Skip to content

fix: restore CI audit job and add missing cache-dependency-path#4

Closed
donny-devops with Copilot wants to merge 2 commits into
mainfrom
copilot/fix-audit-job-failure
Closed

fix: restore CI audit job and add missing cache-dependency-path#4
donny-devops with Copilot wants to merge 2 commits into
mainfrom
copilot/fix-audit-job-failure

Conversation

Copilot AI commented Jun 30, 2026

Copy link
Copy Markdown

The audit job was failing because setup-node@v4 (cache: npm) searched for a lock file at the repo root, but it only exists at tools/loop-audit/package-lock.json. A subsequent commit had also accidentally clobbered ci.yml, stripping out the name:/on: triggers and replacing the validate/audit jobs with a dead build job referencing non-existent paths.

Changes

  • Restore ci.yml structure — re-adds name: CI, on: triggers (push/PR/workflow_dispatch), and the validate + audit jobs that were overwritten
  • Fix npm cache lookup — adds cache-dependency-path: tools/loop-audit/package-lock.json to setup-node@v4 in both jobs
- uses: actions/setup-node@v4
  with:
    node-version: 20
    cache: npm
    cache-dependency-path: tools/loop-audit/package-lock.json

The `audit` job was failing because `setup-node@v4` with `cache: npm`
could not find a lock file at the repo root. The lock file lives at
`tools/loop-audit/package-lock.json`, so add `cache-dependency-path`
pointing to it in both the `validate` and `audit` jobs.

Also restores the correct `name:`, `on:` triggers, and the `validate`/
`audit` job structure that was accidentally overwritten by a previous
commit that left ci.yml with no triggers and a stale `build` job.
Copilot AI changed the title [WIP] Fix failing GitHub Actions job audit fix: restore CI audit job and add missing cache-dependency-path Jun 30, 2026
Copilot AI requested a review from donny-devops June 30, 2026 13:10
@sonarqubecloud

Copy link
Copy Markdown

@donny-devops donny-devops marked this pull request as ready for review June 30, 2026 14:44
Copilot AI review requested due to automatic review settings June 30, 2026 14:44
@qodo-code-review

Copy link
Copy Markdown

Qodo reviews are paused for this user.

Troubleshooting steps vary by plan Learn more →

On a Teams plan?
Reviews resume once this user has a paid seat and their Git account is linked in Qodo.
Link Git account →

Using GitHub Enterprise Server, GitLab Self-Managed, or Bitbucket Data Center?
These require an Enterprise plan - Contact us
Contact us →

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Restores the repository’s GitHub Actions CI workflow structure and fixes Node/npm caching by pointing setup-node@v4 at the correct lockfile under tools/loop-audit/.

Changes:

  • Reintroduces name: CI and on: triggers (push/PR/workflow_dispatch) for the workflow.
  • Restores validate and audit jobs and updates setup-node@v4 npm cache configuration to use tools/loop-audit/package-lock.json.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/workflows/ci.yml
Comment on lines +9 to 10
validate:
runs-on: ubuntu-latest
Comment thread .github/workflows/ci.yml
if: hashFiles('doc/package-lock.json') != ''
working-directory: doc
- working-directory: tools/loop-audit
run: node dist/cli.js .. --level L2
Comment thread .github/workflows/ci.yml
Comment on lines +37 to +38
- working-directory: tools/loop-audit
run: npm run build

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: f1f1dc61e5

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread .github/workflows/ci.yml
if: hashFiles('doc/package-lock.json') != ''
working-directory: doc
- working-directory: tools/loop-audit
run: node dist/cli.js .. --level L2

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Audit the repository root in validate

With this step running from tools/loop-audit, the target .. resolves to /workspace/loop-engineering/tools instead of the repository root. The audit CLI treats the first non-flag as the target and exits with code 2 for scores below 40 (tools/loop-audit/src/cli.ts), and running this command locally audits tools at 10/L0, so the new validate job will fail on every push/PR; use ../.. after building to scan the root.

Useful? React with 👍 / 👎.

Comment thread .github/workflows/ci.yml
if: hashFiles('doc/package-lock.json') != ''
working-directory: doc
- working-directory: tools/loop-audit
run: node dist/cli.js .. --level L2

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Add a real L2 gate for validate

--level is not one of loop-audit's parsed options; the CLI only selects the first non-flag target and exits nonzero when the score is below 40. Once the target path is fixed, a repo that drops from L2 to L1 but remains above score 40 will still pass this validate step despite the command advertising an L2 gate, so add an actual level check or remove the misleading flag.

Useful? React with 👍 / 👎.

Copy link
Copy Markdown
Owner

Closing as part of a portfolio-wide open-PR backlog cleanup to present a clean, reviewer-friendly repository. This action is fully reversible — reopen anytime if the work is still needed. (Dependabot PRs will be re-created on the next scan if still applicable.)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants