Commit Graph

3 Commits

Author SHA1 Message Date
Devin Foley 9d1f1f5e33 revert(ci): remove dependabot dependency grouping (#7560)
## Thinking Path

> - Paperclip orchestrates AI agents for zero-human companies, so its
automation and CI surfaces need to stay reliable enough for agent-driven
maintenance work.
> - Dependabot configuration is part of that maintenance path because it
determines how dependency updates reach the repo and CI.
> - PR #7483 changed `.github/dependabot.yml` to group all npm
patch/minor updates by dependency type.
> - That immediately produced a 26-package grouped PR that was difficult
to merge and contradicted the board's decision to return to
one-PR-per-bump.
> - This pull request reverts only the grouping behavior while
preserving the rest of the Dependabot schedule, labels, limits, and
ignore rules.
> - The benefit is a narrower, more reviewable Dependabot flow that
restores the previous operational behavior without changing unrelated CI
settings.

## What Changed

- Removed the npm `groups:` block from `.github/dependabot.yml`.
- Left the existing weekly schedule, labels, open PR limit, and
major-version ignore rules unchanged.
- Isolated the revert onto a clean branch containing only commit
`446453516c` so this PR does not include unrelated local CI work.

## Verification

- `ruby -e 'require "yaml"; YAML.load_file(".github/dependabot.yml")'`
- `git diff --check origin/master..PAPA-522-revert-dependabot-grouping`
- Inspect the PR diff and confirm only `.github/dependabot.yml` changed.

## Risks

- Low risk. This only removes the grouping stanza and restores previous
Dependabot behavior.
- Operationally, this returns to a higher number of smaller Dependabot
PRs, which is the intended tradeoff for easier mergeability and triage.

> For core feature work, check [`ROADMAP.md`](ROADMAP.md) first and
discuss it in `#dev` before opening the PR. Feature PRs that overlap
with planned core work may need to be redirected — check the roadmap
first. See `CONTRIBUTING.md`.

## Model Used

- OpenAI Codex via the local `codex_local` Paperclip adapter,
GPT-5-based coding agent backend with tool use and shell execution
enabled. The exact backend model ID/context window is not exposed by
this adapter run.

## Checklist

- [x] I have included a thinking path that traces from project context
to this change
- [x] I have specified the model used (with version and capability
details)
- [x] I have checked ROADMAP.md and confirmed this PR does not duplicate
planned core work
- [ ] I have run tests locally and they pass
- [ ] I have added or updated tests where applicable
- [ ] If this change affects the UI, I have included before/after
screenshots
- [ ] I have updated relevant documentation to reflect my changes
- [x] I have considered and documented any risks above
- [x] I will address all Greptile and reviewer comments before
requesting merge
2026-06-04 21:54:17 -07:00
Devin Foley 69e513efe1 ci(dependabot): bundle npm patch/minor updates by dependency type (#7483)
## Thinking Path

> - Paperclip orchestrates AI agents for zero-human companies
> - Dependabot keeps the JS/TS dependency tree up to date so the agents
and UI run on supported package versions
> - When a sibling package family shares peer dependencies (lexical core
+ `@lexical/*`, `@codemirror/*`, `@radix-ui/*`, `@assistant-ui/*`,
etc.), bumping one without the others leaves the lockfile with two
installed copies of the core package
> - That trips TypeScript: nodes from one version are not assignable to
types from the other, and the UI build fails — observed concretely on PR
#7330 (lexical 0.35 → 0.45) once PAPA-490 stopped masking it
> - The first cut (per-scope `groups` for each sibling-package family)
works but requires maintenance whenever a new scope is added
> - This pull request goes broader: it groups *all* npm patch/minor
updates by dependency type (production vs development), so any
sibling-package family is bundled regardless of scope
> - The benefit is a single weekly PR per dep type, no per-scope
maintenance, and no more partial peer bumps

## What Changed

- Replaced the lexical-specific `groups` entry with two type-based
groups in `.github/dependabot.yml`:
- `production-dependencies`: bundles all patch/minor `dependencies`
updates into one PR
- `development-dependencies`: bundles all patch/minor `devDependencies`
updates into one PR
- Majors continue to land as individual PRs (and are already ignored by
the existing `version-update:semver-major` rule).

