chore(eddy): modernization sweep — CI, attestations, governance, BibTeX#2

Merged: heznpc merged 1 commit into main from chore/modernize-2026-05-21 on May 21, 2026

Conversation

@heznpc heznpc commented May 21, 2026

Summary

Repo-modernization sweep covering everything outside the prior README/positioning pass. No P0 findings; this PR clears the P1 list and the P2 items the user opted to apply now.

CI / supply chain

  • Bump and SHA-pin all GitHub Actions:
    • `actions/checkout` v4 → v6.0.2 (`de0fac2e`)
    • `actions/upload-artifact` v4 → v7.0.1 (`043fb46d`)
    • `xu-cheng/latex-action` v3 → v4.1.0 (`6549dc21`)
  • Workflow default `permissions: contents: read`; job-level opt-in to `contents: write` (commit step), `attestations: write` + `id-token: write` (SLSA).
  • New: SLSA build provenance attached to `paper/main.pdf` on push-to-main via `actions/attest-build-provenance@v4.1.0` (`a2bbfa25`).
  • Workflow also runs on `pull_request` (paths-filtered) so PRs surface build failures.

Security

  • `.github/workflows/gitleaks.yml` — push / PR / weekly cron. Defense-in-depth over GitHub-native push protection.
  • `SECURITY.md` — scope, contact (heznpc@gmail.com), 7-day ack / 30-day disposition window, coordinated-disclosure preference.

Governance / discoverability

  • `.github/dependabot.yml` — github-actions ecosystem, weekly, minor+patch grouped.
  • `.zenodo.json` — metadata for the existing DOI 10.5281/zenodo.19074337 (keywords, communities, related_identifiers).
  • `CITATION.cff` — enables GitHub's "Cite this repository" UI; preferred-citation block points at the Zenodo DOI.
  • README: build-pdf CI status badge.

Manuscript maintainability

  • Inline `\begin{thebibliography}{37}` (37 entries, ~190 lines) → `paper/main.bib` (BibTeX) + `\bibliographystyle{ACM-Reference-Format}` + `\bibliography{main}`. CI `latexmk` runs the bibtex pass automatically; no workflow change required.

Out of scope (deferred per user decision)

  • `acmart.cls` version pin (conflicts with current .gitignore policy — separate decision).
  • `experiments/` Makefile scaffold (defer until pilot code exists).

Out of scope (logged decisions retained)

  • `paper/main.pdf` auto-commit-by-CI (planning/decisions.md 2026-04-19).

Test plan

  • CI builds the PDF with the new BibTeX pipeline and the bibliography renders in ACM-Reference-Format
  • `paper/main.pdf` artifact is uploaded
  • Build provenance attestation appears under repo Attestations
  • gitleaks workflow runs on this PR and reports no findings
  • After merge: apply branch protection (`build` required check) via `gh api`

- build-pdf: bump actions to checkout v6 / upload-artifact v7 / xu-cheng
  latex-action v4.1.0, all pinned by SHA. Workflow default permissions
  read-only; job-level write + attestations + id-token for SLSA build
  provenance attached to paper/main.pdf on push-to-main. Also runs on PR.
- Add Dependabot config for github-actions ecosystem (weekly).
- Add gitleaks workflow as defense-in-depth over push protection
  (push / PR / weekly cron).
- Add .zenodo.json + CITATION.cff for the published DOI
  (10.5281/zenodo.19074337). Author field uses legal name per Paper
  layer CLAUDE.md exemption.
- Add SECURITY.md with disclosure policy + scope.
- README: add build-pdf CI status badge.
- Convert inline thebibliography (37 entries) to paper/main.bib +
  \bibliography{main} with ACM-Reference-Format style. CI latexmk
  handles the bibtex pass automatically.
@heznpc heznpc merged commit b6971b9 into main May 21, 2026
2 checks passed
@heznpc heznpc deleted the chore/modernize-2026-05-21 branch May 21, 2026 12:34
heznpc added a commit that referenced this pull request May 28, 2026
…tion (#3)

Addresses all 8 findings from /code-review on PR #2.

[CONFIRMED, HIGH]
1. build-pdf.yml: drop pull_request paths filter so the required status
   check fires on every PR (not only paper/** PRs). Avoids future
   non-paper PRs being blocked by missing required check.

2. paper/main.bib: replace full author lists in faraone2021 and
   cortese2025 with `and others` (BibTeX `et al.` idiom honored by
   ACM-Reference-Format). Restores the truncation the original inline
   thebibliography had, prevents 8-page sigconf limit overrun for
   ASSETS 2026.

[PLAUSIBLE]
3. UTF-8 / LaTeX-escape mix in main.bib resolved as side effect of
   fix #2 — the only previous UTF-8 entries (Bölte, Søren, César,
   Døpfner, etc.) lived inside faraone2021's expanded author list,
   which is now `and others`. Remaining diacritic `Dah{\`o}` is the
   sole LaTeX-escape entry; consistent.

4. build-pdf.yml: split into two jobs. `build` (contents:read +
   attestations:write + id-token:write) runs on all triggers. New
   `publish-pdf` job (needs: build, contents:write) gated to push to
   main does the auto-commit. SLSA attestation stays in `build`.
   contents:write no longer leaks into compile/attest/upload steps.

5. .zenodo.json: verified against current Zenodo InvenioRDM vocabulary
   (https://zenodo.org/api/vocabularies/resourcetypes). Legacy field
   `publication_type: workingpaper` maps to canonical
   `publication-workingpaper`. No code change required — finding
   downgraded to verified-correct.

6. gitleaks.yml: add `branches: [main]` to the pull_request trigger so
   it is symmetric with the push trigger. Prevents double-scanning if
   feature branches with their own PR cycles appear later.

7. CITATION.cff: change preferred-citation.type from `article` to
   `preprint`; add `repository` and `institution.name: Zenodo`.
   Citation managers (Zotero/Mendeley) now classify correctly.

8. .gitignore: add `*.bcf` and `*.run.xml` for biber/biblatex
   artifacts. Covers a future migration without leaking aux files.

Branch-protection note: required check context renamed from
`Compile and (on main push) publish PDF` → `build` (updated via
gh api before this PR was opened).
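The workflow shape described above (read-only default token, SHA-pinned actions, and the later `build` / `publish-pdf` split from finding 4) written out as an added example; this is not the repository's own `build-pdf.yml`. The full 40-character action SHAs, the `root_file` name `main.tex`, and the `actions/download-artifact` step and its version are assumptions not taken from the page.

```yaml
# Added example of the hardened build-pdf.yml layout; not the project's file.
name: build-pdf

on:
  push:
    branches: [main]
  pull_request:          # no paths filter: the required check fires on every PR

# Token is read-only by default; each job opts in to exactly what it needs.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      attestations: write   # required by attest-build-provenance
      id-token: write       # OIDC token used for the SLSA provenance signature
    steps:
      # <full-sha-...> are placeholders; the page gives only the short prefixes.
      - uses: actions/checkout@<full-sha-de0fac2e>              # v6.0.2
      - uses: xu-cheng/latex-action@<full-sha-6549dc21>          # v4.1.0
        with:
          working_directory: paper
          root_file: main.tex          # assumed source file name
      - uses: actions/upload-artifact@<full-sha-043fb46d>        # v7.0.1
        with:
          name: paper-pdf
          path: paper/main.pdf
      # Provenance only for builds that will become the published PDF.
      - if: github.event_name == 'push' && github.ref == 'refs/heads/main'
        uses: actions/attest-build-provenance@<full-sha-a2bbfa25>  # v4.1.0
        with:
          subject-path: paper/main.pdf

  publish-pdf:
    needs: build
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    permissions:
      contents: write       # the only job that may push to the repository
    steps:
      - uses: actions/checkout@<full-sha-de0fac2e>              # v6.0.2
      - uses: actions/download-artifact@<full-sha-assumed>       # assumed action/version
        with:
          name: paper-pdf
          path: paper
      - run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git add paper/main.pdf
          git commit -m "ci: update built PDF" || exit 0   # nothing to commit: skip push
          git push
```

Because `contents: write` exists only in `publish-pdf`, a compromised LaTeX toolchain or third-party action in `build` cannot push to the repository, and the attested PDF is exactly the artifact that `publish-pdf` commits.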