feat(ci): bridge fop/local-ci/pr status for Dependabot PRs (parity with parkhub-php #511)#647
Closed
nash87 wants to merge 4 commits into
Closed
feat(ci): bridge fop/local-ci/pr status for Dependabot PRs (parity with parkhub-php #511)#647nash87 wants to merge 4 commits into
nash87 wants to merge 4 commits into
Conversation
…afe) Parallel `fop-local-ci.sh --background` runs across PR worktrees collide on the hardcoded port 8081, causing the second-and-later runners to fail with "Address already in use" and post a false `failure` commit status. Ports the same 5-tier allocate_parkhub_server_port() pattern fixed in parkhub-php PR #503: 1. FOP_LOCAL_CI_SERVER_PORT env (explicit operator override) 2. SERVER_PORT env (outer wrapper already chose one) 3. 8081 if free (preserves docs + muscle memory) 4. random free port 49152-65535 via ss -ltn (listening sockets only) 5. fallback 8082+rand(0-199) when ss/shuf unavailable Applied to: - scripts/e2e-local.sh (was hardcoded SERVER_PORT:-8081) - scripts/v5-design-smoke-local.sh (same) - .github/scripts/fop-local-ci.sh (full profile playwright step hardcoded 8081) E2E_BASE_URL is exported from the allocated port so playwright.config.ts already picks it up via the existing process.env.E2E_BASE_URL path. Test: scripts/tests/test-port-allocator.sh (4 tiers, all green).
… unblock)
Three clippy violations introduced by the TOTP replay guard commit were
blocking the pre-push hook on this branch:
- explicit_auto_deref: &*state_guard -> &state_guard
- collapsible_if (x2): nested if-let chain collapsed to let_chains
(stable since Rust 1.88; MSRV is 1.94, edition 2024)
Lockfile-only bumps to clear pre-push security gate failures:
- lettre 0.11.21 -> 0.11.22: RUSTSEC-2026-0141 SMTP TLS MITM
(inverted boolean disabling hostname verification, CVSS 9.1)
- devalue 5.7.1 -> 5.8.1: GHSA-77vg-94rm-hx3p sparse-array DoS
- ws 8.20.0 -> 8.20.1: GHSA-58qx-3vcg-4xpx header parsing DoS
Per policy: lockfile bump, not deny/ignore suppression.
…th parkhub-php #511) Ports the Dependabot local-CI bridge from parkhub-php PR #511 to parkhub-rust. The fop/local-ci/pr commit status is normally posted by a developer running fop-local-ci.sh locally. Dependabot PRs have no local developer, so the local-ci-attestation gate in ci.yml was blocking all 5 stuck Dependabot PRs indefinitely. This workflow runs the headless gate suite on Dependabot PRs only and posts the status result so the PRs can merge cleanly. Rust-specific gate mapping vs parkhub-php: - composer audit -> cargo deny check (hard) - (new) -> cargo audit (advisory, RUSTSEC ignores from security.yml) - npm audit root -> npm audit parkhub-web (advisory) - gitleaks -> gitleaks PR-range (hard, identical) - osv-scanner -> osv-scanner Cargo.lock + parkhub-web/package-lock.json - typos -> typos (advisory, identical) Unblocks: #638 #639 #640 #641 #642
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
github-actions
Bot
added
dependencies
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Adds a GitHub Actions (and Gitea-mirror) workflow that runs a headless gate suite for Dependabot PRs and posts the required fop/local-ci/pr commit status so those PRs can merge. The diff also carries port-allocator helpers from the base branch (PR #644) plus a small clippy refactor in security.rs.
Changes:
- New
dependabot-local-ci-bridge.ymlworkflow (and Gitea mirror) running cargo-deny / cargo-audit / npm-audit / gitleaks / osv-scanner / typos and postingfop/local-ci/prstatus fordependabot[bot]PRs only. - Adds
allocate_parkhub_server_porthelper toe2e-local.sh,v5-design-smoke-local.sh, andfop-local-ci.shto avoid port collisions across parallel local-CI worktrees, with a unit test. - Refactors
verify_totp_with_replay_guardinparkhub-server/src/api/security.rsto uselet-chainsand drops a redundant reborrow.