## Verification

- After merge, the next Dependabot run (Monday 06:00 weekly, or on
`@dependabot recreate`) should open at most two new npm PRs —
`chore(deps): bump the production-dependencies group` and
`chore(deps-dev): bump the development-dependencies group` — each
combining many bumps. The existing per-package PRs (#7318–#7331) will be
closed and superseded by the grouped PRs.
- Sanity-check by inspecting the resulting lockfile diff: `lexical` and
`@lexical/link` should always move together to the same version.

## Risks

- Low risk for CI config itself. The trade-off is larger weekly PRs that
are harder to bisect when one bump breaks the batch — but Dependabot
also publishes per-package failure reports inside the grouped PR, so
triage stays tractable.
- If a future package genuinely needs to stay ungrouped (e.g. a noisy
one that breaks often), it can be moved out via `exclude-patterns` on
the group.

## Model Used

- Claude (Anthropic), claude-opus-4-7, tool-use enabled.

## Checklist

- [x] I have included a thinking path that traces from project context
to this change
- [x] I have specified the model used (with version and capability
details)
- [x] I have checked ROADMAP.md and confirmed this PR does not duplicate
planned core work
- [ ] I have run tests locally and they pass — N/A, YAML-only CI config
change
- [ ] I have added or updated tests where applicable — N/A
- [ ] If this change affects the UI, I have included before/after
screenshots — N/A
- [ ] I have updated relevant documentation to reflect my changes — N/A
- [x] I have considered and documented any risks above
- [x] I will address all Greptile and reviewer comments before
requesting merge
2026-06-03 23:16:04 -07:00
brandonburr 96feaa331a feat(commitperclip): add automated PR quality and security gates (#6469)
Fixes #6470

## Thinking Path

> - Paperclip is an open-source AI agent platform receiving a high
volume of community PRs — currently 2,398 open
> - The contributor experience is broken: PRs sit for months with no
feedback, contributors don't know why they're stuck, and maintainers
spend review time on PRs that are missing basics
> - Common problems: no linked issue, no test coverage, incomplete PR
template, manually-edited lockfile — all catchable before human review
> - At the same time, accepting untrusted PRs from unknown contributors
is a real attack surface: malicious packages, secret injection,
tampering with CI scripts, and code touching the sensitive paths from
the April security advisories
> - This PR adds automated gates that run on every PR: quality failures
get a clear comment telling contributors exactly what to fix, security
concerns are silently flagged as draft advisories and block merge via a
pending check run
> - The benefit is a dramatically faster feedback loop for good-faith
contributors and a meaningful security layer for the maintainers
reviewing them

## What Changed

- **`.github/workflows/commitperclip-review.yml`** — new workflow using
`pull_request_target` (runs in base branch context, has secrets, never
executes PR code). Runs quality gates + security gates on every PR
open/update.
- **`.github/dependabot.yml`** — weekly automated dependency
vulnerability PRs for npm and GitHub Actions.
- **`.github/scripts/get-bot-token.mjs`** — generates a short-lived
commitperclip installation token from `COMMITPERCLIP_KEY` secret.
- **`.github/scripts/run-quality-gates.mjs`** — orchestrates 5 quality
gates, posts/updates a single consolidated comment on the PR.
- **`.github/scripts/check-pr-template.mjs`** — validates all 5 required
template sections, Thinking Path depth (≥3 sentences), Model Used not
placeholder.
- **`.github/scripts/check-pr-linked-issue.mjs`** — requires `Fixes
#NNN` or issue URL in PR body.
- **`.github/scripts/check-pr-test-coverage.mjs`** — requires at least
one test file in the diff.
- **`.github/scripts/check-pr-lockfile.mjs`** — blocks manual
`pnpm-lock.yaml` edits (only the refresh bot may change it).
- **`.github/scripts/check-pr-dependencies.mjs`** — informational
comment when new npm packages are added.
- **`.github/scripts/check-pr-security.mjs`** — 6 silent security
checks: secret patterns, CI workflow tampering, build script changes,
supply chain (new packages in lockfile), suspicious test patterns
(outbound network/shell exec/env var reads), and changes to the 9
sensitive path prefixes from the April advisories. When any fire:
creates a draft security advisory + sets `security-review` check to
`in_progress` (blocks merge). When clean: sets `security-review` to
`success`.
- **`actions/dependency-review-action@v4`** — per-PR dependency
vulnerability check (fails if new dep has known CVE).
- **44 unit tests** across all gate modules (`node:test`, no external
deps).

