fix: dev-release tag creation, dependabot coverage, go -C cli convention#730
- Create git tag explicitly via API before draft release (gh release create --draft does not create tags; draft releases are tagless until published). Adds cleanup on release creation failure.
- Add dependabot entry for .github/actions/setup-python-uv composite action (was missed because github-actions ecosystem only scans .github/workflows/ by default).
- Switch CLI Go commands from `cd cli &&` to `go -C cli` in CLAUDE.md and pre-pr-review skill (prevents cwd poisoning across Bash calls).

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
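The Dependabot gap in the second bullet (a `github-actions` entry with `directory: "/"` covers `.github/workflows/` only, so each composite action under `.github/actions/` needs its own `directory:` entry) is easy to reintroduce with the next composite action. The script below is an added example, not code from the synthorg repository: a POSIX shell audit that lists composite actions pinning other actions with `uses:` and reports those without a matching `github-actions` `directory:` in `.github/dependabot.yml`. The fixture it writes (action names, the `astral-sh/setup-uv@v7` pin, the dependabot blocks) is constructed to mirror this PR and is not the repository's real configuration.

```shell
#!/usr/bin/env sh
# Added example (not from the synthorg repository): find composite actions under
# .github/actions that pin other actions with `uses:` and are not covered by a
# github-actions entry in .github/dependabot.yml.
set -eu

# Print every `directory:` value that belongs to a github-actions update block.
# Assumes one `directory:` per block; the newer `directories:` list form is not parsed.
dependabot_dirs() {
  awk '
    /^[[:space:]]*-[[:space:]]*package-ecosystem:/ { eco = $NF; gsub(/"/, "", eco) }
    /^[[:space:]]*directory:/ && eco == "github-actions" { d = $NF; gsub(/"/, "", d); print d }
  ' "$1"
}

# Print the repo-relative directory (leading slash, Dependabot style) of each
# composite action whose action.yml/action.yaml uses another action.
composite_action_dirs() {
  for f in "$1"/.github/actions/*/action.yml "$1"/.github/actions/*/action.yaml; do
    [ -f "$f" ] || continue
    if grep -q '^[[:space:]]*-\{0,1\}[[:space:]]*uses:' "$f"; then
      d=$(dirname "$f")
      echo "/${d#"$1"/}"
    fi
  done
}

# Print uncovered composite action directories; exit 1 if there are any.
uncovered_actions() {
  covered=$(dependabot_dirs "$1/.github/dependabot.yml")
  rc=0
  for d in $(composite_action_dirs "$1"); do
    if ! printf '%s\n' "$covered" | grep -qxF "$d"; then
      echo "$d"
      rc=1
    fi
  done
  return $rc
}

# Constructed fixture for demonstration: a repo with one composite action that pins
# astral-sh/setup-uv, one that only runs shell, and a dependabot.yml that covers the
# action directory only when $1 is 1. Prints the fixture root.
write_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/.github/actions/setup-python-uv" "$root/.github/actions/echo-only"
  cat > "$root/.github/actions/setup-python-uv/action.yml" <<'EOF'
name: setup-python-uv
runs:
  using: composite
  steps:
    - uses: astral-sh/setup-uv@v7
    - run: uv sync
      shell: bash
EOF
  cat > "$root/.github/actions/echo-only/action.yml" <<'EOF'
name: echo-only
runs:
  using: composite
  steps:
    - run: echo hello
      shell: bash
EOF
  {
    printf 'version: 2\nupdates:\n'
    printf '  - package-ecosystem: "github-actions"\n    directory: "/"\n    schedule:\n      interval: "daily"\n'
    printf '  - package-ecosystem: "uv"\n    directory: "/"\n    schedule:\n      interval: "daily"\n'
    if [ "$1" = 1 ]; then
      printf '  - package-ecosystem: "github-actions"\n    directory: "/.github/actions/setup-python-uv"\n    schedule:\n      interval: "daily"\n'
    fi
  } > "$root/.github/dependabot.yml"
  echo "$root"
}

# Usage: sh dependabot_audit.sh /path/to/repo   (exit 1 lists the uncovered dirs)
if [ "$#" -gt 0 ]; then
  uncovered_actions "$1"
fi
```

Run against a checkout, the script prints `/.github/actions/setup-python-uv` and exits 1 until the extra `github-actions` block is added; it is cheap enough to run as a pre-commit or CI step so a new composite action cannot silently fall out of Dependabot coverage again. The `uv` block in the fixture shows why the scan is scoped by ecosystem: a `directory: "/"` under another ecosystem does not count as coverage for actions.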
Dependency Review: ✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found. Scanned files: none.
Walkthrough: The changes update Go CLI commands across documentation files to use Go's module-aware directory flag (
Summary of Changes: Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request improves the repository's CI/CD processes and documentation by refining how development releases are tagged, enhancing Dependabot's update coverage for GitHub Actions, and standardizing Go CLI command execution to avoid shell side effects.
Code Review
This pull request introduces several improvements to CI and development workflows. It updates Go commands to use the go -C flag instead of cd, which is a good practice to avoid side effects. It also adds Dependabot configuration to scan a composite GitHub Action for updates, closing a coverage gap. The changes are well-explained and improve the project's tooling. I have one suggestion in CLAUDE.md to make the golangci-lint command more consistent with the other commands.
| go -C cli build -o synthorg ./main.go # build CLI | ||
| go -C cli test ./... # run tests (fuzz targets run seed corpus only without -fuzz flag) | ||
| go -C cli vet ./... # vet | ||
| (cd cli && golangci-lint run) # lint (no -C flag, use subshell) |
Using a subshell with cd is a valid way to scope the directory change, but for consistency with the other go -C commands, you could run golangci-lint from the root and specify the path to analyze. golangci-lint will correctly find its configuration in the cli/ directory. This avoids the subshell and makes the command style more uniform. The explanatory comment also becomes unnecessary.
| (cd cli && golangci-lint run) # lint (no -C flag, use subshell) | |
| golangci-lint run ./cli/... # lint |
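Review bot: the suggested `golangci-lint run ./cli/...` is executed from the repository root, and golangci-lint loads packages through `go list`, which cannot resolve `./cli/...` across a module boundary when the working directory is not inside that module (or a go.work that includes it); the learnings on this page record that the CLI's dependencies live in `cli/go.mod`, so `cli/` is its own module. Verify the suggestion actually runs in this layout before replacing `(cd cli && golangci-lint run)`; the subshell form already avoids the cwd leak the PR is fixing, so the only gain is stylistic.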
Actionable comments posted: 2
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
.github/workflows/dev-release.yml (1)
124-146: ⚠️ Potential issue | 🔴 Critical: Deleting the tag in the release-creation failure path is not a safe rollback and can leave orphaned state.
Once Line 126 creates the tag via `gh api`, the downstream Docker and CLI workflows (triggered by the `v*` tag match) are immediately dispatched. The CLI workflow (`cli.yml` lines 291-300) does not have concurrency cancellation for tag-triggered runs, so it will proceed regardless of tag deletion. Both workflows modify release state: uploading assets and editing release notes. If `gh release create` fails transiently or is cancelled after the tag exists, deleting the tag at Lines 144-145 does not undo already-dispatched workflows or any artifacts they publish. The result is orphaned release assets or an unpublished draft release with no tag.
Instead of deleting the tag: keep it, verify whether the release now exists, and add a reconciliation path (e.g., recreate the release or wait-and-retry) for the case where `tag exists && release missing`. This avoids inconsistent state and allows future reruns to recover cleanly.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/dev-release.yml around lines 124 - 146, The current rollback deletes the tag created by the gh api call (refs/tags/$DEV_TAG) on a gh release create failure, which can leave downstream workflows and uploaded assets orphaned; instead remove the gh api -X DELETE "repos/$GITHUB_REPOSITORY/git/refs/tags/$DEV_TAG" cleanup and implement a safe reconciliation: after a failed gh release create check whether the tag ($DEV_TAG) still exists and whether a release already exists for that tag, then retry gh release create with backoff or record the tag/release pair for an asynchronous reconciliation job (or emit an explicit warning/log instructing rerun), ensuring any downstream workflows triggered by the tag are allowed to complete and artifacts can be attached rather than deleting the tag outright.
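The PR description's tag-then-draft-release sequence and the reconciliation this comment asks for fit together as one idempotent step. The script below is an added example written for this page, not the synthorg `dev-release.yml` step itself: it creates the tag through the Git refs API, creates the draft release pointing at it, and on failure keeps the tag (because the `v*` push has already dispatched downstream workflows) so that a rerun lands in the `tag exists && release missing` branch and only recreates the release. The repository, tag and SHA values are placeholders, the backoff parameters are arbitrary, and it assumes an authenticated `gh` whose token may create refs and releases.

```shell
#!/usr/bin/env sh
# Added example (not the synthorg dev-release workflow's own code): create the dev tag
# via the GitHub API, then a draft release pointing at it, and reconcile instead of
# deleting the tag if the release step fails. Requires an authenticated `gh`.
set -eu

# Placeholders: in a workflow these come from the job environment.
: "${GITHUB_REPOSITORY:=example-org/example-repo}"
: "${DEV_TAG:=v0.0.0-dev.1}"
: "${TARGET_SHA:=0000000000000000000000000000000000000000}"
: "${RETRY_DELAY:=5}"   # seconds; grows linearly per attempt

# Does refs/tags/$1 exist? (gh api exits non-zero on 404)
tag_exists() {
  gh api "repos/$GITHUB_REPOSITORY/git/ref/tags/$1" >/dev/null 2>&1
}

# Is there a release whose tag_name is $1? The list endpoint also returns drafts
# (to a token allowed to see them), which matters because a draft is tagless.
release_exists() {
  [ -n "$(gh api --paginate "repos/$GITHUB_REPOSITORY/releases" \
          --jq ".[] | select(.tag_name == \"$1\") | .id")" ]
}

# Pure decision: what to do given tag/release presence. There is deliberately no
# "delete tag" outcome: the v* push already dispatched workflows that attach assets.
decide_action() {
  case "$1/$2" in
    no/no)   echo create-tag-and-release ;;
    yes/no)  echo create-release ;;   # reconciliation case: tag exists, release missing
    no/yes)  echo create-tag ;;       # tagless draft: create the tag it names
    yes/yes) echo noop ;;
    *) echo "decide_action: bad state $1/$2" >&2; return 2 ;;
  esac
}

create_tag() {
  gh api -X POST "repos/$GITHUB_REPOSITORY/git/refs" \
    -f ref="refs/tags/$DEV_TAG" -f sha="$TARGET_SHA" >/dev/null
}

create_draft_release() {
  gh release create "$DEV_TAG" --repo "$GITHUB_REPOSITORY" --draft --prerelease \
    --title "$DEV_TAG" --notes "Dev build $DEV_TAG" >/dev/null
}

# Run "$@" up to $1 times with linear backoff of $2 seconds between attempts.
retry() {
  retry_max=$1; retry_delay=$2; shift 2
  retry_n=1
  until "$@"; do
    [ "$retry_n" -lt "$retry_max" ] || return 1
    sleep "$((retry_delay * retry_n))"
    retry_n=$((retry_n + 1))
  done
}

# Idempotent entry point: prints the action taken; exits non-zero if the release
# could not be created, leaving the tag in place so a rerun takes create-release.
ensure_dev_release() {
  have_tag=no; have_release=no
  tag_exists "$DEV_TAG" && have_tag=yes
  release_exists "$DEV_TAG" && have_release=yes
  action=$(decide_action "$have_tag" "$have_release")
  echo "state: tag=$have_tag release=$have_release -> $action" >&2
  case "$action" in
    create-tag-and-release) create_tag && retry 3 "$RETRY_DELAY" create_draft_release ;;
    create-release)         retry 3 "$RETRY_DELAY" create_draft_release ;;
    create-tag)             create_tag ;;
    noop)                   true ;;
  esac || { echo "release step failed; $DEV_TAG kept for rerun" >&2; return 1; }
  echo "$action"
}

# Run only when asked (DEV_RELEASE_RUN=1); sourcing the file just loads the functions.
if [ "${DEV_RELEASE_RUN:-0}" = 1 ]; then
  ensure_dev_release
fi
```

The decision table is the part worth keeping separate from the `gh` calls: it is what a workflow rerun exercises, and it makes the "never delete the tag" invariant explicit rather than implicit in an error handler. The trade-off is that a tag whose release creation fails for good stays visible to downstream workflows, so the step must fail loudly (the non-zero exit) and the finalize step must refuse to publish a release it cannot find.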
📒 Files selected for processing (4)
- .claude/skills/pre-pr-review/SKILL.md
- .github/dependabot.yml
- .github/workflows/dev-release.yml
- CLAUDE.md
🧰 Additional context used
🧠 Learnings, all learnt from CLAUDE.md (Repo: Aureliolo/synthorg, recorded 2026-03-15 to 2026-03-22) and applied to the four files under review (.github/workflows/dev-release.yml, .github/dependabot.yml, CLAUDE.md, .claude/skills/pre-pr-review/SKILL.md):
- Applies to .github/workflows/*.yml : Dependabot: daily updates for uv + github-actions + npm + pre-commit + docker + gomod, grouped minor/patch, no auto-merge. Use `/review-dep-pr` to review Dependabot PRs before merging.
- Applies to .github/workflows/cli.yml : CLI workflow: Go lint (golangci-lint + go vet) + test (-race -coverprofile) + build (cross-compile: linux/darwin/windows × amd64/arm64) + govulncheck + fuzz testing (main-only, 30s/target, continue-on-error, matrix over 4 packages). cli-pass gate includes fuzz as informational. GoReleaser release on v* tags. Cosign keyless signing of checksums.txt. SLSA L3 provenance attestations. Sigstore bundle (.sigstore.json) attached. Post-release appends checksums/verification/provenance to draft release notes.
- CLI workflow (`.github/workflows/cli.yml`) runs Go lint (golangci-lint + go vet) + test (race, coverage) + build (cross-compile matrix) + vulnerability check (govulncheck) + fuzz testing. Cross-compiles for linux/darwin/windows × amd64/arm64. GoReleaser release on v* tags with cosign keyless signing and SLSA L3 attestations.
- Applies to .github/workflows/finalize-release.yml : Finalize Release workflow: publishes draft releases created by Release Please. Triggers on workflow_run completion of Docker and CLI workflows. Verifies both workflows succeeded for the associated tag before publishing. Extracts CLI checksums, cosign verification, and container verification data from HTML comments, assembles into combined Verification section. Guards against PR-triggered runs. Handles TOCTOU races. Immutable releases enabled: once published, release assets and body cannot be modified.
- Use `/aurelio-review-pr` to handle external reviewer feedback on existing PRs.
- Applies to .github/workflows/docker.yml : Docker workflow: builds backend + web + sandbox images, pushes to GHCR, signs with cosign. SLSA L3 provenance attestations via actions/attest-build-provenance. Scans: Trivy (CRITICAL = hard fail, HIGH = warn) + Grype (critical cutoff) + CIS Docker Benchmark v1.6.0 compliance (informational). CVE triage via .github/.trivyignore.yaml and .github/.grype.yaml. Images only pushed after scans pass. Triggers on push to main and version tags (v*).
- Applies to .github/workflows/docker.yml : CI Docker: build → scan → push to GHCR + cosign sign + SLSA L3 provenance via attest-build-provenance (images only pushed after Trivy/Grype scans pass).
- Applies to cli/** : CLI: Go 1.26+, dependencies in cli/go.mod (Cobra, charmbracelet/huh).
- Applies to cli/**/*.go : Go CLI (Go 1.26+) uses Cobra for commands, charmbracelet/huh for interactive CLI, charmbracelet/lipgloss for styled output. Cross-platform builds (linux/darwin/windows × amd64/arm64). GoReleaser for releases with cosign keyless signing of checksums.txt. SLSA L3 provenance attestations via actions/attest-build-provenance.
- Applies to cli/go.mod : Go CLI dependencies: Go 1.26+, Cobra (commands), charmbracelet/huh (interactive CLI), charmbracelet/lipgloss (styled output).
- Applies to cli/go.mod : Go CLI requires Go 1.26+ with dependencies: Cobra, charmbracelet/huh, charmbracelet/lipgloss, sigstore-go, go-containerregistry, go-tuf.
- Applies to go.mod : Maintain Go 1.26+ requirement. Dependencies: Cobra (CLI framework), charmbracelet/huh and charmbracelet/lipgloss (UI), sigstore-go (code signing), go-containerregistry (container image verification), go-tuf (TUF client for Sigstore).
- Dependabot: auto-updates Docker image digests and versions daily.
- Shell commands: for Go CLI work, cd cli is an exception because Go tooling requires working directory to be the module root. Go commands require `cd cli`; for other work, never use `cd`.
- Applies to cli/**/*.go : Run Go lint via `golangci-lint run`, vet via `go vet`, tests via `go test ./...`, and fuzz via `go test -fuzz=FuzzTarget -fuzztime=30s`.
- Applies to cli/**/*.go : Run `golangci-lint` for linting and `go vet` for code vetting in the Go CLI.
- Applies to cli/**/*.go : Lint CLI Go code with golangci-lint and go vet; test with go test -race; check vulnerabilities with govulncheck.
- Applies to cli/**/*.go : Lint Go code with `golangci-lint` and `go vet`. Run tests with `-race` flag to detect race conditions.
- Applies to cli/**/*.go : Use native Go testing with `testing.F` fuzz functions (`Fuzz*`) for fuzz testing.
- Applies to cli/**/*.go : Use native `testing.F` fuzz functions (`Fuzz*`) for property-based testing in Go CLI.
- Pre-push hooks: mypy type-check + pytest unit tests + golangci-lint + go vet + go test (CLI, conditional on cli/**/*.go) (fast gate before push, skipped in pre-commit.ci; dedicated CI jobs already run these).
- Pre-commit hooks: trailing-whitespace, end-of-file-fixer, check-yaml, check-toml, check-json, check-merge-conflict, check-added-large-files, no-commit-to-branch (main), ruff check+format, gitleaks, hadolint (Dockerfile linting).
- Applies to .github/workflows/**/*.yml : Path filtering: dorny/paths-filter detects Python/dashboard/docker changes; jobs only run when their domain is affected. CLI has its own workflow (cli.yml).
- Applies to pyproject.toml : Organize dependencies into groups: `test` (pytest + plugins, hypothesis), `dev` (includes test + ruff, mypy, pre-commit, commitizen, pip-audit). Install with `uv sync`.
🔇 Additional comments (3)
.github/dependabot.yml (1)
42-60: Good addition: composite action Dependabot coverage is correctly configured. This new `github-actions` entry is consistent with your existing policy (daily cadence, grouped minor/patch updates, reviewer/label metadata) and appropriately targets `/.github/actions/setup-python-uv`. Based on learnings: Dependabot should run daily for `github-actions` with grouped `minor/patch` updates.
CLAUDE.md (1)
63-65: Good `go -C cli` migration for Go commands. These command updates correctly avoid persistent cwd side effects and match the PR objective.
Also applies to: 67-67
.claude/skills/pre-pr-review/SKILL.md (1)
208-220: `go -C cli` updates look correct. The vet/test/build commands now avoid shell cwd poisoning and keep behavior explicit.
| 10. **Vet:** | ||
|
|
||
| ```bash | ||
| cd cli && go vet ./... | ||
| go -C cli vet ./... | ||
| ``` | ||
|
|
||
| 11. **Test:** | ||
|
|
||
| ```bash | ||
| cd cli && go test ./... | ||
| go -C cli test ./... | ||
| ``` | ||
|
|
||
| 12. **Build check:** | ||
|
|
||
| ```bash | ||
| cd cli && go build ./... | ||
| go -C cli build ./... | ||
| ``` |
Fix ordered-list prefixes to satisfy markdownlint MD029
This section mixes explicit numeric prefixes (10/11/12) where the configured style expects 1/1/1.
Proposed lint-safe diff
-10. **Vet:**
+1. **Vet:**
@@
-11. **Test:**
+1. **Test:**
@@
-12. **Build check:**
+1. **Build check:**
🧰 Tools
🪛 markdownlint-cli2 (0.21.0)
[warning] 205-205: Ordered list item prefix
Expected: 1; Actual: 10; Style: 1/1/1
(MD029, ol-prefix)
[warning] 211-211: Ordered list item prefix
Expected: 1; Actual: 11; Style: 1/1/1
(MD029, ol-prefix)
[warning] 217-217: Ordered list item prefix
Expected: 1; Actual: 12; Style: 1/1/1
(MD029, ol-prefix)
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.claude/skills/pre-pr-review/SKILL.md around lines 205 - 221, Change the
ordered-list numbering in the markdown section that currently uses explicit
prefixes "10.", "11.", "12." before the code blocks to the lint-safe repeated
"1." style (i.e., replace "10. **Vet:**", "11. **Test:**", "12. **Build
check:**" with "1. **Vet:**", "1. **Test:**", "1. **Build check:**") so the list
conforms to markdownlint MD029 while keeping the surrounding code blocks
unchanged.
| Note: Go tooling requires the module root as cwd. Use `go -C cli` which changes directory internally without affecting the shell. Never use `cd cli` -- it poisons the cwd for all subsequent Bash calls. | ||
|
|
||
| ```bash | ||
| cd cli && go build -o synthorg ./main.go # build CLI | ||
| cd cli && go test ./... # run tests (fuzz targets run seed corpus only without -fuzz flag) | ||
| cd cli && go vet ./... # vet | ||
| cd cli && golangci-lint run # lint | ||
| cd cli && go test -fuzz=FuzzYamlStr -fuzztime=30s ./internal/compose/ # fuzz example | ||
| go -C cli build -o synthorg ./main.go # build CLI | ||
| go -C cli test ./... # run tests (fuzz targets run seed corpus only without -fuzz flag) | ||
| go -C cli vet ./... # vet | ||
| (cd cli && golangci-lint run) # lint (no -C flag, use subshell) | ||
| go -C cli test -fuzz=FuzzYamlStr -fuzztime=30s ./internal/compose/ # fuzz example |
Clarify cd guidance to avoid contradiction
Line 60 says “Never use cd cli”, but Line 66 immediately uses cd (in a subshell). This is safe technically, but the wording is self-contradictory and can confuse contributors.
Proposed wording fix
-Note: Go tooling requires the module root as cwd. Use `go -C cli` which changes directory internally without affecting the shell. Never use `cd cli` -- it poisons the cwd for all subsequent Bash calls.
+Note: Go tooling requires the module root as cwd. Prefer `go -C cli` for Go commands because it does not mutate the parent shell cwd. If a tool lacks an equivalent flag (e.g., `golangci-lint`), use a subshell form `(cd cli && <cmd>)` so cwd changes do not leak to subsequent commands.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@CLAUDE.md` around lines 60 - 67, Update the wording that currently says
"Never use `cd cli`" to clarify the distinction: instruct contributors to prefer
`go -C cli` for Go commands and to avoid changing the current shell's working
directory with a plain `cd cli`; when a `cd` is needed for a single command,
show the safe subshell form `(cd cli && ...)` as in the example. Replace the
absolute "Never use `cd cli`" phrasing with a clear sentence mentioning `go -C
cli`, the problematic `cd cli`, and the safe `(cd cli && ...)` pattern so the
guidance is not contradictory.
🤖 I have created a release *beep* *boop*

---

## [0.4.7](v0.4.6...v0.4.7) (2026-03-22)

### Features

* add system user for CLI-to-backend authentication ([#710](#710)) ([dc6bd3f](dc6bd3f))
* dev channel builds with incremental pre-releases between stable releases ([#715](#715)) ([0e8a714](0e8a714))
* replace hardcoded name pools with Faker multi-locale name generation ([#714](#714)) ([5edc6ec](5edc6ec))

### Bug Fixes

* dev-release tag creation, dependabot coverage, go -C cli convention ([#730](#730)) ([7634843](7634843))
* improve name generation step UX and fix sentinel expansion bug ([#739](#739)) ([f03fd05](f03fd05))
* settings page UX polish -- toggle bug, source badges, form improvements ([#712](#712)) ([d16a0ac](d16a0ac))
* switch dev tags to semver and use same release pipeline as stable ([#729](#729)) ([4df6b9b](4df6b9b)), closes [#713](#713)
* unify CLI image discovery and standardize Go tooling ([#738](#738)) ([712a785](712a785))
* use PAT in dev-release workflow to trigger downstream pipelines ([#716](#716)) ([d767aa3](d767aa3))

### CI/CD

* bump astral-sh/setup-uv from 7.4.0 to 7.6.0 in /.github/actions/setup-python-uv in the minor-and-patch group ([#731](#731)) ([7887257](7887257))
* bump the minor-and-patch group with 3 updates ([#735](#735)) ([7cd253a](7cd253a))
* bump wrangler from 4.75.0 to 4.76.0 in /.github in the minor-and-patch group ([#732](#732)) ([a6cafc7](a6cafc7))
* clean up all dev releases and tags on stable release ([#737](#737)) ([8d90f5c](8d90f5c))

### Maintenance

* bump the minor-and-patch group across 2 directories with 2 updates ([#733](#733)) ([2b60069](2b60069))
* bump the minor-and-patch group with 3 updates ([#734](#734)) ([859bc25](859bc25))
* fix dependabot labels and add scope tags ([#736](#736)) ([677eb15](677eb15))
* remove redundant pytest.mark.timeout(30) markers ([#740](#740)) ([9ec2163](9ec2163))

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
Summary

- `gh release create --draft` does not create a git tag (draft releases are tagless until published). Now creates the tag explicitly via the GitHub API first (using PAT to trigger downstream Docker + CLI workflows), then creates the draft release pointing at it. Adds tag cleanup on release creation failure.
- Add `github-actions` ecosystem entry for `.github/actions/setup-python-uv` composite action, which was missed because Dependabot only scans `.github/workflows/` by default. The composite action was stuck on `setup-uv@v7.4.0` while workflows had `v7.6.0`.
- Switch `cd cli && go <cmd>` to `go -C cli <cmd>` in CLAUDE.md and pre-pr-review skill. The `cd` approach poisons the shell cwd for all subsequent Bash calls, breaking git/uv/npm commands. `go -C cli` changes directory internally with no side effects.

Test plan

- (`gh api repos/Aureliolo/synthorg/git/matching-refs/tags/v` for the tag)
- `setup-uv` in the composite action (check next daily run or trigger manually)
- `go -C cli test ./...` works in pre-pr-review skill execution

Skipped agent review (CI/docs-only changes, no substantive code).

🤖 Generated with Claude Code