deploy: derive bounded.tools from the canonical pipeline (adds approval gate) #98
Merged
…ds gate)

Mirror robertdelanghe.dev: replace the straight build->deploy job with a call to the canonical reusable workflow (bounded-systems/.github). This ADDS the preview -> deterministic preview-URL verify -> required-reviewers promote gate that bounded.tools didn't have. Also re-vendors the FIXED standalone verifier (package.json + lockfile + the X509 SAN extraction), which is portable (identity derived from served provenance). site-promote Environment created with bdelanghe as required reviewer. Pinned to the opt-in-probe branch until bounded-systems/.github#42 merges, then -> @sha.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…t-in-probe branch)
bdelanghe added a commit that referenced this pull request Jun 29, 2026
…ifier

verify-vendor failed: #98 advanced the standalone verifier (package.json + verify.mjs + added package-lock.json) to conformance-kit's fixed version but left the lock pinned to the old bf20952d hashes, so the build's vendor-integrity gate flagged 3 violations. The vendored files are byte-identical to conformance-kit @ c45be5003128 (PR #16: X509 SAN extraction, sigstore ^2.3.1), so this updates those 3 pins to match and documents the (intentional, minimal) verify/-only provenance advance in the lock note. verify-vendor now passes (45 files).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
bdelanghe added a commit that referenced this pull request Jun 29, 2026
…#100)

#98 merged the advanced standalone verifier (verify/ package.json + verify.mjs + new package-lock.json, byte-identical to conformance-kit @ c45be5003128 / PR #16) but NOT the matching lock pins, so verify-vendor — and thus build — fails on main, blocking the gated bounded.tools deploy. Update the 3 verify/ pins to match the vendored fixed verifier and document the minimal verify/-only provenance advance. verify-vendor passes (45 files).

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
bdelanghe added a commit that referenced this pull request Jun 29, 2026
…re integrity) (#102)

* fix(vendor): re-vendor conformance-kit bf20952 → e8838ed (restore integrity)

#98 hand-copied a newer verify.mjs (X509 SAN) into the vendored kit without re-vendoring the rest or regenerating the lock, so verify-vendor failed repo-wide (main red). conformance-kit main (e8838ed, #26) already carries that fix plus the split vulns/asvs schema and the ai-readability gate, so this re-vendors the full pinned subset to e8838ed and regenerates vendor/conformance-kit.lock.json. verify-vendor: 45 files @ e8838ed (green). Advances prx-tnqu.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* chore(structure): regenerate structure.json baseline for re-vendored audit tool

The re-vendor to e8838ed updated the structure-audit tool; the consumer-side drift baseline is regenerated to match (site content unchanged, 0 errors/warns).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
bdelanghe added a commit that referenced this pull request Jun 29, 2026
…42 merged) (#109)

bounded-systems/.github#42 (make the RFC 9110 probe opt-in) merged 2026-06-29; per #98's plan, move the promote pin off the temporary @fix/optional-http-probe branch to its merge commit c46a1dc on .github main, restoring the repo's SHA-pin posture. Also re-triggers a fresh deploy run (the prior one wedged in pending).

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Mirrors robertdelanghe.dev onto the canonical reusable pipeline (bounded-systems/.github).

build (signed OCI → ghcr.io/bounded-systems/bounded-tools-site) stays; the straight deploy job becomes one shared uses: call.

Changes bounded.tools' deploy behavior (intentionally)

site-promote Environment created (reviewer: bdelanghe).
package.json + lockfile + the X509 SAN extraction (was the old broken copy). Portable (identity from served provenance).

Sequence

uses: ref @fix/optional-http-probe → the merged .github SHA.

🤖 Generated with Claude Code
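
Added example (not part of this pull request or the project's workflows): a small check for the SHA-pin posture the sequence above restores, reporting every uses: reference that is not a full 40-character commit SHA. The workflow file name EXAMPLE.yml, the local action path and the 40-hex SHA are constructed placeholders.

```javascript
// Added example: flag `uses:` refs that are not pinned to a full commit SHA.
// File names and the 40-hex SHA in SAMPLE are constructed placeholders.
const FULL_SHA = /^[0-9a-f]{40}$/;

function classifyUses(value) {
  // Local actions/workflows and container images carry no git ref to pin.
  if (value.startsWith('./') || value.startsWith('docker://')) {
    return { target: value, ref: null, pinned: true, kind: 'local-or-image' };
  }
  const at = value.indexOf('@');
  if (at === -1) return { target: value, ref: null, pinned: false, kind: 'no-ref' };
  const ref = value.slice(at + 1);
  // Only a full-length SHA counts as pinned here; branches, tags and
  // abbreviated SHAs are all reported as mutable by this check.
  const pinned = FULL_SHA.test(ref);
  return { target: value.slice(0, at), ref, pinned, kind: pinned ? 'sha' : 'mutable-ref' };
}

function auditWorkflow(text) {
  const findings = [];
  text.split('\n').forEach((line, i) => {
    // Matches `uses: x` and `- uses: x`, optional quotes; stops before a trailing comment.
    const m = line.match(/^\s*(?:-\s*)?uses:\s*["']?([^"'\s#]+)/);
    if (!m) return;
    const c = classifyUses(m[1]);
    if (!c.pinned) findings.push({ line: i + 1, ...c });
  });
  return findings;
}

// Constructed sample: a promote job calling a reusable workflow by branch,
// beside the same call pinned to a placeholder full SHA.
const SAMPLE = [
  'jobs:',
  '  promote:',
  '    uses: bounded-systems/.github/.github/workflows/EXAMPLE.yml@fix/optional-http-probe',
  '  promote_pinned:',
  '    uses: bounded-systems/.github/.github/workflows/EXAMPLE.yml@0123456789abcdef0123456789abcdef01234567 # placeholder SHA',
  '  build:',
  '    steps:',
  '      - uses: actions/checkout@v4',
  '      - uses: ./.github/actions/local-step',
].join('\n');

for (const f of auditWorkflow(SAMPLE)) {
  console.log(`line ${f.line}: ${f.target}@${f.ref} (${f.kind})`);
}
```

Run against the files under .github/workflows in CI, a non-empty result can fail the job so a temporary branch pin cannot stay in place unnoticed.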