ssw-website-global-pr-<num>` and sticky-comments the URL
- pr-close-cleanup.yml: wrangler delete --force on PR close, frees the Worker slot

New repo secrets required before the deploy workflows pass:
- CLOUDFLARE_API_TOKEN (Account: Workers Scripts edit)
- CLOUDFLARE_ACCOUNT_ID
- CLOUDFLARE_WORKERS_SUBDOMAIN (the *.workers.dev subdomain prefix)

Skipped from ssw.com.au (Azure/Next-specific or Ops-heavy): all template-*, weekly-*, main-build-and-deploy, main-infra, pr-push-deploy, pr-close-delete-env, pr-main-infra-check, daily-image-tests, fetch-people-profiles, notify-n8n-of-articles, auto-approve-content-changes (defer — needs gh-aw + Copilot setup).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

For more information about GitHub Code Scanning, check out the documentation.
Deploying with Cloudflare Workers

| Status | Name | Latest Commit | Preview URL | Updated (UTC) |
|---|---|---|---|---|
| ✅ Deployment successful! View logs | ssw-website-global | 5e41cd3 | Commit Preview URL / Branch Preview URL | Jun 12 2026, 06:31 AM |
…lds handles deploy + per-PR previews via its git integration, so the GHA equivalents are redundant.

Removed:
- main-deploy.yml
- pr-deploy-preview.yml
- pr-close-cleanup.yml

CI remains: lint, build, dependency-review, CodeQL, linked-issue check, settings sync.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This reverts commit d92982b.
Per review feedback:

1. Prettier removed entirely. The mass reformat in d92982b made the PR diff unreviewable. The earlier revert already restored file contents; this commit removes the config, scripts, and devDeps:
   - delete .prettierrc, .prettierignore
   - drop prettier + prettier-plugin-astro from devDependencies
   - drop format, format:check scripts
   - drop the Prettier step from pr-lint-code.yml
   ESLint remains as the lint gate (configured to be lenient).

2. pr-build now runs `pnpm run build` (the same script Cloudflare Workers Builds runs) instead of `build:local`. This catches the Tina Cloud schema-sync class of bug that previously only showed up after deploy (see AGENTS.md gotchas section). Requires two new repo secrets:
   - PUBLIC_TINA_CLIENT_ID
   - TINA_TOKEN
   (both from app.tina.io). Without them this job will fail.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds a "CI / GitHub Actions secrets" section listing the two Tina Cloud secrets the PR - Build workflow needs (PUBLIC_TINA_CLIENT_ID, TINA_TOKEN), with a direct link to the repo's Secrets page and a note that only Admin/Maintain roles can view them. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@tiagov8 — looping you in per the issue cc list. This PR brings the repo's CI + policy surface in line with ssw.com.au, adapted to the Astro + Tina + Cloudflare stack:
Cloudflare deploy + per-PR previews stay on Cloudflare Workers Builds (no GHA deploy workflow — those were dropped in Two new repo secrets (just added) drive
Documented in the README in
@RobJT-wq , need a sysadmin/repo-admin to enable Dependency Graph at https://github.com/SSWConsulting/SSW.Website.Global/settings/security_analysis so the Right now it errors with:
Once toggled on, push an empty commit or rerun the failed check and it'll go green. This is the last remaining red check on the PR.
Pull request overview
Adds baseline repository governance and CI checks (lint/build/dependency review/CodeQL) for the Astro + TinaCMS + pnpm stack, plus documentation and repo metadata automation via .github/settings.yml.
Changes:
- Introduces ESLint 9 flat config and a `pnpm lint` script (plus lockfile updates for new lint deps).
- Adds GitHub Actions workflows for PR linting, PR build, dependency review, CodeQL, and automated repo settings application.
- Adds repo policy files (CODEOWNERS, PR template, issue templates, Dependabot config) and documents required CI secrets.
Reviewed changes
Copilot reviewed 19 out of 20 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| src/components/HeaderLink.astro | Minor regex cleanup for path matching. |
| README.md | Documents GitHub Actions secrets required for the PR build workflow. |
| package.json | Adds ESLint-related devDependencies and a lint script. |
| pnpm-lock.yaml | Locks new ESLint / TypeScript ESLint / Astro ESLint dependencies. |
| eslint.config.mjs | Adds ESLint 9 flat configuration with TS + Astro support. |
| .nvmrc | Pins Node.js version for local/dev/CI consistency. |
| .editorconfig | Establishes editor settings (tabs by default; spaces for JSON/YAML). |
| .github/workflows/pr-lint-code.yml | PR lint workflow (currently ESLint only). |
| .github/workflows/pr-build.yml | PR build workflow running pnpm run build with Tina secrets. |
| .github/workflows/pr-lint-pr.yml | PR metadata workflow (linked-issue check with content-only skipping). |
| .github/workflows/pr-dependency-review.yml | Dependency Review gate on PRs (critical CVEs). |
| .github/workflows/codeql.yml | CodeQL analysis on PRs/push/schedule. |
| .github/workflows/update-settings.yml | Applies repo settings from .github/settings.yml. |
| .github/settings.yml | Defines repo metadata, labels, teams, and branch protections. |
| .github/CODEOWNERS | Establishes CODEOWNERS for the repo and .github/. |
| .github/pull_request_template.md | Adds PR template with Tina + build checklist. |
| .github/dependabot.yml | Configures Dependabot updates for actions + npm. |
| .github/ISSUE_TEMPLATE/bug_report.md | Adds bug report issue template. |
| .github/ISSUE_TEMPLATE/feature_request.md | Adds feature request issue template. |
| .github/ISSUE_TEMPLATE/tech_debt.md | Adds tech debt issue template. |
Files not reviewed (1)
- pnpm-lock.yaml: Language not supported
Comments suppressed due to low confidence (1)
.github/workflows/pr-lint-code.yml:34
- PR description says `pr-lint-code` runs both `pnpm lint` and `pnpm format:check`, but this workflow only runs ESLint. If formatting is intended to be enforced via required checks, add the format-check step (and ensure the corresponding script/config exists) so the branch protection context `lint-code` actually covers both lint + formatting.

```yaml
      - run: pnpm install --frozen-lockfile
      - name: ESLint
        run: pnpm lint
```
- update-settings.yml: gate Apply step on `github.event_name !=
'pull_request'` so PR runs only dry-run (Copilot caught the apply
running on every PR). Add explicit `permissions: { contents: read,
administration: write }` so the settings action can actually write
via GITHUB_TOKEN, instead of erroring at apply time.
- pr-lint-pr.yml: diff the full PR range
(`base.sha`...`head.sha`) with `fetch-depth: 0` instead of
`git diff HEAD^ HEAD`, which only inspected the last commit and
misclassified multi-commit PRs as content-only when the latest
commit happened to be content-only.
- pr-build.yml: detect whether `TINA_TOKEN` is available and pick
`pnpm run build` (full CF parity, Tina Cloud) for same-repo PRs
vs `pnpm run build:local` (in-process datalayer) for fork PRs
where GitHub strips secrets. Fork PRs no longer fail the
required check; they still get a real build, just without the
Tina Cloud schema-sync verification (which fires again on main).
- settings.yml: drop the stale Probot Settings header comment;
document the actual mechanism (GuacamoleResearch/actions-settings
driven by update-settings.yml).
- README.md: clarify that GitHub never exposes stored secret
values to anyone — admins can create/update/rotate but not view
the current value.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
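The full-range versus last-commit distinction behind the pr-lint-pr.yml fix above, shown as an added example rather than the PR's own workflow code. It assumes the classification rule stated in the PR description (a diff is content-only when every changed path is under `src/content/`), constructs a throwaway repo whose PR branch carries a code commit followed by a content-only commit, and classifies it both ways: over the `base...head` range the fixed workflow inspects, and over `HEAD^ HEAD` as the original step did. The `base` tag, the `feature` branch and the helper function names are this example's own.

```sh
#!/bin/sh
# Added example, not code from the PR: reproduces the pr-lint-pr.yml
# misclassification described in the commit message above. The rule assumed
# here (a PR is "content-only" when every changed path is under src/content/)
# comes from the PR description; the repo and its commits are constructed.
set -eu

# classify_range REPO BASE HEAD
# Classifies everything that changed on HEAD since it diverged from BASE,
# i.e. the three-dot range the fixed workflow uses with
# base.sha...head.sha after a fetch-depth: 0 checkout.
classify_range() {
  changed=$(git -C "$1" diff --name-only "$2...$3")
  if [ -z "$changed" ]; then
    echo "empty"
  elif printf '%s\n' "$changed" | grep -qv '^src/content/'; then
    # At least one path lives outside src/content/: treat the PR as a code
    # change, which is the case that must require a linked issue.
    echo "code"
  else
    echo "content-only"
  fi
}

# classify_last_commit REPO
# The original (buggy) check: `git diff HEAD^ HEAD` only sees the newest
# commit, so a multi-commit PR is judged by whatever happened to land last.
classify_last_commit() {
  classify_range "$1" "$(git -C "$1" rev-parse "HEAD^")" "$(git -C "$1" rev-parse HEAD)"
}

# make_fixture
# Builds a throwaway repo (constructed data) shaped like the failure case:
# a code change followed by a content-only commit on the PR branch.
# Prints the repo path; the base commit is tagged `base`, the PR branch
# is `feature`.
make_fixture() {
  repo=$(mktemp -d)
  git -C "$repo" init -q
  git -C "$repo" config user.email "ci@example.invalid"
  git -C "$repo" config user.name "ci"
  mkdir -p "$repo/src/components" "$repo/src/content"
  echo "base" > "$repo/src/components/HeaderLink.astro"
  echo "base" > "$repo/src/content/page.md"
  git -C "$repo" add -A
  git -C "$repo" commit -q -m "base"
  git -C "$repo" tag base
  git -C "$repo" checkout -q -b feature
  echo "fix" > "$repo/src/components/HeaderLink.astro"   # code change
  git -C "$repo" commit -q -a -m "fix header regex"
  echo "copy" > "$repo/src/content/page.md"               # content-only change
  git -C "$repo" commit -q -a -m "content tweak"
  echo "$repo"
}

REPO=$(make_fixture)
echo "full range  (base...feature): $(classify_range "$REPO" base feature)"   # code
echo "last commit (HEAD^ HEAD):     $(classify_last_commit "$REPO")"          # content-only
```

The second line is the misclassification the commit message describes: the PR touches `src/components/HeaderLink.astro`, yet the last-commit check reports it as content-only and would have skipped the linked-issue requirement. Run against a real PR, `classify_range` takes the workflow's `base.sha` and `head.sha` in place of the tag and branch.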
| @@ -0,0 +1,10 @@ | |||
| <!-- describe the change, why it is needed, and what it accomplishes --> | |||
Why are we not using the default pull request template from the GitHub template?
and then adding the extras to it
All you did was pull a comment from it
https://github.com/SSWConsulting/SSW.GitHub.Template/blob/main/.github/pull_request_template.md
Responds to review on PR #18:
- CODEOWNERS: use org teams instead of individuals (* -> @SSWConsulting/sswdevelopers, /.github -> @SSWConsulting/ssw-website-maintainers)
- dependabot: add cooldown windows, switch weekly -> monthly, emoji commit prefixes (mirrors SSW.Woodpecker house style)
- ISSUE_TEMPLATE: convert bug_report / feature_request / tech_debt from markdown templates to YAML issue forms
- pull_request_template: align header to the canonical SSW template
- drop settings-as-code: remove settings.yml + update-settings.yml (over-privileged administration:write token / misuse risk per review); branch protection + labels to be managed via repo settings instead

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
GordonBeeming left a comment
Not necessarily a request for changes... but comments that are optional before approval... let me know how it goes
| @@ -0,0 +1,19 @@ | |||
| name: 💸 Tech Debt | |||
| description: Report tech debt | |||
| title: '💸 {{ TITLE }}' | |||
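Review bot: `title: '💸 {{ TITLE }}'` prefills every new tech-debt issue with a literal `{{ TITLE }}` placeholder, since the `title` key of an issue form is a default title rather than a pattern, so each reporter has to delete it before typing. If the emoji prefix is the goal, `title: '💸 '` keeps the prefix without the placeholder; otherwise drop the key and let the reporter supply the title.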
Consider dropping the title param... otherwise every person making an issue needs to first delete it

Closes #6.

Brings the repo's CI + policy surface in line with the main SSW website (ssw.com.au), adapted to Global's Astro + Tina + Cloudflare Workers + pnpm stack.

What's in here

1. Lint foundation
- ESLint 9 flat config (`eslint.config.mjs`) with `eslint-plugin-astro` + `typescript-eslint`
- `pnpm lint` (`eslint .`)
- `.nvmrc` pins Node `v22.21.1`; `.editorconfig` mirrors ssw.com.au
- Prettier dropped (`d96316d`) so the Tina editor doesn't fight CI over formatting

2. Repo policies (`.github/`)
- `CODEOWNERS` — `*` owned by `@SSWConsulting/sswdevelopers`, `/.github` owned by `@SSWConsulting/ssw-website-maintainers` (teams, not individuals)
- `pull_request_template.md` — canonical SSW template + Global extras (Tina-field checkbox, local build, Done video)
- `ISSUE_TEMPLATE/` — `bug_report`, `feature_request`, `tech_debt` as YAML issue forms
- `dependabot.yml` — monthly `npm` + `github-actions`, with `cooldown` windows (mirrors SSW.Woodpecker); ignores the Tina canary pins

3. CI workflows
- `pr-lint-code.yml`: `pnpm lint` (ESLint)
- `pr-build.yml`: `pnpm run build` (full Cloudflare-parity, talks to Tina Cloud); fork PRs fall back to `build:local` (no creds). This is the gate that would have caught the #14 → #15 Tina schema regression
- `pr-lint-pr.yml`
- `pr-dependency-review.yml`
- `codeql.yml`

4. Deploy
Stays on Cloudflare Workers Builds — its native git integration handles deploy + per-PR previews. The GHA deploy/cleanup workflows from the first draft were dropped (`0159a45`) as redundant.

Required repo secrets
Drive `pr-build` on same-repo PRs (documented in the README, `eb37809`):
- `PUBLIC_TINA_CLIENT_ID`
- `TINA_TOKEN`

Manual repo config (settings-as-code dropped per review)
`settings.yml` + `update-settings.yml` were removed (`5e41cd3`) — the `administration:write` token they needed was an over-privileged misuse vector for set-once config. Configure these in the repo UI instead:
- `main` branch protection: 1 approval, require code-owner review, linear history; required checks: `Check linked issues`, `dependency-review`, `lint-code`, `build`, `CodeQL`
- Labels: `Type: *` set — note `Type: Dependencies` (referenced by Dependabot) needs creating
- Teams: `sswdevelopers` (push), `ssw-website-maintainers` (maintain) — must have repo access, or the CODEOWNERS entries are silently ignored

What was skipped (from ssw.com.au)
All Azure/Next-specific workflows and content automation (`fetch-people-profiles`, `notify-n8n-of-articles`, `template-*`, `weekly-*`, `daily-image-tests`, the gh-aw AI content reviewer, etc.) — defer until Global's volume justifies them.

Checks
- `lint-code` passes (ESLint)
- `build` passes (Tina + Astro)
- `dependency-review` runs
- `CodeQL` runs
- `Check linked issues` recognises the link to "Bring repo workflows & policies in line with the main SSW website (ssw.com.au) #6"

🤖 Generated with Claude Code