Skip to content

chore: harden CI and fix org-move leftovers#13

Open
GrAv3n-Code wants to merge 2 commits into
mainfrom
chore/org-move-ci-hardening
Open

chore: harden CI and fix org-move leftovers#13
GrAv3n-Code wants to merge 2 commits into
mainfrom
chore/org-move-ci-hardening

Conversation

@GrAv3n-Code

Copy link
Copy Markdown

Post-move maintenance for the techlotse-AI org.

What changed

  • Dependabot (.github/dependabot.yml) — weekly npm (root workspaces), github-actions, and docker updates.
  • Trivy CRITICAL gate in CI — filesystem + built-image scans, ignore-unfixed, fail on CRITICAL.
  • Release on v* tags (.github/workflows/release.yml) — verifies tag == VERSION, builds/pushes techlotse/tl-recipe-core:v<x> + :latest (SBOM + provenance), and cuts a GitHub Release with notes from CHANGELOG.md.
  • Stale org-move refs fixed — README CI badge (was Techlotse/TL-Recipy-Core) → techlotse-AI/TL-Recipe; all 0.5.9 version strings → 0.8.1 (README badge, .env.example, docker-compose.yml, docker-publish.yml fallback, both workspace package.jsons, lockfile).

Validation

npm run lint ✅ · npm test 45/45 ✅ · npm run build ✅ · workflow YAML parses ✅

Notes for reviewer

  • release.yml reuses the same ORG_DOCKERHUB_USER/ORG_DOCKERHUB_KEY secrets as the existing (working) docker-publish.yml. Heads-up: the org's CLI-visible Actions secrets are named DOCKERHUB_USER/DOCKERHUB_TOKEN — please confirm ORG_DOCKERHUB_* exist in org Settings → Secrets.
  • npm audit: 3 non-critical vulns (undici/vite high, qs moderate) — Dependabot will now pick these up.

🤖 Generated with Claude Code

GrAv3n-Code and others added 2 commits July 5, 2026 19:40
Post-move to the techlotse-AI org:
- Add Dependabot (npm workspaces, github-actions, docker)
- Add Trivy CRITICAL gate to CI (filesystem + built image, ignore-unfixed)
- Add release.yml: build/push image and cut a GitHub Release on v* tags
- Fix stale README CI badge (old Techlotse/TL-Recipy-Core) and version badge
- Bump stale 0.5.9 refs to 0.8.1 (env, compose, workspace package.json, lock)

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
Reference ORG-visible DOCKERHUB_USER / DOCKERHUB_TOKEN instead of
ORG_DOCKERHUB_USER / ORG_DOCKERHUB_KEY so login matches the secrets
that actually exist in the techlotse-AI org.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant