chore(brand): table-cell em-dash sweep + scorecard fixes #228
Merged
Second pass following PR #224. Three small things:

1. Em-dash sweep in table cells (12 occurrences across 9 files). PR #224's mechanical sweep protected lines starting with `|` as code structure, but table cells contain rendered prose and the voice rule applies. Each em-dash replaced contextually: period-and-capitalize, comma, or word-rewrite. The one remaining em-dash in CONTRIBUTING.md:198 is inside a Go `` ```go `` code block (a kubebuilder marker comment example), correctly preserved.
2. scorecard.yml: publish_results now uses `github.ref_name == github.event.repository.default_branch` instead of hardcoded `refs/heads/main`. Same fix as engineering-handbook PR #16 and repo-template PR #11. The default here is `main`, so no behavior change today, but the workflow is now correct regardless of which branch is set as default (consistent with the family).
3. scorecard.yml: github/codeql-action/upload-sarif SHA pin replaced. The old pin (d4b3ca9fa7f69d38bfcd667bdc45bc373d16277e) is an imposter commit per OSSF Scorecard's anti-supply-chain check, which is why every Scorecard run since at least 2026-04-29 has failed with `error sending scorecard results to webapp: ... imposter commit ... does not belong to github/codeql-action/upload-sarif`. New pin (68bde559dea0fdcac2102bfdf6230c5f70eb485e) is the real v4 tag commit, verified via gh api.

The push trigger also now fires on `develop` in addition to `main`, matching the family pattern. publish_results gating keeps the public score canonical to default-branch state.

No-Linear-Issue: brand-alignment follow-up to PR #224
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-Authored-By: amcheste <13696614+amcheste@users.noreply.github.com>
This was referenced May 11, 2026
Merged
PR #228 changed the regenerated docs/reference/api/index.md to swap an em-dash for a semicolon in the MaxRestarts description, but missed the matching Go doc comment in api/v1alpha1/agentteam_types.go. The `make docs-api` regeneration step in CI then pulled the em-dash back from source and the Lint job's diff check failed. Sync the source comment to match the rendered docs.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-Authored-By: amcheste <13696614+amcheste@users.noreply.github.com>

`make manifests` regenerates the CRD YAMLs from the Go type descriptions, so the MaxRestarts comment change also has to be reflected in:

- charts/claude-teams-operator/crds/claude.amcheste.io_agentteams.yaml
- charts/claude-teams-operator/crds/claude.amcheste.io_agentteamruns.yaml
- charts/claude-teams-operator/crds/claude.amcheste.io_agentteamtemplates.yaml
- config/crd/bases/claude.amcheste.io_agentteams.yaml
- config/crd/bases/claude.amcheste.io_agentteamruns.yaml
- config/crd/bases/claude.amcheste.io_agentteamtemplates.yaml

Pure regeneration — no logic change.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-Authored-By: amcheste <13696614+amcheste@users.noreply.github.com>
amcheste added a commit to amcheste/mac-dev-setup that referenced this pull request May 12, 2026
## Summary

Brand-alignment pass against the [alanchester-brand voice rules](https://github.com/amcheste/alanchester-brand/blob/main/docs/voice.md). 105 em-dashes addressed across 7 prose files, plus the now-standard Scorecard `publish_results` fix.

## 1. Em-dash sweep (7 files, 105 dashes addressed)

| File | Em-dashes |
|---|---|
| README.md | 33 |
| CONTRIBUTING.md | 11 |
| CLAUDE.md | 20 |
| TESTING.md | 27 |
| VERSIONING.md | 8 |
| CHANGELOG.md | 4 |
| SECURITY.md | 2 |

**87 swept mechanically** via `re.sub(r' — ([a-z])', lambda: '. ' + capitalize, ...)` with code-block and table-row protection. Same approach as [engineering-handbook PR #16](amcheste/engineering-handbook#16) and [claude-teams-operator PR #228](amcheste/kagents#228).

**18 swept manually** with contextual judgment:

- Mid-table appositives (`X — Y` where Y describes X) → commas. E.g. `pyenv — switch versions` → `pyenv, switch versions`.
- Longer table-cell continuations → period + capitalize. E.g. `Persist facts across sessions — supplements CLAUDE.md` → `Persist facts across sessions. Supplements CLAUDE.md.`
- List-introducing em-dashes → colons. E.g. `Breaking changes — tools removed, ...` → `Breaking changes: tools removed, ...`
- Stable-state appositives → semicolons. E.g. `Pre-stable — actively being developed` → `Pre-stable; actively being developed`.
- Two end-of-line em-dashes in CLAUDE.md (`...productive —\ntools, dotfiles...`) → commas with continuation.

**One em-dash deliberately preserved**: `TESTING.md:73` (`# Dry run — show what would execute without running`) is inside a `` ```bash `` code block (a shell comment example for `act --dryrun`). Per theming-prompt rules on code structure, this stays.

**Post-sweep audit clean**: 1 match on `grep -nE '\. [a-z]'` — `README.md:149` "Region (e.g. iad): iad" — abbreviation false positive (`e.g.`), left as-is.

## 2. 
Scorecard publish_results fix Same one-pattern fix as engineering-handbook, repo-template, and claude-teams-operator: ```diff push: - branches: [main] + branches: [main, develop] results_format: sarif - # Only publish to scorecard.dev from main — the action enforces this - publish_results: ${{ github.ref == 'refs/heads/main' }} + # Publish to scorecard.dev only from the default branch. + publish_results: ${{ github.ref_name == github.event.repository.default_branch }} - uses: github/codeql-action/upload-sarif@... # v4 - if: github.ref == 'refs/heads/main' + if: github.ref_name == github.event.repository.default_branch ``` This repo's default is currently `main`, so no behavior change today. But the workflow is now correct regardless of which branch is set as default — consistent with the family pattern and forward-compatible if you ever flip to develop as default for a pre-stable-release phase. ## Note on the codeql-action SHA The `github/codeql-action/upload-sarif@e46ed2cbd01164d986452f91f178727624ae40d7` pin on develop is **real and correct** — verified via the GitHub API. No imposter-commit issue on develop. `main` still has the older imposter SHA (`d4b3ca9f...` from when it was last updated from repo-template). That'll resolve on its own at the next release promotion (`develop → main`), since develop already has the real SHA. ## What's NOT in this PR - **Banner migration** (`assets/logo.png` → `assets/banner.svg` per banner-spec). Same follow-up as pokemon-red-ai, overleaf-mcp, etc. - **Repo topics** (`repositoryTopics: null`). Manual `gh repo edit`. ## Verification - [x] `git diff origin/develop --name-only` → 8 files. No edits to `setup.sh`, `Brewfile*`, `Formula/`, `claude-skills/`, `dotfiles/`, or `scripts/`. - [x] `grep -rn "—" *.md` → 1 result (TESTING.md:73, shell-comment example in code block). - [x] Em-dashes in newly-rewritten prose: 0. - [x] Em-dashes in code blocks / shell comments: preserved. 
🤖 Generated with [Claude Code](https://claude.com/claude-code)
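Review bot: In the `publish_results` and `upload-sarif` `if` lines, `github.ref_name` is the short name of a branch or a tag, so a tag that shares the default branch's name would also pass this gate, whereas the old `github.ref == 'refs/heads/main'` could only match a branch. Consider comparing the full ref, for example `github.ref == format('refs/heads/{0}', github.event.repository.default_branch)`, and confirm that `github.event.repository.default_branch` is populated on any non-push trigger this workflow has.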
amcheste added a commit to amcheste/repo-template that referenced this pull request May 12, 2026
…in (#11) ## Summary Two scorecard.yml fixes that affect every repo born from this template. ### 1. publish_results gating The Scorecard workflow hardcoded `refs/heads/main` for both the publish gate and the `upload-sarif` `if` condition. For repos using `develop` as default branch (the documented flow for projects pre-first-stable-release), Scorecard runs were succeeding but never publishing. ```diff push: - branches: [main] + branches: [main, develop] results_format: sarif - publish_results: ${{ github.ref == 'refs/heads/main' }} + publish_results: ${{ github.ref_name == github.event.repository.default_branch }} - uses: github/codeql-action/upload-sarif@... # v4 - if: github.ref == 'refs/heads/main' + if: github.ref_name == github.event.repository.default_branch ``` ### 2. Imposter codeql-action SHA The pinned `github/codeql-action/upload-sarif@d4b3ca9fa7f69d38bfcd667bdc45bc373d16277e` is an **imposter commit** per OSSF Scorecard's anti-supply-chain check. The SHA doesn't belong to `github/codeql-action`. Every Scorecard run downstream of this template hits: ``` error sending scorecard results to webapp: http response 400, status: 400 Bad Request, error: workflow verification failed: imposter commit: d4b3ca9fa7f69d38bfcd667bdc45bc373d16277e does not belong to github/codeql-action/upload-sarif ``` Fix swaps the pin to the real v4 tag commit, verified via `gh api repos/github/codeql-action/git/tags/...`: ```diff - - uses: github/codeql-action@d4b3ca9 # v4 + - uses: github/codeql-action@68bde55 # v4 ``` ## Why both go together Both bugs prevent the Scorecard badge from working for any repo using this template. Fixing one without the other still leaves the badge broken. Single PR keeps the propagation surface to one commit-stack across the family. 
## Cross-repo status

Same combined fix landed (or about to) in:

- `claude-teams-operator` — [PR #228](amcheste/kagents#228)
- `engineering-handbook` — follow-up PR queued (PR #16 already merged with the publish_results fix but the imposter SHA still in place)

## Verification

- [x] `git diff main` → exactly `.github/workflows/scorecard.yml`, 4 lines.
- [x] `68bde559dea0fdcac2102bfdf6230c5f70eb485e` is real: `gh api repos/github/codeql-action/git/tags/5e316336eb4f107009e477d4bfbfff13d7250fae --jq '.object'` → `{type: commit, sha: 68bde559...}`.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
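Review bot: The `uses:` lines in the SHA hunk show a 7-character ref (`@d4b3ca9`, `@68bde55`) on `github/codeql-action`, while the description and the Scorecard error name `github/codeql-action/upload-sarif` with the full 40-character SHA. If the hunk is abbreviated for display, say so in the description; the workflow itself should carry the full `68bde559dea0fdcac2102bfdf6230c5f70eb485e` on the `upload-sarif` path, since a short ref is not a commit pin.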
amcheste added a commit to amcheste/engineering-handbook that referenced this pull request May 12, 2026
## Summary Follow-up to [PR #16](#16). The `publish_results` fix in #16 will let the Scorecard workflow try to publish on the next Monday scheduled run (the first time this repo has published since the develop-default branch was set). But the pinned SHA on `github/codeql-action/upload-sarif` is an imposter commit per OSSF Scorecard's anti-supply-chain check, so the publish would fail at the SARIF upload step with: ``` imposter commit: d4b3ca9fa7f69d38bfcd667bdc45bc373d16277e does not belong to github/codeql-action/upload-sarif ``` (Already verified failing on `claude-teams-operator` for the same reason since at least 2026-04-29.) ## Fix ```diff - - uses: github/codeql-action@d4b3ca9 # v4 + - uses: github/codeql-action@68bde55 # v4 ``` The new SHA is the real v4 tag commit, verified via: ``` gh api repos/github/codeql-action/git/refs/tags/v4 → tag object SHA 5e316336eb4f107009e477d4bfbfff13d7250fae gh api repos/github/codeql-action/git/tags/5e316336eb4f107009e477d4bfbfff13d7250fae → object: { type: commit, sha: 68bde559dea0fdcac2102bfdf6230c5f70eb485e } ``` ## Cross-repo status The same imposter SHA propagated from `repo-template` into every repo born from it. Companion fixes: - `repo-template` — [PR #11](amcheste/repo-template#11) (open, includes both publish_results + SHA fixes) - `claude-teams-operator` — [PR #228](amcheste/kagents#228) (open, includes table-cell em-dash sweep + scorecard fixes) ## Verification - [x] `git diff develop --name-only` → exactly `.github/workflows/scorecard.yml`. - [x] 1-line change. No-Linear-Issue: follow-up to PR #16, propagating cross-family scorecard SHA fix 🤖 Generated with [Claude Code](https://claude.com/claude-code)
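Review bot: The trailing `# v4` on the new `uses:` line names a major tag that moves as releases are cut, so the comment will stop matching `68bde55` once `v4` is retagged and the pin can no longer be re-checked against it. Record the exact release tag the commit was cut from in that comment, and keep the two `gh api` lookups in the description as the verification record.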
Summary
Second brand-alignment pass following PR #224. Three small fixes that the first pass either deliberately skipped (table cells, protected as code-structure) or didn't reach (scorecard workflow).
1. Table-cell em-dash sweep (9 files, 12 occurrences)
PR #224's mechanical sweep protected lines starting with `|` as code structure. But table cells contain rendered prose and the voice rule applies. Each em-dash replaced contextually:

- `Single-node fallback" — not true RWX` → `Single-node fallback"; not true RWX`
- `❌ — please upgrade` → `❌ please upgrade`
- `selector — e.g.` → `selector, e.g.`
- `One-off work — refactor` → `One-off work, e.g. refactor`
- `| — |` placeholder → `(any)`
- `Yes — use this`, `No — POSIX semantics` → `Yes, use this.`, `No. POSIX semantics`
- `Almost never — mailbox` → `Almost never. Mailbox`
- `not subject to this limit — a lead crash` → `not subject to this limit; a lead crash`

The single em-dash in `CONTRIBUTING.md:198` is inside a `` ```go `` code block (a kubebuilder marker comment example) and stays — correctly preserved as code structure per the theming-prompt rules.

2. Scorecard publish_results fix

Same fix as engineering-handbook PR #16 and repo-template PR #11.

This repo's default is currently `main`, so no behavior change today. But the workflow is now correct regardless of which branch is set as default — consistent with the family pattern.

3. Scorecard imposter-commit fix

Root cause of every Scorecard failure since at least 2026-04-29.

The pinned `github/codeql-action/upload-sarif@d4b3ca9fa7f69d38bfcd667bdc45bc373d16277e` is an imposter commit per OSSF Scorecard's anti-supply-chain check. The SHA does not belong to `github/codeql-action`. Every scheduled run produces the error:

Fix: swap the pin to the real v4 tag commit, verified via `gh api repos/github/codeql-action/git/tags/...`:

After this lands, the next scheduled Scorecard run (next Monday 01:30 UTC, or manual via `workflow_dispatch`) will succeed and publish.

Cross-repo follow-ups (queued in memory)

The same imposter SHA pin lives in two other repos. PR #11 (repo-template) is still open; the SHA fix will be pushed there as another commit. PR #16 (engineering-handbook) is already merged with the wrong SHA — a follow-up PR is needed there before its next Monday Scorecard run (now that PR #16's publish_results fix will let it try to publish for the first time).

Surfaces deliberately skipped

- `assets/banner.png` → `assets/banner.svg` per banner-spec). Separate follow-up.
- `repositoryTopics: null`). Manual `gh repo edit`.

Verification

- `git diff origin/develop --name-only` → 10 files. No edits to source code (Go), no edits to CHANGELOG, no edits to LICENSE.
- `grep -rn "—" README.md CONTRIBUTING.md ARCHITECTURE.md SECURITY.md docs/` → 1 result (CONTRIBUTING.md:198, Go code block, intentional).
- `gh api repos/github/codeql-action/git/refs/tags/v4` → tag points to commit `68bde559dea0fdcac2102bfdf6230c5f70eb485e`.

No-Linear-Issue: brand-alignment follow-up to PR #224

🤖 Generated with Claude Code
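The tag-to-commit check described in the verification steps (`refs/tags/v4` → tag object → commit), applied to workflow `uses:` lines, as an added example that is not part of the original PR or the project's code. The `API` dict is a constructed offline stand-in for the two `gh api` responses quoted on this page, the workflow lines are constructed, and `resolve_tag` and `audit` are hypothetical helper names. A `mismatch` means the pin is not the commit the trailing tag comment claims; it is not Scorecard's own imposter-commit check.

```python
import re

# Constructed offline stand-in for the two `gh api` responses quoted on this page.
API = {
    "repos/github/codeql-action/git/refs/tags/v4":
        {"object": {"type": "tag", "sha": "5e316336eb4f107009e477d4bfbfff13d7250fae"}},
    "repos/github/codeql-action/git/tags/5e316336eb4f107009e477d4bfbfff13d7250fae":
        {"object": {"type": "commit", "sha": "68bde559dea0fdcac2102bfdf6230c5f70eb485e"}},
}

# Constructed workflow steps: the old pin, the new pin, a short SHA, a bare tag.
WORKFLOW = """\
      - uses: github/codeql-action/upload-sarif@d4b3ca9fa7f69d38bfcd667bdc45bc373d16277e # v4
      - uses: github/codeql-action/upload-sarif@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4
      - uses: github/codeql-action/upload-sarif@68bde55 # v4
      - uses: github/codeql-action/upload-sarif@v4
"""

# owner/repo, optional sub-path, ref, optional trailing "# tag" comment
USES = re.compile(
    r"uses:[ \t]*([\w.-]+/[\w.-]+)(?:/[\w./-]+)?@(\S+)(?:[ \t]*#[ \t]*(\S+))?")

def resolve_tag(api, repo, tag):
    """Follow refs/tags/<tag> through any annotated tag objects to a commit SHA."""
    obj = api[f"repos/{repo}/git/refs/tags/{tag}"]["object"]
    while obj["type"] == "tag":  # annotated tag: one more hop to reach the commit
        obj = api[f"repos/{repo}/git/tags/{obj['sha']}"]["object"]
    return obj["sha"]

def audit(workflow, api):
    """Return (ref, verdict) for every `uses:` line in the workflow text."""
    findings = []
    for repo, ref, tag in USES.findall(workflow):
        if not re.fullmatch(r"[0-9a-f]{40}", ref):
            verdict = "not-a-full-sha"   # mutable tag/branch or abbreviated SHA
        elif not tag:
            verdict = "no-tag-comment"   # nothing to verify the pin against
        elif resolve_tag(api, repo, tag) != ref:
            verdict = "mismatch"         # pin is not the commit the tag names
        else:
            verdict = "ok"
        findings.append((ref, verdict))
    return findings

if __name__ == "__main__":
    for ref, verdict in audit(WORKFLOW, API):
        print(f"{verdict:15} {ref}")
```
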