From 79523942b6a6d78447b3ebbde47057bb125b8d72 Mon Sep 17 00:00:00 2001 From: NiveditJain Date: Wed, 27 May 2026 23:20:07 -0700 Subject: [PATCH 1/2] ci: add workflow to bump platform monorepo submodule on merge to main FailproofAI/platform vendors this repo as a git submodule at failproofai/oss and currently has to bump the pinned commit by hand. This workflow makes the bump push-driven: on every push to main here, check out platform/main with a PAT (PLATFORM_BUMP_TOKEN, scoped contents:read+write on the platform repo), rewrite the gitlink for failproofai/oss to github.sha via update-index --cacheinfo (no need to fetch submodule contents), commit, and push. Concurrency group serializes back-to-back merges so we never lose a bump, and a rebase-and-retry loop keeps us race-safe if a human pushes to platform main between checkout and push. Same shape works on manual workflow_dispatch. --- .github/workflows/bump-platform-submodule.yml | 77 +++++++++++++++++++ CHANGELOG.md | 1 + 2 files changed, 78 insertions(+) create mode 100644 .github/workflows/bump-platform-submodule.yml diff --git a/.github/workflows/bump-platform-submodule.yml b/.github/workflows/bump-platform-submodule.yml new file mode 100644 index 0000000..a540392 --- /dev/null +++ b/.github/workflows/bump-platform-submodule.yml 
@@ -0,0 +1,77 @@ +name: Bump platform submodule pointer + +# When this repo's main moves, push a matching gitlink bump to the +# FailproofAI/platform monorepo so its `failproofai/oss` submodule tracks +# upstream automatically. Direct push to platform `main` — no PR. + +on: + push: + branches: [main] + workflow_dispatch: + +# Serialize runs so back-to-back merges produce sequential bumps, +# not a race that loses one of them. +concurrency: + group: bump-platform-submodule + cancel-in-progress: false + +jobs: + bump: + runs-on: ubuntu-latest + steps: + - name: Checkout FailproofAI/platform main + uses: actions/checkout@v6 + with: + repository: FailproofAI/platform + token: ${{ secrets.PLATFORM_BUMP_TOKEN }} + ref: main + fetch-depth: 1 + # Don't fetch submodule contents — we only edit the gitlink. + submodules: false + + - name: Bump failproofai/oss gitlink and push + env: + NEW_SHA: ${{ github.sha }} + COMMIT_SUBJECT: ${{ github.event.head_commit.message }} + UPSTREAM_REPO: ${{ github.repository }} + run: | + set -euo pipefail + + git config user.name "github-actions[bot]" + git config user.email "41898282+github-actions[bot]@users.noreply.github.com" + + CURRENT_SHA=$(git ls-tree HEAD failproofai/oss | awk '{print $3}') + if [ -z "$CURRENT_SHA" ]; then + echo "::error::failproofai/oss is not a gitlink in platform main — aborting." + exit 1 + fi + if [ "$CURRENT_SHA" = "$NEW_SHA" ]; then + echo "Already at $NEW_SHA — nothing to do." + exit 0 + fi + + # Rewrite the gitlink (mode 160000 = submodule entry) without + # needing the submodule contents on disk. 
+ git update-index --add --cacheinfo "160000,$NEW_SHA,failproofai/oss" + + SUBJECT_LINE=$(printf '%s\n' "${COMMIT_SUBJECT:-Manual trigger}" | head -n 1) + SHORT_SHA=${NEW_SHA:0:7} + + git commit -m "Bump failproofai/oss to $SHORT_SHA" \ + -m "Upstream: $SUBJECT_LINE" \ + -m "https://github.com/$UPSTREAM_REPO/commit/$NEW_SHA" + + # Race-safe push: if platform main moved between checkout and push, + # rebase the single bump commit on top and try again. + for attempt in 1 2 3; do + if git push origin main; then + echo "Pushed bump on attempt $attempt" + exit 0 + fi + echo "Push failed on attempt $attempt — rebasing onto latest main" + git fetch origin main + git rebase origin/main + done + + echo "::error::Failed to push submodule bump after 3 attempts" + exit 1 diff --git a/CHANGELOG.md b/CHANGELOG.md index 4e41c54..5ab575d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -3,6 +3,7 @@ ## 0.0.11-beta.3 — 2026-05-25 ### Features +- Add a `bump-platform-submodule.yml` workflow that pushes a matching `failproofai/oss` gitlink bump to `FailproofAI/platform` `main` on every merge into this repo's `main`, so the monorepo's pinned submodule commit tracks upstream automatically. Uses a `PLATFORM_BUMP_TOKEN` repo secret (fine-grained PAT, contents: read & write on `FailproofAI/platform`) for cross-repo auth, a concurrency group to serialize back-to-back merges, and a rebase-and-retry loop to stay race-safe against humans pushing to platform `main` between checkout and push. - Add a supply-chain security CI gate: OSV-Scanner (`.github/workflows/osv-scanner.yml`) scans the resolved `bun.lock` tree against OSV.dev (GitHub/npm advisories + the OpenSSF malicious-packages feed) on every PR (incl. Dependabot bumps), on pushes to `main`, and weekly, and **blocks on any known-vulnerable or malicious dependency**. Adds a Socket GitHub App behavioral early-warning layer, an `osv-scanner.toml` allow-list for unfixable advisories, a README supply-chain status badge, and a `SECURITY.md` policy/runbook. Remediates the 18 pre-existing transitive advisories surfaced by the new gate (brace-expansion, flatted, minimatch, picomatch, postcss, vite, ws) by refreshing `bun.lock` within range, with `overrides` pinning `postcss` to the patched 8.5.x line (Next.js pins the vulnerable 8.4.31) and holding `eslint-plugin-react-hooks` at main's 7.0.1 so the refresh doesn't also bump the linter (#391). - Stamp `product: "failproofai-oss"` on every PostHog event across all four telemetry channels — hooks/audit (`trackHookEvent`), server (`trackEvent`), web UI (`captureClientEvent`), and npm-lifecycle install/uninstall (`trackInstallEvent`) — so OSS events stay distinguishable from any future hosted surface. 
The value lives in a single `POSTHOG_PRODUCT` constant in `src/posthog-key.ts`, reused by the three TypeScript channels; the standalone `scripts/install-telemetry.mjs` inlines the same literal because it can't import the TS module at install time. Honors `FAILPROOFAI_TELEMETRY_DISABLED=1` like all other telemetry (#380). From a378de790f899d61befcbcdb7eb7c4656aaca1ce Mon Sep 17 00:00:00 2001 From: Nikita Agarwal Date: Thu, 28 May 2026 09:16:22 -0700 Subject: [PATCH 2/2] ci: harden bump-platform-submodule checkout (CodeRabbit) Pin actions/checkout to v6.0.1 SHA (matching osv-scanner.yml) and set persist-credentials: false so the cross-repo PAT isn't written to git config; auth the push/fetch in the retry loop inline via http.extraheader. Adds #394 to the CHANGELOG entry. Co-Authored-By: Claude Opus 4.7 --- .github/workflows/bump-platform-submodule.yml | 12 +++++++++--- CHANGELOG.md | 2 +- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/.github/workflows/bump-platform-submodule.yml b/.github/workflows/bump-platform-submodule.yml index a540392..2253a9d 100644 --- a/.github/workflows/bump-platform-submodule.yml +++ b/.github/workflows/bump-platform-submodule.yml @@ -20,7 +20,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout FailproofAI/platform main - uses: actions/checkout@v6 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: repository: FailproofAI/platform token: ${{ secrets.PLATFORM_BUMP_TOKEN }} 
@@ -28,15 +28,21 @@ jobs: fetch-depth: 1 # Don't fetch submodule contents — we only edit the gitlink. submodules: false + # Don't persist the cross-repo token in git config; auth is + # set inline on the push/fetch commands below. + persist-credentials: false - name: Bump failproofai/oss gitlink and push env: NEW_SHA: ${{ github.sha }} COMMIT_SUBJECT: ${{ github.event.head_commit.message }} UPSTREAM_REPO: ${{ github.repository }} + PLATFORM_BUMP_TOKEN: ${{ secrets.PLATFORM_BUMP_TOKEN }} run: | set -euo pipefail + AUTH_HEADER="Authorization: bearer ${PLATFORM_BUMP_TOKEN}" + git config user.name "github-actions[bot]" git config user.email "41898282+github-actions[bot]@users.noreply.github.com" @@ -64,12 +70,12 @@ jobs: # Race-safe push: if platform main moved between checkout and push, # rebase the single bump commit on top and try again. for attempt in 1 2 3; do - if git push origin main; then + if git -c http.extraheader="$AUTH_HEADER" push origin main; then echo "Pushed bump on attempt $attempt" exit 0 fi echo "Push failed on attempt $attempt — rebasing onto latest main" - git fetch origin main + git -c http.extraheader="$AUTH_HEADER" fetch origin main git rebase origin/main done diff --git a/CHANGELOG.md b/CHANGELOG.md index 5ab575d..40039d7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -3,7 +3,7 @@ ## 0.0.11-beta.3 — 2026-05-25 ### Features -- Add a `bump-platform-submodule.yml` workflow that pushes a matching `failproofai/oss` gitlink bump to `FailproofAI/platform` `main` on every merge into this repo's `main`, so the monorepo's pinned submodule commit tracks upstream automatically. Uses a `PLATFORM_BUMP_TOKEN` repo secret (fine-grained PAT, contents: read & write on `FailproofAI/platform`) for cross-repo auth, a concurrency group to serialize back-to-back merges, and a rebase-and-retry loop to stay race-safe against humans pushing to platform `main` between checkout and push. +- Add a `bump-platform-submodule.yml` workflow that pushes a matching `failproofai/oss` gitlink bump to `FailproofAI/platform` `main` on every merge into this repo's `main`, so the monorepo's pinned submodule commit tracks upstream automatically. Uses a `PLATFORM_BUMP_TOKEN` repo secret (fine-grained PAT, contents: read & write on `FailproofAI/platform`) for cross-repo auth, a concurrency group to serialize back-to-back merges, and a rebase-and-retry loop to stay race-safe against humans pushing to platform `main` between checkout and push (#394). - Add a supply-chain security CI gate: OSV-Scanner (`.github/workflows/osv-scanner.yml`) scans the resolved `bun.lock` tree against OSV.dev (GitHub/npm advisories + the OpenSSF malicious-packages feed) on every PR (incl. Dependabot bumps), on pushes to `main`, and weekly, and **blocks on any known-vulnerable or malicious dependency**. Adds a Socket GitHub App behavioral early-warning layer, an `osv-scanner.toml` allow-list for unfixable advisories, a README supply-chain status badge, and a `SECURITY.md` policy/runbook. 
Remediates the 18 pre-existing transitive advisories surfaced by the new gate (brace-expansion, flatted, minimatch, picomatch, postcss, vite, ws) by refreshing `bun.lock` within range, with `overrides` pinning `postcss` to the patched 8.5.x line (Next.js pins the vulnerable 8.4.31) and holding `eslint-plugin-react-hooks` at main's 7.0.1 so the refresh doesn't also bump the linter (#391). - Stamp `product: "failproofai-oss"` on every PostHog event across all four telemetry channels — hooks/audit (`trackHookEvent`), server (`trackEvent`), web UI (`captureClientEvent`), and npm-lifecycle install/uninstall (`trackInstallEvent`) — so OSS events stay distinguishable from any future hosted surface. The value lives in a single `POSTHOG_PRODUCT` constant in `src/posthog-key.ts`, reused by the three TypeScript channels; the standalone `scripts/install-telemetry.mjs` inlines the same literal because it can't import the TS module at install time. Honors `FAILPROOFAI_TELEMETRY_DISABLED=1` like all other telemetry (#380).
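Review bot: In [PATCH 1/2], bump-platform-submodule.yml, `NEW_SHA: ${{ github.sha }}` is pushed as the new pin without any check that it is the current tip of this repo's main. `workflow_dispatch:` can be started from any branch that carries the workflow file, and re-running an older run replays that run's original SHA, so either path can move the failproofai/oss gitlink on platform main to a feature-branch commit or backwards to an older one; the `CURRENT_SHA = NEW_SHA` test only catches the no-op case. Suggest gating the job with `if: github.ref == 'refs/heads/main'` and refusing the bump when NEW_SHA is not a descendant of CURRENT_SHA (that comparison needs this repo's history, which the job does not fetch today). The file also has no `permissions:` block; the job authenticates only with PLATFORM_BUMP_TOKEN, so `permissions: {}` would drop the default GITHUB_TOKEN grants.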
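Review bot: In [PATCH 1/2], CHANGELOG.md, the new bullet is added under the 0.0.11-beta.3 section, which is dated 2026-05-25, two days before this commit (27 May 2026). If that version has already been published, the entry should go under the next version heading so the released section stays an accurate record of what shipped. It is also a CI-only change listed under Features; a short wording such as "CI:" at the start of the bullet would make that clear to readers scanning for product changes.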
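Review bot: In [PATCH 2/2], the added `AUTH_HEADER="Authorization: bearer ${PLATFORM_BUMP_TOKEN}"` line moves the push path to a different auth scheme from the one the checkout step had been supplying: actions/checkout persists its token as a basic header built from `x-access-token:<token>`. Because the same hunk sets `persist-credentials: false`, there is no fallback credential left in git config, and a header form the server rejects would surface only as three failed pushes and the final `::error::` on the first real merge. Suggest running the workflow once through workflow_dispatch against platform main before merging, or building the same basic header that checkout uses.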
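Review bot: In [PATCH 2/2], the changed `git -c http.extraheader="$AUTH_HEADER" push origin main` and `git -c http.extraheader="$AUTH_HEADER" fetch origin main` lines apply the header to every HTTP(S) URL git contacts and place the PAT in the git process arguments. Suggest scoping the key to the host, `http.https://github.com/.extraheader`, so the token is only attached to requests for github.com, and supplying it through GIT_CONFIG_COUNT, GIT_CONFIG_KEY_0 and GIT_CONFIG_VALUE_0 in the step's `env:` so it stays out of argv. The `git rebase origin/main` line between them needs no credential and is correctly left without one.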