From 8b777933e812617e7f8b93256fcf8f8be9a225e5 Mon Sep 17 00:00:00 2001
From: Justin Beckwith
Date: Tue, 24 Mar 2026 08:26:22 -0700
Subject: [PATCH] refactor(ci): add shared ci success

Add first-party validation and a separate CI Success workflow for the action bundle.

Co-authored-by: Codex
---
 .github/workflows/ci-success.yml | 22 ++++++++++++
 .github/workflows/validate.yml | 57 ++++++++++++++++++++++++++++++++
 2 files changed, 79 insertions(+)
 create mode 100644 .github/workflows/ci-success.yml
 create mode 100644 .github/workflows/validate.yml
diff --git a/.github/workflows/ci-success.yml b/.github/workflows/ci-success.yml
new file mode 100644
index 0000000..281587e
--- /dev/null
+++ b/.github/workflows/ci-success.yml
@@ -0,0 +1,22 @@
+name: CI Success
+
+on:
+ pull_request:
+
+permissions:
+ contents: read
+
+jobs:
+ ci-success:
+ name: CI Success
+ runs-on: ubuntu-latest
+ timeout-minutes: 5
+ permissions:
+ checks: read
+ statuses: read
+ steps:
+ - name: Wait for all PR checks
+ uses: promptfoo/.github/.github/actions/ci-success@main
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ timeout-seconds: 300
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
new file mode 100644
index 0000000..8aba5c0
--- /dev/null
+++ b/.github/workflows/validate.yml
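Review bot: In ci-success.yml the step `uses: promptfoo/.github/.github/actions/ci-success@main` follows a mutable branch while receiving `github-token`, so any later push to that branch changes what runs in this job without a change in this repository. Pinning to a full commit SHA, e.g. `uses: promptfoo/.github/.github/actions/ci-success@FULL_COMMIT_SHA # main`, makes the executed code reviewable; the same applies to the tag refs `actions/checkout@v6` and `actions/setup-node@v6` in validate.yml. The job-level `permissions` block already limits the token to `checks: read` and `statuses: read`, which bounds the impact. Separately, `timeout-minutes: 5` equals `timeout-seconds: 300`, so the runner may cancel the job before the action can report its own timeout; a slightly larger job timeout would presumably let the action's message surface.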
@@ -0,0 +1,57 @@
+name: Validate Action
+
+on:
+ pull_request:
+ push:
+ branches:
+ - main
+
+permissions:
+ contents: read
+
+jobs:
+ validate:
+ name: Validate Action
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v6
+
+ - uses: actions/setup-node@v6
+ with:
+ node-version: 24
+
+ - name: Validate action metadata
+ run: |
+ node <<'NODE'
+ const fs = require('node:fs');
+
+ const actionYaml = fs.readFileSync('action.yml', 'utf8');
+ const requiredPatterns = [
+ { pattern: /^name:\s*['"]Promptfoo Code Scan['"]$/m, message: 'Missing expected action name' },
+ { pattern: /^description:\s*['"]Scan pull requests for LLM security vulnerabilities['"]$/m, message: 'Missing expected action description' },
+ { pattern: /^runs:\s*$/m, message: 'Missing runs section' },
+ { pattern: /^\s+using:\s*['"]node20['"]$/m, message: 'Missing expected runtime' },
+ { pattern: /^\s+main:\s*['"]dist\/index\.js['"]$/m, message: 'Missing expected action entrypoint' },
+ ];
+
+ for (const { pattern, message } of requiredPatterns) {
+ if (!pattern.test(actionYaml)) {
+ throw new Error(message);
+ }
+ }
+ NODE
+
+ - name: Ensure bundled files exist
+ run: |
+ test -f dist/index.js
+ test -f dist/sourcemap-register.js
+ test -f dist/licenses.txt
+ test -f cli-bundle/index.js
+ test -f cli-bundle/sourcemap-register.js
+
+ - name: Syntax check bundled JavaScript
+ run: |
+ node --check dist/index.js
+ node --check dist/sourcemap-register.js
+ node --check cli-bundle/index.js
+ node --check cli-bundle/sourcemap-register.js
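Review bot: The "Syntax check bundled JavaScript" step runs under `node-version: 24` while the metadata check requires the `node20` runtime, so `node --check` can accept syntax that the declared action runtime would reject; using `node-version: 20` (or a matrix of both) would validate the bundle against the runtime it ships for. The steps also only confirm that the `dist/` and `cli-bundle/` files exist and parse, which does not show that the committed bundles correspond to reviewed source; if the build inputs live elsewhere, a checksum or provenance comparison would be the place to close that gap. Since no later step uses git, adding `with:` / `persist-credentials: false` to the `actions/checkout@v6` step is a cheap hardening.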