fix: post-audit CI and governance cleanup #6

Merged
electron-rare merged 3 commits from fix/post-audit-cleanup into main 2026-05-18 20:23:44 +00:00
electron-rare commented 2026-05-18 20:16:16 +00:00 (Migrated from github.com)

Post-audit cleanup across three fix categories (A + H + I). The critic pass confirmed astro check returns 0 errors / 13 hints, the Tower scp deploy has been superseded by Cloudflare since PR #5, and the monthly governance report referenced a stale required check.

Changes

A — CI + workflow cleanup

  • ci.yml: removed continue-on-error: true on the Typecheck step. astro check is clean so this step must block.
  • deploy-cloudflare.yml (job name: 'Deploy to Tower'): deleted. Production has been on Cloudflare since PR #5; this workflow only fails (stale TOWER_* secrets, wrong origin).

H — Monthly cross-stack report generalised

  • monthly-cross-stack-report.yml: replaced the hardcoded probe for Cross-stack coherence (no longer in branch protection) with a dynamic dump of required_status_checks.contexts[] and required_status_checks.checks[].context. The report now reflects the live required-checks set.

I — CI quality gates

  • ci.yml: added npm run tracking:check and npm run image:budget after the Build step. Scripts already existed in package.json but were never wired into CI.

Commits

  1. ci: enforce typecheck and add quality gates (A1 + I)
  2. chore: remove obsolete Tower deploy workflow (A2)
  3. chore: monthly report tracks live required checks (H)
Post-audit cleanup across three fix categories (A + H + I). The critic pass confirmed `astro check` returns 0 errors / 13 hints, the Tower scp deploy has been superseded by Cloudflare since PR #5, and the monthly governance report referenced a stale required check. ## Changes ### A — CI + workflow cleanup - `ci.yml`: removed `continue-on-error: true` on the Typecheck step. astro check is clean so this step must block. - `deploy-cloudflare.yml` (job name: 'Deploy to Tower'): **deleted**. Production has been on Cloudflare since PR #5; this workflow only fails (stale TOWER_* secrets, wrong origin). ### H — Monthly cross-stack report generalised - `monthly-cross-stack-report.yml`: replaced the hardcoded probe for `Cross-stack coherence` (no longer in branch protection) with a dynamic dump of `required_status_checks.contexts[]` and `required_status_checks.checks[].context`. The report now reflects the live required-checks set. ### I — CI quality gates - `ci.yml`: added `npm run tracking:check` and `npm run image:budget` after the Build step. Scripts already existed in `package.json` but were never wired into CI. ## Commits 1. `ci: enforce typecheck and add quality gates` (A1 + I) 2. `chore: remove obsolete Tower deploy workflow` (A2) 3. `chore: monthly report tracks live required checks` (H)
cloudflare-workers-and-pages[bot] commented 2026-05-18 20:17:36 +00:00 (Migrated from github.com)

Deploying with  Cloudflare Workers  Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Preview URL Updated (UTC)
Deployment successful!
View logs
electron-rare 97e19348 Commit Preview URL

Branch Preview URL
May 18 2026, 08:17 PM
## Deploying with &nbsp;<a href="https://workers.dev"><img alt="Cloudflare Workers" src="https://workers.cloudflare.com/logo.svg" width="16"></a> &nbsp;Cloudflare Workers The latest updates on your project. Learn more about [integrating Git with Workers](https://developers.cloudflare.com/workers/ci-cd/builds/git-integration/). | Status | Name | Latest Commit | Preview URL | Updated (UTC) | | -|-|-|-|-| | ✅ Deployment successful! <br>[View logs](https://dash.cloudflare.com/?to=/cea4d5c2a2ff4545e8a2e06143c2134e/workers/services/view/electron-rare/production/builds/0f0cfae3-80a6-4a78-9874-86a457dd7a30) | electron-rare | 97e19348 | <a href='https://b50936a4-electron-rare.xzz9fwtxrb.workers.dev'>Commit Preview URL</a><br><br><a href='https://fix-post-audit-cleanup-electron-rare.xzz9fwtxrb.workers.dev'>Branch Preview URL</a> | May 18 2026, 08:17 PM |
copilot-pull-request-reviewer[bot] (Migrated from github.com) reviewed 2026-05-18 20:18:27 +00:00
copilot-pull-request-reviewer[bot] (Migrated from github.com) left a comment

