chore(MCPForge): workflow hygiene — ubuntu-24.04, permissions#135

Open

KooshaPari wants to merge 54 commits into

isaacphi:mainfrom

KooshaPari:chore/workflow-hygiene-ubuntu-24

KooshaPari commented May 28, 2026

Summary

Replace ubuntu-latest with ubuntu-24.04 across all workflow files
Add minimal permissions: blocks to workflow files missing them

Test plan

CI passes on this branch
Merge after review

🤖 Generated with Claude Code

KooshaPari and others added 30 commits

March 29, 2026 06:16


          docs: add Phenotype fork differentiation header (#1)

96631ef

Co-authored-by: Claude Code <claude@anthropic.com>


          docs(org): governance onboarding for batch-3

dc76975

- CLAUDE.md: project-level governance and mandate
- AGENTS.md: local agent contract and operating loop
- docs/worklogs/README.md: work audit template
- .github/workflows: quality-gate, fr-coverage, doc-links
- FUNCTIONAL_REQUIREMENTS.md: 7 FR stubs inferred from README
- tests/smoke_test: language-specific sanity check

Commit applies org standards to newly-cloned repos per batch-3 onboarding checklist.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>


          chore: add FUNDING.yml (#2)

4e58727


          chore: add CODE_OF_CONDUCT.md (#3)

15e34e4


          chore: add OpenSSF Scorecard workflow (audit #256) (#4)

05b5404


          docs(license): add MIT license and README section

caea567


          Merge branch 'main' of https://github.com/KooshaPari/MCPForge

96fae30


          docs(security): scaffold SECURITY.md (vulnerability reporting policy)

dedb8f8

Co-authored-by: Codex <noreply@openai.com>


          docs(contrib): add CONTRIBUTING.md with Go/LSP fork workflow (#6)

0a0954d


          chore: add baseline .editorconfig (wave-16) (#7)

c510eb0


          Fix alert-sync reusable workflow reference (#8)

Co-authored-by: Codex <noreply@openai.com>


          Switch CI caller to phenoShared reusable workflow (#9)

77e2d09

Co-authored-by: Codex <noreply@openai.com>


          ci: pin phenoShared CI workflow caller (#10)

446f7f8

Pin the top-level phenoShared CI reusable workflow to an immutable commit SHA instead of tracking main.

Validation:
- actionlint .github/workflows/ci.yml
- git diff --check

Co-authored-by: Codex <noreply@openai.com>


          ci: restore phenoShared CI main ref (#11)

d87312f

Co-authored-by: Codex <noreply@openai.com>


          ci: replace deprecated Rust toolchain action (#12)

aa0bb54

Co-authored-by: Codex <noreply@openai.com>


          ci: add CodeQL Rust analysis (security scanning) (#13)

68142c7

Co-authored-by: Codex <noreply@openai.com>


          Add Taskfile (#14)

ca8a5a9

Co-authored-by: Codex <noreply@openai.com>


          add taskfile common tasks (#15)

1a74d67

Co-authored-by: Codex <noreply@openai.com>


          normalize taskfile for go repo (#16)

c6bca0a

Co-authored-by: Codex <noreply@openai.com>


          extend taskfile clean artifacts (#17)

5d9a08b

Co-authored-by: Codex <noreply@openai.com>


          Extend Taskfile lint checks (#18)

2cc8de7

Add gopls check coverage to the common lint task so Taskfile-based validation includes the repo's Go LSP diagnostics without relying on the justfile audit target.

Co-authored-by: Codex <noreply@openai.com>


          Extend Taskfile clean artifacts (#19)

c79c7b4

Remove generated snapshot diff files from integration test runs as part of the common clean task.

Co-authored-by: Codex <noreply@openai.com>


          harden Taskfile common tasks (#20)

0dade39

Co-authored-by: Codex <noreply@openai.com>


          Harden Taskfile clean target (#21)

c1feb63

Avoid clearing the shared Go build cache from the common clean task; keep test-cache expiry and generated artifact cleanup.

Co-authored-by: Codex <noreply@openai.com>


          refresh taskfile common tasks (#22)

6d7b07d

Detected the repository as Go-based and kept the Taskfile common targets aligned with Go build, test, lint, and clean flows while centralizing the binary name.

