
Fix CI release pipeline + Scorecard alerts#234

Merged
s-b-e-n-s-o-n merged 5 commits into main from fix/ci-scorecard-release on Mar 30, 2026

Conversation

@s-b-e-n-s-o-n
Contributor

Summary

  • Auto-tag crash fix: filter pre-release tags (v1.5.0-rc2) when resolving latest stable version; surface real script errors instead of silently swallowing
  • Scorecard Token-Permissions: scope top-level permissions to {} in release-cut, release-from-tag, ci-verify
  • Scorecard Pinned-Dependencies: extract Snyk CLI into setup-snyk composite action with SHA-pinned install
  • Release tag parser: new release-tag.mjs with pre-release validation, rejects legacy rc2 format (enforces rc.2)
  • CI stability: lower load test floor 10→5 req/s, remove run_attempt from QA artifact names
  • Composite actions: wait-for-successful-branch-ci and setup-snyk

Context

RC2 release failed because: (1) auto-tag crashed on v1.5.0-rc2 pre-release tag, failing CI Verify overall; (2) release workflow couldn't find a passing CI run; (3) load test absolute floor too high for shared runners; (4) Playwright artifacts broke on re-runs.

Test plan

  • CI Verify passes (auto-tag no longer crashes)
  • Release workflow proceeds after CI passes
  • node scripts/release-tag.mjs --tag v1.5.0-rc.2 outputs correct metadata
  • node scripts/release-tag.mjs --tag v1.5.0-rc2 fails with correction message

- Token-Permissions: replace top-level permissions with job-level scoped
  permissions in release-cut.yml, release-from-tag.yml, ci-verify.yml
- Pinned-Dependencies: pin Snyk CLI install to snyk/actions/setup@SHA
  instead of npm install -g in security-snyk-weekly.yml
- Auto-tag: initialize release_level/next_version before use and add
  guard clause to prevent unbound variable crash when no releasable
  commits exist (was failing CI Verify overall conclusion)
- Token-Permissions: replace top-level permissions with job-level scoped
  permissions in release-cut, release-from-tag, ci-verify
- Pinned-Dependencies: pin Snyk CLI to snyk/actions/setup@SHA
- Auto-tag: filter pre-release tags (v1.5.0-rc2) when resolving latest
  stable version — release-next-version.mjs only accepts X.Y.Z
- Auto-tag: distinguish "no releasable commits" (skip) from real script
  errors (fail) instead of silently swallowing all failures
- Load test: lower request_rate floor from 10 to 5 req/s
- QA artifact: remove run_attempt suffix so re-runs find the artifact
- Filter v* tags to stable-only (X.Y.Z) when resolving latest version,
  preventing release-next-version.mjs from crashing on pre-release
  suffixes like v1.5.0-rc2
- Distinguish "no releasable commits" (expected, skip) from script
  errors (unexpected, fail) instead of silently swallowing all failures
- Lower load test request_rate floor from 10 to 5 req/s
- Remove run_attempt suffix from QA image artifact names
- Token-Permissions: scope top-level permissions to {} in release-cut,
  release-from-tag; jobs already had job-level blocks
- Pinned-Dependencies: extract Snyk CLI setup into composite action
  (setup-snyk) with SHA-pinned snyk/actions/setup
- Extract CI wait-for-successful-branch-ci into composite action
- Refactor release-from-tag verify job to use composite actions
- release-next-version.mjs: handle pre-release version inputs, improve
  error messages, expand test coverage
- release-tag.mjs: new script for computing release tags with stable
  version filtering
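A worked example of the two tag rules set out in the description and commits above: the latest version is resolved from stable X.Y.Z tags only (so a pre-release tag such as v1.5.0-rc2 can no longer crash that step), and a release tag's pre-release suffix must be the dotted rc.N form, with the legacy rc2 spelling rejected and the corrected tag named in the error. This is an added illustration, not the project's release-tag.mjs or release-next-version.mjs; the function names, the --tag command-line handling, the error wording and the constructed tag list are assumptions made here.

```javascript
// Added example (not the project's own script). Assumptions: tags are "v" + semver,
// and the only accepted pre-release channel is "rc.N" (dotted); "rcN" is legacy.

const STABLE_RE = /^v(\d+)\.(\d+)\.(\d+)$/;               // exactly vX.Y.Z
const RELEASE_TAG_RE = /^v(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/; // vX.Y.Z or vX.Y.Z-<suffix>
const PRERELEASE_RE = /^rc\.(\d+)$/;                       // accepted: rc.2
const LEGACY_PRERELEASE_RE = /^rc(\d+)$/;                  // rejected: rc2

// Numeric (not lexical) comparison so v1.10.0 sorts after v1.9.3.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Resolve the latest stable version from a list of git tags.
// Pre-release tags are filtered out before parsing, so they cannot break the
// X.Y.Z-only consumer downstream. Returns null when no stable tag exists, which
// a caller treats as "nothing to compare against" rather than as a script error.
function latestStableVersion(tags) {
  const stable = tags
    .map((t) => STABLE_RE.exec(t))
    .filter(Boolean)
    .map((m) => [Number(m[1]), Number(m[2]), Number(m[3])]);
  if (stable.length === 0) return null;
  stable.sort(compareVersions);
  const [major, minor, patch] = stable[stable.length - 1];
  return `${major}.${minor}.${patch}`;
}

// Parse a release tag into metadata, validating the pre-release suffix.
// Throws for malformed tags; the legacy "rcN" form gets a message naming the fix.
function parseReleaseTag(tag) {
  const m = RELEASE_TAG_RE.exec(tag);
  if (!m) {
    throw new Error(`Invalid release tag "${tag}": expected vX.Y.Z or vX.Y.Z-rc.N`);
  }
  const version = `${m[1]}.${m[2]}.${m[3]}`;
  const suffix = m[4];
  if (suffix === undefined) {
    return { tag, version, prerelease: false, channel: 'stable' };
  }
  const legacy = LEGACY_PRERELEASE_RE.exec(suffix);
  if (legacy) {
    throw new Error(
      `Invalid pre-release tag "${tag}": legacy format "rc${legacy[1]}" is not accepted; ` +
        `use "v${version}-rc.${legacy[1]}"`
    );
  }
  const rc = PRERELEASE_RE.exec(suffix);
  if (!rc) {
    throw new Error(`Invalid pre-release suffix "${suffix}" in "${tag}": expected rc.N`);
  }
  return { tag, version, prerelease: true, channel: 'rc', rcNumber: Number(rc[1]) };
}

// Constructed sample input: a mix of stable and pre-release tags as `git tag -l 'v*'`
// might return them. Only the stable ones take part in resolving the latest version.
const SAMPLE_TAGS = ['v1.5.0-rc2', 'v1.4.2', 'v1.10.0', 'v1.9.3', 'v2.0.0-rc.1'];

// Minimal CLI in the spirit of `node release-tag.mjs --tag v1.5.0-rc.2` (assumed shape):
// prints the metadata as JSON, or the validation error and a non-zero exit code.
const argv = process.argv.slice(2);
const tagIdx = argv.indexOf('--tag');
if (tagIdx !== -1) {
  try {
    console.log(JSON.stringify(parseReleaseTag(argv[tagIdx + 1]), null, 2));
  } catch (err) {
    console.error(err.message);
    process.exitCode = 1;
  }
} else {
  console.log(`latest stable from sample tags: ${latestStableVersion(SAMPLE_TAGS)}`);
}
```

Run with no arguments to see the latest stable version resolved from the constructed list (1.10.0, not 1.9.3 and not anything from the rc tags); run with `--tag v1.5.0-rc2` to see the legacy format rejected together with the corrected tag `v1.5.0-rc.2`.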
@vercel

vercel bot commented Mar 30, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project          Deployment   Actions            Updated (UTC)
drydock-demo     Ready        Preview, Comment   Mar 30, 2026 3:38am
drydock-website  Ready        Preview, Comment   Mar 30, 2026 3:38am

@codecov

codecov bot commented Mar 30, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.


@s-b-e-n-s-o-n s-b-e-n-s-o-n merged commit c1b764b into main Mar 30, 2026
22 checks passed
@s-b-e-n-s-o-n s-b-e-n-s-o-n deleted the fix/ci-scorecard-release branch March 30, 2026 10:55
