Address all findings from the post-merge tooling review #9
Merged
None of these are referenced by any tracked file or by the rendered site output: two are webp variants whose articles embed the png versions, and the other two belong to no current article. They were still being copied into the published site. Recoverable from history if ever needed again.
The hash check proved every referenced asset exists but never the inverse, so unreferenced assets sat in the tree and shipped with the site unnoticed — the stale-stylesheet failure mode again, and four orphaned images were found this way. New check (d): every tracked hashed asset's token must appear in at least one tracked text file outside the vendored trees.
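Both directions of the hash-integrity check this commit describes (the existing "every referenced token exists" direction and the new check (d), "every tracked hashed asset is referenced"), as an added example that is not the repository's `check-hashes.sh`. It assumes tokens have the shape `name.<8 hex digits>.ext`, lists tracked files with `find` as a stand-in for `git ls-files` so it runs outside a repository, and builds its own constructed sample tree; `VENDORED`, the function names and the sample file names are all illustrative.

```shell
#!/bin/sh
# Added example, not the repository's check-hashes.sh. Assumptions (not from the
# page): tokens look like name.<8 hex>.ext, and "tracked" is approximated with
# find so the demo runs without git (a real hook would substitute `git ls-files`).
set -eu
export LC_ALL=C   # deterministic sort order

VENDORED='fonts stagit migration pubkeys'   # the exclusion list repeated across the tooling
TOKEN_RE='[A-Za-z0-9_-]+\.[0-9a-f]{8}\.[A-Za-z0-9]+'

# tracked ROOT: every regular file under ROOT, relative and sorted (stand-in for git ls-files)
tracked() { (cd "$1" && find . -type f | sed 's#^\./##' | sort); }

# hashed_assets ROOT: tracked files whose name carries a hash token
hashed_assets() { tracked "$1" | grep -E '\.[0-9a-f]{8}\.[A-Za-z0-9]+$' || true; }

# reference_sources ROOT: tracked text files that may reference tokens, minus the vendored trees
reference_sources() {
  tracked "$1" | grep -E '\.(md|html|css|webmanifest)$' | while IFS= read -r f; do
    vendored=0
    for v in $VENDORED; do
      case "$f" in "$v"/*) vendored=1 ;; esac
    done
    if [ "$vendored" -eq 0 ]; then printf '%s\n' "$f"; fi
  done
}

# Existing direction: every token a source mentions must exist as a tracked file
dangling() {
  root=$1
  known=$(hashed_assets "$root" | sed 's#.*/##')
  for s in $(reference_sources "$root"); do
    grep -oE "$TOKEN_RE" "$root/$s" || true
  done | sort -u | while IFS= read -r token; do
    if ! printf '%s\n' "$known" | grep -qxF -- "$token"; then
      printf 'dangling: %s\n' "$token"
    fi
  done
}

# New check (d): every tracked hashed asset must be mentioned by a source other than itself
orphans() {
  root=$1
  sources=$(reference_sources "$root")
  hashed_assets "$root" | while IFS= read -r asset; do
    token=${asset##*/}
    found=0
    for s in $sources; do
      if [ "$s" = "$asset" ]; then continue; fi   # a file naming itself is not a reference
      if grep -qF -- "$token" "$root/$s"; then found=1; break; fi
    done
    if [ "$found" -eq 0 ]; then printf 'orphan: %s\n' "$asset"; fi
  done
}

# check_tree ROOT: print every finding; a non-zero status fails the commit
check_tree() {
  findings=$(dangling "$1"; orphans "$1")
  if [ -n "$findings" ]; then
    printf '%s\n' "$findings"
    return 1
  fi
  return 0
}

# make_demo_tree: a constructed sample site (the unreferenced webp mirrors the real finding)
make_demo_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/img" "$d/stagit"
  printf '<link rel=stylesheet href=/style.0badf00d.css><img src=/img/logo.1a2b3c4d.png>\n' > "$d/index.html"
  printf 'body{background:url(/img/bg.deadbeef.png)}\n' > "$d/style.0badf00d.css"   # names an asset that does not exist
  printf 'PNG' > "$d/img/logo.1a2b3c4d.png"
  printf 'WEBP' > "$d/img/logo.1a2b3c4d.webp"                              # variant nothing embeds
  printf 'PNG' > "$d/img/old.cafebabe.png"
  printf '<img src=/img/old.cafebabe.png>\n' > "$d/stagit/index.html"      # only reference sits in a vendored tree
  printf '%s\n' "$d"
}

demo=$(make_demo_tree)
check_tree "$demo" || echo "check-hashes would reject this tree" >&2
rm -rf "$demo"
```

In a real hook `tracked` becomes `git ls-files`, which is also what makes the orphan direction meaningful: an untracked file cannot ship, but a tracked one does whether or not any page embeds it. The reference search deliberately skips the asset itself, so a hashed stylesheet whose only mention of its own token is its own content still counts as orphaned.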
Check (c) hardcoded the {_header.html, errdocs/err.html} pair, so a future template referencing hashed assets would escape the agreement check and could serve stale tokens undetected. Templates are now discovered with git grep like check (b)'s sources; the two known templates are asserted present so the check cannot silently degrade.
Full-history scans (~1,100 commits) on every push re-checked commits that are already public, adding latency without protection. The wrapper uses the PRE_COMMIT_FROM_REF..PRE_COMMIT_TO_REF range pre-commit provides at the pre-push stage and falls back to full history when no range exists, so CI's --hook-stage pre-push run keeps the exhaustive scan.
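The range handling this commit describes, as an added example wrapper that is not the repository's script. It assumes the history scanner is gitleaks (inferred from the `.gitleaks.toml` named in the change list) and that `gitleaks detect --log-opts` is how a git revision range is passed to it; the function names are illustrative.

```shell
#!/bin/sh
# Added example wrapper, not the repository's script. Assumption: the scanner
# is gitleaks and `gitleaks detect --log-opts` carries a git revision range.
set -eu

# log_range: "FROM..TO" when pre-commit's pre-push stage exported both refs,
# empty otherwise. Both refs are required: git reads a half-empty range such
# as "..TO" as HEAD..TO, so a partial pair would silently scan the wrong commits
# instead of falling back to the exhaustive scan.
log_range() {
  from=${PRE_COMMIT_FROM_REF:-}
  to=${PRE_COMMIT_TO_REF:-}
  if [ -n "$from" ] && [ -n "$to" ]; then
    printf '%s..%s\n' "$from" "$to"
  fi
}

# scanner_args: the argument list for the current environment. Without a range
# (CI's `--hook-stage pre-push` run, or a manual invocation) the scan stays
# exhaustive over the full history.
scanner_args() {
  range=$(log_range)
  if [ -n "$range" ]; then
    printf 'detect --log-opts=%s\n' "$range"
  else
    printf 'detect\n'
  fi
}

# run_scan: hand off to the scanner; the hook's exit status is the scanner's
run_scan() {
  # shellcheck disable=SC2046  # the arguments built above contain no whitespace
  exec gitleaks $(scanner_args)
}

# Stand-alone: show the decision without needing gitleaks installed
echo "gitleaks $(scanner_args)"
```

The hook entry calls `run_scan`; everything above it exists so the fallback decision can be exercised on its own. Requiring both refs is the part worth keeping whatever the scanner: pre-commit only exports the pair at the pre-push stage, and a one-sided range is a valid git argument that scans something other than the commits being pushed.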
The {fonts, stagit, migration, pubkeys} list is necessarily repeated in five files in five syntaxes (each tool's exclusion semantics differ), so it cannot be driven from one source. Point each copy at the others so adding or renaming a vendored tree cannot silently miss one.
always_run re-hashed every asset and re-grepped the tree on every commit, including ones touching nothing the check looks at. Gate it on the file types that participate: hashed assets themselves and the text types that reference them. The check itself still scans the full tree when triggered, and CI's --all-files run is unaffected.
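The gating this commit describes, as an added example pre-commit configuration that is not the repository's `.pre-commit-config.yaml`. The hook id, name and entry are illustrative, and the extension list is assumed from the text types and media types named elsewhere in this PR; only one of the two hook definitions belongs in a real file, they are shown together for comparison.

```yaml
# Added example, not the repository's config. Hook id/entry and the extension list are assumptions.

# Before: fires on every commit and re-hashes and re-greps the whole tree even
# when nothing the check looks at was staged.
- repo: local
  hooks:
    - id: check-hashes
      name: hashed-asset integrity
      entry: ./check-hashes.sh
      language: script
      pass_filenames: false
      always_run: true

# After: fires only when a staged file participates in the check. pass_filenames
# stays false, so once triggered the script still inspects the full tree (a stale
# token in an untouched page is still caught), while config-only commits skip it.
# `pre-commit run --all-files` is unaffected: every tracked path is matched against
# `files`, so the hook runs whenever any such file exists.
- repo: local
  hooks:
    - id: check-hashes
      name: hashed-asset integrity
      entry: ./check-hashes.sh
      language: script
      pass_filenames: false
      files: '\.(md|html|css|webmanifest|png|webp|jpg|jpeg|gif|avif|mp4|webm)$'
```

The filter decides only whether the hook runs, not what it sees; keeping `pass_filenames: false` is what preserves the full-tree scan the commit message describes, and dropping it would turn the check into a per-file one that misses references in unchanged pages.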
The byte-preservation section enumerated only extensions present today, so the first jpg/avif/video asset would start unprotected and an editor save could break its content hash (caught at commit by check-hashes, but better not corrupted at all).
Both are preinstalled on ubuntu-latest; uv installs the same pinned versions in ~1-3s where pipx spends 5-15s per tool building a venv, and it matches how pre-commit is installed locally.
The pre-commit ecosystem GA'd in March 2026 and GitHub's docs now mark enable-beta-ecosystems as not in use. If pre-commit update jobs stop appearing in the Dependabot tab, restoring this line is the first thing to try.
uv is not preinstalled on the ubuntu-latest image after all; both jobs failed with command-not-found. setup-uv is SHA-pinned like the other actions.
Summary
Fixes all 8 findings from the code review of the quality-tooling rollout (PRs #6–#8): two coverage gaps in the hash-integrity check, push/commit latency reductions, drift guards for the duplicated exclude lists, broader editor protection for media assets, and two CI config cleanups.
Changes
- `check-hashes.sh`: every tracked hashed asset must be referenced by a tracked text file. The four orphans it would have flagged (two unused webp variants, two unreferenced pngs — all shipping with the site) are removed first; recoverable from history.
- `_header.html`/`errdocs/err.html` pair; both are asserted present so the check can't silently degrade. Note this requires any future hashed-asset-referencing template to agree exactly — loosen then if a legitimate subset-template appears.
- `PRE_COMMIT_FROM_REF..PRE_COMMIT_TO_REF`) via a wrapper script, falling back to full history when no range is provided — so CI's `--hook-stage pre-push` run keeps the exhaustive scan. Local push scan drops from ~1,100 commits to just the pushed ones.
- `md|html|css|webmanifest` + hashed assets) instead of `always_run`; CI `--all-files` unaffected.
- `fonts/` omission in `.gitleaks.toml` is documented.
- `.editorconfig` protects future media types (jpg/jpeg/gif/avif/mp4/webm) up front.
- `uv` instead of pipx (both preinstalled; ~1-3s vs 5-15s per tool, matches local tooling).
- `enable-beta-ecosystems` from dependabot.yml (pre-commit ecosystem GA'd March 2026; docs mark the flag unused).
Testing
- `pre-commit run --all-files` and `--hook-stage pre-push`: all hooks pass.
- `files:` filter observed skipping on config-only commits and running on content commits during this branch's commit sequence.
Notes for reviewers
- `enable-beta-ecosystems: true` (noted in the commit message).