ci(audit): wire audit-ci-cache-paths.ts as lint job — closes #1404 follow-up #1406
Merged
…llow-up

Wires the structural cache-path audit (shipped in #1404) into CI as a dedicated lint workflow.

The audit fires on:
- Any change to .github/workflows/** (catches new workflow files that might introduce broad cache paths)
- Any change to tools/hygiene/audit-ci-cache-paths.ts (catches bugs in the audit itself before they affect future PRs)
- workflow_dispatch (manual triage)

Job runs the .ts audit; non-zero exit fails the workflow, blocking merge if any actions/cache path overlaps with git-tracked files.

This closes the not-lucky-next-time loop: future PRs that introduce the silent-clobber bug class CANNOT pass this gate. The audit's detailed violation output (workflow + step + tracked file + 'Why this is a bug' + 'How to fix') makes the failure self-diagnosing.

Local verification: 13 workflows audited (including this new one); no overlap. The audit returns clean as a baseline.

Composes with #1404 (the audit tool itself), #1403 (the gate.yml fix that proved the bug), the math-proofs assessment's test-fidelity discipline.
Pull request overview
This PR adds a dedicated GitHub Actions workflow to run the cache-path audit introduced in the earlier CI fix work. Its role in the codebase is to catch actions/cache configurations that overlap tracked files before they can silently corrupt CI validation by restoring stale source into the workspace.
Changes:
- Adds a new standalone workflow, ci-cache-paths-lint, under .github/workflows/.
- Triggers the audit on workflow changes, audit-script changes, pushes to main, and manual dispatch.
- Installs the toolchain via tools/setup/install.sh and runs bun tools/hygiene/audit-ci-cache-paths.ts.
Comment on lines +29 to +39
| on: | ||
| pull_request: | ||
| paths: | ||
| - ".github/workflows/**" | ||
| - "tools/hygiene/audit-ci-cache-paths.ts" | ||
| push: | ||
| branches: [main] | ||
| paths: | ||
| - ".github/workflows/**" | ||
| - "tools/hygiene/audit-ci-cache-paths.ts" | ||
| workflow_dispatch: {} |
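Review bot: the paths filters under both pull_request and push list only ".github/workflows/**" and "tools/hygiene/audit-ci-cache-paths.ts", but the audit's result also depends on which files are git-tracked. A PR that adds a tracked file beneath a directory an existing workflow already caches matches neither pattern, so this job is skipped and the new overlap is not flagged until the next workflow edit. Suggest removing the paths filter from pull_request, or extending it to cover the directories that appear in cache path entries.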
| @@ -0,0 +1,77 @@ | |||
| name: ci-cache-paths-lint | |||
Comment on lines +66 to +67
| run: ./tools/setup/install.sh | ||
|
|
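Review bot: the step at +66 to +67 runs ./tools/setup/install.sh, but that script is not in either paths list of the on: block, so a PR that changes the installer does not trigger this job and a breakage there surfaces only on a later workflow or audit-script change. Suggest adding - "tools/setup/install.sh" to the pull_request and push paths lists so the gate is exercised whenever one of its own inputs changes.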
AceHack added a commit that referenced this pull request May 3, 2026
…silent-clobber bug class) (#1407)

* memory: cache-paths-mutually-exclusive-with-git-ls-files discipline (silent-clobber bug class)

Captures the durable substrate for the discipline rule the session surfaced via the CircuitRegistration cache-clobber discovery (#1403 + #1404 + #1406): *actions/cache paths must be mutually exclusive with git ls-files — cache only DERIVED files (downloaded jars, built artefacts, user-home tool state), never source-controlled content.*

Memory file structure (per chat-is-assertion-channel discipline + substrate-or-it-didn't-happen):
- Rule (carved sentence)
- Why this is load-bearing (the silent + invisible failure mode)
- Triggering case (CircuitRegistration B-0180 fix; verbatim error text)
- How to apply (3 layers: workflow-author-time + verify-then-claim-time + structurally enforced via audit + lint gate)
- Composes with (DST + verify-then-claim + test-fidelity contract + CI-on-CI audit pattern)
- Tooling lineage (4 substrate refs)
- Future-Otto reference (when-tempted + when-CI-fails)
- Reasoning lineage (Aaron's 'lucky catch' question)

MEMORY.md updated with newest-first pointer.

Composes with the earlier cluster (#1403 cache fix + #1404 audit tool + #1406 CI lint gate) — this memory file is the chat→substrate discipline-encoding step that closes the loop.

* memory(cache-paths): add bug-locus disambiguation per Aaron's question — usage-bug not GitHub-bug

Aaron 2026-05-03: 'is the a real github bug or was a bug in our code?'

Honest answer: NOT a GitHub bug, IS a bug in our workflow config. actions/cache does exactly what its docs promise — restores cached files at the configured paths. We asked it to cache a path that contained source-controlled files; it did. The fix is on our side: narrow the cache path.

Added 'Bug-locus disambiguation' section to the memory file clarifying:
- This is a usage bug in workflow configuration, not a tool bug
- The existing actions/cache behavior is documented
- A reasonable upstream feature request (warn-on-overlap-with-git) would be an enhancement, not a bug fix

Future-Otto reading this memory: don't pattern-match the discovery as 'GitHub broken' when reaching for the discipline. The structural fix (audit + lint gate) is correct because OUR usage was wrong, not because the action was wrong.
AceHack added a commit that referenced this pull request May 3, 2026
…ster + cache-clobber discipline encoded (#1408)

Substantial multi-tick session shard. 18 PRs touched (#1383 + #1387 + #1392-#1407 inclusive); 14 merged + 4 in-flight as of shard time.

**Math-proofs assessment progress** (#1383 outstanding-work matrix):
- A1+A2 → A-with-CI ✓ (#1394 Lean lake-build workflow)
- A4 registry rows ✓ (#1393)
- B1 → 2 of 4 deferred specs in CI ✓ (#1397 DbspSpec + #1401 CircuitRegistration B-0180 closed)
- B2 Alloy → A ✓ (#1396 silent-no-op spec-path fix)
- B4 Semgrep → A ✓ (correction)
- Peer-review email template ✓ (#1387)
- Phase 0 substrate-discovery PoC ✓ (#1392)
- Stryker config-fix ✓ (#1395; CI wire deferred)
- 3 broken-spec backlog rows filed ✓ (#1398)

**Cache-clobber silent-bug class discovered + fully encoded:** B-0180 fix passing locally + failing CI → verify-then-claim identified gate.yml + low-memory.yml caching whole tools/tla and tools/alloy directories. Fix cluster: #1403 (gate.yml) + #1404 (low-memory.yml + audit-ci-cache-paths.ts) + #1406 (CI lint gate) + #1407 (memory file + bug-locus disambiguation per Aaron's 'real github bug?' question — answer: usage-bug, not tool-bug).

**Other substrate work:** #1399 BACKLOG.md regen, #1400 .ts/.sh parity bug, #1402 assessment matrix doc update, #1405 B-0182 backlog row (Linux-only formal verification — orthogonal-axes split per Aaron 2026-05-03).

**Discipline lessons captured:** chat-is-assertion-channel, substrate-corrections-cluster, search-first-before-architectural-expansion, verify-then-claim CI fidelity, documentation-is-current-state-not-history.

Carved sentence: 'When a lucky catch surfaces a class of bug, build the structural fix that eliminates the luck — audit + lint gate + carved-sentence rule + memory file.'
Summary
Wires the structural cache-path audit shipped in #1404 into CI as a dedicated lint workflow. Closes the not-lucky-next-time loop opened by #1403's silent-bug discovery.
What this gates
The audit fires on:
- .github/workflows/** (catches new workflow files introducing broad cache paths)
- tools/hygiene/audit-ci-cache-paths.ts (catches audit-tool bugs before they affect future PRs)
- workflow_dispatch (manual triage)

Non-zero exit fails the workflow, blocking merge if any actions/cache path overlaps with git-tracked files.

Why this closes the loop
The bug class (cache hit OVERWRITES freshly-checked-out source files with cached versions) is silent + invisible without this gate. Future PRs introducing the same pattern would now fail at lint-time, with self-diagnosing output (workflow + step + tracked file + Why-this-is-a-bug + How-to-fix).
Test plan
- bun tools/hygiene/audit-ci-cache-paths.ts returns "OK: 13 workflow(s) audited; no cache paths overlap git-tracked files" (this PR's new workflow included)

🤖 Generated with Claude Code
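The overlap rule this gate enforces (no actions/cache path may cover a file listed by git ls-files), shown as an added TypeScript example; it is not the PR's audit-ci-cache-paths.ts. The workflow snippet, the tracked-file list and the function names are constructed for illustration, and the line-based YAML extraction and the skipping of home, exclusion and absolute paths are simplifying assumptions.

```typescript
// Added example, not the project's tool. Constructed inputs; TRACKED stands in for `git ls-files`.
const WORKFLOW = `
      - name: Cache TLA tools
        uses: actions/cache@v4
        with:
          path: |
            tools/tla
            ~/.cache/example-tool
          key: tla-v1
      - uses: actions/cache@v4
        with:
          path: tools/alloy/jars/*.jar
`;
const TRACKED = ["tools/tla/specs/Example.tla", "tools/alloy/README.md", "src/main.ts"];
type Finding = { step: string; path: string; tracked: string };

// Line-based extraction of `with.path` from actions/cache steps (a real tool would parse YAML).
function cachePaths(yaml: string): { step: string; path: string }[] {
  const out: { step: string; path: string }[] = [];
  for (const chunk of yaml.split(/^\s*- (?=name:|uses:)/m)) {
    const m = /^(\s*)path:\s*(.*)$/m.exec(chunk);
    if (!m || !/uses:\s*actions\/cache(\/restore)?@/.test(chunk)) continue;
    const step = (/name:\s*(.+)/.exec(chunk)?.[1] ?? "(unnamed)").trim();
    const indent = (m[1] ?? "").length, value = (m[2] ?? "").trim();
    if (!/^[|>][+-]?$/.test(value)) { out.push({ step, path: value }); continue; }
    for (const line of chunk.slice(m.index + m[0].length).split("\n")) {
      if (line.trim() === "") continue;
      if (line.search(/\S/) <= indent) break; // dedent ends the block scalar
      out.push({ step, path: line.trim() });
    }
  }
  return out;
}

// Glob to RegExp; the trailing group also matches files beneath a cached directory.
function globToRegExp(glob: string): RegExp {
  const body = glob.replace(/^\.\/|\/+$/g, "").replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*\*/g, "\u0000").replace(/\*/g, "[^/]*").replace(/\?/g, "[^/]").replace(/\u0000/g, ".*");
  return new RegExp(`^${body}(/.*)?$`);
}

function auditWorkflow(yaml: string, tracked: string[]): Finding[] {
  const findings: Finding[] = [];
  for (const { step, path } of cachePaths(yaml)) {
    if (/^[~!\/]/.test(path)) continue; // home, exclusion and absolute paths are skipped here
    const hit = tracked.filter((f) => globToRegExp(path).test(f))[0];
    if (hit) findings.push({ step, path, tracked: hit });
  }
  return findings;
}
```

Calling auditWorkflow(WORKFLOW, TRACKED) reports the directory-wide tools/tla entry because it covers a tracked file, while the narrowed tools/alloy/jars/*.jar entry passes.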