Skip to content

feat: add Go project CI checklist and related skills section#6

Merged
CybotTM merged 1 commit into
mainfrom
feature/go-ci-checklist
Dec 26, 2025
Merged

feat: add Go project CI checklist and related skills section#6
CybotTM merged 1 commit into
mainfrom
feature/go-ci-checklist

Conversation

@CybotTM

@CybotTM CybotTM commented Dec 26, 2025

Copy link
Copy Markdown
Member

Summary

  • Add Go Project CI Checklist to SKILL.md with settings table
  • Add Related Skills section to SKILL.md and README.md
  • Add Skill Coordination diagram showing hub-and-spoke model
  • Cross-reference go-development and enterprise-readiness skills

Changes

SKILL.md

  • Added Go Project CI Checklist table with branch protection, Dependabot, auto-merge settings
  • Added delegation pointers to go-development and enterprise-readiness skills
  • Added Related Skills table

README.md

  • Added Related Skills section
  • Added Skill Coordination diagram

Skill Unification

This is part of a broader skill unification effort:

go-development (hub)
├── Code quality: linting, testing, fuzzing
├── Standard Makefile: test, build, lint, fuzz
└── Delegates to:
    ├── github-project (this skill) → repo setup, branch protection, auto-merge
    └── enterprise-readiness → supply chain security, SLSA, signing

Test Plan

  • Verify SKILL.md and README.md render correctly
  • Verify cross-references to other skills are accurate

- Add Go Project CI Checklist to SKILL.md with settings table
- Add Related Skills section to SKILL.md and README.md
- Add Skill Coordination diagram showing hub-and-spoke model
- Cross-reference go-development and enterprise-readiness skills

Part of skill unification effort for consistent enterprise-ready
Go project setup.
@CybotTM CybotTM merged commit 5c1ca96 into main Dec 26, 2025
2 checks passed
@CybotTM CybotTM deleted the feature/go-ci-checklist branch December 26, 2025 21:32
CybotTM added a commit that referenced this pull request Mar 15, 2026
The file_exists check only looked for .github/dependabot.yml, producing
false positives on repos using Renovate for dependency updates. Switch to
a command check that accepts dependabot.yml, renovate.json,
.github/renovate.json, .renovaterc.json, or .renovaterc.

Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>
CybotTM added a commit that referenced this pull request Mar 15, 2026
fix: GH-6 accept Renovate as alternative to Dependabot
CybotTM added a commit that referenced this pull request May 4, 2026
…allowlist

The automated-assessment runner enforces a command allowlist that rejects
command-chaining metacharacters (; && || backticks $()) and only accepts
specific base commands. Four checkpoints failed allowlist validation and
were never actually evaluated against target projects.

GH-6 and GH-23 used `test -f X || test -f Y` chains to test for any of
several files. Rewritten as `type: file_exists` with brace expansion,
which is the runner's first-class idiom for "any of these files".

GH-30 and GH-31 used multi-line YAML literal-block scalars (`target: |`)
to invoke `gh api` for branch protection audits. The runner's simple
line parser sees the literal-block indicator as the first token and
rejects with "'|' not in allowed command whitelist". Even with the
allowlist passing, these cannot be executed mechanically — they require
GitHub API auth context. Converted to `type: gh_api`, which the runner
recognises and skips with a clear evidence string. The semantically
equivalent audit is preserved in GH-32 (llm_reviews).
CybotTM added a commit that referenced this pull request May 4, 2026
…ert GH-5 demotion

Addresses PR #69 review feedback:

GH-2 (Copilot, Gemini): added missing license filenames the skill itself
documents — COPYING, COPYING.md, COPYING.txt, LICENSE-BSD-2-Clause,
LICENSE-BSD-3-Clause, LICENSE-GPL-2.0, LICENSE-GPL-3.0, LICENSE-LGPL,
LICENSE-LGPL-3.0, LICENSE-AGPL-3.0, LICENSE-MPL-2.0.

GH-5 (Copilot): reverted demotion to info — CODEOWNERS must exist in the
repository itself on the default branch (.github/, root, or docs/), and
the org-wide .github mechanism explicitly does NOT cover it (that
mechanism only provides templates and community-health files, never
review-routing rules). Severity restored to warning; description
corrected to remove the misleading org-wide claim.

GH-6 (Gemini): added .github/dependabot.yaml, renovate.json5, renovate
config variants, and the .json5 form for Renovate.

GH-13/14 (Gemini follow-on): brace-expanded targets to also accept
.github/dependabot.yaml.

GH-19/20/21 (Gemini): glob target now `.github/workflows/*.{yml,yaml}`
to match either extension.

GH-24..27 (Gemini): glob target now
`.github/workflows/auto-merge*.{yml,yaml}`.

Push-back on Copilot 'auto-merge.yml weakens GH-23' comment: GH-24..27
already use a glob (auto-merge*.yml — now expanded to *.{yml,yaml})
that matches both filenames, so adding auto-merge.yml to GH-23 does
not produce false failures downstream.

GH-30/31 desc: wrapped long lines as YAML folded scalars (no impact on
runner — these are gh_api types, the desc field is human-readable).

.yamllint.yml: line-length bumped 160 → 360 to accommodate single-line
brace-expansion targets that the runner cannot read as folded scalars
(the runner's parser is bash regex, not a YAML library).
CybotTM added a commit that referenced this pull request May 31, 2026
A /retro session on 2026-05-31 (session 743f82e8) surfaced a standing user
preference stated during TYPO3 extension work: 'DRY — we use re-usable
workflows so all our projects gain from improvements', with the instruction to
check the shared typo3-ci reusable-workflow repo before patching a project.

Adds pitfall #6 to reusable-workflow-pitfalls.md: when a CI/quality gap
surfaces in a consumer, fix it in the shared reusable-workflow repo so every
consumer inherits it, rather than patching the single project. Distinct from
the existing pitfalls (#1-#5 cover how to author/reference; this covers where
a fix belongs) and from reusable-workflow-security.md (SHA pinning).

Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>
CybotTM added a commit that referenced this pull request May 31, 2026
…, not per-project (#82)

## Summary

Adds pitfall **#6** to `references/reusable-workflow-pitfalls.md`: when
a CI/quality gap surfaces in a consumer of a shared reusable workflow,
fix it upstream in the shared workflow repo so every consumer inherits
the fix — don't patch the single project's `.github/workflows/`.

## Came from

`/retro` session on 2026-05-31 (session `743f82e8`).
Finding: a standing user preference, stated verbatim during TYPO3
extension work — *"DRY — we use re-usable workflows so all our projects
gain from improvements"* — together with the instruction to check the
shared `typo3-ci` reusable-workflow repo before adding a per-project
guard. Existing references cover *how* to reference/pin/secure reusable
workflows but not *where* a fix belongs.

## Change

New section #6 (principle, not a structural trap): per-project patches
reintroduce the duplication the shared workflow removes, drift out of
sync, and force rediscovery in the next repo. Check whether the shared
repo owns the concern; if so, land the fix there and let consumers pick
it up via `@main`/`@vX.Y.Z`. Explicitly contrasted with pitfalls #1#5
and with `reusable-workflow-security.md`.

## Test plan

- [ ] `markdownlint-cli2` clean (verified locally: 0 errors)
- [ ] Renders correctly; cross-links to `reusable-workflow-security.md`
resolve
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant