Skip to content

ci: dogfood truecopy-action — pin and verify our own demo manifest#63

Merged
askalf merged 1 commit into
masterfrom
feat/dogfood-truecopy-action
Jul 16, 2026
Merged

ci: dogfood truecopy-action — pin and verify our own demo manifest#63
askalf merged 1 commit into
masterfrom
feat/dogfood-truecopy-action

Conversation

@askalf

@askalf askalf commented Jul 16, 2026

Copy link
Copy Markdown
Owner

Why

Nobody on GitHub uses truecopy-action in CI yet — including us. A supply-chain gate whose own repo doesn't run it is a weak showcase. This makes truecopy the first adopter of its own Action.

What

  • truecopy.lockdemo/clean-mcp.json pinned (truecopy add), per-tool hashes + redstamp detection provenance recorded
  • .github/workflows/truecopy-gate.ymlaskalf/truecopy-action@v1.0.1 (SHA-pinned, Scorecard-clean) runs verify on every PR and master push

If the demo manifest drifts, or a detection change re-classifies pinned bytes, the gate fails until it's consciously re-pinned — exactly the workflow the README asks adopters to run.

Verified locally: addverify round-trips clean (all 1 pinned skills verified); manifest hashing is canonical-JSON so it's line-ending independent.

🤖 Generated with Claude Code

Pins demo/clean-mcp.json into a committed truecopy.lock and gates it in
CI with askalf/truecopy-action@v1.0.1 (pinned by SHA). The gate fails
if the demo manifest drifts or a detection change re-classifies it,
until the change is consciously re-pinned — the same workflow we ask
adopters to run.
@askalf
askalf enabled auto-merge (squash) July 16, 2026 18:30

@sprayberry-reviewer sprayberry-reviewer left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review from the Sprayberry Labs fleet code reviewer.

Verdict: No blocking issues — clean dogfood addition.


What was checked

Diff scope: 2 new files, +49 lines, 0 deletions:

  • .github/workflows/truecopy-gate.yml
  • truecopy.lock

CI: All 9 checks pass on the PR head, including the new verify pinned skills job (10 s), which logged ✓ filesystem ok / all 1 pinned skills verified — confirming the lock file round-trips against the current demo/clean-mcp.json.

SHA pin verification (resolved via GitHub API):

Pin in diff Tag resolves to
actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 9c091bb…
actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 48b55a0…
askalf/truecopy-action@5c6fcf00edb83ff4846206392722292d45fee227 # v1.0.1 annotated tag → 5c6fcf0…

Security posture:

  • permissions: read-all — no write access granted; correct for a verify-only gate.
  • persist-credentials: false — token is not left in the git config after checkout.
  • Trigger is pull_request (not pull_request_target), so untrusted code never runs with elevated secrets.
  • Branch filter [master] matches the repo's actual default branch.

Lock file: truecopy.lock records per-part hashes (64-char SHA-256) for read_file, list_directory, and (manifest), plus a top-level skill hash — all consistent in length and format. Verdict "clean", findings: 0, engine redstamp@0.4.1 recorded. Canonical-JSON hashing (noted in PR body) makes the lock line-ending–independent.

What's good

The workflow is minimal and well-scoped: checkout → setup-node → truecopy verify, nothing else. The dogfood framing is apt — running the gate on the repo that publishes the action is the strongest possible demonstration that the round-trip works end-to-end.

@askalf
askalf merged commit 6a5e7c6 into master Jul 16, 2026
9 checks passed
@askalf
askalf deleted the feat/dogfood-truecopy-action branch July 16, 2026 18:32

@sprayberry-reviewer sprayberry-reviewer left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review from the Sprayberry Labs fleet code reviewer.


Verdict: clean — approving. All SHA pins verified, CI fully green (including the new gate job verifying its own lock), no correctness issues found.


What I checked

Workflow (.github/workflows/truecopy-gate.yml)

All three action SHA pins resolve to the correct versions:

Step Pinned SHA Verified tag
actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 refs/tags/v7.0.0
actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e refs/tags/v6.4.0
askalf/truecopy-action@5c6fcf00edb83ff4846206392722292d45fee227 annotated refs/tags/v1.0.1 (deref → 5c6fcf00)

permissions: read-all and persist-credentials: false are present — appropriate for a verify-only gate. Triggers cover both push: branches: [master] and pull_request: branches: [master], which is the right surface for a gate.

The workflow omits an explicit command: verify and truecopy-ref — both are intentional: action.yml defaults command to 'verify' and truecopy-ref to 'v0.8.0' (a pinned tag, not a floating branch). The action contract documents this clearly.

Lock file (truecopy.lock)

version: 1, one skill (filesystemdemo/clean-mcp.json). All four SHA-256 hashes are well-formed 64-character hex strings (top-level hash + three per-tool hashes for read_file, list_directory, (manifest)). Verdict clean, findings: 0.

CI

All nine checks passed green on the PR head, including the newly introduced truecopy gate / verify pinned skills job — the gate verified its own lock on its first run. The existing CI matrix (Ubuntu/macOS/Windows × Node 20/22) and CodeQL are unaffected.


What's good

This is a clean self-eating-dog-food commit: the supply-chain gate now protects the repo it lives in, and the new job already green-lit itself against the lock. The comment annotations on every SHA pin (# v7.0.0, # v6.4.0, # v1.0.1) make future bump reviews straightforward.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants