
fix(ci): close code scanning and verification gaps #8

Merged
JSONbored merged 1 commit into main from codex/nightward-ci-tui-hardening
Apr 30, 2026

Conversation

@JSONbored

Owner

Summary

  • fixes the current CI/code-scanning warning surface without changing Nightward's local-first trust boundary
  • expands TUI and CLI regression coverage around redaction, width safety, command behavior, no-write behavior, and workspace isolation
  • improves README structure with diagrams, callouts, and clearer command guidance

What changed

  • replaced Gitleaks and govulncheck wrapper actions with pinned Make targets managed by Renovate
  • switched Trunk Check CI to explicit CLI execution and added a fuzz smoke gate
  • tightened workflow permissions for SARIF and release jobs
  • changed Nightward policy SARIF CI to scan the workspace instead of the synthetic policy fixture home
  • fixed Raycast Markdown/code escaping to address CodeQL incomplete sanitization alerts
  • added deterministic TUI model/view tests for filters, search, help, responsive widths, details, and redaction
  • added CLI matrix tests for public command paths, parseability, expected failures, no-write behavior, and output parity
  • added MCP parser fuzz smoke coverage
  • updated SECURITY, testing, CI/security, Renovate, PR checklist, roadmap, and README docs

Why

The merged baseline was functional, but GitHub code scanning was reporting avoidable CI/tooling issues, fixture SARIF alerts, and Raycast escaping findings. This keeps the project credible before broader adoption and gives future TUI/provider work a stronger test bed.

Validation

  • make verify
  • renovate-config-validator renovate.json
  • actionlint -shellcheck= .github/workflows/*.yml
  • go run ./cmd/nw --help
  • go run ./cmd/nw policy sarif --workspace . --output - | jq '[.runs[].results[]?] | length'
  • manual TUI launch/quit smoke with a temp HOME
  • git diff --check

Notes

  • Scorecard Maintained is repository-age/activity based and cannot be fully closed by code in this PR.
  • Scorecard Code-Review depends on reviewed PR history and branch/ruleset behavior; this PR should be reviewed rather than force-merged if we want to improve that signal.
  • Scorecard CII-Best-Practices still requires a real OpenSSF Best Practices project/badge setup outside the repo.
  • Existing Nightward SARIF alerts on main should clear after this workflow runs on main, because policy SARIF now scans the workspace instead of testdata/homes/policy.
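
The "tightened workflow permissions for SARIF and release jobs" item above is the kind of change that is easy to get subtly wrong, so here is the least-privilege shape it usually takes. This is an added illustration, not Nightward's workflow file: the job names, the placeholder `<pinned-sha>` and the assumption that Nightward's policy SARIF is produced by its own CLI are mine. The pattern is a read-only default at the top, with each job opting into exactly the one write scope it needs.

```yaml
# Added illustration, not Nightward's workflow. Assumed job names and steps.
name: policy-sarif

on:
  push:
    branches: [main]
  pull_request:

# Read-only default for every job; anything below must opt in explicitly.
permissions:
  contents: read

jobs:
  policy-sarif:
    runs-on: ubuntu-latest
    # upload-sarif needs security-events:write (and actions:read on private
    # repos). Nothing here needs contents:write.
    permissions:
      contents: read
      security-events: write
      actions: read
    steps:
      - uses: actions/checkout@<pinned-sha>   # pin to a commit SHA, not a tag
      - uses: actions/setup-go@<pinned-sha>
        with:
          go-version-file: go.mod
      # Assumed: the project's own CLI emits SARIF for the real workspace,
      # not a test fixture home, so fixture findings never reach the Security tab.
      - run: go run ./cmd/nw policy sarif --workspace . --output nightward.sarif
      - uses: github/codeql-action/upload-sarif@<pinned-sha>
        with:
          sarif_file: nightward.sarif

  release:
    if: startsWith(github.ref, 'refs/tags/v')
    needs: [policy-sarif]
    runs-on: ubuntu-latest
    # Only the release job may write to the repo (to attach assets).
    # id-token:write is needed only if you also publish provenance/attestations.
    permissions:
      contents: write
      id-token: write
    steps:
      - uses: actions/checkout@<pinned-sha>
      - run: make release   # assumed Make target
```

Two things worth checking when you adopt this: a job-level `permissions` block replaces the workflow-level one entirely (it does not merge), so every job that needs `contents: read` for checkout must restate it, and `pull_request` runs from forks get a read-only token regardless of what is declared, which is why SARIF upload on fork PRs fails unless handled separately.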

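The "fixed Raycast Markdown/code escaping to address CodeQL incomplete sanitization alerts" item refers to a well-known CodeQL query class: a single-occurrence `replace` that only touches the first special character. The example below is an added illustration written in Go (the project's main language; the Raycast extension itself is TypeScript, but the issue is language-independent) and is not Nightward's code. It shows the flagged pattern next to the approach that actually survives CommonMark rendering: backslash escapes do not work inside code spans or fenced blocks, so the only robust way to embed an untrusted value that may contain backticks is to pick a delimiter run longer than any backtick run in the value. All function names and the sample inputs are my own.

```go
package main

import (
	"fmt"
	"strings"
)

// escapeMarkdownIncomplete is the pattern CodeQL's incomplete-sanitization
// query flags: strings.Replace with n = 1 rewrites only the first backtick,
// so a value such as "a`b`c" still closes the code span early. Kept here
// as the "before" for comparison; do not use.
func escapeMarkdownIncomplete(s string) string {
	return "`" + strings.Replace(s, "`", "\\`", 1) + "`"
}

// markdownTextEscaper backslash-escapes every Markdown-significant ASCII
// punctuation character in *text* context (not code). NewReplacer scans the
// input once, so no escape is applied twice regardless of pair order.
var markdownTextEscaper = strings.NewReplacer(
	`\`, `\\`, "`", "\\`", "*", `\*`, "_", `\_`,
	"[", `\[`, "]", `\]`, "(", `\(`, ")", `\)`,
	"<", `\<`, ">", `\>`, "#", `\#`, "|", `\|`, "~", `\~`,
)

// escapeMarkdownText renders an untrusted string as literal Markdown text.
func escapeMarkdownText(s string) string {
	return markdownTextEscaper.Replace(s)
}

// longestBacktickRun returns the length of the longest consecutive run of
// backticks in s; the delimiter must be strictly longer than this.
func longestBacktickRun(s string) int {
	longest, run := 0, 0
	for _, r := range s {
		if r == '`' {
			run++
			if run > longest {
				longest = run
			}
		} else {
			run = 0
		}
	}
	return longest
}

// codeSpan wraps s in a CommonMark code span that cannot be broken out of.
// Newlines become spaces (CommonMark does that anyway), the delimiter is one
// backtick longer than any run inside s, and a single space is added on each
// side when s starts or ends with a backtick (renderers strip exactly one).
func codeSpan(s string) string {
	s = strings.ReplaceAll(s, "\n", " ")
	fence := strings.Repeat("`", longestBacktickRun(s)+1)
	if strings.HasPrefix(s, "`") || strings.HasSuffix(s, "`") {
		s = " " + s + " "
	}
	return fence + s + fence
}

// codeBlock wraps s in a fenced block whose fence (at least 3 backticks) is
// longer than any backtick run in s. The info string may not contain
// backticks or newlines, so those are stripped from lang rather than trusted.
func codeBlock(lang, s string) string {
	n := longestBacktickRun(s) + 1
	if n < 3 {
		n = 3
	}
	fence := strings.Repeat("`", n)
	lang = strings.NewReplacer("`", "", "\n", "").Replace(lang)
	return fence + lang + "\n" + s + "\n" + fence
}

func main() {
	// Constructed sample: a value an attacker controls that tries to close the
	// code span and inject a Markdown link after it.
	hostile := "x` [click](https://example.invalid) `y"
	fmt.Println("incomplete:", escapeMarkdownIncomplete(hostile))
	fmt.Println("code span: ", codeSpan(hostile))
	fmt.Println("text:      ", escapeMarkdownText(hostile))
	fmt.Println(codeBlock("go", "s := \"``\""))
}
```

Running it shows the difference directly: the "incomplete" line still contains an unescaped backtick followed by a live link, while the `codeSpan` output uses a double-backtick delimiter so the whole value renders as literal code.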
@github-advanced-security


You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@JSONbored JSONbored self-assigned this Apr 30, 2026
@JSONbored JSONbored merged commit ca234f9 into main Apr 30, 2026
12 checks passed
@JSONbored JSONbored deleted the codex/nightward-ci-tui-hardening branch April 30, 2026 21:25
