chore(deps): Bump @supabase/supabase-js from 2.101.1 to 2.104.1 #1418
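# SMI-2189: Lightweight CI for documentation-only changes
# SMI-3997: Conditional-required pattern — workflow always triggers; jobs are
# skipped with success when no doc paths changed, so the Markdown Lint
# required status check is always reported (never silently absent).
# Runs secret scanning and markdown linting without the full build pipeline.
# This workflow triggers for EVERY PR/push; job-level if: gates do the filtering.
name: Docs CI

# SMI-2267: Explicit minimal permissions for CodeQL compliance.
# Workflow-level is contents:read only; pull-requests:read is scoped to the
# detect-changes job below (SMI-3997 Finding #5, matching ci.yml:128-129
# verify-implementation pattern).
permissions:
  contents: read

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# One in-flight run per ref; a newer push supersedes the older run.
concurrency:
  group: docs-ci-${{ github.ref }}
  cancel-in-progress: true

jobs:
  # SMI-3997: Detect whether any doc-related paths changed in this PR.
  # This job always runs; downstream jobs gate on its output.
  detect-changes:
    name: Detect Doc Changes
    runs-on: ubuntu-latest
    timeout-minutes: 2
    # SMI-3997 Finding #5: Scope pull-requests:read to ONLY the job that needs it,
    # matching ci.yml verify-implementation (SMI-3546, lines 128-129). Workflow-level
    # permissions stay contents:read per SMI-2267 hardening.
    permissions:
      contents: read
      pull-requests: read
    # `docs` is the string 'true' / 'false' produced by the paths-filter step;
    # downstream jobs compare it with `== 'true'`.
    outputs:
      docs: ${{ steps.filter.outputs.docs }}
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      # SMI-3997: Pinned to SHA for reproducibility (v4 release)
      # To update: check https://github.com/dorny/paths-filter/releases
      - name: Filter doc paths
        id: filter
        uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4
        with:
          # SMI-3997 Finding #2: Explicit base so push-event behavior does not rely on
          # action defaults. On pull_request, compares HEAD against PR base ref.
          # On push, falls back to the repository default branch (main).
          base: ${{ github.event.pull_request.base.ref || github.event.repository.default_branch }}
          filters: |
            docs:
              - 'docs/internal/**'
              - '.claude/development/**'
              - '.claude/templates/**'
              - '**/*.md'
              - 'LICENSE'
              - '.github/ISSUE_TEMPLATE/**'
              - '.github/CODEOWNERS'

      # SMI-3997 Finding #2: Observability — log the resolved output so the first
      # few carrier runs can be inspected in job logs without cross-referencing
      # the GitHub Checks API.
      # The step output is passed through `env` rather than interpolated into the
      # script body, so the value is never re-parsed by the shell (the pattern
      # CodeQL's expression-injection check expects for any `${{ }}` in `run:`).
      - name: Log detection result
        env:
          DOCS_CHANGED: ${{ steps.filter.outputs.docs }}
        run: echo "Detected docs=${DOCS_CHANGED}"

  # Secret scanning - catches accidentally committed credentials
  # SMI-3997 + SMI-3999: Gated by detect-changes. On non-doc PRs, ci.yml's
  # secret-scan runs and emits the check; this job skips with success. On
  # pure-doc PRs post-SMI-3999, ci.yml's secret-scan ALSO emits a check
  # (skipped-with-success); this job runs and emits its own success. Branch
  # protection accepts multiple check-runs with the same context name as long
  # as at least one resolves to success.
  secret-scan:
    name: Secret Scan
    needs: [detect-changes]
    if: needs.detect-changes.outputs.docs == 'true'
    runs-on: ubuntu-latest
    timeout-minutes: 2
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          # Full history is needed so the PR commit range below is resolvable.
          fetch-depth: 0

      # `shell: bash` is set explicitly because GitHub only applies
      # `set -eo pipefail` when the shell is specified; with the unspecified
      # default (`bash -e`) a failed curl in the pipeline below would be masked
      # by tar's exit status.
      # NOTE(review): the archive is fetched by pinned version tag but its
      # contents are not integrity-checked. Record the release's SHA-256 for
      # this tarball and verify it with `sha256sum --check` before installing.
      - name: Install gitleaks
        shell: bash
        run: |
          curl -sSfL https://github.com/gitleaks/gitleaks/releases/download/v8.21.2/gitleaks_8.21.2_linux_x64.tar.gz | tar -xz
          sudo mv gitleaks /usr/local/bin/

      # Event context is passed through `env` instead of being interpolated into
      # the script, so no `${{ }}` value is ever parsed as shell syntax.
      # On pull_request only the PR's commit range is scanned; on push the whole
      # checked-out history is scanned.
      - name: Run gitleaks
        shell: bash
        env:
          EVENT_NAME: ${{ github.event_name }}
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          if [ "${EVENT_NAME}" = "pull_request" ]; then
            gitleaks detect --source . --config .gitleaks.toml --log-opts "${BASE_SHA}..${HEAD_SHA}" --verbose
          else
            gitleaks detect --source . --config .gitleaks.toml --verbose
          fi

  # Markdown linting - ensures documentation quality
  # SMI-3997: Gated by detect-changes. On non-doc PRs, this job skips with
  # success, satisfying the required status check. (ci.yml does not define
  # a markdown-lint job — docs-only.yml is the exclusive emitter of this
  # required context.)
  markdown-lint:
    name: Markdown Lint
    needs: [detect-changes]
    if: needs.detect-changes.outputs.docs == 'true'
    runs-on: ubuntu-latest
    timeout-minutes: 2
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      # SMI-2215: Pinned to SHA for reproducibility (v20 release)
      # To update: check https://github.com/DavidAnson/markdownlint-cli2-action/releases
      # Only lint non-encrypted markdown files.
      # docs/** files are in a private submodule (not available in CI).
      # .claude/development/ and .claude/templates/ are unencrypted dev docs.
      - name: Lint markdown files
        uses: DavidAnson/markdownlint-cli2-action@ce4853d43830c74c1753b39f3cf40f71c2031eb9 # v20
        with:
          # Newline-separated glob list; `!` entries are exclusions.
          globs: |
            *.md
            .claude/development/**/*.md
            .claude/templates/**/*.md
            !node_modules/**
            !packages/*/node_modules/**
          config: .markdownlint.json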