
fix: release v1.0.0 with macos-15 acceptance runner#57

Merged: amcheste merged 23 commits into main from release/v1.0.0-fix on Apr 3, 2026

Conversation

@amcheste (Owner) commented Apr 3, 2026

Fixes the v1.0.0 release pipeline. macos-15-xlarge runners are virtualized and don't support nested virtualization — Tart times out waiting for a VM IP address.

This PR gets the macos-15 revert (PR #56) onto main so we can re-cut the v1.0.0 tag cleanly.

After merging, the old v1.0.0 tag will be deleted and re-pushed at the new main HEAD to trigger a clean release run.

🤖 Generated with Claude Code

amcheste and others added 23 commits March 29, 2026 20:07
Automates the standard branch model setup for any new repo:
creates develop branch, sets it as default, applies protection
rules to develop and main, and adds v* tag protection ruleset.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…admins (#24)

Add a new /create-repo Claude Code skill that creates a repo from the
amcheste/repo-template, clones it locally, and applies the full standard
branch protection setup in one command.

Update /publish-release to work with enforce_admins=true on develop:
the old flow pushed directly to develop, which is now blocked. The new
flow creates a chore/release-v<version> branch, opens a PR to develop,
then after merge opens a develop→main release PR before tagging.

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Add tools that were installed on the machine but not tracked:
- tart (via cirruslabs/cli tap) — local VM acceptance testing
- git-lfs — large file support
- kustomize — Kubernetes config management
- octant — Kubernetes dashboard
- postgresql@17 — local Postgres
- virtualenv — Python virtual environments
- claude-code (cask) — Claude Code CLI

Also adds the cirruslabs/cli tap declaration.

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
… SAST (#27)

- Pin all GitHub Actions to full commit SHAs (satisfies Pinned-Dependencies check)
- Add explicit `permissions: contents: read` to all workflows that were missing it
  (satisfies Token-Permissions check)
- Add SAST workflow using Semgrep (p/bash + p/secrets rulesets) with SARIF upload
  to GitHub Security tab (satisfies SAST check)

Dependabot is already configured to keep Action SHAs up to date weekly.

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
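A check for the two Scorecard items the commit above addresses (SHA-pinned actions and an explicit top-level `permissions:` block), as an added example that is not the repository's own tooling. The sample workflow is constructed; the scorecard-action and codeql-action SHAs in it are the ones named on this page, and the `@v…` tag refs are the unpinned "before" form. Function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the repository: a check for the two Scorecard
# items (Pinned-Dependencies, Token-Permissions) the commit above addresses.

# Print every `uses:` reference in workflow $1 that is not pinned to a full
# 40-hex commit SHA. Local actions (./path) are skipped: there is nothing to pin.
unpinned_uses() {
  grep -E '^[[:space:]]*-?[[:space:]]*uses:' "$1" \
    | sed -E 's/^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*//; s/[[:space:]]+#.*$//' \
    | grep -Ev '(@[0-9a-f]{40}$|^\./)' || true
}

# Succeed only if the workflow declares a top-level permissions block, so the
# GITHUB_TOKEN does not silently inherit the repository's default scopes.
declares_top_level_permissions() { grep -Eq '^permissions:' "$1"; }

# Constructed sample workflow written to $1: one local action, two steps
# pinned to SHAs taken from this page, two steps pinned only to a tag.
write_sample_workflow() {
  cat >"$1" <<'EOF'
name: sast
on: [push]
permissions:
  contents: read
jobs:
  semgrep:
    runs-on: ubuntu-latest
    steps:
      - uses: ./.github/actions/local-setup
      - uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # pinned SHA
      - uses: actions/upload-artifact@v4.6.2
      - uses: github/codeql-action/upload-sarif@5c8a8a642e79153f5d047b10ec1cba1d1cc65699
      - uses: actions/labeler@v5
EOF
}

# Report both problems for each workflow given; returns 1 if anything fails.
# Stand-alone usage: check_workflows .github/workflows/*.yml
check_workflows() {
  rc=0
  for f in "$@"; do
    bad=$(unpinned_uses "$f")
    [ -n "$bad" ] && { printf '%s: unpinned actions:\n%s\n' "$f" "$bad"; rc=1; }
    declares_top_level_permissions "$f" \
      || { printf '%s: no top-level permissions block\n' "$f"; rc=1; }
  done
  return $rc
}
```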
Allows scorecard to run on develop merges for early visibility into
security posture before promoting to main.

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
The scorecard action enforces that publish_results=true can only run
from the default/main branch. Conditionally set it so develop runs
still produce SARIF output without failing on publication.

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
…cker requirement (#35)

- Wrap `colorscheme gruvbox` in a try/catch so first-run `vim +PlugInstall`
  falls back to `desert` instead of printing an error (gruvbox not yet
  downloaded at that point)
- Remove live `claude mcp list` health check from setup-mcps.sh summary —
  it always shows GitHub MCP as failed because Docker isn't running at
  setup time. Replace with a static server list and a clear note that
  Docker must be running for the GitHub MCP to connect.

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
vim-go's update output is longer than one screen, causing a `-- More --`
pager pause that blocks unattended setup. Use `--not-a-term -c "set nomore"`
to disable the pager and suppress terminal UI rendering.

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Redirect stdout in addition to stderr so lightline colour allocation
errors don't leak through to the terminal during unattended setup.

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
…le (#40)

Fixes two issues found during testing on a second Mac:

Issue #36 — tart not found during brew bundle:
brew bundle can fail to resolve third-party tap formulae if the tap
hasn't been added before the fetch stage. Explicitly run
`brew tap cirruslabs/cli` before `brew bundle` to guarantee tart
is resolvable.

Issue #37 — non-admin account with no sudo access:
Added preflight checks at the top of setup.sh that run before anything
else:
- Fails immediately with a clear message if the account is not in the
  macOS 'admin' group (Homebrew requires sudo for installation)
- Warns if an existing Homebrew prefix is not writable by the current
  user, with the exact command needed to fix it

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix: add preflight checks and pre-tap cirruslabs/cli before brew bundle

Fixes two issues found during testing on a second Mac:

Issue #36 — tart not found during brew bundle:
brew bundle can fail to resolve third-party tap formulae if the tap
hasn't been added before the fetch stage. Explicitly run
`brew tap cirruslabs/cli` before `brew bundle` to guarantee tart
is resolvable.

Issue #37 — non-admin account with no sudo access:
Added preflight checks at the top of setup.sh that run before anything
else:
- Fails immediately with a clear message if the account is not in the
  macOS 'admin' group (Homebrew requires sudo for installation)
- Warns if an existing Homebrew prefix is not writable by the current
  user, with the exact command needed to fix it

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* feat: improve test coverage based on real-world failure scenarios

Three improvements based on bugs found during testing on a second Mac
(issues #36 and #37):

VM acceptance test:
- Untap cirruslabs/cli before running setup.sh to simulate a truly
  fresh machine. This would have caught issue #36 (tart not found)
  immediately.

Acceptance checks (acceptance-test.sh):
- Add Preflight section: macOS check, admin group check, Homebrew
  writability check
- Add cirruslabs/cli tap and tart installation checks
- Add Claude Skills section: verify all three skills are symlinked

Preflight unit tests (scripts/preflight-test.sh):
- New script that runs entirely on the local machine without a VM
- Mocks id and brew via PATH override to test non-admin and
  unwritable-prefix scenarios in isolation
- Wired into the macOS integration job in validate.yml

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
When release-drafter runs on a pull_request event it sets
target_commitish to the PR merge ref (refs/pull/N/merge) which
GitHub rejects as invalid for a release. Label application is
already handled by the separate labeler.yml workflow so the
pull_request trigger here is redundant.

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
* chore: Bump ossf/scorecard-action (#34)

Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from ff5dd8929f96a8a4dc67d13f32b8c75057829621 to 62b2cac7ed8198b15735ed49ab1e5cf35480ba46.
- [Release notes](https://github.com/ossf/scorecard-action/releases)
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md)
- [Commits](ossf/scorecard-action@ff5dd89...62b2cac)

---
updated-dependencies:
- dependency-name: ossf/scorecard-action
  dependency-version: 62b2cac7ed8198b15735ed49ab1e5cf35480ba46
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: Bump github/codeql-action (#33)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3b1a19a80ab047f35cbb237b5bd9bdc1e14f166c to 5c8a8a642e79153f5d047b10ec1cba1d1cc65699.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@3b1a19a...5c8a8a6)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 5c8a8a642e79153f5d047b10ec1cba1d1cc65699
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Alan Chester <amcheste@gmail.com>

* chore: Bump actions/labeler from 5.0.0 to 6.0.1 (#31)

Bumps [actions/labeler](https://github.com/actions/labeler) from 5.0.0 to 6.0.1.
- [Release notes](https://github.com/actions/labeler/releases)
- [Commits](actions/labeler@8558fd7...634933e)

---
updated-dependencies:
- dependency-name: actions/labeler
  dependency-version: 6.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: Bump actions/upload-artifact from 4.6.2 to 7.0.0 (#30)

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.6.2 to 7.0.0.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@v4.6.2...bbbca2d)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix: detect and reject sudo/root execution before brew runs (#44)

Users who see "Homebrew prefix not writable" instinctively retry with
sudo, which Homebrew rejects. This breaks setup in a confusing loop.

- Add root detection check at the top of preflight (before brew runs)
  using `id -u` so the check is unit-testable via PATH override
- Exit immediately with a clear message explaining *not* to use sudo
  and showing the exact chown command to run first instead
- Strengthen the writability error message with an explicit warning:
  "Do NOT re-run setup.sh with sudo"
- Add 4 new preflight unit tests covering the root/sudo scenario

Fixes #44

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: auto-fix Homebrew directory ownership instead of failing out (#44)

Rather than printing a manual chown command and exiting, setup.sh now
attempts to fix the ownership automatically using targeted sudo chown.

- Only chowns the specific subdirectories Homebrew uses (bin, Cellar,
  Caskroom, etc, Frameworks, include, lib, Library, opt, sbin, share,
  var) — not the entire prefix (e.g. /usr/local), which may contain
  system-managed files that should remain root-owned
- If auto-fix succeeds, setup continues without re-run required
- If auto-fix fails (e.g. user can't sudo), prints a targeted manual
  command using only the affected subdirs rather than the whole prefix
- Root-detection message updated: tells user setup.sh will handle the
  chown automatically if they just re-run without sudo
- Updated preflight unit test to match revised root message wording

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
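The preflight checks the two #44 commits above describe, written out as an added example; this is not the repository's setup.sh, and the function names, exit codes and the /opt/homebrew default are assumptions. It keeps the targeted-chown rule (only Homebrew's own subdirectories, never the whole prefix), prints the manual command instead of running sudo itself, and shells out to `id` so the root and non-admin paths can be tested by mocking `id` through a PATH override, as the preflight unit tests on this page do.

```shell
#!/bin/sh
# Added example, not the repository's setup.sh: preflight checks modelled on
# the #44 commit messages. Every check calls `id`, so a test can mock it via
# PATH instead of needing a real root shell or a non-admin account.

# Homebrew-managed subdirectories. Only these are ever inspected or chowned,
# never the prefix itself (/usr/local may hold root-owned system files).
HOMEBREW_SUBDIRS="bin Cellar Caskroom etc Frameworks include lib Library opt sbin share var"

is_root() { [ "$(id -u)" -eq 0 ]; }

# macOS puts administrators in the 'admin' group; Homebrew needs such a user.
in_admin_group() { id -Gn | tr ' ' '\n' | grep -qx admin; }

# Print each existing Homebrew subdir under $1 that the current user cannot write.
unwritable_brew_subdirs() {
  for d in $HOMEBREW_SUBDIRS; do
    p="$1/$d"
    if [ -d "$p" ] && [ ! -w "$p" ]; then printf '%s\n' "$p"; fi
  done
}

# Build a chown command limited to the affected subdirs ($1 is a
# newline-separated list) rather than the whole prefix.
chown_fix_command() {
  printf 'sudo chown -R %s' "$(id -un)"
  printf '%s\n' "$1" | while IFS= read -r p; do printf ' %s' "$p"; done
  printf '\n'
}

# Exit codes (assumed): 0 ok, 1 must not continue (root or non-admin),
# 2 prefix partly unwritable. Default prefix is an assumption.
preflight() {
  prefix=${1:-/opt/homebrew}
  if is_root; then
    echo "ERROR: do not run setup.sh with sudo. Re-run as your normal user;" >&2
    echo "       ownership of the Homebrew subdirectories is fixed automatically." >&2
    return 1
  fi
  if ! in_admin_group; then
    echo "ERROR: $(id -un) is not in the macOS 'admin' group; Homebrew needs an admin user." >&2
    return 1
  fi
  bad=$(unwritable_brew_subdirs "$prefix")
  if [ -n "$bad" ]; then
    echo "WARN: parts of $prefix are not writable by $(id -un). Do NOT re-run setup.sh with sudo." >&2
    echo "      Fix with: $(chown_fix_command "$bad")" >&2
    return 2
  fi
  return 0
}
```

Source the file and call `preflight /usr/local` (or leave the argument off for the assumed default); the return code tells a caller whether setup may continue.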
octant was deprecated and disabled in Homebrew on 2024-02-07 (upstream
repo archived by VMware). Attempting to install it on a fresh machine
fails with "No available formula" and aborts the entire brew bundle run.

- Replace `octant` with `k9s` — actively maintained terminal-based
  Kubernetes dashboard that covers the same day-to-day cluster
  inspection workflow
- Add acceptance-test check for deprecated Brewfile formulae so this
  class of failure is caught in CI before it reaches a real install

Fixes #46

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
* ci: use larger macOS runners for acceptance test and main branch integration

- acceptance.yml: upgrade macos-15 → macos-15-xlarge (6-core M-series)
  Tart nested VMs are CPU-bound; the larger runner should cut test time
  significantly and improve reliability under load.

- validate.yml: use macos-15-xlarge on main branch pushes, macos-latest
  on develop and PRs. Keeps PR feedback fast and cheap while giving the
  stable branch a more thorough environment.

Requires GitHub Team plan (or higher) for larger runner access.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* ci: revert validate integration job to macos-latest

No CPU-intensive work in that job — standard runner is sufficient
and cheaper. Only the Tart VM acceptance test benefits from xlarge.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
* chore: Bump ossf/scorecard-action (#34)

Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from ff5dd8929f96a8a4dc67d13f32b8c75057829621 to 62b2cac7ed8198b15735ed49ab1e5cf35480ba46.
- [Release notes](https://github.com/ossf/scorecard-action/releases)
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md)
- [Commits](ossf/scorecard-action@ff5dd89...62b2cac)

---
updated-dependencies:
- dependency-name: ossf/scorecard-action
  dependency-version: 62b2cac7ed8198b15735ed49ab1e5cf35480ba46
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: Bump github/codeql-action (#33)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3b1a19a80ab047f35cbb237b5bd9bdc1e14f166c to 5c8a8a642e79153f5d047b10ec1cba1d1cc65699.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@3b1a19a...5c8a8a6)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 5c8a8a642e79153f5d047b10ec1cba1d1cc65699
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Alan Chester <amcheste@gmail.com>

* chore: Bump actions/labeler from 5.0.0 to 6.0.1 (#31)

Bumps [actions/labeler](https://github.com/actions/labeler) from 5.0.0 to 6.0.1.
- [Release notes](https://github.com/actions/labeler/releases)
- [Commits](actions/labeler@8558fd7...634933e)

---
updated-dependencies:
- dependency-name: actions/labeler
  dependency-version: 6.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: Bump actions/upload-artifact from 4.6.2 to 7.0.0 (#30)

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.6.2 to 7.0.0.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@v4.6.2...bbbca2d)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
* chore: Bump ossf/scorecard-action (#34)

Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from ff5dd8929f96a8a4dc67d13f32b8c75057829621 to 62b2cac7ed8198b15735ed49ab1e5cf35480ba46.
- [Release notes](https://github.com/ossf/scorecard-action/releases)
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md)
- [Commits](ossf/scorecard-action@ff5dd89...62b2cac)

---
updated-dependencies:
- dependency-name: ossf/scorecard-action
  dependency-version: 62b2cac7ed8198b15735ed49ab1e5cf35480ba46
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: Bump github/codeql-action (#33)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3b1a19a80ab047f35cbb237b5bd9bdc1e14f166c to 5c8a8a642e79153f5d047b10ec1cba1d1cc65699.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@3b1a19a...5c8a8a6)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 5c8a8a642e79153f5d047b10ec1cba1d1cc65699
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Alan Chester <amcheste@gmail.com>

* chore: Bump actions/labeler from 5.0.0 to 6.0.1 (#31)

Bumps [actions/labeler](https://github.com/actions/labeler) from 5.0.0 to 6.0.1.
- [Release notes](https://github.com/actions/labeler/releases)
- [Commits](actions/labeler@8558fd7...634933e)

---
updated-dependencies:
- dependency-name: actions/labeler
  dependency-version: 6.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: Bump actions/upload-artifact from 4.6.2 to 7.0.0 (#30)

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.6.2 to 7.0.0.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@v4.6.2...bbbca2d)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
… VMs (#56)

macos-15-xlarge runners are virtualized environments and don't support
nested virtualization. Tart cannot obtain an IP address for the inner
VM, causing the acceptance test to time out every run.

macos-15 (standard, 3-core) runners are bare-metal and fully support
Tart. Reverting to ensure the release pipeline is reliable.

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
@github-actions github-actions Bot added the ci label Apr 3, 2026
@amcheste amcheste merged commit 1401189 into main Apr 3, 2026
7 checks passed
@amcheste amcheste deleted the release/v1.0.0-fix branch April 3, 2026 00:17