Skip to content

Upgrade pr.yaml to v3 (Gated)#72

Merged
Chris-Wolfgang merged 2 commits into
mainfrom
chore/upgrade-pr-yaml-v3
Apr 16, 2026
Merged

Upgrade pr.yaml to v3 (Gated)#72
Chris-Wolfgang merged 2 commits into
mainfrom
chore/upgrade-pr-yaml-v3

Conversation

@Chris-Wolfgang
Copy link
Copy Markdown
Owner

@Chris-Wolfgang Chris-Wolfgang commented Apr 15, 2026

Summary

Sync pr.yaml with repo-template v3:

  • Multi-stage gated CI (Stage 1 Linux, Stage 2 Windows, Stage 3 macOS)
  • Security hardening: trusted config fetch from main, persist-credentials: false
  • 90% coverage gate
  • Gitleaks secrets scanning
  • DevSkim security scan

🤖 Generated with Claude Code

@Chris-Wolfgang @claude
Upgrade pr.yaml to v3 (Gated)
42953f4 
Sync with repo-template: multi-stage gated CI with security hardening,
trusted config fetch from main, and 90% coverage gate.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings April 15, 2026 02:30
Copilot AI reviewed Apr 15, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the PR validation GitHub Actions workflow to the repo-template v3 “gated” CI model, emphasizing trusted execution (via pull_request_target), multi-stage OS testing, and additional security scanning.

Changes:

  • Switch PR trigger to pull_request_target and harden workflow by checking out PR refs while sourcing protected config from main.
  • Add a detection job to skip .NET build/test stages when no project files exist; restructure tests into 3 gated stages (Linux → Windows → macOS).
  • Add/ensure security scanning runs in parallel (gitleaks + DevSkim) and enforce a 90% coverage gate.

Comment thread .github/workflows/pr.yaml Outdated
Comment thread .github/workflows/pr.yaml
Comment thread .github/workflows/pr.yaml
Comment thread .github/workflows/pr.yaml
Comment thread .github/workflows/pr.yaml
Comment thread .github/workflows/pr.yaml
Comment thread .github/workflows/pr.yaml
Comment thread .github/workflows/pr.yaml
@Chris-Wolfgang @claude
Fix duplicate fetch steps, header comment, and restore coverlet.runse…
121dcae 
…ttings

- Remove duplicate "Fetch trusted configuration files from main branch" step
  from all 5 jobs (detect-projects, test-linux-core, test-windows,
  test-macos-core, security-scan) — each had the step twice
- Remove duplicate security note comment about configuration files in header
- Restore --settings coverlet.runsettings in Windows Stage 2 test step
- Fix trailing whitespace on test-linux-core and env lines

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@Chris-Wolfgang Chris-Wolfgang merged commit e3810ec into main Apr 16, 2026
@Chris-Wolfgang Chris-Wolfgang deleted the chore/upgrade-pr-yaml-v3 branch April 16, 2026 00:04
Chris-Wolfgang added a commit that referenced this pull request Apr 16, 2026
@Chris-Wolfgang @claude
Revert pr.yaml trigger from pull_request_target to pull_request
7759c20 
pull_request_target never fired after PR #72 merged — GitHub received
the PR events but the workflow never ran, blocking all CI checks.

Revert to pull_request trigger which worked reliably with v2. Also
remove the ref/persist-credentials overrides that were only needed
for pull_request_target (pull_request already checks out PR code).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@Chris-Wolfgang Chris-Wolfgang mentioned this pull request Apr 16, 2026
Closed
2 tasks
Chris-Wolfgang added a commit that referenced this pull request Apr 19, 2026
@Chris-Wolfgang @claude
Fix duplicate run: mapping key that prevented workflow from parsing
c040b83 
The test-linux-core job had an orphan 'run:' block on line 244 — the
'Install OpenSSL 1.1 for .NET 5.0' step lost its '- name:' line during
a prior cleanup, so YAML saw two 'run:' keys under the same step.

GitHub's YAML parser silently fails on duplicate mapping keys, which is
why pull_request_target never fired since PR #72 merged. All open PRs
(including Dependabot updates #77, #78, #79) have been blocked because
no required check ever ran.

Restoring the missing step header fixes the parse error and brings the
workflow back online. Verified with js-yaml: file now parses cleanly
and all 6 jobs are present.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@Chris-Wolfgang Chris-Wolfgang mentioned this pull request Apr 19, 2026
Merged
Chris-Wolfgang added a commit that referenced this pull request Apr 19, 2026
@Chris-Wolfgang @claude
Fix duplicate run: mapping key that prevented workflow from parsing
76a3e93 
The test-linux-core job had an orphan 'run:' block on line 244 — the
'Install OpenSSL 1.1 for .NET 5.0' step lost its '- name:' line during
a prior cleanup, so YAML saw two 'run:' keys under the same step.

GitHub's YAML parser silently fails on duplicate mapping keys, which is
why pull_request_target never fired since PR #72 merged. All open PRs
(including Dependabot updates #77, #78, #79) have been blocked because
no required check ever ran.

Restoring the missing step header fixes the parse error and brings the
workflow back online. Verified with js-yaml: file now parses cleanly
and all 6 jobs are present.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@dependabot dependabot Bot mentioned this pull request May 5, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Chris-Wolfgang