chore: validate + harden the rig (self-CI, fixture fix, rule tuning) #11
Merged: jp-cruz merged 3 commits, Jun 18, 2026
Validation pass over the multi-language rig. Adds end-to-end self-testing and fixes three real issues that validation surfaced.

Self-test CI:
- .github/workflows/ci.yml: on push/PR, invokes all 7 reusable workflows (lint/test/sast/audit/supply-chain/secrets/sbom) against the rig itself via LOCAL refs, so a PR validates its own workflow versions. The reusable workflows had never been exercised end-to-end before this.

Bug fixes found by validation:
- fixtures/http.py: mock_http_client passed the respx MockRouter as an httpx transport, which is not a valid transport (AttributeError: handle_async_request) on httpx 0.28 / respx 0.23 — the fixture was broken for any consumer. Now returns a plain AsyncClient intercepted by the active respx.mock(). Also drops an unused import (F401).
- tests/: add the rig's first real test suite for the shipped fixtures (100% coverage of the fixtures module), which doubles as test.yml's self-test target.

Rule tuning:
- risky-exec: exclude full-line #-comments via pattern-not-regex so documented "curl … | bash" usage notes don't false-positive (the generic_comment_style option does not apply to pattern-regex). Add --exclude semgrep so the ruleset file doesn't self-match its own patterns; add --exclude .claude so worktree copies aren't double-scanned.
- pyproject: per-file-ignore S101 (assert) for tests/ and examples/.

Validated locally: ruff/mypy/bandit clean, pytest 6/6 (100% cov), risky-exec regression 10/10 on fixtures with 0 comment false positives, rig self-scan clean, all YAML parses, audit.sh shellcheck-clean.

Co-Authored-By: Claude Opus 4.8 <[email protected]>
Stacked PRs (and this one) target a feature branch, so the branches:[main] filter would skip self-CI entirely.

Co-Authored-By: Claude Opus 4.8 <[email protected]>
lint.yml runs 'pip install -e .[dev]' but the rig defined its tools only under the [analysis] extra — so ruff/bandit/mypy were never installed and self-CI lint failed with 'No module named ruff'. The rig now provides the [dev] extra its own reusable workflows expect.

Co-Authored-By: Claude Opus 4.8 <[email protected]>
Stacked on #10. Validation pass over the multi-language rig — adds end-to-end self-testing and fixes three real issues validation surfaced.
Self-test CI (the headline)
The rig's 7 workflows were all workflow_call-only and had never run end-to-end — PR #10 triggered zero GitHub Actions checks. This adds ci.yml (on: push/PR) that invokes every reusable workflow against the rig itself via local refs (./.github/workflows/*.yml), so a PR validates its own workflow versions and they can't silently regress again.

Bugs found by validating
- fixtures/http.py — broken fixture. mock_http_client passed the respx MockRouter as an httpx transport=, which isn't a valid transport on httpx 0.28 / respx 0.23 (AttributeError: handle_async_request) — broken for any consumer. Now returns a plain AsyncClient intercepted by the active respx.mock(). (+ removed an unused import.)
- New test suite (tests/) covering the shipped fixtures at 100%, which also serves as test.yml's self-test target.

Rule tuning (from real-repo testing)
- risky-exec false-positived on documented `# curl … | bash` usage notes. Root cause: pattern-regex is raw text and bypasses generic_comment_style. Fixed with a pattern-not-regex excluding full-line #-comments. Regression: 10/10 true positives kept, 0 comment FPs.
- The ruleset .yml matched its own regex strings; added --exclude semgrep.
- --exclude .claude so .claude/worktrees/ copies aren't re-scanned.
- pyproject: per-file-ignore S101 for tests/ / examples/.

Local validation
ruff / mypy (strict) / bandit clean · pytest 6/6 (100% cov) · risky-exec regression green · rig self-scan clean · all YAML parses · audit.sh shellcheck-clean.

The real proof is this PR's own CI run — first time the rig tests itself.
🤖 Generated with Claude Code
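The rule tuning described in this PR (the full-line comment exclusion for risky-exec, the ruleset self-match, and the worktree exclude), as an added example that is not the rig's own semgrep rule or ruleset: a Python emulation of the tuned check run over a constructed sample tree. The regex shapes, the directory names and every file's contents are assumptions, and semgrep's pattern-not-regex semantics are only approximated here by a per-line comment test.

```python
"""Emulation of the tuned risky-exec check over constructed sample files.

Added example, not the rig's own semgrep rule or ruleset: it reproduces in
Python the three adjustments the PR describes so they can be exercised
offline. Regex shapes, directory names and sample contents are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Raw-text match, like semgrep's pattern-regex: a downloader piped into a shell.
# Being raw text, it knows nothing about the language's comment syntax.
RISKY_EXEC = re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(sudo\s+)?(ba|z|da)?sh\b")

# The pattern-not-regex counterpart: a line whose first non-blank character is '#'.
FULL_LINE_COMMENT = re.compile(r"^\s*#")

# Directories dropped from the scan, the effect of --exclude semgrep / --exclude .claude.
EXCLUDED_DIRS = frozenset({"semgrep", ".claude"})


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    text: str


def is_excluded_path(path: str) -> bool:
    """True when any directory component of *path* is an excluded directory."""
    parts = [p for p in path.split("/") if p not in ("", ".")]
    return any(part in EXCLUDED_DIRS for part in parts[:-1])


def scan_lines(path: str, lines: list[str]) -> list[Finding]:
    """Apply the rule to one file's lines, skipping full-line comments."""
    findings: list[Finding] = []
    for line_no, line in enumerate(lines, start=1):
        if FULL_LINE_COMMENT.match(line):
            continue  # documented usage note, not executed code
        if RISKY_EXEC.search(line):
            findings.append(Finding(path, line_no, line.rstrip()))
    return findings


def scan_tree(files: dict[str, str]) -> list[Finding]:
    """Scan a path -> content mapping, honouring the directory excludes."""
    findings: list[Finding] = []
    for path, content in files.items():
        if is_excluded_path(path):
            continue
        findings.extend(scan_lines(path, content.splitlines()))
    return findings


# Constructed sample tree (assumed contents). Comments say what the tuned rule does.
SAMPLE_TREE = {
    "scripts/install.sh": "\n".join([
        "#!/usr/bin/env bash",
        "# Usage: curl -fsSL https://example.invalid/install.sh | bash",  # comment: skipped
        "set -euo pipefail",
        "curl -fsSL https://example.invalid/install.sh | bash",          # finding
        "wget -qO- https://example.invalid/setup | sudo sh",             # finding
        "echo 'curl | bash is risky'  # trailing comment, still raw text",  # finding: raw-text limit
        "curl -o bundle.tgz https://example.invalid/bundle.tgz",         # no pipe: clean
    ]),
    "docs/README.md": "Install with `curl -fsSL https://example.invalid/get | sh` (see notes).",  # finding
    "semgrep/risky-exec.yml": "pattern-regex: 'curl .* | bash'",                                 # --exclude semgrep
    ".claude/worktrees/feature/scripts/install.sh": "curl https://example.invalid/x | bash",     # --exclude .claude
}


if __name__ == "__main__":
    for f in scan_tree(SAMPLE_TREE):
        print(f"{f.path}:{f.line_no}: {f.text}")
```

The echo line in the sample shows why the exclusion is scoped to full-line comments only: a raw-text regex still fires on string literals and trailing comments, and widening the exclusion to any line containing `#` would start dropping real pipes. The ruleset file does self-match its own pattern string, which is what the path exclude is for.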