chore: roll out rig (CI gates + harness) and slim agent docs#25
Scaffolds rig.yaml and the per-repo committed artifacts from `rig init`:
- .github/workflows: codeql (self-gate), dependency-review, leftover-grep, review-threads, secret-scan (all additive; existing ci.yml untouched).
- ci/: shell companions for the gate workflows.
- .claude/settings.json: harness auto-mode (defaultMode=bypassPermissions).
- .gitignore: narrow `.claude/` ignore so the committed settings.json is tracked while local agent state (worktrees/, scheduled_tasks.lock) stays ignored.
Global skills/hooks were already installed machine-wide (rig reported them identical); only the per-repo files are committed here.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…ecifics)
rig installed the agent-tools skills globally, which now self-advertise the generic engineering rules. Remove the duplicated generic blocks from AGENTS.md, keeping all tg-cli-specific content (architecture, features, gotchas, conventions).
Removed:
- "Worktree Trap" section — fully covered by the `worktree-base-trap` skill.
- "Commit messages: conventional-commit style" line — covered by `atomic-commits`.
Kept (project-specific): the live-symlink CRITICAL section (carries the concrete ~/.files/bin/tg paths), the Specs pointer (docs/specs/<feature>.md location), TDD/codex/version-bump conventions (each holds tg-cli tooling facts), and all Architecture / feature / gotcha content.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…json); rig.yaml is the committed declaration
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: a20b3dda17
| on: | ||
| pull_request_target: | ||
| types: [opened, synchronize, reopened, ready_for_review] |
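Review bot: `pull_request_target` on these lifecycle types runs the workflow in the base repository's context, with the repository's secrets and a GITHUB_TOKEN that can be write-capable, including for pull requests from forks, so this gate is only safe for as long as it never checks out or executes anything from the PR head (the `git fetch`-only approach used further down). Please state that invariant in a comment directly beside the trigger and, if not already set, pin `permissions:` to the minimum the gate needs (for example `contents: read` and `pull-requests: read`), so that a later edit adding an `actions/checkout` of the head does not silently inherit write access to the base repo.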
Trigger the thread gate on review activity
In the workflow I inspected, this gate only re-runs for PR open/update lifecycle events, but GitHub documents that review and diff-comment activity is delivered through pull_request_review / pull_request_review_comment rather than pull_request/pull_request_target (https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#pull_request). If a reviewer adds an unresolved thread after review-threads has already passed for the current SHA, no new run is triggered, so a required check can remain green even though unresolved threads now exist; add review/review-comment triggers or another automatic recheck path.
| run: | | ||
| # Fetch the PR head object into the local repo so `git diff` can reach it. We do | ||
| # NOT check it out and NOT run anything from it — it's only diffed + grepped. | ||
| git fetch --no-tags --depth=1 origin "$HEAD_SHA" |
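Review bot: `git fetch --no-tags --depth=1 origin "$HEAD_SHA"` leaves the local repo with only the single head commit, so the `base...head` three-dot diff that the leftover-grep script runs (see the thread above) has no merge base to resolve as soon as the PR head is more than one commit ahead of the base, and the gate fails before it scans anything. For a data-only fetch like this one, either deepen the fetch (a `git fetch --deepen` loop until `git merge-base "$BASE_SHA" "$HEAD_SHA"` succeeds, or fetch the PR ref with enough depth) or drop the three-dot form in favour of a diff against a merge-base SHA obtained without local history. Keeping the SHA in the `$HEAD_SHA` environment variable rather than interpolating `${{ }}` directly into `run:` is the right pattern for a `pull_request_target` job; please keep it when the fetch changes.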
Fetch enough head history for three-dot diffs
This workflow fetches only the PR head commit, but the scanner later runs git diff "$base...$LEFTOVER_HEAD" in ci/leftover-grep/leftover-grep.sh; I checked git diff -h, which documents the <commit>...<commit> form, and with a depth-1 head fetch Git cannot find a merge base for multi-commit PRs. In that case the gate exits before scanning with fatal: ...: no merge base, so multi-commit PRs are blocked until the head history/PR ref is fetched deeply enough or the diff strategy avoids requiring a local merge base.
Pull in the fixed agent-tools CI gate templates so the new gates stop hard-failing on a fresh private repo:
- dependency-review: preflight probes the Dependency Graph and skips cleanly (with a notice + enable link) when off, instead of erroring with "Dependency review is not supported on this repository". Blocks normally once enabled.
- secret-scan (gitleaks): pass GITHUB_TOKEN, now required to scan PRs.
- codeql self-gate: skip a matrix language cleanly when the repo has no source for it.
Suppress the two by-design actions findings in leftover-grep.yml (data-only PR-head fetch) with justified markers.
Also pin oven-sh/setup-bun@v2 to its commit SHA in this repo's own ci.yml (fixes the CodeQL actions/unpinned-tag finding).
NOTE: the CodeQL JS/TS self-gate still reports 8 pre-existing findings in this repo's own TypeScript (sanitization / double-escaping / file-system-race in length-counting + install helpers). Those are the gate working as intended on real code, not a template defect; they need a separate fix-or-justify decision by the repo owner and are intentionally left untouched here.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…ove a finding
Same fix as the template: widen is_source_suppressed to scan the contiguous comment block above a flagged line so the justified # codeql[...] markers in leftover-grep.yml actually suppress the by-design actions findings.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Merging this infra-only rollout despite the red CodeQL Self-Gate (javascript-typescript), with justification:
Once #31 lands (fix or justified
What

Rolls out `rig` to tg-cli and slims AGENTS.md of now-self-advertised generic rules.

Step 1 — chore(rig): apply rig.yaml — CI gates + harness

`rig init --yes` scaffolded `rig.yaml` and the per-repo committed artifacts. Global skills/hooks were already installed machine-wide (rig reported them identical) — only per-repo files are committed here:

- `.github/workflows/` (additive — existing `ci.yml` untouched): `codeql.yml` (private-repo SARIF self-gate), `dependency-review.yml`, `leftover-grep.yml`, `review-threads.yml`, `secret-scan.yml` (gitleaks).
- `ci/` — shell companions for the gate workflows (`dep-audit.sh`, `leftover-grep.sh`, `review-threads.sh`, `secret-scan.sh`).
- `.claude/settings.json` — harness auto-mode (`defaultMode: bypassPermissions`).
- `.gitignore` — narrowed `.claude/` ignore (`.claude/*` + `!.claude/settings.json`) so the committed harness file is tracked while local agent state (`worktrees/`, `scheduled_tasks.lock`) stays ignored.
- `rig.yaml` — the declarative source of truth for `rig apply`.

Step 2 — docs(agents): drop now-self-advertised generic rules (kept project specifics)

The agent-tools skills (installed globally by rig) now self-advertise the generic engineering rules, so they're removed from AGENTS.md (211 → 198 lines, −13):

- `worktree-base-trap` skill.
- `atomic-commits`.

Kept everything tg-cli-specific: the live-symlink CRITICAL section (concrete `~/.files/bin/tg` paths), the Specs location pointer, TDD/codex/version-bump conventions (each holds tg-cli tooling facts), and all Architecture / feature / gotcha content.

Verification

`bun test`: 997 pass, 0 fail (the stale "~578 tests" note in AGENTS.md is left as-is — soft number, not a rule). `git grep` confirms no dangling internal links to the removed sections.

🤖 Generated with Claude Code