fix(security): remove inert curl-pipe deny rules from settings template #138
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # CI gate for every push and PR: test matrix (Node 20/22 — matches the ">=20" engines | |
| # field; 18 is EOL), Biome lint+format, ShellCheck, the zero-runtime-dependency assertion, | |
| # the version-drift guard, and dependency review. All must pass to merge. | |
| name: CI | |
| on: | |
| push: | |
| branches: [main, master] | |
| pull_request: | |
| permissions: | |
| contents: read | |
| jobs: | |
| test: | |
| name: Test (Node ${{ matrix.node }}) | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| node: [20, 22] | |
| steps: | |
| - uses: actions/checkout@v7 | |
| - uses: actions/setup-node@v6 | |
| with: | |
| node-version: ${{ matrix.node }} | |
| cache: npm | |
| - run: npm ci | |
| - run: npm test | |
| lint: | |
| name: Lint & format (Biome) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v7 | |
| - uses: actions/setup-node@v6 | |
| with: | |
| node-version: 22 | |
| cache: npm | |
| - run: npm ci | |
| - run: npm run check | |
| - run: npm run typecheck | |
| - run: npm audit --audit-level=critical | |
| shellcheck: | |
| name: ShellCheck | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v7 | |
| # Fail only on errors; the guards trip style/warning false-positives (e.g. SC2034 on | |
| # vars used cross-file via the sourced _guardlib.sh). | |
| - run: shellcheck --severity=error $(git ls-files '*.sh') | |
| no-runtime-deps: | |
| name: Assert zero runtime dependencies | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v7 | |
| - run: node -e "process.exit(Object.keys(require('./package.json').dependencies||{}).length)" | |
| - run: npm pack --dry-run | |
| version-drift: | |
| name: Version fields agree | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v7 | |
| # package.json, package-lock.json, .claude-plugin/plugin.json, .codex-plugin/plugin.json, | |
| # and CITATION.cff must all carry the same version (scripts/bump.mjs keeps them in sync). | |
| - run: node scripts/bump.mjs check | |
| docs-drift: | |
| name: Docs match code | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v7 | |
| with: | |
| fetch-depth: 0 # the CHANGELOG check compares src vs CHANGELOG.md commit times | |
| - uses: actions/setup-node@v6 | |
| with: | |
| node-version: 22 | |
| # Commands, env vars, MCP tools, and CHANGELOG reconciled against the code — | |
| # a feature can't merge with its docs missing (src/docs_check.js). | |
| - run: node src/cli.js docs check | |
| dependency-review: | |
| name: Dependency review | |
| runs-on: ubuntu-latest | |
| if: github.event_name == 'pull_request' | |
| steps: | |
| - uses: actions/checkout@v7 | |
| # Advisory: needs the repo's Dependency graph enabled (Settings → Security & analysis). | |
| # continue-on-error keeps the CHECK green until then — this project has zero runtime deps. | |
| - uses: actions/dependency-review-action@v5 | |
| continue-on-error: true |