Binary file removed .DS_Store
Binary file not shown.
10 changes: 10 additions & 0 deletions .github/dependabot.yml
Expand Up @@ -4,6 +4,16 @@ updates:
directory: "/"
schedule:
interval: "weekly"
day: "monday"
time: "06:00"
timezone: "Etc/UTC"
groups:
actions:
patterns:
- "*"
commit-message:
prefix: "ci"
labels:
- "dependencies"
- "ci"
open-pull-requests-limit: 10
7 changes: 4 additions & 3 deletions .github/workflows/automerge.yml
Expand Up @@ -4,14 +4,15 @@ on:
pull_request:
types: [labeled, opened, synchronize, reopened]

permissions:
pull-requests: write
contents: write
permissions: {}

jobs:
dependabot:
runs-on: ubuntu-latest
if: github.event.pull_request.user.login == 'dependabot[bot]'
permissions:
pull-requests: write
contents: write
steps:
- name: Dependabot metadata
id: metadata
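Review bot: The job-level `contents: write` and `pull-requests: write` grant under `dependabot` is gated only on the PR author (`github.event.pull_request.user.login`), so a `synchronize` event produced by a non-Dependabot push to a Dependabot branch still runs the job with write scope. Consider also checking who triggered the run: `if: github.event.pull_request.user.login == 'dependabot[bot]' && github.actor == 'dependabot[bot]'`. The step list continues past the hunk, so whether a later step re-checks the actor is not visible here.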
172 changes: 165 additions & 7 deletions .github/workflows/cd.yml
Expand Up @@ -4,11 +4,7 @@ on:
push:
branches: [main]

permissions:
contents: write
pages: write
id-token: write
pull-requests: write
permissions: {}

concurrency:
group: "pages"
Expand All @@ -18,17 +14,174 @@ jobs:
release-please:
name: Release Please
runs-on: ubuntu-latest
outputs:
release_created: ${{ steps.release.outputs.release_created }}
tag_name: ${{ steps.release.outputs.tag_name }}
permissions:
contents: write
issues: write
pull-requests: write
steps:
- uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4.4.0
- id: release
uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4.4.0
with:
token: ${{ secrets.GITHUB_TOKEN }}
token: ${{ secrets.CI_GITHUB_TOKEN || github.token }}
config-file: release-please-config.json
manifest-file: .release-please-manifest.json

build-release:
name: Build And Validate Draft Release
needs: release-please
if: needs.release-please.outputs.release_created == 'true'
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout release tag
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
ref: ${{ needs.release-please.outputs.tag_name }}
persist-credentials: false

- name: Extract version
id: ver
shell: bash
env:
RAW_TAG: ${{ needs.release-please.outputs.tag_name }}
run: echo "version=${RAW_TAG#v}" >> "$GITHUB_OUTPUT"

- name: Validate docs contract
run: ./scripts/validate-docs.sh

- name: Build release archives
shell: bash
run: |
mkdir -p dist/release
bash scripts/build_release_artifact.sh '${{ steps.ver.outputs.version }}' dist/release

- name: Validate archives, manifests, and docs installer
shell: bash
run: |
bash scripts/release_validate.sh '${{ steps.ver.outputs.version }}' dist/release

- name: Upload release dist
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: release-dist
path: |
dist/release/get-bashed-${{ steps.ver.outputs.version }}-unix.tar.gz
dist/release/get-bashed-${{ steps.ver.outputs.version }}-unix.tar.gz.sha256
dist/release/get-bashed-${{ steps.ver.outputs.version }}-windows.zip
dist/release/get-bashed-${{ steps.ver.outputs.version }}-windows.zip.sha256
dist/release/checksums.txt
retention-days: 7

- name: Upload package manifests
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: package-manifests
path: |
dist/release/pkg/get-bashed.rb
dist/release/pkg/get-bashed.json
dist/release/pkg/get-bashed.nuspec
dist/release/pkg/chocolateyInstall.ps1
dist/release/pkg/VERIFICATION.txt
retention-days: 7

publish-release:
name: Attest, Publish, And Verify Release
needs:
- release-please
- build-release
if: needs.release-please.outputs.release_created == 'true'
runs-on: ubuntu-latest
permissions:
contents: write
id-token: write
attestations: write
steps:
- name: Checkout release tag
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
ref: ${{ needs.release-please.outputs.tag_name }}
persist-credentials: false

- name: Download release dist
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: release-dist
path: dist/release

- name: Attest release artifacts
uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
with:
subject-path: |
dist/release/*.tar.gz
dist/release/*.zip
dist/release/checksums.txt

- name: Upload assets to draft release and publish
shell: bash
env:
GH_TOKEN: ${{ secrets.CI_GITHUB_TOKEN || github.token }}
RAW_TAG: ${{ needs.release-please.outputs.tag_name }}
GH_REPO: ${{ github.repository }}
run: |
bash scripts/publish_draft_release.sh "${RAW_TAG}" dist/release "${GH_REPO}"

- name: Verify published assets, checksum, attestation, and smoke path
shell: bash
env:
GH_TOKEN: ${{ secrets.CI_GITHUB_TOKEN || github.token }}
GH_REPO: ${{ github.repository }}
RAW_TAG: ${{ needs.release-please.outputs.tag_name }}
OWNER: ${{ github.repository_owner }}
run: |
bash scripts/verify_published_release.sh "${RAW_TAG}" "${GH_REPO}" "${OWNER}"

publish-packages:
name: Publish To jbcom/pkgs
needs:
- release-please
- build-release
- publish-release
if: needs.release-please.outputs.release_created == 'true'
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout release tag
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
ref: ${{ needs.release-please.outputs.tag_name }}
persist-credentials: false

- name: Extract version
id: ver
shell: bash
env:
RAW_TAG: ${{ needs.release-please.outputs.tag_name }}
run: echo "version=${RAW_TAG#v}" >> "$GITHUB_OUTPUT"

- name: Download validated manifests
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: package-manifests
path: out

- name: Open PR against jbcom/pkgs
shell: bash
env:
GH_TOKEN: ${{ secrets.CI_GITHUB_TOKEN }}
run: |
bash scripts/publish_pkg_pr.sh '${{ steps.ver.outputs.version }}' out

docs:
name: Docs Deployment
runs-on: ubuntu-latest
needs: release-please
permissions:
contents: read
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
Expand All @@ -38,6 +191,8 @@ jobs:
run: ./scripts/ci-setup.sh "shdoc"
- name: Generate shell docs
run: ./scripts/gen-docs.sh
- name: Validate docs surface
run: ./scripts/validate-docs.sh
- name: Build Sphinx docs
run: uvx tox -e docs
- name: Upload pages artifact
Expand All @@ -49,6 +204,9 @@ jobs:
name: Deploy Docs
runs-on: ubuntu-latest
needs: docs
permissions:
pages: write
id-token: write
environment:
name: github-pages
url: ${{ steps.deployment.outputs.page_url }}
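Review bot: The `steps.ver.outputs.version` output is spliced straight into `run:` scripts as `'${{ steps.ver.outputs.version }}'` in the Build release archives, Validate archives, and Open PR against jbcom/pkgs steps, while the neighbouring steps in the same hunk pass tag and repo through `env:` (`RAW_TAG`, `GH_REPO`). The value derives from the release-please tag so the exposure is low, but single quotes inside the script do not prevent expression expansion before bash runs, and the `env:` form is already this file's convention; passing `VERSION` via `env:` makes all three steps consistent. Separately, the `docs` job's checkout omits the `persist-credentials: false` that every other checkout in this hunk sets.
```yaml
      - name: Build release archives
        shell: bash
        env:
          VERSION: ${{ steps.ver.outputs.version }}
        run: |
          mkdir -p dist/release
          bash scripts/build_release_artifact.sh "${VERSION}" dist/release
      # … unchanged: remaining steps; apply the same env pattern to the release_validate.sh and publish_pkg_pr.sh invocations …
```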
108 changes: 93 additions & 15 deletions .github/workflows/ci.yml
Expand Up @@ -6,36 +6,114 @@ on:
pull_request:
types: [opened, synchronize, reopened]

jobs:
lint:
name: Lint
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: CI setup (get-bashed)
run: ./scripts/ci-setup.sh "shellcheck,actionlint,bashate,pre_commit,shdoc"
- name: Pre-commit
run: ./scripts/pre-commit-ci.sh
permissions: {}

tests:
name: Tests
runs-on: ubuntu-latest
concurrency:
group: ci-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true

jobs:
quality:
name: Quality (${{ matrix.os }})
runs-on: ${{ matrix.os }}
permissions:
contents: read
strategy:
fail-fast: false
matrix:
os: [ubuntu-latest, macos-latest]
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
with:
enable-cache: true
- name: CI setup (get-bashed)
run: ./scripts/ci-setup.sh "bats"
run: ./scripts/ci-setup.sh "bats,shdoc,actionlint,shellcheck,bashate,pre_commit"
- name: Fetch Bats helpers
run: ./scripts/test-setup.sh
- name: Pre-commit
run: pre-commit run --all-files
- name: Run tests
run: bats tests
- name: Verify install wiring
run: ./scripts/verify-install.sh
- name: Generate shell docs
run: ./scripts/gen-docs.sh
- name: Validate docs surface
run: ./scripts/validate-docs.sh
- name: Build Sphinx docs and linkcheck
run: uvx tox -e docs,docs-linkcheck
- name: Verify supply chain posture
run: bash ./scripts/supply_chain_verify.sh

wsl-quality:
name: Quality (wsl-ubuntu)
runs-on: windows-2025
timeout-minutes: 45
permissions:
contents: read
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Ensure Ubuntu WSL
shell: pwsh
run: |
$ErrorActionPreference = 'Stop'
$distro = 'Ubuntu'
$installed = @(
wsl.exe --list --quiet 2>$null |
ForEach-Object { $_.Trim() } |
Where-Object { $_ }
)

if (-not ($installed -contains $distro)) {
wsl.exe --install --distribution $distro --no-launch --web-download
}

$ready = $false
for ($attempt = 0; $attempt -lt 30; $attempt++) {
wsl.exe -d $distro --user root --exec true 2>$null
if ($LASTEXITCODE -eq 0) {
$ready = $true
break
}
Start-Sleep -Seconds 2
}

if (-not $ready) {
throw "WSL distro $distro did not become ready"
}

wsl.exe --list --verbose
- name: Install WSL base packages
shell: pwsh
run: |
$ErrorActionPreference = 'Stop'
wsl.exe -d Ubuntu --user root --exec bash -lc 'export DEBIAN_FRONTEND=noninteractive; apt-get update; apt-get install -y bash ca-certificates curl git make python3 python3-pip python3-venv'
- name: Clone repository into WSL workspace
shell: pwsh
run: |
$ErrorActionPreference = 'Stop'
$distro = 'Ubuntu'
$source = (wsl.exe -d $distro --user root --exec wslpath -a $env:GITHUB_WORKSPACE).Trim()
$workspace = (wsl.exe -d $distro --user root --exec bash -lc 'workspace="$HOME/get-bashed"; rm -rf "$workspace"; printf "%s" "$workspace"').Trim()

wsl.exe -d $distro --user root --exec bash -lc "git clone --no-local '$source' '$workspace' && cd '$workspace' && git checkout --force '$env:GITHUB_SHA'"

Add-Content -Path $env:GITHUB_ENV -Value "WSL_DISTRO=$distro"
Add-Content -Path $env:GITHUB_ENV -Value "WSL_WORKSPACE=$workspace"
- name: Run WSL quality checks
shell: pwsh
run: |
$ErrorActionPreference = 'Stop'
wsl.exe -d $env:WSL_DISTRO --user root --exec bash -lc "cd '$env:WSL_WORKSPACE' && ./scripts/wsl-quality.sh"

sonarqube:
name: SonarQube Scan
needs: [lint, tests]
needs: [quality, wsl-quality]
runs-on: ubuntu-latest
if: success()
permissions:
contents: read
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
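Review bot: The `quality` job sets no `timeout-minutes` while `wsl-quality` sets `timeout-minutes: 45`; `quality` runs network-bound steps (`uvx tox -e docs,docs-linkcheck`, `bash ./scripts/supply_chain_verify.sh`) that can stall, so it falls back to the runner's default job limit. Add `timeout-minutes: 45` under `quality` to match. In `wsl-quality`, the Ensure Ubuntu WSL and Install WSL base packages steps fetch the distro via `--web-download` and install unpinned apt packages on every run, which is presumably acceptable for a test-only environment but deserves a comment such as `# Distro and apt packages are intentionally unpinned; this job exercises the WSL path only and produces no release artifacts`. The `sonarqube` job's steps continue past the end of the hunk.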