deps: bump actions/setup-node from 6.0.0 to 6.4.0 #43
Merged
Bumps [actions/setup-node](https://github.com/actions/setup-node) from 6.0.0 to 6.4.0.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](actions/setup-node@2028fbc...48b55a0)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-version: 6.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Labels
The following labels could not be found: Please fix the above issues or remove invalid values from |
This was referenced Apr 21, 2026
AceHack added a commit that referenced this pull request Apr 23, 2026

…log needs Aaron disposition

Sampled unknowns across #170 + #161. Most are substantive P1 fact-check findings on content, not bot-noise:
- .NET install path inaccurate
- Z3 installation details incorrect
- row #43 pointer-incorrect
- coverage size inconsistent
- bun.lock reference wrong
- unresolved connector citation placeholders

Zero outdated-unresolved threads across all 5 PRs (GitHub doesn't auto-mark outdated when cross-PR refs resolve; bots must re-review).

Tool plateau reached: mechanizable classes (dangling-ref + name-attribution) are drained as far as regex can go. Remaining 135 need content fixes or explicit merge-with-defer disposition.

Amara's "merge over invent" + Aaron's disposition guidance is load-bearing on the 135-thread backlog. Phase 1 closure push has plateaued until disposition decisions land.

Honest-about-error discipline: Otto-25..30 drove Phase 1 via mechanization; Otto-31 surfaces that the underlying findings aren't mechanizable past ~15% of backlog. Session lesson: mechanization is force-multiplier for mechanizable work; doesn't transmute content-review into mechanical-drain.

Next-tick candidates:
(a) drive #155 rebase + tool-apply
(b) content-fix on #170 inventory
(c) re-prioritise to other Frontier-readiness gaps
(d) Aaron disposition

Attribution: Otto (loop-agent PM hat).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
AceHack added a commit that referenced this pull request Apr 23, 2026

…ings

Addresses 13 of the 15 substantive findings from PR #170 Copilot review:

Row-number corrections:
- Row #48 ref: is GitHub surface triage cadence (not cross-platform parity); parity is row #51
- Row #43 ref: clarified SHA-pins via workflow-injection safe-patterns discipline

Install-path + version-pin corrections:
- .NET 10: install via mise (tools/setup/common/mise.sh + .mise.toml) not dotnet-install.sh; pin via global.json + .mise.toml
- bun + TypeScript: no bun.lock committed; pin via package.json (packageManager + deps)
- Z3: OS-installed CLI (brew/apt/winget); tools/Z3Verify shells out; no JARs downloaded (unlike TLA+/Alloy)
- Stryker.NET: tools/setup/manifests/dotnet-tools (not .config/dotnet-tools.json); no CI job currently invokes
- Postgres: no docker-compose.yml in samples/FactoryDemo.Db yet (CRM-shaped sample substrate pending)

Reference corrections:
- Codex capability map: openai-codex-cli-capability-map.md (full filename)
- Gemini capability map: queued (no doc yet)
- Per-user memory refs removed from "Composes with" (replaced with in-repo memory/CURRENT-*.md)
- Per-user memory refs removed from PQC mandate rationale (noted migration path via in-repo-first policy cadence)

Consistency:
- Status: ~26 rows (corrected from "~12"); matches open-follow-ups #1 framing
- CURRENT-aaron.md refs updated to memory/CURRENT-aaron.md (in-repo per PR #197)

Attribution: Otto (loop-agent PM hat). Acts on Copilot P1 review findings; merge-forward on top of origin/main already done.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
3 tasks
AceHack added a commit that referenced this pull request Apr 23, 2026

…action item #1) (#220)

Amara's 2026-04-23 decision-proxy + technical review courier (PR #219) ranked memory-index-integrity CI as her highest-value immediate fix: directly prevents the NSA-001 measured failure mode (new memory landed without MEMORY.md pointer → undiscoverable from fresh session).

New workflow: `.github/workflows/memory-index-integrity.yml`

Check: if a PR (or push to main) adds or modifies any top-level `memory/*.md` file, `memory/MEMORY.md` MUST also be in the same range. Fails with an explicit remediation message citing NSA-001.

Scope excludes:
- memory/persona/** (per-persona notebooks have their own lifecycle)
- memory/README.md (convention doc)
- memory/MEMORY.md (the index itself)
- Deletions (covered from the other direction by FACTORY-HYGIENE row #25 pointer-integrity audit)

Safe-pattern compliant per FACTORY-HYGIENE row #43:
- actions/checkout@de0fac2... SHA-pinned
- Explicit minimum `permissions: contents: read`
- Only first-party trusted context (github.sha, github.event.pull_request.base.sha, github.event.before) passed via env:
- No user-authored context referenced anywhere
- concurrency group + cancel-in-progress: false
- runs-on: ubuntu-22.04 pinned
- actionlint clean; shellcheck clean (SC2086 fixed)

FACTORY-HYGIENE row #58 added documenting the cadence / owner / scope / durable output + classification (row #47: prevention-bearing — blocks merge before substrate diverges from index). Row numbered 58 to leave #56 reserved for in-flight PR #204 (MD032 preflight) and #57 for in-flight PR #213 (git-hotspots audit).

Ships to project-under-construction: adopters inherit the workflow unchanged; the memory/**.md + memory/MEMORY.md conventions are factory-generic.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
AceHack added a commit that referenced this pull request Apr 24, 2026

…59 (Amara Determinize action) (#225)

Amara's 4th ferry (PR #221 absorb) Determinize-stage item: prevent the retrieval-drift class where prose cites paths that don't resolve. Her commit samples show repeated cleanup passes for memory paths that didn't exist; this is the third leg of memory-index hygiene.

Three-leg memory-index hygiene now complete:
1. row #58 (PR #220 merged) — every memory/*.md change updates MEMORY.md in same commit/PR
2. AceHack PR #12 (pending Aaron merge) — MEMORY.md has no duplicate link targets
3. row #59 (this PR) — every MEMORY.md link target resolves to an actual file under memory/

New artifacts:
- tools/hygiene/audit-memory-references.sh
  Parses `](foo.md)` link targets, resolves each against base dir (default memory/), fails (exit 2 under --enforce) on any broken reference. Supports --file PATH + --base DIR for custom use.
- .github/workflows/memory-reference-existence-lint.yml
  Safe-pattern compliant per FACTORY-HYGIENE row #43 (SHA-pinned checkout, minimum permissions, concurrency group, runs-on pinned, no user-authored context). Triggers on PRs/pushes touching memory/** or the audit tool / workflow itself.
- FACTORY-HYGIENE row #59 documenting cadence / owner / scope / classification (prevention-bearing — blocks merge before broken refs land).

First-run baseline captured in commit:
- In-repo memory/MEMORY.md: 44 refs all resolve (clean)
- Per-user MEMORY.md: 391 refs all resolve (clean)

Both clean confirms that PR #220's memory-index-integrity CI has been keeping the substrate in good shape. This lint closes the third-leg gap before drift regresses.

Amara Determinize-stage progress: 2/5 (with this PR).
✓ Live-state-before-policy (PR #224)
✓ Memory reference-existence lint (this PR)
Remaining:
- Memory duplicate-title lint (partial via AceHack PR #12)
- Generated CURRENT-*.md views (L)
- Memory reconciliation algorithm (L)

Per Aaron Otto-72 standing directive: acting under Otto-67 full-GitHub authority, decisions logged in PR body + memory, Frontier UI is the future batch-review surface.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
4 tasks
AceHack added a commit that referenced this pull request Apr 24, 2026

…os) (#358)

Maintainer Otto-209 directive: "we are going to do macos once a day scheduled, for both repos, unless acehack is getting it free."

Ships the design from PR #345 (nightly-cross-platform workflow design doc) as a concrete workflow. Zeta-side lands here; lucent-ksk parallel workflow filed as BACKLOG row for cross-repo coordination.

Matrix: ubuntu-22.04 + windows-2022 + macos-14.
Cron: daily 09:00 UTC.
Fork-scoping: scheduled trigger fires only on the canonical repo; manual dispatch + PR trigger on this workflow file still work on forks.

Cost model (Otto-164 verification outcome):
- Linux: free on public repos
- Windows: free on public repos (standard runner)
- macOS: $0.062/min (larger-runner billing). ~15min * 30 days = ~$28/month worst-case for Zeta canonical.

PR-gate workflow (gate.yml) stays Linux-only — untouched.

Rollback: delete macos-14 from matrix (one-line), or delete this workflow file entirely. No impact on gate.yml.

Security: no user-authored github.event fields referenced (only github.repository / github.ref / github.event_name / runner.os / matrix.os are used). SHA-pinned actions per FACTORY-HYGIENE row #43. actionlint clean locally.

Composes with PR #345 design doc (still in queue), PR #343 Otto-161-declined-verification history, FACTORY-HYGIENE row #51 cross-platform parity audit (detect-only → this workflow is the enforcement mechanism when baseline is green), and Otto-164 billing-verification memory.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
5 tasks
AceHack added a commit that referenced this pull request Apr 24, 2026

Per-thread fixes:
- Gemini CLI capability-map now points at existing docs/research/gemini-cli-capability-map.md (no longer marked as queued / not-yet-present).
- OpenAI web UI + Playwright rows: drop the bun + @playwright/test claim and the package.json version-pin claim. package.json has no Playwright dependency; Playwright is plugin-enabled only via .claude/settings.json.
- Stryker.NET row: corrected Version pin to 'unversioned in setup manifest (tracks latest)' to match tools/setup/manifests/dotnet-tools, and synced TECH-RADAR ring to Trial.
- Semgrep / CodeQL / Stryker / bun+TS rings synced to TECH-RADAR (Trial, not Adopt).
- Semgrep install: corrected to 'CI-installed via pip install semgrep in .github/workflows/gate.yml' and removed the hardcoded '14 custom rules' count.
- Docker row: corrected Install path to 'Manual / OS package install' (setup scripts do not detect or install Docker today).
- Postgres row: dropped reference to a non-present samples/FactoryDemo.Db/docker-compose.yml; points at the real samples/FactoryDemo.Api.* trees instead.
- GitHub Actions row: clarified SHA-pin is the actual pin mechanism; row #43 cited as the workflow-injection audit (the source-of-truth row), not as the SHA-pin policy itself.
- Open follow-up #2: corrected row reference from #48 (GitHub surface triage) to #51 (cross-platform parity).
AceHack added a commit that referenced this pull request Apr 24, 2026

…e noted (#170)

* docs: factory technology inventory — first-pass ~26 rows + PQC mandate noted

First-pass population of the factory technology inventory doc queued by PR #165's BACKLOG row (Aaron 2026-04-23). Unified tie-together of HARNESS-SURFACES (harnesses), TECH-RADAR (ring adoption), tools/setup/ (install), and per-tech expert skills.

Coverage:
- Language runtimes + build (.NET 10 F#+C# / Rust / bun+TS / bash+PowerShell)
- Data infrastructure (Postgres / Docker / Apache Arrow)
- Agent harnesses (Claude Code / Codex CLI / Gemini CLI / OpenAI web UI via Playwright / Playwright)
- Formal verification + testing (Lean 4 / Z3 / TLA+ / Alloy 6 / FsCheck / xUnit / Stryker.NET / BenchmarkDotNet)
- Static analysis + security (Semgrep / CodeQL / Roslyn / F# analyzers / markdownlint-cli2 / actionlint / shellcheck)
- CI + publishing (GitHub Actions / NuGet)

PQC-mandate added to Open follow-ups per Aaron 2026-04-23: "any cryptography we decide to use should be quantum resistant, even one place we don't use it could be a place for attack". Currently no crypto in violation; rule is forward-looking. Full mandate in per-user memory feedback_all_cryptography_quantum_resistant_even_one_gap_is_attack_vector_2026_04_23.md.

Living doc — ~26 rows in first-pass; more rows land on future on-touch fires.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* docs(factory-technology-inventory): content fixes per Copilot P1 findings

Addresses 13 of the 15 substantive findings from PR #170 Copilot review:

Row-number corrections:
- Row #48 ref: is GitHub surface triage cadence (not cross-platform parity); parity is row #51
- Row #43 ref: clarified SHA-pins via workflow-injection safe-patterns discipline

Install-path + version-pin corrections:
- .NET 10: install via mise (tools/setup/common/mise.sh + .mise.toml) not dotnet-install.sh; pin via global.json + .mise.toml
- bun + TypeScript: no bun.lock committed; pin via package.json (packageManager + deps)
- Z3: OS-installed CLI (brew/apt/winget); tools/Z3Verify shells out; no JARs downloaded (unlike TLA+/Alloy)
- Stryker.NET: tools/setup/manifests/dotnet-tools (not .config/dotnet-tools.json); no CI job currently invokes
- Postgres: no docker-compose.yml in samples/FactoryDemo.Db yet (CRM-shaped sample substrate pending)

Reference corrections:
- Codex capability map: openai-codex-cli-capability-map.md (full filename)
- Gemini capability map: queued (no doc yet)
- Per-user memory refs removed from "Composes with" (replaced with in-repo memory/CURRENT-*.md)
- Per-user memory refs removed from PQC mandate rationale (noted migration path via in-repo-first policy cadence)

Consistency:
- Status: ~26 rows (corrected from "~12"); matches open-follow-ups #1 framing
- CURRENT-aaron.md refs updated to memory/CURRENT-aaron.md (in-repo per PR #197)

Attribution: Otto (loop-agent PM hat). Acts on Copilot P1 review findings; merge-forward on top of origin/main already done.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* docs(factory-technology-inventory): drain PR #170 review threads

Per-thread fixes:
- Gemini CLI capability-map now points at existing docs/research/gemini-cli-capability-map.md (no longer marked as queued / not-yet-present).
- OpenAI web UI + Playwright rows: drop the bun + @playwright/test claim and the package.json version-pin claim. package.json has no Playwright dependency; Playwright is plugin-enabled only via .claude/settings.json.
- Stryker.NET row: corrected Version pin to 'unversioned in setup manifest (tracks latest)' to match tools/setup/manifests/dotnet-tools, and synced TECH-RADAR ring to Trial.
- Semgrep / CodeQL / Stryker / bun+TS rings synced to TECH-RADAR (Trial, not Adopt).
- Semgrep install: corrected to 'CI-installed via pip install semgrep in .github/workflows/gate.yml' and removed the hardcoded '14 custom rules' count.
- Docker row: corrected Install path to 'Manual / OS package install' (setup scripts do not detect or install Docker today).
- Postgres row: dropped reference to a non-present samples/FactoryDemo.Db/docker-compose.yml; points at the real samples/FactoryDemo.Api.* trees instead.
- GitHub Actions row: clarified SHA-pin is the actual pin mechanism; row #43 cited as the workflow-injection audit (the source-of-truth row), not as the SHA-pin policy itself.
- Open follow-up #2: corrected row reference from #48 (GitHub surface triage) to #51 (cross-platform parity).

* docs(pr-preservation): drain log for PR #170 (factory technology inventory)

23 threads drained; rebase + content fixes per drain log.

---------

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
AceHack added a commit that referenced this pull request Apr 25, 2026

…Otto-213 durable lesson

Otto-214 implementation of the tooling-level enforcement I proposed Otto-213. Memory-alone was not sufficient to stop the "write a stale version number" recurrence pattern; this script adds a CI-fail gate.

Behavior:
- Walks .github/workflows/*.yml files
- Extracts runs-on: + os: matrix lines
- Fails (exit 2) if any line references a STALE runner version (ubuntu-22.04, macos-14, macos-15, windows-2022, ubuntu-20.04, macos-13, macos-15-intel, etc.)
- Warns (exit 3) if the allow-list itself is stale (>30 days since LAST_VERIFIED)
- Prints the canonical list of ALLOWED labels on failure + the authoritative GitHub docs URL for re-verification

Allow-list verified 2026-04-24 via https://docs.github.com/en/actions/how-tos/write-workflows/choose-where-workflows-run/choose-the-runner-for-a-job#standard-github-hosted-runners-for-public-repositories exact quote "Use of the standard GitHub-hosted runners is free and unlimited on public repositories."

First-run detects 13 stale-label hits across codeql.yml, gate.yml, github-settings-drift.yml (plus stale comment-block references in gate.yml from the pre-correction history). These will be cleaned up by PR #359 for gate.yml; codeql.yml + github-settings-drift.yml need separate follow-up PRs.

Does NOT wire into gate.yml automatically — separate step to add the lint check after the baseline is green. Premature enforcement would block every current PR. Sequencing: (1) this PR ships the tool; (2) follow-up PRs clean up existing stale refs (gate.yml already covered by #359; others queued); (3) once baseline is clean, add to gate.yml lint job.

Composes with:
- Otto-213 version-numbers-require-websearch memory
- Otto-212 use-latest-tags + security-hygiene directive
- Otto-210/211 macOS-is-free + M1-not-Intel corrections
- FACTORY-HYGIENE row #43 safe-pattern compliance
- Analogous pattern to audit-cross-platform-parity.sh (detect-only-first, enforce-when-baseline-green)

Test plan:
- Runs clean when no stale labels present
- Exits 2 with clear message when stale labels present
- Warns when allow-list >30 days old
- Shellcheck clean (SC2001 note acknowledged; the non-bash-4 sed-style substitution is intentional for macOS default-bash-3.x compatibility per FACTORY-HYGIENE row #51 cross-platform parity)
- Portable: no mapfile (bash 4+ only); uses while-read loop pattern that works in bash 3.x

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
AceHack added a commit that referenced this pull request Apr 25, 2026

…Otto-213 stale-version lesson (#360)

* tools: lint/runner-version-freshness.sh — structural enforcement for Otto-213 durable lesson

Otto-214 implementation of the tooling-level enforcement I proposed Otto-213. Memory-alone was not sufficient to stop the "write a stale version number" recurrence pattern; this script adds a CI-fail gate.

Behavior:
- Walks .github/workflows/*.yml files
- Extracts runs-on: + os: matrix lines
- Fails (exit 2) if any line references a STALE runner version (ubuntu-22.04, macos-14, macos-15, windows-2022, ubuntu-20.04, macos-13, macos-15-intel, etc.)
- Warns (exit 3) if the allow-list itself is stale (>30 days since LAST_VERIFIED)
- Prints the canonical list of ALLOWED labels on failure + the authoritative GitHub docs URL for re-verification

Allow-list verified 2026-04-24 via https://docs.github.com/en/actions/how-tos/write-workflows/choose-where-workflows-run/choose-the-runner-for-a-job#standard-github-hosted-runners-for-public-repositories exact quote "Use of the standard GitHub-hosted runners is free and unlimited on public repositories."

First-run detects 13 stale-label hits across codeql.yml, gate.yml, github-settings-drift.yml (plus stale comment-block references in gate.yml from the pre-correction history). These will be cleaned up by PR #359 for gate.yml; codeql.yml + github-settings-drift.yml need separate follow-up PRs.

Does NOT wire into gate.yml automatically — separate step to add the lint check after the baseline is green. Premature enforcement would block every current PR. Sequencing: (1) this PR ships the tool; (2) follow-up PRs clean up existing stale refs (gate.yml already covered by #359; others queued); (3) once baseline is clean, add to gate.yml lint job.

Composes with:
- Otto-213 version-numbers-require-websearch memory
- Otto-212 use-latest-tags + security-hygiene directive
- Otto-210/211 macOS-is-free + M1-not-Intel corrections
- FACTORY-HYGIENE row #43 safe-pattern compliance
- Analogous pattern to audit-cross-platform-parity.sh (detect-only-first, enforce-when-baseline-green)

Test plan:
- Runs clean when no stale labels present
- Exits 2 with clear message when stale labels present
- Warns when allow-list >30 days old
- Shellcheck clean (SC2001 note acknowledged; the non-bash-4 sed-style substitution is intentional for macOS default-bash-3.x compatibility per FACTORY-HYGIENE row #51 cross-platform parity)
- Portable: no mapfile (bash 4+ only); uses while-read loop pattern that works in bash 3.x

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* drain(#360 P0×2 + P1+P2+P1+P1 Codex): regex-escape + BSD-grep portable + comment-strip + rolling-alias forbidden + warn-only exit

Six Codex findings on tools/lint/runner-version-freshness.sh:

P0 (line 133) — regex-metachar escape: `stale_pattern` was built from raw label strings; `.` in ubuntu-22.04 was a regex wildcard, producing false matches/misses. Added `escape_for_regex` helper that escapes . + * ? ( ) [ ] { } | \ / before alternation.

P0 (line 149) — BSD-grep portability: `\b` word-boundary doesn't work in BSD grep (macOS default; treated as backspace per POSIX ERE). Replaced with explicit non-word boundaries: `([^A-Za-z0-9_]|^)` start + `([^A-Za-z0-9_]|$)` end, expressed without backrefs so it works in both GNU and BSD grep.

P1 (line 149-1) — exclude comments: Stale-label-in-comment was triggering false positives. Added a comment-stripping pre-filter (`grep -vE '^[[:space:]]*#'`) so YAML comments are excluded from the scan.

P1 (line 149-2) — explicit-file-not-found masking: `grep ... 2>/dev/null || true` silently swallowed missing-file errors and reported 'ok' for nothing-actually-linted. Added an explicit `[ ! -r "$file" ]` precheck that fails loud (exit 2) rather than passing silent.

P1 (line 73) — rolling-aliases forbidden by convention: ALLOWED_LABELS included ubuntu-latest / windows-latest / macos-latest, contradicting the repo convention of pinned major-OS-version labels. Removed from ALLOWED_LABELS, added a separate ROLLING_ALIASES forbidden list, added a distinct error-class scan ('ROLLING-ALIAS RUNNER LABEL') so contributors get a different error message than for stale-version pins. Same fail=1 flag, different operator message.

P2 (line 179) — warn-only exit on stale freshness: Header documents this as warning-only; code exited 3 (which some CI configurations treat as failure). Updated to exit 0 on stale-freshness-only path; warning is still printed to stderr. Stale-version-detection still exit 2 (a real failure).

Smoke-test note: the new script now flags ubuntu-22.04 in gate.yml as stale (real finding) — exit 2 with the expected output. gate.yml's own runner-pin upgrade is out of scope for this PR; will land separately.

* drain(#360 P1+P2 Codex): quoted-matrix-entries + inline-comment stripping

Two more substantive Codex findings:

P1 (line 183) — quoted matrix entries missed: The matrix-entry prefilter was `^[[:space:]]*-[[:space:]]+` which only matched bare `- <label>`. Common YAML syntax `- "ubuntu-22.04"` or `- 'macos-15'` was being missed. Updated prefilter to `^[[:space:]]*-[[:space:]]+(['\"]?)` which optionally consumes a leading single or double quote. Smoke-tested with mixed quoting + matrix block: catches both forms now.

P2 (line 179) — trailing inline comments not stripped: `runs-on: ubuntu-24.04 # was ubuntu-22.04` was falsely flagging `ubuntu-22.04` in the trailing comment. Added a second sed pass: `sed -E 's/[[:space:]]+#.*$//'` strips everything after the first ` #` (YAML-spec comment-start sentinel with required leading space). Conservative: doesn't handle `#` inside quoted strings (rare in workflow YAML). Smoke-tested: trailing comments correctly stripped.

---------

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
3 tasks
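The stale-label scan described in the #360 commit message above (regex-escaped labels, boundaries without `\b`, comment stripping, loud failure on an unreadable file), as an added example that is not the project's tools/lint/runner-version-freshness.sh. The label list, the function names other than `escape_for_regex`, and the sample workflow are constructed for illustration.

```shell
#!/bin/sh
# Added illustration, not the project's tools/lint/runner-version-freshness.sh.
# STALE_LABELS is a constructed subset of the labels the commit message calls stale.
STALE_LABELS="ubuntu-22.04 ubuntu-20.04 macos-14 windows-2022"

# Escape ERE metacharacters so the "." in "ubuntu-22.04" matches only a literal dot.
escape_for_regex() {
  printf '%s' "$1" | sed -e 's#[][\.|$(){}?+*^]#\\&#g'
}

# Join the escaped labels into one alternation, bounded by explicit non-word
# character classes instead of \b (which BSD grep does not treat as a boundary).
build_stale_pattern() (
  alternation=""
  for label in $STALE_LABELS; do
    alternation="${alternation:+$alternation|}$(escape_for_regex "$label")"
  done
  printf '(^|[^A-Za-z0-9_])(%s)($|[^A-Za-z0-9_])' "$alternation"
)

# Print "LINE:text" for each runs-on:, os: or bare list-entry line that names a
# stale label. Exit status: 0 clean, 1 stale label found, 2 file unreadable.
scan_workflow() (
  file=$1
  if [ ! -r "$file" ]; then
    # Fail loudly rather than report "ok" for a file that was never linted.
    echo "error: cannot read workflow file: $file" >&2
    exit 2
  fi
  pattern=$(build_stale_pattern)
  # Pipeline: number lines, drop full-line comments, strip trailing inline
  # comments, keep only runner-selection lines, then match the stale labels.
  hits=$(
    grep -n '' "$file" |
      grep -vE '^[0-9]+:[[:space:]]*#' |
      sed -E 's/[[:space:]]+#.*$//' |
      grep -E "^[0-9]+:[[:space:]]*(runs-on:|os:|-[[:space:]]+['\"]?[A-Za-z0-9._-]+['\"]?[[:space:]]*\$)" |
      grep -E "$pattern"
  ) || true
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits"
    exit 1
  fi
  exit 0
)

# Constructed sample workflow (not from the repository) covering each case.
write_sample_workflow() {
  cat > "$1" <<'EOF'
jobs:
  build:
    runs-on: ubuntu-22.04
  test:
    runs-on: ubuntu-24.04 # was ubuntu-22.04
    strategy:
      matrix:
        # macos-14 retired
        os:
          - "macos-14"
          - ubuntu-22x04
    steps:
      - run: echo windows-2022
EOF
}

demo=$(mktemp)
write_sample_workflow "$demo"
scan_workflow "$demo" || echo "scan exit status: $?"
rm -f "$demo"
```

Only lines 3 and 10 of the sample are reported: the inline comment, the full-line comment, the `ubuntu-22x04` near-miss and the `run:` step are all ignored.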
Bumps actions/setup-node from 6.0.0 to 6.4.0.
Release notes
Sourced from actions/setup-node's releases.
... (truncated)
Commits
- 48b55a0 Update Node.js versions in versions.yml and bump package to v6.4.0 (#1533)
- ab72c7e Upgrade @actions dependencies (#1525)
- 53b8394 Bump minimatch from 3.1.2 to 3.1.5 (#1498)
- 54045ab Scope test lockfiles by package manager and update cache tests (#1495)
- c882bff Replace uuid with crypto.randomUUID() (#1378)
- 774c1d6 feat(node-version-file): support parsing devEngines field (#1283)
- efcb663 fix: remove hardcoded bearer (#1467)
- d02c89d Fix npm audit issues (#1491)
- 6044e13 Docs: bump actions/checkout from v5 to v6 (#1468)
- 8e49463 Fix README typo (#1226)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)