diff --git a/.github/workflows/bump-platform-submodule.yml b/.github/workflows/bump-platform-submodule.yml new file mode 100644 index 0000000..2253a9d --- /dev/null +++ b/.github/workflows/bump-platform-submodule.yml @@ -0,0 +1,83 @@ +name: Bump platform submodule pointer + +# When this repo's main moves, push a matching gitlink bump to the +# FailproofAI/platform monorepo so its `failproofai/oss` submodule tracks +# upstream automatically. Direct push to platform `main` — no PR. + +on: + push: + branches: [main] + workflow_dispatch: + +# Serialize runs so back-to-back merges produce sequential bumps, +# not a race that loses one of them. +concurrency: + group: bump-platform-submodule + cancel-in-progress: false + +jobs: + bump: + runs-on: ubuntu-latest + steps: + - name: Checkout FailproofAI/platform main + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + repository: FailproofAI/platform + token: ${{ secrets.PLATFORM_BUMP_TOKEN }} + ref: main + fetch-depth: 1 + # Don't fetch submodule contents — we only edit the gitlink. + submodules: false + # Don't persist the cross-repo token in git config; auth is + # set inline on the push/fetch commands below. + persist-credentials: false + + - name: Bump failproofai/oss gitlink and push + env: + NEW_SHA: ${{ github.sha }} + COMMIT_SUBJECT: ${{ github.event.head_commit.message }} + UPSTREAM_REPO: ${{ github.repository }} + PLATFORM_BUMP_TOKEN: ${{ secrets.PLATFORM_BUMP_TOKEN }} + run: | + set -euo pipefail + + AUTH_HEADER="Authorization: bearer ${PLATFORM_BUMP_TOKEN}" + + git config user.name "github-actions[bot]" + git config user.email "41898282+github-actions[bot]@users.noreply.github.com" + + CURRENT_SHA=$(git ls-tree HEAD failproofai/oss | awk '{print $3}') + if [ -z "$CURRENT_SHA" ]; then + echo "::error::failproofai/oss is not a gitlink in platform main — aborting." + exit 1 + fi + if [ "$CURRENT_SHA" = "$NEW_SHA" ]; then + echo "Already at $NEW_SHA — nothing to do." + exit 0 + fi + + # Rewrite the gitlink (mode 160000 = submodule entry) without + # needing the submodule contents on disk. + git update-index --add --cacheinfo "160000,$NEW_SHA,failproofai/oss" + + SUBJECT_LINE=$(printf '%s\n' "${COMMIT_SUBJECT:-Manual trigger}" | head -n 1) + SHORT_SHA=${NEW_SHA:0:7} + + git commit -m "Bump failproofai/oss to $SHORT_SHA" \ + -m "Upstream: $SUBJECT_LINE" \ + -m "https://github.com/$UPSTREAM_REPO/commit/$NEW_SHA" + + # Race-safe push: if platform main moved between checkout and push, + # rebase the single bump commit on top and try again. + for attempt in 1 2 3; do + if git -c http.extraheader="$AUTH_HEADER" push origin main; then + echo "Pushed bump on attempt $attempt" + exit 0 + fi + echo "Push failed on attempt $attempt — rebasing onto latest main" + git -c http.extraheader="$AUTH_HEADER" fetch origin main + git rebase origin/main + done + + echo "::error::Failed to push submodule bump after 3 attempts" + exit 1 diff --git a/CHANGELOG.md b/CHANGELOG.md index 4e41c54..40039d7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,7 @@ ## 0.0.11-beta.3 — 2026-05-25 ### Features +- Add a `bump-platform-submodule.yml` workflow that pushes a matching `failproofai/oss` gitlink bump to `FailproofAI/platform` `main` on every merge into this repo's `main`, so the monorepo's pinned submodule commit tracks upstream automatically. Uses a `PLATFORM_BUMP_TOKEN` repo secret (fine-grained PAT, contents: read & write on `FailproofAI/platform`) for cross-repo auth, a concurrency group to serialize back-to-back merges, and a rebase-and-retry loop to stay race-safe against humans pushing to platform `main` between checkout and push (#394). - Add a supply-chain security CI gate: OSV-Scanner (`.github/workflows/osv-scanner.yml`) scans the resolved `bun.lock` tree against OSV.dev (GitHub/npm advisories + the OpenSSF malicious-packages feed) on every PR (incl. Dependabot bumps), on pushes to `main`, and weekly, and **blocks on any known-vulnerable or malicious dependency**. Adds a Socket GitHub App behavioral early-warning layer, an `osv-scanner.toml` allow-list for unfixable advisories, a README supply-chain status badge, and a `SECURITY.md` policy/runbook. Remediates the 18 pre-existing transitive advisories surfaced by the new gate (brace-expansion, flatted, minimatch, picomatch, postcss, vite, ws) by refreshing `bun.lock` within range, with `overrides` pinning `postcss` to the patched 8.5.x line (Next.js pins the vulnerable 8.4.31) and holding `eslint-plugin-react-hooks` at main's 7.0.1 so the refresh doesn't also bump the linter (#391). - Stamp `product: "failproofai-oss"` on every PostHog event across all four telemetry channels — hooks/audit (`trackHookEvent`), server (`trackEvent`), web UI (`captureClientEvent`), and npm-lifecycle install/uninstall (`trackInstallEvent`) — so OSS events stay distinguishable from any future hosted surface. The value lives in a single `POSTHOG_PRODUCT` constant in `src/posthog-key.ts`, reused by the three TypeScript channels; the standalone `scripts/install-telemetry.mjs` inlines the same literal because it can't import the TS module at install time. Honors `FAILPROOFAI_TELEMETRY_DISABLED=1` like all other telemetry (#380).