⚙️ setup (ci): fix security, guards, and validation issues

warengonzaga · Copilot · warengonzaga · commit d71d8659d4e9 · 2026-02-19T15:12:40.000+08:00
- add if-guard to package/container jobs (main push only)
- narrow ci.yml top-level permissions to contents: read
- add per-job permissions for package and container jobs
- remove unused packages/security-events write from release.yml
- fix commit-lint push range to validate all commits (before..after)
- quote SHA interpolations in commit-lint PR log command
- remove duplicate bun run build step from package.yml
- add --bail flag to pre-commit bun test hook
- add msgFile undefined guard in validate-commit-msg.mjs
- make variation selector optional for trash and gear emojis
- strengthen readCache to validate latest and runtime field types

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -9,9 +9,6 @@ on:
 
 permissions:
   contents: read
-  packages: write
-  security-events: write
-  pull-requests: write
 
 jobs:
   build:
@@ -56,10 +53,19 @@ jobs:
 
   package:
     needs: test
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    permissions:
+      packages: write
+      pull-requests: write
     uses: ./.github/workflows/package.yml
     secrets: inherit
 
   container:
     needs: test
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    permissions:
+      packages: write
+      security-events: write
+      pull-requests: write
     uses: ./.github/workflows/container.yml
     secrets: inherit
diff --git a/.github/workflows/commit-lint.yml b/.github/workflows/commit-lint.yml
@@ -25,9 +25,15 @@ jobs:
           PATTERN='^(📦|🔧|🗑️|🔒|⚙️|☕|🧪|📖|🚀) (new|update|remove|security|setup|chore|test|docs|release)( \([a-z0-9][a-z0-9-]*\))?: .{1,72}$'
 
           if [ "${{ github.event_name }}" = "pull_request" ]; then
-            COMMITS=$(git log --format="%s" ${{ github.event.pull_request.base.sha }}..${{ github.event.pull_request.head.sha }})
+            COMMITS=$(git log --format="%s" "${{ github.event.pull_request.base.sha }}..${{ github.event.pull_request.head.sha }}")
           else
-            COMMITS=$(git log --format="%s" -1)
+            GITHUB_EVENT_BEFORE="${{ github.event.before }}"
+            GITHUB_EVENT_AFTER="${{ github.event.after }}"
+            if [ "$GITHUB_EVENT_BEFORE" = "0000000000000000000000000000000000000000" ]; then
+              COMMITS=$(git log --format="%s" "$GITHUB_EVENT_AFTER" -1)
+            else
+              COMMITS=$(git log --format="%s" "${GITHUB_EVENT_BEFORE}..${GITHUB_EVENT_AFTER}")
+            fi
           fi
 
           FAILED=0
diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml
@@ -33,9 +33,6 @@ jobs:
       - name: Install dependencies
         run: bun install --frozen-lockfile
 
-      - name: Build all packages
-        run: bun run build
-
       - name: Build & Publish Packages
         uses: wgtechlabs/package-build-flow-action@v2.0.1
         with:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -8,8 +8,6 @@ on:
 
 permissions:
   contents: write
-  packages: write
-  security-events: write
   pull-requests: write
 
 jobs:
diff --git a/.husky/pre-commit b/.husky/pre-commit
@@ -1 +1 @@
-bun test
+bun test --bail
diff --git a/.husky/validate-commit-msg.mjs b/.husky/validate-commit-msg.mjs
@@ -1,6 +1,10 @@
 import { readFileSync } from "fs";
 
 const msgFile = process.argv[2];
+if (!msgFile) {
+  console.error("Error: No commit message file path provided.");
+  process.exit(1);
+}
 const raw = readFileSync(msgFile, "utf8");
 const firstLine = raw.replace(/\r/g, "").split("\n")[0].trim();
 
@@ -10,7 +14,7 @@ if (/^Merge /.test(firstLine)) process.exit(0);
 // Clean Commit convention pattern
 // Format: <emoji> <type>[(<scope>)]: <description>
 const pattern =
-  /^(📦|🔧|🗑️|🔒|⚙️|☕|🧪|📖|🚀) (new|update|remove|security|setup|chore|test|docs|release)( \([a-z0-9][a-z0-9-]*\))?: .{1,72}$/u;
+  /^(📦|🔧|🗑\uFE0F?|🔒|⚙\uFE0F?|☕|🧪|📖|🚀) (new|update|remove|security|setup|chore|test|docs|release)( \([a-z0-9][a-z0-9-]*\))?: .{1,72}$/u;
 
 if (!pattern.test(firstLine)) {
   console.error("");
diff --git a/packages/core/src/update-checker.ts b/packages/core/src/update-checker.ts
@@ -118,7 +118,7 @@ function readCache(dataDir: string): UpdateInfo | null {
   try {
     const raw = readFileSync(getCachePath(dataDir), 'utf-8');
     const cached = JSON.parse(raw) as UpdateInfo;
-    if (cached && typeof cached.checkedAt === 'number') return cached;
+    if (cached && typeof cached.checkedAt === 'number' && typeof cached.latest === 'string' && typeof cached.runtime === 'string') return cached;
   } catch {
     // Missing or corrupt — will re-check
   }

Original file line number	Diff line number	Diff line change
`@@ -118,7 +118,7 @@ function readCache(dataDir: string): UpdateInfo \| null {`
`118`	`118`	`try {`
`119`	`119`	`const raw = readFileSync(getCachePath(dataDir), 'utf-8');`
`120`	`120`	`const cached = JSON.parse(raw) as UpdateInfo;`
`121`		`- if (cached && typeof cached.checkedAt === 'number') return cached;`
	`121`	`+ if (cached && typeof cached.checkedAt === 'number' && typeof cached.latest === 'string' && typeof cached.runtime === 'string') return cached;`
`122`	`122`	`} catch {`
`123`	`123`	`// Missing or corrupt — will re-check`
`124`	`124`	`}`