Co-authored-by: Codex <noreply@openai.com>


          Align Taskfile lint checks (#23)

db51493

Co-authored-by: Codex <noreply@openai.com>


          Refine Taskfile common tasks (#24)

659873c

Co-authored-by: Codex <noreply@openai.com>


          stabilize taskfile test target (#25)

f693cf8

Keep the common Taskfile test target on deterministic Go packages while leaving the real-filesystem watcher harness to its explicit package command. This keeps build, test, lint, and clean usable as a local common task set.\n\nValidation: task build test lint clean\n\nCo-authored-by: Codex <noreply@openai.com>


          Refine Go Taskfile command configuration (#26)

1958a1f

Co-authored-by: Codex <noreply@openai.com>


          Refine Taskfile clean cache handling (#27)

5f3d42a

Detected Go tooling from go.mod and validated the common Taskfile tasks. Update clean so it clears both build and test caches before removing generated artifacts.

Co-authored-by: Codex <noreply@openai.com>

KooshaPari and others added 24 commits

April 28, 2026 09:44


          Stabilize Taskfile clean target

2153b2f

Use Go test-cache expiry for the clean task while keeping repo artifact cleanup intact. Avoid purging the shared Go build cache from this task because that can fail on active local cache directories.

Validated locally with task build, task test, task lint, and task clean.

Co-authored-by: Codex <noreply@openai.com>


          Improve Go Taskfile clean task (#29)

07f0296

Update the common clean task to clear both Go build and test caches so local build cache corruption can be repaired through the Taskfile workflow.

Co-authored-by: Codex <noreply@openai.com>


          Harden Taskfile clean task (#30)

09a9d22

Add retry handling around Go cache cleanup so the common clean task tolerates transient cache directory races after tool invocations.

Co-authored-by: Codex <noreply@openai.com>


          chore: add standard issue templates (#31)

659413d

* chore: add standard issue templates

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* chore: add standard issue templates

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* chore: add standard issue templates

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* chore: add standard issue templates

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>


          chore: pin GitHub Actions to fixed SHAs (#33)

12495ad

* docs: add sladge badge

Co-authored-by: Codex <noreply@openai.com>

* chore: pin GitHub Actions to fixed SHAs

Pin GitHub Actions to immutable SHAs:
- checkout@v4: 34e114876b0b11c390a56381ad16ebd13914f8d5
- setup-go@v5: be666c2fcd27ec809703dec50e508c2fdc7f6654
- setup-node@v4: 48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e
- setup-python@v5: a26af69be951a213d495a4c3e4e4022e16d87065

* chore: pin GitHub Actions to specific SHAs

---------

Co-authored-by: Codex <noreply@openai.com>


          docs: add journey-traceability + iconography implementation (#34)

d7aeddb

Co-authored-by: Phenotype Agent <agent@phenotype.ai>


          ci: SHA-pin GitHub Actions (normalize to canonical SHAs)

726e8d0

Pin all action refs to immutable SHAs across workflow files:
- checkout@v4 → @11bd71901bbe5b1630ceea73d27597364c9af683
- checkout@v6 → @de0fac2e4500dabe0009e67214ff5f5447ce83dd
- setup-node@v4/v5, setup-python@v4/v5, setup-go@v5
- upload-artifact@v4/v7, download-artifact@v4
- cache@v3/v4, github-script@v7
- configure-pages@v5/v6, deploy-pages@v4/v5
- upload-pages-artifact@v3/v5, dependency-review-action@v4

Fixes version-tag normalization (add v4/v5 tags where missing).
Fixes double-SHA corruption artifacts from prior patching rounds.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>


          ci: add trufflehog secrets scan

cfe015f


          chore: bootstrap CLAUDE.md + trufflehog.yml (#35)

5cd23c7

- Add CLAUDE.md with Go MCP language server conventions
- Add .trufflehog.yml secrets scanning config

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>


          chore: stage lsp_test.go

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>


          docs: add CHANGELOG.md stub with Unreleased section (#32)

59281ed

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>


          docs: add CODEOWNERS


          chore: add pre-commit-hooks baseline config

1489c50


          chore: bootstrap FUNDING.yml

b45d8f7


          chore: add FUNDING.yml [org-bootstrap-2026-05-03]

f02ad5c


          security(ci): replace trufflehog/actions/setup with go install + setu…

4cb2358

…p-go

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>


          ci(repo): add golangci-lint configuration

61671ec

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>


          chore: add concurrency to CI workflows

fbf2844

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>


          ci(MCPForge): add golangci-lint configuration

af7e846

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>


          chore(mcpforge): commit pending audit updates

9aa75f7


          chore: pin gopls version to v0.22.0 for reproducible Go tooling

faffc7a


          chore: harden workflows - pin actions and add permissions

6e337a9

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>


          chore: add missing governance files

2ae01c5


          chore(MCPForge): workflow hygiene — ubuntu-24.04, permissions

71eba02

Copilot AI review requested due to automatic review settings

May 28, 2026 08:30

Copilot AI reviewed

View reviewed changes

Copilot AI left a comment

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet