diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 2627a94..a93d3b3 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -10,7 +10,7 @@ jobs:
 name: Rust engine · build + test
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v6
 - uses: dtolnay/rust-toolchain@stable
 - uses: Swatinem/rust-cache@v2
 - name: cargo test
@@ -20,9 +20,9 @@ jobs:
 name: TS packages · build · typecheck · test · bundle
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - uses: pnpm/action-setup@v4
- - uses: actions/setup-node@v4
+ - uses: actions/checkout@v6
+ - uses: pnpm/action-setup@v6
+ - uses: actions/setup-node@v6
 with:
 node-version: 22
 cache: pnpm
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index adbc435..766b1da 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -32,7 +32,7 @@ jobs:
 - { name: linux-x64, runner: ubuntu-22.04, target: x86_64-unknown-linux-gnu }
 - { name: linux-arm64, runner: ubuntu-22.04-arm, target: aarch64-unknown-linux-gnu }
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v6
 - uses: dtolnay/rust-toolchain@stable
 with:
 targets: ${{ matrix.target }}
@@ -51,8 +51,8 @@ jobs:
 aarch64-*) file "$bin" | grep -q "arm64" || { echo "::error::expected an arm64 binary"; exit 1; } ;;
 esac

- - uses: pnpm/action-setup@v4
- - uses: actions/setup-node@v4
+ - uses: pnpm/action-setup@v6
+ - uses: actions/setup-node@v6
 with:
 node-version: 22
 cache: pnpm
@@ -70,7 +70,7 @@ jobs:
 cp dist-release/mcp.cjs staging/
 tar -czf "splus-${{ matrix.name }}.tar.gz" -C staging .

- - uses: actions/upload-artifact@v4
+ - uses: actions/upload-artifact@v7
 with:
 name: splus-${{ matrix.name }}
 path: splus-${{ matrix.name }}.tar.gz
@@ -80,7 +80,7 @@ jobs:
 needs: build
 runs-on: ubuntu-latest
 steps:
- - uses: actions/download-artifact@v4
+ - uses: actions/download-artifact@v8
 with:
 path: artifacts
 merge-multiple: true
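Review bot: The three added `uses:` lines in the `@@ -20,9 +20,9 @@` hunk (`actions/checkout@v6`, `pnpm/action-setup@v6`, `actions/setup-node@v6`) still reference mutable major-version tags, so anyone who can move a tag in the upstream repository can change the code that checks out and builds this project without any diff appearing here; the `@stable` and `@v2` context lines the commit leaves alone have the same exposure. Pin each action to its full commit SHA and keep the tag in a trailing comment, e.g. `- uses: actions/checkout@<full-commit-sha> # v6`, so Dependabot or Renovate can still track updates while the resolved revision is explicit in review. Whether each bumped major tag actually exists upstream is not verifiable from the diff alone, which is another reason to make the pinned revision visible.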
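Review bot: In the `@@ -80,7 +80,7 @@` hunk of release.yml, `actions/download-artifact` jumps from v4 to v8 (and `upload-artifact` from v4 to v7 in the build job) in a single commit, and the merged `artifacts/` directory it produces with `merge-multiple: true` feeds whatever publishes the release, yet nothing in the hunk checks that the download yielded the expected `splus-<matrix.name>.tar.gz` files or that their contents match what the build job uploaded. Consider having the build job write a checksum file alongside each tarball and adding a step after this download that fails closed, e.g. `run: sha256sum -c artifacts/SHA256SUMS`, before any publish step runs. The steps that follow the download and the job's `permissions:` block lie outside the hunk, so whether such a check already exists cannot be confirmed from here; a dry run of the release workflow after a multi-major action bump is advisable either way.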
diff --git a/.github/workflows/splus-review.yml b/.github/workflows/splus-review.yml
deleted file mode 100644
index f058332..0000000
--- a/.github/workflows/splus-review.yml
+++ /dev/null
@@ -1,58 +0,0 @@
-name: Splus self-review
-
-# Splus reviews its own pull requests — the ultimate dogfood.
-# Advisory by design: this never blocks the PR (the CI workflow is the gate).
-# It runs the deterministic engine on the PR diff, writes the review to the
-# Actions summary, and posts inline annotations on the changed lines. Fully
-# deterministic — no secrets, no network. (Learned suppression and the optional
-# LLM judgment live in the agent/MCP flow, not in this CI dogfood.)
-
-on:
- pull_request:
-
-permissions:
- contents: read
-
-concurrency:
- group: splus-review-${{ github.event.pull_request.number }}
- cancel-in-progress: true
-
-jobs:
- review:
- name: Splus reviews this PR (advisory)
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v4
- with:
- fetch-depth: 0 # need base..head history for the diff
- - uses: dtolnay/rust-toolchain@stable
- - uses: Swatinem/rust-cache@v2
- - name: Build the engine
- run: cargo build --release --locked
- - uses: actions/setup-node@v4
- with:
- node-version: 22
-
- - name: Splus review
- env:
- BASE_SHA: ${{ github.event.pull_request.base.sha }}
- run: |
- set +e
- ENGINE="$PWD/target/release/splus-engine"
-
- # Human-readable review → the Actions run summary.
- {
- echo "## 🔬 Splus reviewed this PR"
- echo "_deterministic engine · diff-scoped, clean-as-you-code_"
- echo ""
- echo '```'
- "$ENGINE" review --root . --base "$BASE_SHA" --format pretty --no-color
- echo '```'
- } >> "$GITHUB_STEP_SUMMARY"
-
- # Inline annotations on the diff, from the deterministic report —
- # works on any repo, no code-scanning required.
- "$ENGINE" review --root . --base "$BASE_SHA" --format json > splus.json 2>/dev/null
- node scripts/gh-annotate.mjs < splus.json
-
- exit 0 # advisory: never fail the PR
diff --git a/scripts/gh-annotate.mjs b/scripts/gh-annotate.mjs
deleted file mode 100644
index f6a1e2f..0000000
--- a/scripts/gh-annotate.mjs
+++ /dev/null
@@ -1,30 +0,0 @@
-#!/usr/bin/env node
-// Read a Splus JSON report on stdin and emit GitHub Actions annotations, so
-// findings show up inline on the PR diff. Works on any repo (no code-scanning
-// / Advanced Security needed) — these are plain workflow commands.
-// Read stdin robustly (readFileSync(0) can throw EAGAIN on a pipe).
-const chunks = [];
-for await (const chunk of process.stdin) chunks.push(chunk);
-const raw = Buffer.concat(chunks).toString("utf8");
-
-let report;
-try {
- report = JSON.parse(raw);
-} catch {
- process.exit(0); // engine errored / no JSON — stay silent, never fail CI
-}
-
-const findings = report.findings ?? [];
-const level = (s) => (s === "critical" || s === "high" ? "error" : s === "medium" ? "warning" : "notice");
-const esc = (s) => String(s).replace(/%/g, "%25").replace(/\r/g, "%0D").replace(/\n/g, "%0A");
-const escProp = (s) => esc(s).replace(/,/g, "%2C").replace(/:/g, "%3A");
-
-let n = 0;
-for (const f of findings) {
- const body = `${f.title} — ${f.rationale ?? f.message}` + (f.suggestion ? `\nsuggested fix:\n${f.suggestion}` : "");
- const title = `Splus: ${f.rule_id}`;
- const line = f.region?.start_line ?? 1;
- console.log(`::${level(f.severity)} file=${escProp(f.file)},line=${line},title=${escProp(title)}::${esc(body)}`);
- n++;
-}
-console.error(`splus: emitted ${n} inline annotation(s)`);