Skip to content

ci: restructure workflows to match org ruleset contract #48

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Nelson Spence (Fieldnote-Echo) merged 15 commits into from
Mar 11, 2026
Merged

ci: restructure workflows to match org ruleset contract #48

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
094c3c1
test: add e2e_fast/e2e_stress markers with proper expression evaluation
Fieldnote-Echo Mar 9, 2026
056f1ac
test: add shared e2e fixtures with LLM health check and diff corpus
Fieldnote-Echo Mar 9, 2026
4c686a4
refactor: use shared e2e fixtures for LLM endpoint config
Fieldnote-Echo Mar 10, 2026
2df5160
test: add Tier 0 hypothesis property tests for parser/retry/escaping
Fieldnote-Echo Mar 10, 2026
337d2a4
test: add Tier 1 deterministic edge diff tests
Fieldnote-Echo Mar 10, 2026
409713e
test: add Tier 1 adversarial input tests (deterministic)
Fieldnote-Echo Mar 10, 2026
5d90834
test: add Tier 2 LLM system contract tests
Fieldnote-Echo Mar 10, 2026
5e513f9
test: add Tier 3 LLM model characterization tests
Fieldnote-Echo Mar 10, 2026
b2dac91
ci: restructure workflows to match org ruleset contract
Fieldnote-Echo Mar 11, 2026
5600fd5
fix: resolve pre-existing lint errors in test files
Fieldnote-Echo Mar 11, 2026
bceb44e
style: auto-format e2e_fixtures.py
Fieldnote-Echo Mar 11, 2026
6366210
chore: trigger navi-bot approval
Fieldnote-Echo Mar 11, 2026
0fa5f1e
chore: trigger CI re-evaluation
Fieldnote-Echo Mar 11, 2026
2fba306
chore: trigger CI re-evaluation
Fieldnote-Echo Mar 11, 2026
d25e5a9
merge: resolve conflicts with e2e test hardening (#46)
Fieldnote-Echo Mar 11, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
104 changes: 0 additions & 104 deletions .github/workflows/_build-reusable.yml
View file
Open in desktop

This file was deleted.

13 changes: 5 additions & 8 deletions .github/workflows/codeql.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,18 +16,15 @@ permissions:
contents: read

jobs:
analyze:
name: Analyze (${{ matrix.language }})
# CONTRACT: org ruleset requires this exact check name 'codeql'
# Do NOT add a 'name:' override or matrix strategy
codeql:
runs-on: ubuntu-latest
timeout-minutes: 30
permissions:
actions: read
security-events: write
contents: read
strategy:
fail-fast: false
matrix:
language: ["python"]

steps:
- name: Harden runner
Expand All @@ -40,7 +37,7 @@ jobs:
- name: Initialize CodeQL
uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
with:
languages: ${{ matrix.language }}
languages: python
queries: +security-extended

- name: Autobuild
Expand All @@ -49,4 +46,4 @@ jobs:
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
with:
category: "/language:${{ matrix.language }}"
category: "/language:python"
3 changes: 2 additions & 1 deletion .github/workflows/release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,9 +12,10 @@ permissions: {}

jobs:
build:
uses: ./.github/workflows/_build-reusable.yml
uses: Project-Navi/.github/.github/workflows/_build-reusable.yml@6c4c2d8f200b1b9c3bd651ebc297425e45d5934e
with:
tag_name: ${{ github.event.release.tag_name }}
package_name: grippy
permissions:
contents: write
id-token: write
Expand Down
31 changes: 4 additions & 27 deletions .github/workflows/scorecard.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,42 +14,19 @@ concurrency:
cancel-in-progress: false

jobs:
analysis:
name: Scorecard analysis
runs-on: ubuntu-latest
timeout-minutes: 15
scorecard:
uses: Project-Navi/.github/.github/workflows/scorecard.yml@6c4c2d8f200b1b9c3bd651ebc297425e45d5934e
permissions:
contents: read
security-events: write
id-token: write
actions: read
steps:
- name: Harden runner
uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
with:
egress-policy: audit

- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
token: ${{ secrets.SCORECARD_TOKEN || secrets.GITHUB_TOKEN }}

- name: Run Scorecard
uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
with:
repo_token: ${{ secrets.SCORECARD_TOKEN || secrets.GITHUB_TOKEN }}
results_file: results.sarif
results_format: sarif
publish_results: true

- name: Upload SARIF to Security tab
uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
with:
sarif_file: results.sarif
secrets: inherit

badge:
name: Update scorecard badge
if: github.ref == 'refs/heads/main' && (github.event_name == 'push' || github.event_name == 'workflow_dispatch')
needs: analysis
needs: scorecard
runs-on: ubuntu-latest
timeout-minutes: 10
permissions:
Expand Down
Loading
Loading