Install tend with dormouse-bot #82
Merged
Conversation
Generated tend workflows, config, and skill overlay. Bot account dormouse-bot has write access; admins still bypass branch and tag rulesets. OVSX_PAT and VSCE_PAT migrated to vscode-extension-publish environment-only (already configured for v* tags). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Deploying mouseterm with
| Latest commit: | f63a95f |
| Status: | ✅ Deploy successful! |
| Preview URL: | https://77727863.mouseterm.pages.dev |
| Branch Preview URL: | https://tend-setup.mouseterm.pages.dev |
actions/checkout's default shallow clone leaves refs/remotes/origin/main unfetched, so the workflow's `git remote set-head origin --auto` errors before any default-branch detection runs. Replace with `gh api` to query the default branch and set the symbolic-ref directly. Exclude this file from the drift comparison since the patch diverges from generator output until the upstream fix lands; the file is removed on the next nightly regen. Ref: max-sixty/tend#582 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This was referenced May 22, 2026
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
A scheduled (07:13 UTC) workflow that walks every commit touching .github/workflows/ since the previous successful run, including feature-branch pushes that never open a PR. Each run opens an issue listing the commits, authors, refs, and files. Gap-resistant because the "since" lower bound is the previous successful run's API timestamp — a failed run pushes the window forward rather than dropping commits. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
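As an added illustration of the window logic that commit describes (not the workflow's own code; the run records and commits below are constructed sample data), the lower bound comes from the latest successful run, so a failed run leaves the window open instead of dropping the commits that landed during it:

```python
from datetime import datetime, timezone

# Constructed sample data: prior runs of the auditor workflow (GitHub API style
# timestamps) and recent commits across all refs, including a feature-branch
# push that never opened a PR.
RUNS = [
    {"created_at": "2026-05-20T07:13:00Z", "conclusion": "success"},
    {"created_at": "2026-05-21T07:13:00Z", "conclusion": "failure"},  # must not move the window
]
COMMITS = [
    {"sha": "a1b2c3d", "author": "alice", "ref": "refs/heads/main",
     "date": "2026-05-20T09:00:00Z", "files": [".github/workflows/ci.yml"]},
    {"sha": "d4e5f6a", "author": "bob", "ref": "refs/heads/feature/x",
     "date": "2026-05-21T12:30:00Z", "files": [".github/workflows/release.yml", "src/app.ts"]},
    {"sha": "0f1e2d3", "author": "carol", "ref": "refs/heads/main",
     "date": "2026-05-21T15:00:00Z", "files": ["README.md"]},
    {"sha": "9988776", "author": "dave", "ref": "refs/heads/main",
     "date": "2026-05-19T10:00:00Z", "files": [".github/workflows/ci.yml"]},  # before the window
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def window_start(runs):
    """Lower bound = timestamp of the latest *successful* run; failed runs are ignored,
    so the next successful run simply covers a wider window (no commits are dropped)."""
    ok = [parse_ts(r["created_at"]) for r in runs if r["conclusion"] == "success"]
    return max(ok) if ok else None  # None = first ever run, audit everything

def workflow_commits(commits, since, prefix=".github/workflows/"):
    """Commits newer than `since` that touch the workflow directory, on any ref."""
    hits = []
    for c in commits:
        if since is not None and parse_ts(c["date"]) <= since:
            continue
        touched = [f for f in c["files"] if f.startswith(prefix)]
        if touched:
            hits.append({**c, "files": touched})
    return sorted(hits, key=lambda c: c["date"])

def issue_body(hits, since):
    """Markdown body for the issue the run opens: sha, author, ref and workflow files."""
    header = f"Workflow changes since {since.isoformat() if since else 'the first run'}:"
    lines = [header, ""]
    for c in hits:
        lines.append(f"- {c['sha']} by {c['author']} on {c['ref']}: {', '.join(c['files'])}")
    return "\n".join(lines)
```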
Codifies dependency supply-chain, GitHub Actions, VS Code release, desktop release, and automated maintainer (tend) policies as a set of concrete FAIL IF checks. Each subsection describes the attack surface and the boundaries we accept. The tend section names the prompt-injection, bot-authority, reachable-secret, upstream-compromise, and audit-visibility surfaces explicitly. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
A reusable workflow at .github/workflows/security-audit.yaml that reads SECURITY.md, executes each FAIL IF as a mechanical check (gh api, grep, file presence, script runs), and does an additional qualitative pass for security holes the spec doesn't anticipate. Fails the workflow on any violation or BLOCKER-severity finding. Runs nightly at 04:21 UTC and is now a needs: dependency of publish-vscode in release.yml, so a v* tag push won't publish unless the audit passes. Also updates SECURITY.md to: soften the max-sixty/tend pinning FAIL IF (tend's generator produces tag pins, not SHA pins, which is an accepted upstream constraint), and codify the audit's own integrity as part of the CI validation contract. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The audit step now writes audit-report.md and audit-status.txt to the runner workspace; a follow-up step inspects the status:
- PASS: closes any open security-audit-failure issues with a link to the passing run, so the issue tracker reflects live state.
- FAIL: opens (or comments on, if one already exists) an issue labeled security-audit-failure with the full report as body, then exits non-zero so the workflow still blocks the release path.
Adds issues:write to the workflow permissions. Updates SECURITY.md to describe the open/close behavior and broadens the audit-weakening FAIL IF to cover removal of the failure-reporting step. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
- dormouse-bot — with workflows for review, triage, ci-fix, mentions, notifications, nightly, and weekly cadences.
- `main` and all tag operations behind admin bypass (rulesets only — admins push directly as today). The bot has write but not admin.
- `OVSX_PAT`/`VSCE_PAT` deleted at repo level; they remain in the `vscode-extension-publish` environment (policy: `v*` tags), so `release.yml` keeps publishing on admin-pushed tags but the bot cannot reach the secrets.
- `CI` and `Chromatic` for ci-fix.
- `tend-install-test.yaml` around tend#582; the file self-removes on the next nightly regen.

Test plan
- `tend-install-test` workflow passes
- `uvx tend@latest check` locally to double-check security prereqs
- `.github/workflows/tend-install-test.yaml` from `main`
- `v*` tag still triggers `release.yml` and the publish-vscode job can read `OVSX_PAT`/`VSCE_PAT` from the env
- `@dormouse-bot` to confirm the bot responds via the Claude harness

🤖 Generated with Claude Code