## Verification

Run all unit tests locally:
```bash
node --test .github/scripts/tests/*.test.mjs
```
Expected: 44 pass, 0 fail.

End-to-end: open a PR missing the template, linked issue, and test files
→ commitperclip posts a consolidated comment listing all failures. Open
a PR with all gates satisfied → ` All checks passing` comment posted,
all check runs green.

## Risks

**`pull_request_target` security model:** This workflow runs in base
branch context and has access to secrets. It explicitly checks out `ref:
master` (never PR code) and reads the PR diff via GitHub API only — no
PR code is ever executed. This is the correct pattern for running
secret-bearing checks on fork PRs; deviating from it (e.g. checking out
the PR branch) would be a security vulnerability.

**False positives on security gates:** The sensitive-path gate flags any
PR touching the 9 path prefixes from the April advisories. Legitimate
fixes to those paths will trigger draft advisories. This is intentional
— those paths warrant a human look regardless. The `security-review`
check can be manually resolved by a maintainer once reviewed.

**commitperclip not yet installed:** Until the app is installed on this
repo and the `COMMITPERCLIP_KEY` secret is added, the workflow will fail
on the token generation step. The quality gate comment won't post, but
Dependency Review will still run independently.

## Model Used

Claude Sonnet 4.5, 200k context window, extended thinking enabled, tool
use: read/edit files, bash execution, GitHub API calls

## Checklist

- [x] I have included a thinking path that traces from project context
to this change
- [x] I have specified the model used (with version and capability
details)
- [x] I have checked ROADMAP.md and confirmed this PR does not duplicate
planned core work
- [x] I have run tests locally and they pass (44/44)
- [x] I have added or updated tests where applicable (44 unit tests
across all gate modules)
- [ ] If this change affects the UI, I have included before/after
screenshots (N/A — CI only)
- [x] I have updated relevant documentation to reflect my changes
- [x] I have considered and documented any risks above
- [x] I will address all Greptile and reviewer comments before
requesting merge

---

## One-time setup needed from you, Dotta

1. **Install commitperclip app** on this repo:
https://github.com/apps/commitperclip/installations/new
2. **Add `COMMITPERCLIP_KEY`** as a repository secret (Actions →
Secrets) — ask @brandonburr for the key
3. **Add `security_advisories: write` and `checks: write`** to the
commitperclip app permissions (commit-capital org → Settings → Apps →
commitperclip → Permissions)
4. **Install Socket.dev** from GitHub Marketplace for supply chain
scanning
5. **Branch protection** (optional but recommended): require
`commitperclip-review` and `security-review` checks to pass before merge

## Dashboard integration note

The `commitperclip-review` check run result maps cleanly to your PR
triage dashboard. A single filter on your Worker:

```javascript
const gatesCheck = checkRuns.find(r => r.name === 'commitperclip-review');
if (gatesCheck?.conclusion === 'failure') return null; // filter from queue
```

For security flags: `GET
/repos/paperclipai/paperclip/security-advisories?state=draft` — advisory
titles include `PR #NNN` for cross-referencing. PRs with a matching
draft advisory have `security-review` in `in_progress` state (grey
spinner, can't merge via branch protection).

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: Devin Foley <devin@devinfoley.com>
Co-authored-by: Paperclip <noreply@paperclip.ing>
2026-06-01 09:52:53 -07:00