Skip to content

fix: harden workflow and payload validation#2

Merged
CodeSigils merged 1 commit into
mainfrom
agent/harden-workflow-payload
Jul 17, 2026
Merged

fix: harden workflow and payload validation#2
CodeSigils merged 1 commit into
mainfrom
agent/harden-workflow-payload

Conversation

@CodeSigils

Copy link
Copy Markdown
Owner

Summary

  • reject symlinked canonical sources and runtime payload entries
  • correct uv-managed project setup, verification commands, and classification precedence
  • require complete CI gates and immutable action pins with negative-path regression tests

Root cause

Payload checks followed declared symlinks while orphan discovery ignored them, the documented uv commands bypassed the managed environment, and CI policy checks relied on incomplete substring assertions.

Validation

  • repository portability, source, CI-policy, and payload validators
  • CI-policy and payload regression tests
  • pinned Ruff 0.12.4, ShellCheck, Bash syntax, and diff checks
  • all 15 external URLs
  • fresh generated-project smoke test covering uv sync, Ruff, mypy, pytest, sdist, and wheel build

@CodeSigils
CodeSigils marked this pull request as ready for review July 17, 2026 07:00
@CodeSigils
CodeSigils merged commit 09e57d4 into main Jul 17, 2026
5 checks passed
@CodeSigils
CodeSigils deleted the agent/harden-workflow-payload branch July 17, 2026 07:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant