
chore: validate + harden the rig (self-CI, fixture fix, rule tuning)#11

Merged
jp-cruz merged 3 commits into feat/multi-language-supply-chain from chore/validate-and-harden-rig
Jun 18, 2026

Conversation

@jp-cruz commented Jun 18, 2026


Stacked on #10. Validation pass over the multi-language rig — adds end-to-end self-testing and fixes three real issues validation surfaced.

Self-test CI (the headline)

The rig's 7 workflows were all workflow_call-only and had never run end-to-end — PR #10 triggered zero GitHub Actions checks. This adds ci.yml (on: push/PR) that invokes every reusable workflow against the rig itself via local refs (./.github/workflows/*.yml), so a PR validates its own workflow versions and they can't silently regress again.

Bugs found by validating

  • fixtures/http.py — broken fixture. mock_http_client passed the respx MockRouter as an httpx transport=, which isn't a valid transport on httpx 0.28 / respx 0.23 (AttributeError: handle_async_request) — broken for any consumer. Now returns a plain AsyncClient intercepted by the active respx.mock(). (+ removed an unused import.)
  • No tests existed. Added the rig's first real suite (tests/) covering the shipped fixtures at 100%, which also serves as test.yml's self-test target.

Rule tuning (from real-repo testing)

  • Comment false-positives — risky-exec flagged documented # curl … | bash usage notes. Root cause: pattern-regex is raw text and bypasses generic_comment_style. Fixed with a pattern-not-regex excluding full-line #-comments. Regression: 10/10 true positives kept, 0 comment FPs.
  • Self-match — the ruleset .yml matched its own regex strings; added --exclude semgrep.
  • Worktree double-scan — added --exclude .claude so .claude/worktrees/ copies aren't re-scanned.
  • pyproject: per-file-ignore S101 for tests/ and examples/.

Local validation

ruff / mypy (strict) / bandit clean · pytest 6/6 (100% cov) · risky-exec regression green · rig self-scan clean · all YAML parses · audit.sh shellcheck-clean.

The real proof is this PR's own CI run — first time the rig tests itself.

🤖 Generated with Claude Code
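The "Rule tuning" bullets above describe three fixes to how the rig's risky-exec rule and the semgrep invocation behave: a regex that runs on raw text and therefore sees `# curl … | bash` usage notes, a full-line-comment exclusion that removes those findings, and path excludes so the ruleset file and `.claude/worktrees/` copies are not scanned. The block below is an added example, not code from this PR or from the rig: it emulates that logic in stdlib Python so the before/after can be run over constructed sample input. The regex, the comment test, the path-exclusion semantics, the file names and every sample line are assumptions made for the illustration, not the project's actual ruleset or semgrep's exact behaviour.

```python
"""Emulate the risky-exec rule tuning described in the PR (constructed example).

Everything here is a stand-in: the regex, the comment exclusion, the
--exclude emulation and the sample files are assumptions for illustration,
not the project's semgrep rules.
"""
import re
from pathlib import PurePosixPath

# Stand-in for the rule's pattern-regex: a curl/wget download piped into a
# shell. Like semgrep's pattern-regex it runs over raw text, so by itself it
# has no notion of comments (this is the root cause of the comment FPs).
RISKY_EXEC = re.compile(r"(curl|wget)\b[^\n|]*\|\s*(sudo\s+)?(ba|z)?sh\b")

# Stand-in for the added pattern-not-regex: a line whose first non-blank
# character is '#' is a full-line comment and must not produce a finding.
# A trailing comment after real code is deliberately NOT excluded.
FULL_LINE_COMMENT = re.compile(r"^\s*#")

# Stand-in for `--exclude semgrep --exclude .claude`. Assumed approximation:
# a path is skipped when any of its components equals an excluded name.
DEFAULT_EXCLUDE = ("semgrep", ".claude")


def scan_text(text, exclude_comments=True):
    """Return [(line_no, stripped_line)] for lines that match RISKY_EXEC.

    exclude_comments=False reproduces the original rule (comment FPs);
    exclude_comments=True reproduces the tuned rule.
    """
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if not RISKY_EXEC.search(line):
            continue
        if exclude_comments and FULL_LINE_COMMENT.match(line):
            continue
        hits.append((n, line.strip()))
    return hits


def is_excluded(path, exclude=DEFAULT_EXCLUDE):
    """True if any path component is in the exclude list."""
    return any(part in exclude for part in PurePosixPath(path).parts)


def scan_files(files, exclude=DEFAULT_EXCLUDE, exclude_comments=True):
    """Scan a {path: text} mapping, skipping excluded paths; return {path: hits}."""
    results = {}
    for path, text in files.items():
        if is_excluded(path, exclude):
            continue
        hits = scan_text(text, exclude_comments)
        if hits:
            results[path] = hits
    return results


# Constructed sample script: lines 2 and 6 are documentation comments that
# the untuned rule flags; lines 4, 5 and 7 are real executions.
INSTALL_SH = """\
#!/usr/bin/env bash
# Usage: curl -fsSL https://example.invalid/install.sh | bash
set -euo pipefail
curl -fsSL https://example.invalid/install.sh | bash
wget -qO- https://example.invalid/get.sh | sudo sh  # trailing comment, still code
    # note: wget -qO- https://example.invalid/get.sh | sh
curl https://example.invalid/extra.sh | sh
"""

# Constructed stand-in for a ruleset file whose message text self-matches.
RULESET_YML = """\
rules:
  - id: risky-exec
    message: piping curl output into bash, e.g. curl -s URL | bash, runs unverified code
"""

# Constructed tree: the real script, the ruleset, and a worktree copy.
FILES = {
    "scripts/install.sh": INSTALL_SH,
    "semgrep/risky-exec.yml": RULESET_YML,
    ".claude/worktrees/wt-1/scripts/install.sh": INSTALL_SH,
}

if __name__ == "__main__":
    print("untuned rule, no excludes:")
    for path, hits in scan_files(FILES, exclude=(), exclude_comments=False).items():
        print(f"  {path}: lines {[n for n, _ in hits]}")
    print("tuned rule with --exclude semgrep --exclude .claude:")
    for path, hits in scan_files(FILES).items():
        print(f"  {path}: lines {[n for n, _ in hits]}")
```

Running it stand-alone shows the untuned scan reporting all three files, including the ruleset's own message line and the worktree duplicate, with the two comment lines flagged in each script copy; the tuned scan reports only `scripts/install.sh` and only its three real executions, which is the "true positives kept, 0 comment FPs" shape the PR's regression check describes. Note that line 5 keeps its finding even though it ends in a comment, because the exclusion is anchored to the start of the line.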

jp-cruz and others added 2 commits June 17, 2026 22:04
Validation pass over the multi-language rig. Adds end-to-end self-testing
and fixes three real issues that validation surfaced.

Self-test CI:
- .github/workflows/ci.yml: on push/PR, invokes all 7 reusable workflows
  (lint/test/sast/audit/supply-chain/secrets/sbom) against the rig itself
  via LOCAL refs, so a PR validates its own workflow versions. The
  reusable workflows had never been exercised end-to-end before this.

Bug fixes found by validation:
- fixtures/http.py: mock_http_client passed the respx MockRouter as an
  httpx transport, which is not a valid transport (AttributeError:
  handle_async_request) on httpx 0.28 / respx 0.23 — the fixture was
  broken for any consumer. Now returns a plain AsyncClient intercepted by
  the active respx.mock(). Also drops an unused import (F401).
- tests/: add the rig's first real test suite for the shipped fixtures
  (100% coverage of the fixtures module), which doubles as test.yml's
  self-test target.

Rule tuning:
- risky-exec: exclude full-line #-comments via pattern-not-regex so
  documented "curl … | bash" usage notes don't false-positive (the
  generic_comment_style option does not apply to pattern-regex). Add
  --exclude semgrep so the ruleset file doesn't self-match its own
  patterns; add --exclude .claude so worktree copies aren't double-scanned.
- pyproject: per-file-ignore S101 (assert) for tests/ and examples/.

Validated locally: ruff/mypy/bandit clean, pytest 6/6 (100% cov),
risky-exec regression 10/10 on fixtures with 0 comment false positives,
rig self-scan clean, all YAML parses, audit.sh shellcheck-clean.

Co-Authored-By: Claude Opus 4.8 <[email protected]>

Stacked PRs (and this one) target a feature branch, so the
branches:[main] filter would skip self-CI entirely.

Co-Authored-By: Claude Opus 4.8 <[email protected]>
@github-advanced-security


You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

lint.yml runs 'pip install -e .[dev]' but the rig defined its tools only
under the [analysis] extra — so ruff/bandit/mypy were never installed and
self-CI lint failed with 'No module named ruff'. The rig now provides the
[dev] extra its own reusable workflows expect.

Co-Authored-By: Claude Opus 4.8 <[email protected]>
@jp-cruz merged commit 30564f6 into feat/multi-language-supply-chain Jun 18, 2026
13 checks passed
@jp-cruz deleted the chore/validate-and-harden-rig branch June 18, 2026 03:12