
fix: audit and clean up GitHub Actions CI workflows #57

Draft
Copilot wants to merge 2 commits into master from copilot/audit-github-actions-setup

Conversation

Contributor

Copilot AI commented Mar 18, 2026

Five correctness issues in ci.yml that together allowed broken or ineffective checks to silently pass, plus unnecessary secret exposure across six jobs.

Changes

Triggers

  • Removed work from push/PR branch triggers — branch doesn't exist; leftover noise

Node version

  • node-version: 22 → '20' to match package.json engines: { node: "20.x" }

lint job

  • Replaced npx eslint --no-ignore + hardcoded file list with npm run lint (eslint .)
  • The old form bypassed ignorePatterns and silently missed any file not in the list

typecheck job

  • Replaced npx tsc --strict --noEmit with npm run typecheck (tsc -b)
  • Root tsconfig.json has "files": [] and only references — the old command type-checked nothing; tsc -b is required to follow project references

Secrets scope (least privilege)

  • Removed DATABASE_URL, TRUSTSIGNAL_JWT_SECRET, TRUSTSIGNAL_JWT_SECRETS, POLYGON_RPC_URL from lint, typecheck, web-build, rust-build, secret-scan, dependency-audit
  • Only test and signed-receipt-smoke actually consume those values

Not changed: scorecard.yml (correctly SHA-pinned), dependabot.yml (correct and minimal), all 8 jobs retained (each justified by actual repo content)

AI Disclosure (optional)

  • AI-assisted changes are included in this PR

Review Checklist

  • Human review requested
  • Tests added or updated where appropriate
  • No secrets, tokens, cookies, or raw PII were added to code, logs, fixtures, or docs
  • Security impact and remaining risks are described

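The least-privilege change above is the kind of thing worth re-checking mechanically after a workflow edit, because a job-level `env:` that injects a secret the job never reads is easy to reintroduce. The script below is an added example, not the repository's workflow or any code from this PR: it writes a constructed ci.yml (reusing the job and secret names from the PR description purely for illustration) and attributes every `secrets.*` reference to its enclosing job, flagging any job outside an allow-list. The allow-list mirrors the PR's statement that only `test` and `signed-receipt-smoke` consume those values; that a job actually consumes a variable is not something the workflow text alone can prove, so the list is reviewer knowledge, not inferred. It goes one step beyond the PR's case by also flagging workflow-level `env:`, which exposes a secret to every job.

```shell
#!/bin/sh
# Added example (not the project's own code): map secrets.* references in a
# GitHub Actions workflow to the job that receives them, then report jobs that
# are not on the allow-list. The workflow content below is constructed.
set -eu

WORKFLOW="$(mktemp)"
trap 'rm -f "$WORKFLOW"' EXIT

cat > "$WORKFLOW" <<'EOF'
name: ci
on:
  push:
    branches: [master]
  pull_request:
    branches: [master]
env:
  POLYGON_RPC_URL: ${{ secrets.POLYGON_RPC_URL }}   # workflow-level: every job sees it
jobs:
  lint:
    runs-on: ubuntu-latest
    env:
      DATABASE_URL: ${{ secrets.DATABASE_URL }}     # over-scoped: lint never reads it
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
      - run: npm run lint
  typecheck:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm run typecheck
  test:
    runs-on: ubuntu-latest
    env:
      DATABASE_URL: ${{ secrets.DATABASE_URL }}
      TRUSTSIGNAL_JWT_SECRET: ${{ secrets.TRUSTSIGNAL_JWT_SECRET }}
    steps:
      - uses: actions/checkout@v4
      - run: npm test
EOF

# Print "<job> <SECRET_NAME>" for each secrets.* reference. Job names are the
# two-space-indented keys under "jobs:"; anything before that is workflow-level.
secret_refs() {
  awk '
    BEGIN { job = "(workflow-level)" }
    /^jobs:/ { injobs = 1; next }
    injobs && /^  [A-Za-z0-9_-]+:/ { job = $1; sub(/:$/, "", job); next }
    match($0, /secrets\.[A-Za-z0-9_]+/) {
      # "secrets." is 8 characters; the remainder of the match is the name
      print job, substr($0, RSTART + 8, RLENGTH - 8)
    }
  ' "$1"
}

# Jobs that legitimately consume secrets (hypothetical allow-list; per the PR
# description only these two jobs read the values).
ALLOWED="test signed-receipt-smoke"

# Print only the references that land in a job outside the allow-list.
unexpected_secret_jobs() {
  secret_refs "$1" | while read -r job secret; do
    case " $ALLOWED " in
      *" $job "*) ;;
      *) echo "$job $secret" ;;
    esac
  done
}

echo "secret references by job:"
secret_refs "$WORKFLOW"
echo
echo "least-privilege findings (jobs not in: $ALLOWED):"
unexpected_secret_jobs "$WORKFLOW"
```

Run it against a real ci.yml by replacing the heredoc with the path to the file; a non-empty findings list after a change like this PR means a secret is still reaching a job that does not need it. The awk attribution assumes the conventional two-space indent for job keys, which is what GitHub's own examples use.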


vercel bot commented Mar 18, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project       Deployment   Actions           Updated (UTC)
api           Ready        Preview, Comment  Mar 18, 2026 3:44am
trustsignal   Ready        Preview, Comment  Mar 18, 2026 3:44am

- Remove unused `work` branch from push/PR triggers
- Fix node-version 22 → '20' to match package.json engines constraint
- Fix lint job: replace brittle hardcoded file list with `npm run lint`
- Fix typecheck job: replace `npx tsc --strict --noEmit` (which
  type-checks nothing on a project-references tsconfig) with
  `npm run typecheck` (`tsc -b`)
- Remove unnecessary secrets injection from lint, typecheck, web-build,
  rust-build, secret-scan, and dependency-audit jobs (least privilege)

Co-authored-by: chrismaz11 <24700273+chrismaz11@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix GitHub Actions workflows for optimal CI setup" to "fix: audit and clean up GitHub Actions CI workflows" on Mar 18, 2026
Copilot AI requested a review from chrismaz11 March 18, 2026 03:45
