
fix(audit): detect cd.yml publish workflows by content + correct README check count#49

Merged
heznpc merged 1 commit into
mainfrom
fix/audit-tool-correctness
Jun 3, 2026

Conversation

@heznpc heznpc commented Jun 3, 2026

Two real defects surfaced by the portfolio dogfooding audit (2026-06-04):

1. detectPublishWorkflow filtered candidates by FILENAME (release|publish|deploy),
   so any repo whose CD workflow is named cd.yml / cd-ios.yml / cd-firefox.yml was
   missed -> bogus "No publish workflow detected" BLOCKED across 8 starters. Now
   also matches publish/release actions+commands in the body (npm/pnpm/yarn
   publish, vsce, ovsx, eas submit, gh-action-pypi-publish, action-gh-release,
   gh release create, twine, wrangler deploy, docker build-push) and adds `cd`
   to the filename fast-path. Comment-only mentions are excluded so a
   changelog-mirror workflow that merely explains the release flow is not
   misclassified.

2. README claimed audit_security "checks 8 items / 8/8 HARDENED" (lines 18,30)
   while line 193 and the code list 9 -- self-drift for a tool whose pitch is
   README<->code parity. Reframed: 8 core CI checks (gate HARDENED) + 1 optional
   repo-author file (claude-security-guidance.md) = 9.

Tests +3 (cd.yml by content, content-only, comment-only non-match); suite 100/100.
Verified end-to-end against mcp-server / npm-package.

NOTE: the audit's "summary off-by-one" was a stale-branch artifact
(chore/code-review-fixes counts core-only; origin/main already counts all) -- no
change needed. audit_cd placeholder handling + audit_release origin-anchor /
append-only-changelog findings are real and deferred to a follow-up.
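The filename-plus-body detection described in point 1 above, as an added example. This is not the project's own detectPublishWorkflow: the function shape (a filename-to-YAML map in, a list of matched files out), the exact pattern list (including the `pypa/`, `softprops/` and `docker/` action owners), the comment-stripping rule and the verdict wording are assumptions drawn only from the PR description, and the sample workflows are constructed for the example. The old filename-only matcher is included beside the fixed one so the `cd.yml` miss is visible.

```javascript
// Added example, not the project's detectPublishWorkflow. Pattern list,
// function shape and comment-stripping rule are assumptions based on the
// PR description; sample workflows below are constructed.

// Pre-fix behaviour (assumed): filename only, no `cd` -> cd.yml is missed.
const OLD_FILENAME_ONLY = /(release|publish|deploy)/i;
function detectPublishWorkflowOld(workflows) {
  return Object.keys(workflows).filter((f) => OLD_FILENAME_ONLY.test(f));
}

// Fixed filename fast-path: release|publish|deploy plus `cd`, as a whole token.
const FILENAME_FAST_PATH = /(^|[-_.])(release|publish|deploy|cd)([-_.]|$)/i;

// Publish/release actions and commands named in the PR description.
const PUBLISH_PATTERNS = [
  { name: 'npm/pnpm/yarn publish', re: /\b(npm|pnpm|yarn)\s+publish\b/ },
  { name: 'vsce publish', re: /\bvsce\s+publish\b/ },
  { name: 'ovsx publish', re: /\bovsx\s+publish\b/ },
  { name: 'eas submit', re: /\beas\s+submit\b/ },
  { name: 'gh-action-pypi-publish', re: /pypa\/gh-action-pypi-publish/ },
  { name: 'action-gh-release', re: /softprops\/action-gh-release/ },
  { name: 'gh release create', re: /\bgh\s+release\s+create\b/ },
  { name: 'twine upload', re: /\btwine\s+upload\b/ },
  { name: 'wrangler deploy', re: /\bwrangler\s+deploy\b/ },
  { name: 'docker build-push', re: /docker\/build-push-action/ },
];

// Drop YAML comments (`#` at line start or after whitespace) so a workflow
// that merely describes the release flow is not counted as a publisher.
function stripYamlComments(text) {
  return text
    .split('\n')
    .map((line) => line.replace(/(^|\s)#.*$/, '$1'))
    .join('\n');
}

// workflows: { 'path/file.yml': yamlText }. One entry per workflow that looks
// like a publisher, with byName (filename fast-path) and body signals.
function detectPublishWorkflow(workflows) {
  const hits = [];
  for (const [file, text] of Object.entries(workflows)) {
    const base = file.replace(/^.*\//, '').replace(/\.ya?ml$/i, '');
    const byName = FILENAME_FAST_PATH.test(base);
    const body = stripYamlComments(text);
    const signals = PUBLISH_PATTERNS.filter((p) => p.re.test(body)).map((p) => p.name);
    if (byName || signals.length > 0) hits.push({ file, byName, signals });
  }
  return hits;
}

// Audit-style verdict; the BLOCKED text mirrors the message quoted in the PR.
function publishVerdict(workflows) {
  const hits = detectPublishWorkflow(workflows);
  if (hits.length === 0) return 'BLOCKED: No publish workflow detected';
  const parts = hits.map((h) => {
    const how = h.byName ? 'filename' : 'content';
    return h.signals.length ? `${h.file} [${how}: ${h.signals.join(', ')}]` : `${h.file} [${how}]`;
  });
  return 'OK: ' + parts.join('; ');
}

// Constructed sample repo: a cd.yml publisher, a content-only publisher in
// build.yml, a comment-only mention, and a plain CI workflow.
const SAMPLE_WORKFLOWS = {
  'cd.yml': `name: CD
on:
  push:
    tags: ['v*']
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm publish --provenance --access public
`,
  'build.yml': `name: Build
on: [push]
jobs:
  pkg:
    runs-on: ubuntu-latest
    steps:
      - run: pnpm publish --no-git-checks
`,
  'changelog-mirror.yml': `name: Changelog mirror
# Mirrors CHANGELOG.md into the wiki. The real release happens in cd.yml,
# where npm publish and gh release create run on tag push.
on: [push]
jobs:
  mirror:
    runs-on: ubuntu-latest
    steps:
      - run: ./scripts/mirror-changelog.sh
`,
  'ci.yml': `name: CI
on: [pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - run: npm test
`,
};

console.log('old:', detectPublishWorkflowOld(SAMPLE_WORKFLOWS)); // [] -> bogus BLOCKED
console.log('new:', publishVerdict(SAMPLE_WORKFLOWS));
```

Two caveats worth keeping in mind with this shape of detector: the comment stripper treats any whitespace-preceded `#` as a comment, so a quoted `run: echo "# heading"` loses its tail (a false negative, never a false positive), and the filename fast-path still counts a `deploy.yml` with no publish step at all, which is the pre-existing behaviour the fix extends rather than replaces.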

…ME check count
@heznpc heznpc enabled auto-merge (squash) June 3, 2026 21:43
@heznpc heznpc merged commit daac649 into main Jun 3, 2026
6 checks passed
@heznpc heznpc deleted the fix/audit-tool-correctness branch June 3, 2026 21:44
