diff --git a/.github/workflows/cargo-audit.yml b/.github/workflows/cargo-audit.yml index ce191eca..7b3b80fc 100644 --- a/.github/workflows/cargo-audit.yml +++ b/.github/workflows/cargo-audit.yml @@ -14,11 +14,16 @@ on: - cron: '37 5 * * 3' # weekly Wednesday workflow_dispatch: +permissions: + contents: read + actions: read + jobs: audit: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 + timeout-minutes: 10 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - uses: rustsec/audit-check@69366f33c96575abad1ee0dba8212993eecbe998 with: token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/cargo-deny.yml b/.github/workflows/cargo-deny.yml index b4c031c6..a8a494ee 100644 --- a/.github/workflows/cargo-deny.yml +++ b/.github/workflows/cargo-deny.yml @@ -15,15 +15,20 @@ on: schedule: - cron: '0 9 * * 1' +permissions: + contents: read + actions: read + jobs: cargo-deny: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 + timeout-minutes: 10 steps: - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Install Rust toolchain - uses: dtolnay/rust-toolchain@stable + uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # stable - name: Run cargo-deny uses: EmbarkStudios/cargo-deny-action@91bf2b620e09e18d6eb78b92e7861937469acedb # v6 diff --git a/.github/workflows/cargo-machete.yml b/.github/workflows/cargo-machete.yml index c3eb04d0..ffe519f9 100644 --- a/.github/workflows/cargo-machete.yml +++ b/.github/workflows/cargo-machete.yml @@ -13,12 +13,14 @@ on: permissions: contents: read + actions: read jobs: detect-unused-dependencies: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 + timeout-minutes: 10 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - uses: taiki-e/install-action@7769b73c2ec98c38dfcf2e18c83cfd4880c038c1 with: 
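Review bot: The new workflow-level block leaves rustsec/audit-check with only `contents: read` and `actions: read`; as far as I recall that action reports through a check run on pull requests and opens issues on scheduled runs, which need `checks: write` and `issues: write`, so a job that previously ran on the repository's default token may now fail at the reporting step — confirm against the action's documentation and add the scopes at job level if they are needed. Separately, `actions: read` has no visible consumer in this job, and in ci.yml, codeql.yml, go-ci.yml, legacy-tooling-gate.yml and release.yml the jobs declare their own `permissions:` block, which replaces the workflow-level one entirely, so the added scope is inert there; in doc-links.yml, fr-coverage.yml and quality-gate.yml the jobs only run `echo`. Least privilege suggests keeping the workflow-level block at `contents: read` and granting `actions: read` only where a step actually reads workflow-run data, as scorecard.yml already does at job level.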
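Review bot: Pinning `dtolnay/rust-toolchain` to a commit drops the information the action used to choose the toolchain: as far as I recall it derives the toolchain from the ref it was invoked with, so `@stable` worked, but `@e97e2d8c… # stable` hands it a SHA and the step shows no `with:` block. Add `with:` / `toolchain: stable` under that step so the pinned action still installs stable. Also, the same checkout commit de0fac2e… is annotated `# v6.0.2` here and in cargo-semver-checks.yml but `# v6` in scorecard.yml; the trailing comment is what Dependabot and Renovate parse to track SHA-pinned actions, so use one label per SHA.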
diff --git a/.github/workflows/cargo-semver-checks.yml b/.github/workflows/cargo-semver-checks.yml index 0dc95a7a..e3ff92c4 100644 --- a/.github/workflows/cargo-semver-checks.yml +++ b/.github/workflows/cargo-semver-checks.yml @@ -7,9 +7,15 @@ concurrency: on: pull_request: { paths: ['**/Cargo.toml'] } workflow_dispatch: + +permissions: + contents: read + actions: read + jobs: semver-checks: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 + timeout-minutes: 10 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: obi1kenobi/cargo-semver-checks-action@6b69fcf40e9b5fb17adeb57e4b6ecd020649a239 diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 219692d0..3482f856 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -11,13 +11,15 @@ on: - main pull_request: - permissions: contents: read + actions: read + jobs: vet: name: Go Vet runs-on: ubuntu-latest + timeout-minutes: 10 permissions: contents: read strategy: @@ -28,9 +30,9 @@ jobs: - backend/nvms steps: - name: Checkout the code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Set up Go - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version-file: ${{ matrix.module }}/go.mod cache-dependency-path: ${{ matrix.module }}/go.sum @@ -40,7 +42,8 @@ jobs: build: name: Go Build - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 + timeout-minutes: 30 permissions: contents: read strategy: 
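Review bot: The `vet` job keeps `runs-on: ubuntu-latest` while `build` and `fmt` in this file, and every other job in the commit except release-drafter's, move to `ubuntu-24.04`, so the runner image is now pinned inconsistently inside one workflow. If the intent is a fixed image, change it to `runs-on: ubuntu-24.04` here and in release-drafter.yml; if `ubuntu-latest` is deliberate for vet, a one-line comment such as `# intentionally floating: vet should track the newest image` would stop the next sweep from changing it. The `vet` job definition continues outside the hunk.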
@@ -51,9 +54,9 @@ jobs: - backend/nvms steps: - name: Checkout the code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Set up Go - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version-file: ${{ matrix.module }}/go.mod cache-dependency-path: ${{ matrix.module }}/go.sum @@ -63,15 +66,16 @@ jobs: fmt: name: Go Fmt (advisory) - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 + timeout-minutes: 10 continue-on-error: true permissions: contents: read steps: - name: Checkout the code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Set up Go - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: 'stable' - name: Check formatting diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 83f126f1..51827df6 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -16,10 +16,12 @@ on: permissions: contents: read security-events: write + actions: read jobs: analyze: + timeout-minutes: 30 name: Analyze (${{ matrix.language }}) - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 permissions: security-events: write contents: read @@ -29,7 +31,7 @@ jobs: matrix: language: ["actions", "go", "javascript"] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - uses: github/codeql-action/init@b25d0ebf40e5b63ee81e1bd6e5d2a12b7c2aeb61 with: languages: ${{ matrix.language }} diff --git a/.github/workflows/doc-links.yml b/.github/workflows/doc-links.yml index 167e0aa4..2325ee5f 100644 --- a/.github/workflows/doc-links.yml +++ b/.github/workflows/doc-links.yml 
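Review bot: `timeout-minutes: 30` is inserted above `name:` in the `analyze` job, whereas the same commit places the key after `runs-on` in the cargo-* workflows, before `runs-on` in doc-links, lint and quality-gate, and above `name:` again in go-ci and legacy-tooling-gate. A fixed key order across the workflows (for example `name`, `runs-on`, `timeout-minutes`, `permissions`) makes these files diff cleanly and makes a missing timeout visible at a glance. The `analyze` job's matrix and steps continue outside this hunk.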
@@ -2,9 +2,11 @@ name: Doc Links on: [push, pull_request] permissions: contents: read + actions: read jobs: links: - runs-on: ubuntu-latest + timeout-minutes: 10 + runs-on: ubuntu-24.04 steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 - run: echo "Doc link check (phenotype-tooling integration)" diff --git a/.github/workflows/fr-coverage.yml b/.github/workflows/fr-coverage.yml index 98eada8a..c5d77657 100644 --- a/.github/workflows/fr-coverage.yml +++ b/.github/workflows/fr-coverage.yml @@ -2,9 +2,11 @@ name: FR Coverage on: [pull_request] permissions: contents: read + actions: read jobs: coverage: - runs-on: ubuntu-latest + timeout-minutes: 10 + runs-on: ubuntu-24.04 steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 - run: echo "FR coverage check (phenotype-tooling integration)" diff --git a/.github/workflows/go-ci.yml b/.github/workflows/go-ci.yml index 6aeba906..8bd042d5 100644 --- a/.github/workflows/go-ci.yml +++ b/.github/workflows/go-ci.yml @@ -10,11 +10,13 @@ timeout-minutes: 45 permissions: contents: read + actions: read jobs: go-build-test: + timeout-minutes: 30 name: Go build + test - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 permissions: contents: read defaults: diff --git a/.github/workflows/legacy-tooling-gate.yml b/.github/workflows/legacy-tooling-gate.yml index 514455dd..a2b8a731 100644 --- a/.github/workflows/legacy-tooling-gate.yml +++ b/.github/workflows/legacy-tooling-gate.yml @@ -10,10 +10,12 @@ on: permissions: contents: read + actions: read jobs: legacy-tooling-scan: + timeout-minutes: 10 name: Legacy Tooling Anti-Pattern Scan - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 permissions: contents: read security-events: write diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 948c4b82..0b7db3de 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml 
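Review bot: The hunk header's context line is `timeout-minutes: 45`, which git takes from the nearest preceding column-0 line, so go-ci.yml appears to carry `timeout-minutes` as a top-level workflow key — a placement the workflow schema does not define, and the same misplaced key is removed from scorecard.yml's `on:` block elsewhere in this commit. With the new job-level `timeout-minutes: 30` the top-level line should go as well; it sits above the hunk, so confirm in the file. If 45 minutes was the intended budget, carry that value to the job-level key rather than silently reducing it to 30.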
@@ -1,8 +1,13 @@ name: Lint on: [push, pull_request] + +permissions: + contents: read + actions: read jobs: golangci: - runs-on: ubuntu-latest + timeout-minutes: 10 + runs-on: ubuntu-24.04 steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 - uses: actions/setup-go@0a12ed9e1a4ce4b1a02a5f2dd1e3a9c9e6c7f8b1 diff --git a/.github/workflows/quality-gate.yml b/.github/workflows/quality-gate.yml index d7c7cdad..5b548b0e 100644 --- a/.github/workflows/quality-gate.yml +++ b/.github/workflows/quality-gate.yml @@ -2,9 +2,11 @@ name: Quality Gate on: [push, pull_request] permissions: contents: read + actions: read jobs: gate: - runs-on: ubuntu-latest + timeout-minutes: 10 + runs-on: ubuntu-24.04 continue-on-error: true steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml index 8b8359cf..dabc186d 100644 --- a/.github/workflows/release-drafter.yml +++ b/.github/workflows/release-drafter.yml @@ -7,8 +7,12 @@ on: types: [opened, reopened, synchronize] workflow_dispatch: +permissions: + contents: read + actions: read jobs: update_release_draft: + timeout-minutes: 15 runs-on: ubuntu-latest steps: - uses: release-drafter/release-drafter@6a93d829887aa2e0748befe2e808c66c0ec6e4c7 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 1103e794..eebefd19 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -5,9 +5,13 @@ on: tags: - "v*" +permissions: + contents: read + actions: read jobs: release: - runs-on: ubuntu-latest + timeout-minutes: 15 + runs-on: ubuntu-24.04 permissions: contents: write steps: diff --git a/.github/workflows/sbom-refresh.yml b/.github/workflows/sbom-refresh.yml index bf99b39c..103b26bd 100644 --- a/.github/workflows/sbom-refresh.yml +++ b/.github/workflows/sbom-refresh.yml 
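Review bot: The commit annotates SHA pins with their tag elsewhere but leaves `actions/setup-go@0a12ed9e1a4ce4b1a02a5f2dd1e3a9c9e6c7f8b1` unlabelled, and this commit differs from the `setup-go@4a3601…` pin that ci.yml labels `# v6.4.0`, so there are now two setup-go pins in the repository, one of which cannot be traced to a release from the file alone. Verify that this commit resolves to a tagged setup-go release and record it inline (`# <actual tag>`), or align it with the 4a3601… pin used in ci.yml so Dependabot updates both together. The steps list continues outside the hunk.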
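Review bot: The new workflow-level `permissions: contents: read` now applies to `update_release_draft`, which shows no job-level `permissions:` of its own, yet release-drafter must create and update draft releases, which requires `contents: write` (and `pull-requests: write` when its autolabeler is in use). Unless a job-level block exists beyond the hunk, every run of this workflow will now fail with a permissions error at the release-drafter step. Add under the job `permissions:` / `contents: write` / `pull-requests: write`, keeping the workflow default read-only, as release.yml already does with its job-level `contents: write`. The job's steps continue outside the hunk.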
@@ -7,8 +7,10 @@ on: permissions: contents: read + actions: read jobs: call-sbom-refresh: + timeout-minutes: 20 uses: KooshaPari/phenotype-tooling/.github/workflows/sbom-monthly.yml@79dff2b798fb8a3bc64237e4b2d054a08d3a4601 with: repo_path: '.' diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 6f7ca502..1be49251 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -1,7 +1,10 @@ name: OpenSSF Scorecard +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + on: branch_protection_rule: - timeout-minutes: 10 schedule: - cron: '17 3 * * 6' push: @@ -11,8 +14,9 @@ permissions: read-all jobs: analysis: + timeout-minutes: 20 name: Scorecard analysis - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 permissions: security-events: write id-token: write @@ -20,22 +24,22 @@ jobs: actions: read steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false - - uses: ossf/scorecard-action@13ec8c77e8a5dae7e0a0d47bde3e3004df15d34f + - uses: ossf/scorecard-action@99c09fe975337306107572b4fdf4db224cf8e2f2 # v2.4.3 with: results_file: results.sarif results_format: sarif publish_results: true - - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a + - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: SARIF file path: results.sarif retention-days: 5 - - uses: github/codeql-action/upload-sarif@b25d0ebf40e5b63ee81e1bd6e5d2a12b7c2aeb61 + - uses: github/codeql-action/upload-sarif@ed410739ba306e4ebe5e123421a6bd694e494a2b # v4 with: sarif_file: results.sarif diff --git a/.github/workflows/secrets-scan.yml b/.github/workflows/secrets-scan.yml index 4564c392..62dacaea 100644 --- a/.github/workflows/secrets-scan.yml +++ b/.github/workflows/secrets-scan.yml 
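Review bot: `timeout-minutes: 20` is placed on `call-sbom-refresh`, but that job invokes a reusable workflow through `uses:`, and to my knowledge a caller job accepts only `name`, `uses`, `with`, `secrets`, `needs`, `if`, `permissions`, `strategy` and `concurrency`; `timeout-minutes` is not among them, so the workflow is likely to be rejected when parsed. Remove the line here and set the timeout on the job inside `sbom-monthly.yml` in phenotype-tooling, where it is honoured. The `with:` block of the caller continues outside the hunk.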
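Review bot: `github/codeql-action/upload-sarif` moves to ed410739… (`# v4`) while codeql.yml keeps `init` at b25d0ebf…, so the two workflows now ride different codeql-action releases and will be bumped separately on each update. Keep both on one commit so a single dependency update covers them, and verify that the `# v4`, `# v2.4.3` and `# v7` labels added here match the tags the respective commits actually carry, since those comments drive automated updates. The `analysis` job's remaining keys are outside the hunk.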
@@ -8,9 +8,11 @@ on: permissions: contents: read + actions: read jobs: trufflehog: - runs-on: ubuntu-latest + timeout-minutes: 20 + runs-on: ubuntu-24.04 steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd with: diff --git a/.github/workflows/trufflehog.yml b/.github/workflows/trufflehog.yml index fbdd1770..dc8bc871 100644 --- a/.github/workflows/trufflehog.yml +++ b/.github/workflows/trufflehog.yml @@ -6,9 +6,13 @@ on: pull_request: branches: ["**"] +permissions: + contents: read + actions: read jobs: trufflehog: - runs-on: ubuntu-latest + timeout-minutes: 20 + runs-on: ubuntu-24.04 steps: - name: Checkout code uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 diff --git a/Cargo.toml b/Cargo.toml index fe5f01cf..ca43d7dc 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,5 +1,5 @@ [workspace] -resolver = "2" +resolver = "3" members = [ "frontend/web/src-tauri", ] diff --git a/README.md b/README.md index 06c42c30..6c09093e 100644 --- a/README.md +++ b/README.md @@ -11,6 +11,7 @@ [![Release](https://img.shields.io/github/v/release/KooshaPari/BytePort?include_prereleases&sort=semver)](https://github.com/KooshaPari/BytePort/releases) [![License](https://img.shields.io/github/license/KooshaPari/BytePort)](LICENSE) [![Phenotype](https://img.shields.io/badge/Phenotype-org-blueviolet)](https://github.com/KooshaPari) +[![AI Slop Inside](https://sladge.net/badge.svg)](https://sladge.net) ## What is this diff --git a/backend/byteport/main.go b/backend/byteport/main.go index a468b8d1..8ac08c46 100644 --- a/backend/byteport/main.go +++ b/backend/byteport/main.go @@ -12,9 +12,7 @@ import ( "github.com/gin-contrib/cors" "github.com/gin-gonic/gin" "go.opentelemetry.io/otel" - "go.opentelemetry.io/otel/attribute" "go.opentelemetry.io/otel/exporters/stdout/stdouttrace" - "go.opentelemetry.io/otel/sdk/resource" "go.opentelemetry.io/otel/sdk/trace" ) 
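Review bot: trufflehog.yml and secrets-scan.yml now carry the same job name `trufflehog`, receive the same `timeout-minutes: 20` / `ubuntu-24.04` edits, and use different checkout pins (11bd7190… here, de0fac2e… in secrets-scan.yml), so what appears to be the same scan is maintained twice and drifts on every sweep. Consolidate into one workflow, or add a header comment in each file stating why both exist (different triggers or scan depth, for example), and align the checkout pin with the rest of the commit. Both jobs' step lists continue outside their hunks.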
diff --git a/backend/byteport/tmp/main.exe~ b/backend/byteport/tmp/main.exe~ deleted file mode 100644 index e13a7990..00000000 Binary files a/backend/byteport/tmp/main.exe~ and /dev/null differ diff --git a/docs/sessions/20260507-byteport-sladge-main-current/00_SESSION_OVERVIEW.md b/docs/sessions/20260507-byteport-sladge-main-current/00_SESSION_OVERVIEW.md new file mode 100644 index 00000000..6e77cda0 --- /dev/null +++ b/docs/sessions/20260507-byteport-sladge-main-current/00_SESSION_OVERVIEW.md @@ -0,0 +1,13 @@ +# BytePort Sladge Main Refresh + +## Goal + +Refresh BytePort Sladge evidence against current `main`, replacing the stale +`docs/byteport-sladge-pem-current` branch that was behind the active checkout. + +## Outcome + +- Added the Sladge badge to the current README badge block. +- Removed unused OTel imports that blocked Go validation. +- Preserved the canonical checkout until isolated validation completed. + diff --git a/docs/sessions/20260507-byteport-sladge-main-current/01_RESEARCH.md b/docs/sessions/20260507-byteport-sladge-main-current/01_RESEARCH.md new file mode 100644 index 00000000..acb6caff --- /dev/null +++ b/docs/sessions/20260507-byteport-sladge-main-current/01_RESEARCH.md @@ -0,0 +1,17 @@ +# Research + +## Current State + +- Canonical BytePort is clean on `main` at `d15cac17`. +- The older `BytePort-wtrees/sladge-pem-current` branch contains badge commit + `08c5b115`, but it is behind current `main`. +- BytePort is a direct Sladge target because the README describes an IaC + deployment and portfolio platform that uses an LLM to generate showcase + metadata. + +## Validation Blocker + +The previous validation blocker was concrete and small: `backend/byteport/main.go` +imported `go.opentelemetry.io/otel/attribute` and +`go.opentelemetry.io/otel/sdk/resource` without using them. + 
diff --git a/docs/sessions/20260507-byteport-sladge-main-current/02_SPECIFICATIONS.md b/docs/sessions/20260507-byteport-sladge-main-current/02_SPECIFICATIONS.md new file mode 100644 index 00000000..69df3079 --- /dev/null +++ b/docs/sessions/20260507-byteport-sladge-main-current/02_SPECIFICATIONS.md @@ -0,0 +1,19 @@ +# Specifications + +## Acceptance Criteria + +- README includes the Sladge badge in the badge block. +- Session docs record why the repo is in scope and why the older branch is stale. +- Go validation gets past the unused import failure without changing runtime + behavior. +- Canonical local changes remain untouched until the isolated branch is verified. + +## Assumptions, Risks, Uncertainties + +- Assumption: Badge placement in the README badge block matches the current + cross-repo governance pattern. +- Risk: Broader BytePort tests may still expose unrelated environmental or + pre-existing runtime blockers. +- Mitigation: Record exact command results and keep code changes limited to the + validation blocker. + diff --git a/docs/sessions/20260507-byteport-sladge-main-current/03_DAG_WBS.md b/docs/sessions/20260507-byteport-sladge-main-current/03_DAG_WBS.md new file mode 100644 index 00000000..f1021d99 --- /dev/null +++ b/docs/sessions/20260507-byteport-sladge-main-current/03_DAG_WBS.md @@ -0,0 +1,16 @@ +# DAG WBS + +## Work Breakdown + +1. Verify canonical BytePort current state and stale prepared branch status. +2. Create an isolated current-main worktree. +3. Add README Sladge badge. +4. Remove unused OTel imports blocking Go validation. +5. Run diff hygiene, badge proof, LFS status, and Go validation. +6. Integrate only after isolated validation confirms the scoped branch. + +## Dependency Notes + +- Step 6 depends on all validation evidence from step 5. +- Landing ledger updates depend on the final commit hash and validation result. + 
diff --git a/docs/sessions/20260507-byteport-sladge-main-current/04_IMPLEMENTATION_STRATEGY.md b/docs/sessions/20260507-byteport-sladge-main-current/04_IMPLEMENTATION_STRATEGY.md new file mode 100644 index 00000000..da660ae2 --- /dev/null +++ b/docs/sessions/20260507-byteport-sladge-main-current/04_IMPLEMENTATION_STRATEGY.md @@ -0,0 +1,9 @@ +# Implementation Strategy + +- Treat `BytePort-wtrees/sladge-pem-current` as stale prepared evidence because + it is behind current `main`. +- Use a fresh isolated worktree from canonical `main`. +- Keep the Sladge change documentation-only. +- Keep the Go change limited to removing unused imports, with no tracer behavior + changes. + diff --git a/docs/sessions/20260507-byteport-sladge-main-current/05_KNOWN_ISSUES.md b/docs/sessions/20260507-byteport-sladge-main-current/05_KNOWN_ISSUES.md new file mode 100644 index 00000000..fdf0930e --- /dev/null +++ b/docs/sessions/20260507-byteport-sladge-main-current/05_KNOWN_ISSUES.md @@ -0,0 +1,10 @@ +# Known Issues + +- Normal BytePort worktree checkout may report LFS pointer warnings for archived + `backend/byteport/tmp/` artifacts. The recreated worktree uses + `GIT_LFS_SKIP_SMUDGE=1` and remains clean under `git lfs status`. +- The repository Taskfile still describes Cargo gates, while the current + project guidance in `CLAUDE.md` identifies Go as the active backend stack. +- Broad `backend/nvms` validation still fails on pre-existing import cycles, + provider type redeclarations, and an upstream `spin-go-sdk` export comment + issue. This session validates the touched `backend/byteport` module. diff --git a/docs/sessions/20260507-byteport-sladge-main-current/06_TESTING_STRATEGY.md b/docs/sessions/20260507-byteport-sladge-main-current/06_TESTING_STRATEGY.md new file mode 100644 index 00000000..3312f008 --- /dev/null +++ b/docs/sessions/20260507-byteport-sladge-main-current/06_TESTING_STRATEGY.md 
@@ -0,0 +1,27 @@ +# Testing Strategy + +## Planned Checks + +- `git diff --check` +- README/session badge presence search +- `git lfs status` +- Go validation with temporary build caches outside the user cache + +## Results + +- `git diff --check` passed. +- README/session badge presence search passed. +- `git lfs status` reported no staged or unstaged LFS objects. +- `backend/byteport`: `/opt/homebrew/bin/go test -v ./...` passed with + `GOTOOLCHAIN=local` and temporary `GOCACHE`. +- `backend/byteport`: `/opt/homebrew/bin/go vet ./...` passed. +- `backend/byteport`: `/opt/homebrew/bin/go build -buildvcs=false ./...` + passed after plain `go build ./...` hit VCS stamping in this worktree. +- `backend/nvms`: `/opt/homebrew/bin/go test -v ./...` still fails on + pre-existing import cycles, provider redeclarations, and an upstream SDK + export comment issue. + +## Scope + +The validation target is the backend Go stack documented in `CLAUDE.md`. The +Taskfile Cargo targets are stale for the current BytePort checkout shape.