Skip to content

Centralize tool version pins and improve web provisioning#80

Merged
alexkroman merged 3 commits into
mainfrom
claude/wizardly-einstein-4fhc9k
Jun 11, 2026
Merged

Centralize tool version pins and improve web provisioning#80
alexkroman merged 3 commits into
mainfrom
claude/wizardly-einstein-4fhc9k

Conversation

@alexkroman

Copy link
Copy Markdown
Collaborator

Summary

Consolidate non-Python tool version pins into a single source of truth (scripts/gate_tool_pins.sh) shared by both CI and the web session-start hook. This ensures the same tool versions run in all environments and simplifies maintenance. Additionally, enhance the session-start hook to fully provision web containers with all gate dependencies (Go binaries, git history) and improve observability by logging verbose output separately.

Key Changes

  • New scripts/gate_tool_pins.sh: Single source of truth for markdownlint, prettier, actionlint, and gitleaks versions. Sourced by both .github/workflows/ci.yml and .claude/hooks/session-start.sh so version bumps apply everywhere automatically.

  • Enhanced .claude/hooks/session-start.sh:

    • Now installs Go gate binaries (actionlint, gitleaks) at CI's pinned versions, so web containers enforce the same gates as CI instead of silently skipping them
    • Unshallows git history (git fetch --unshallow) to provide merge base with origin/main, fixing crashes in diff-scoped tail gates (diff-cover, mutation)
    • Adds prettier installation alongside markdownlint (both now pinned to CI versions)
    • Redirects verbose output to /tmp/session-start.log to keep hook stdout terse (one line per step) and avoid bloating agent context
    • Implements soft-fail pattern: each step warns on failure but continues, allowing partially provisioned containers to remain usable while check.sh self-skips missing tools
    • Adds 600-second timeout in .claude/settings.json to prevent hanging sessions
  • Updated .github/workflows/ci.yml: Source scripts/gate_tool_pins.sh for Node and Go tool installations, replacing hardcoded versions.

  • Updated scripts/check.sh: Add shellcheck linting for the new gate_tool_pins.sh and session-start hook with -x --source-path=. flags to follow sourced files.

  • Updated AGENTS.md: Document that web containers are fully provisioned at session start and explain how to debug provisioning failures via /tmp/session-start.log.

  • Updated .claude/settings.json: Whitelist additional git and gh commands (git rev-parse, git ls-files, git grep, gh pr diff, gh pr checks, timeout 30 uv run assembly) for agent use.

Notable Details

  • Tool pins are now defined once and reused everywhere, eliminating version skew between CI and web environments
  • The hook's soft-fail approach means a partially provisioned container is still usable—check.sh will self-skip whatever is missing, but CI will still enforce it
  • Verbose provisioning output is isolated to /tmp/session-start.log to keep the hook's stdout clean (one line per step), preventing context bloat in agent sessions
  • Git unshallowing ensures diff-scoped gates work correctly in web containers, which start from shallow clones

https://claude.ai/code/session_01FUszDSwvuSLgvBXnXJQ3M7

DX improvements for Claude Code on the web sessions, mined from session
friction:

- session-start.sh now emits one line per step and sends verbose output to
  /tmp/session-start.log — the raw apt-get output previously injected ~38KB
  into the agent's context every session start.
- Provision actionlint + gitleaks (go install) and pin prettier to CI's
  version, so check.sh enforces in web sessions the same gates CI runs
  instead of self-skipping them and failing late in CI.
- Unshallow the clone at session start: a shallow clone has origin/main but
  no merge base, which crashes diff-cover/mutation with a confusing
  'fatal: no merge base' instead of self-skipping.
- Single-source the non-Python tool pins in scripts/gate_tool_pins.sh,
  sourced by both ci.yml and the hook (they can't live in pyproject —
  gitleaks/actionlint ship no PyPI distribution).
- shellcheck-gate the hook and pins file in check.sh; add an explicit
  600s hook timeout and a few safe read-only permission allowlist entries.
- Document the provisioning contract in AGENTS.md.

https://claude.ai/code/session_01FUszDSwvuSLgvBXnXJQ3M7
@alexkroman
alexkroman enabled auto-merge (squash) June 11, 2026 22:57
claude added 2 commits June 11, 2026 22:59
…ein-4fhc9k

# Conflicts:
#	.claude/hooks/session-start.sh
#	scripts/check.sh
Parallel pytest-cov runs write .coverage.vm.pid*.* files that are combined
and removed on success but linger after an interrupted run, showing up as
untracked files that trip commit hooks.

https://claude.ai/code/session_01FUszDSwvuSLgvBXnXJQ3M7
@alexkroman
alexkroman merged commit ae629da into main Jun 11, 2026
8 checks passed
@alexkroman
alexkroman deleted the claude/wizardly-einstein-4fhc9k branch June 11, 2026 23:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants