22 changes: 22 additions & 0 deletions .github/workflows/ci-success.yml
@@ -0,0 +1,22 @@
name: CI Success

on:
pull_request:

permissions:
contents: read

jobs:
ci-success:
name: CI Success
runs-on: ubuntu-latest
timeout-minutes: 5
permissions:
checks: read
statuses: read
steps:
- name: Wait for all PR checks
uses: promptfoo/.github/.github/actions/ci-success@main
P1: Pin the shared CI action to an immutable ref

Avoid @main for workflow actions. Referencing a moving branch lets upstream changes alter or break PR-gating behavior without changes in this repo, and if the upstream branch is compromised it can execute attacker-controlled logic in CI. Pin to a commit SHA for integrity.

with:
github-token: ${{ secrets.GITHUB_TOKEN }}
timeout-seconds: 300
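Review bot: The job-level `timeout-minutes: 5` is exactly equal to the action's `timeout-seconds: 300`, so when the waited-for checks run long GitHub cancels the job at the same moment the action's own timeout would fire, and the PR shows a cancelled job instead of the action's own timeout result. Give the job some headroom over the action, e.g. `timeout-minutes: 6` alongside `timeout-seconds: 300`, and keep the two values next to each other so they do not drift apart. Also, since this is the job that gates the PR, please confirm that the action excludes its own `CI Success` check from the set it waits on; otherwise the job would wait on itself until the timeout.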
57 changes: 57 additions & 0 deletions .github/workflows/validate.yml
@@ -0,0 +1,57 @@
name: Validate Action

on:
pull_request:
push:
branches:
- main

permissions:
contents: read

jobs:
validate:
name: Validate Action
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6

- uses: actions/setup-node@v6
with:
node-version: 24
P1: Run bundle syntax checks with Node 20

Use the same Node major as the action runtime when validating bundles. action.yml declares runs.using: node20, but this workflow installs Node 24 before node --check, so newer syntax can pass CI yet crash when the action executes on GitHub's Node 20 runtime.


- name: Validate action metadata
run: |
node <<'NODE'
const fs = require('node:fs');

const actionYaml = fs.readFileSync('action.yml', 'utf8');
const requiredPatterns = [
{ pattern: /^name:\s*['"]Promptfoo Code Scan['"]$/m, message: 'Missing expected action name' },
{ pattern: /^description:\s*['"]Scan pull requests for LLM security vulnerabilities['"]$/m, message: 'Missing expected action description' },
{ pattern: /^runs:\s*$/m, message: 'Missing runs section' },
{ pattern: /^\s+using:\s*['"]node20['"]$/m, message: 'Missing expected runtime' },
{ pattern: /^\s+main:\s*['"]dist\/index\.js['"]$/m, message: 'Missing expected action entrypoint' },
];

for (const { pattern, message } of requiredPatterns) {
if (!pattern.test(actionYaml)) {
throw new Error(message);
}
}
NODE

- name: Ensure bundled files exist
run: |
test -f dist/index.js
test -f dist/sourcemap-register.js
test -f dist/licenses.txt
test -f cli-bundle/index.js
test -f cli-bundle/sourcemap-register.js

- name: Syntax check bundled JavaScript
run: |
node --check dist/index.js
node --check dist/sourcemap-register.js
node --check cli-bundle/index.js
node --check cli-bundle/sourcemap-register.js
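Review bot: `actions/checkout@v6` and `actions/setup-node@v6` are referenced by mutable major-version tags; for consistency with the P1 raised on `ci-success.yml`, pin both to a full commit SHA (keeping the tag in a trailing `# v6` comment so Dependabot can still track updates), since a moved tag changes what runs in this workflow without any change in this repo. Separately, the `Ensure bundled files exist` step only proves that the `dist/` and `cli-bundle/` files are present and `node --check` only proves they parse; neither catches a committed bundle that is stale relative to the source, so consider rebuilding in CI and failing on `git diff --exit-code` against the checked-in bundle.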