Pull request overview

This PR performs post-audit cleanup of GitHub Actions workflows by tightening CI quality gates, removing an obsolete production deploy workflow, and making the monthly governance report reflect the live branch-protection required-checks configuration.

Changes:

  • Made typecheck blocking in CI and added two additional CI quality gates (tracking:check, image:budget).
  • Removed the obsolete “Deploy to Tower” workflow now that production deploys via Cloudflare.
  • Updated the monthly cross-stack report to dynamically list required branch-protection status checks instead of probing a single hardcoded check.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File Description
.github/workflows/ci.yml Makes typecheck blocking and adds tracking/image budget checks to enforce CI quality gates.
.github/workflows/deploy-cloudflare.yml Deletes the obsolete Tower SCP/SSH deployment workflow.
.github/workflows/monthly-cross-stack-report.yml Updates governance reporting to dump the live set of required branch-protection checks.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

## Pull request overview This PR performs post-audit cleanup of GitHub Actions workflows by tightening CI quality gates, removing an obsolete production deploy workflow, and making the monthly governance report reflect the live branch-protection required-checks configuration. **Changes:** - Made `typecheck` blocking in CI and added two additional CI quality gates (`tracking:check`, `image:budget`). - Removed the obsolete “Deploy to Tower” workflow now that production deploys via Cloudflare. - Updated the monthly cross-stack report to dynamically list required branch-protection status checks instead of probing a single hardcoded check. ### Reviewed changes Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment. | File | Description | | ---- | ----------- | | `.github/workflows/ci.yml` | Makes typecheck blocking and adds tracking/image budget checks to enforce CI quality gates. | | `.github/workflows/deploy-cloudflare.yml` | Deletes the obsolete Tower SCP/SSH deployment workflow. | | `.github/workflows/monthly-cross-stack-report.yml` | Updates governance reporting to dump the live set of required branch-protection checks. | --- 💡 <a href="/electron-rare/electron-rare.github.io/new/main?filename=.github/instructions/*.instructions.md" class="Link--inTextBlock" target="_blank" rel="noopener noreferrer">Add Copilot custom instructions</a> for smarter, more guided reviews. <a href="https://docs.github.com/en/copilot/customizing-copilot/adding-repository-custom-instructions-for-github-copilot" class="Link--inTextBlock" target="_blank" rel="noopener noreferrer">Learn how to get started</a>.
@@ -58,10 +60,15 @@ jobs:
echo "Generated: $NOW_UTC"
echo "Repository: $GH_REPO"
copilot-pull-request-reviewer[bot] (Migrated from github.com) commented 2026-05-18 20:18:27 +00:00

The jq extraction can emit null entries (e.g., when a check object lacks .context), which then get rendered as a bullet like - null. Also, because jq errors are swallowed (2>/dev/null || true), a parse/API shape failure will be reported as “(none)” rather than “(unknown)”, which can make the governance report inaccurate. Consider filtering out null/empty contexts and preserving an explicit “unknown/parse-error” state when jq fails.

The jq extraction can emit `null` entries (e.g., when a check object lacks `.context`), which then get rendered as a bullet like `- null`. Also, because jq errors are swallowed (`2>/dev/null || true`), a parse/API shape failure will be reported as “(none)” rather than “(unknown)”, which can make the governance report inaccurate. Consider filtering out null/empty contexts and preserving an explicit “unknown/parse-error” state when jq fails.
Sign in to join this conversation.