fix: restore CI audit job and add missing cache-dependency-path#4
fix: restore CI audit job and add missing cache-dependency-path#4donny-devops with Copilot wants to merge 2 commits into
Conversation
The `audit` job was failing because `setup-node@v4` with `cache: npm` could not find a lock file at the repo root. The lock file lives at `tools/loop-audit/package-lock.json`, so add `cache-dependency-path` pointing to it in both the `validate` and `audit` jobs. Also restores the correct `name:`, `on:` triggers, and the `validate`/ `audit` job structure that was accidentally overwritten by a previous commit that left ci.yml with no triggers and a stale `build` job.
|
Qodo reviews are paused for this user.Troubleshooting steps vary by plan Learn more → On a Teams plan? Using GitHub Enterprise Server, GitLab Self-Managed, or Bitbucket Data Center? |
There was a problem hiding this comment.
Pull request overview
Restores the repository’s GitHub Actions CI workflow structure and fixes Node/npm caching by pointing setup-node@v4 at the correct lockfile under tools/loop-audit/.
Changes:
- Reintroduces
name: CIandon:triggers (push/PR/workflow_dispatch) for the workflow. - Restores
validateandauditjobs and updatessetup-node@v4npm cache configuration to usetools/loop-audit/package-lock.json.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| validate: | ||
| runs-on: ubuntu-latest |
| if: hashFiles('doc/package-lock.json') != '' | ||
| working-directory: doc | ||
| - working-directory: tools/loop-audit | ||
| run: node dist/cli.js .. --level L2 |
| - working-directory: tools/loop-audit | ||
| run: npm run build |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: f1f1dc61e5
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| if: hashFiles('doc/package-lock.json') != '' | ||
| working-directory: doc | ||
| - working-directory: tools/loop-audit | ||
| run: node dist/cli.js .. --level L2 |
There was a problem hiding this comment.
Audit the repository root in validate
With this step running from tools/loop-audit, the target .. resolves to /workspace/loop-engineering/tools instead of the repository root. The audit CLI treats the first non-flag as the target and exits with code 2 for scores below 40 (tools/loop-audit/src/cli.ts), and running this command locally audits tools at 10/L0, so the new validate job will fail on every push/PR; use ../.. after building to scan the root.
Useful? React with 👍 / 👎.
| if: hashFiles('doc/package-lock.json') != '' | ||
| working-directory: doc | ||
| - working-directory: tools/loop-audit | ||
| run: node dist/cli.js .. --level L2 |
There was a problem hiding this comment.
Add a real L2 gate for validate
--level is not one of loop-audit's parsed options; the CLI only selects the first non-flag target and exits nonzero when the score is below 40. Once the target path is fixed, a repo that drops from L2 to L1 but remains above score 40 will still pass this validate step despite the command advertising an L2 gate, so add an actual level check or remove the misleading flag.
Useful? React with 👍 / 👎.
|
Closing as part of a portfolio-wide open-PR backlog cleanup to present a clean, reviewer-friendly repository. This action is fully reversible — reopen anytime if the work is still needed. (Dependabot PRs will be re-created on the next scan if still applicable.) |



The
auditjob was failing becausesetup-node@v4(cache: npm) searched for a lock file at the repo root, but it only exists attools/loop-audit/package-lock.json. A subsequent commit had also accidentally clobberedci.yml, stripping out thename:/on:triggers and replacing thevalidate/auditjobs with a deadbuildjob referencing non-existent paths.Changes
ci.ymlstructure — re-addsname: CI,on:triggers (push/PR/workflow_dispatch), and thevalidate+auditjobs that were overwrittencache-dependency-path: tools/loop-audit/package-lock.jsontosetup-node@v4in both jobs