Reviewed changes
Copilot reviewed 7 out of 10 changed files in this pull request and generated 6 comments.
Show a summary per file
| File | Description |
|---|---|
| .github/workflows/dependabot-local-ci-bridge.yml | New GitHub workflow that runs the headless gate suite for Dependabot PRs and posts the fop/local-ci/pr status. |
| .gitea/workflows/dependabot-local-ci-bridge.yaml | Gitea mirror of the above; cargo tooling installed inline because no pinned Gitea-Actions equivalents exist. |
| .github/scripts/fop-local-ci.sh | Defines and uses allocate_parkhub_server_port to pick a unique parkhub-server port for the playwright step in the full profile. |
| scripts/e2e-local.sh | Replaces the hard-coded SERVER_PORT=8081 default with the same allocate_parkhub_server_port helper. |
| scripts/v5-design-smoke-local.sh | Same port-allocator change for the v5 design smoke harness. |
| scripts/tests/test-port-allocator.sh | New bash test that copies the allocator function locally and exercises the 5-tier fallback. |
| parkhub-server/src/api/security.rs | Refactors verify_totp_with_replay_guard to use let-chains and removes a needless &* reborrow. |
Files not reviewed (1)
- parkhub-web/package-lock.json: Language not supported
| fi | ||
| if command -v shuf >/dev/null 2>&1; then | ||
| local picked | ||
| picked="$(comm -23 <(seq 49152 65535) <(printf '%s\n' "$in_use") 2>/dev/null | shuf -n 1)" |
Comment on lines
+12
to
+44
| # Source only the function — stop before the script body executes. | ||
| # We do this by defining the sentinel vars the script checks early on. | ||
| PARKHUB_TEST_SOURCE_ONLY=1 | ||
|
|
||
| # Extract allocate_parkhub_server_port from e2e-local.sh and eval it. | ||
| allocate_parkhub_server_port() { | ||
| if [[ -n "${FOP_LOCAL_CI_SERVER_PORT:-}" ]]; then | ||
| printf '%s' "${FOP_LOCAL_CI_SERVER_PORT}" | ||
| return 0 | ||
| fi | ||
| if [[ -n "${SERVER_PORT:-}" ]]; then | ||
| printf '%s' "${SERVER_PORT}" | ||
| return 0 | ||
| fi | ||
| if command -v ss >/dev/null 2>&1; then | ||
| local in_use | ||
| in_use="$(ss -ltn 2>/dev/null | awk 'NR>1 {sub(/.*:/,"",$4); print $4}' | sort -un)" | ||
| if ! grep -qx '8081' <<<"$in_use"; then | ||
| printf '%s' '8081' | ||
| return 0 | ||
| fi | ||
| if command -v shuf >/dev/null 2>&1; then | ||
| local picked | ||
| picked="$(comm -23 <(seq 49152 65535) <(printf '%s\n' "$in_use") 2>/dev/null | shuf -n 1)" | ||
| if [[ -n "$picked" ]]; then | ||
| printf '%s' "$picked" | ||
| return 0 | ||
| fi | ||
| fi | ||
| fi | ||
| printf '%s' "$((8082 + RANDOM % 200))" | ||
| } | ||
|
|
Comment on lines
+88
to
+95
| # Tier 5 fallback range: force ss to be missing | ||
| result=$(unset FOP_LOCAL_CI_SERVER_PORT SERVER_PORT 2>/dev/null; PATH=/dev/null allocate_parkhub_server_port 2>/dev/null || true) | ||
| if [[ "$result" =~ ^[0-9]+$ && "$result" -ge 8082 && "$result" -le 8281 ]]; then | ||
| printf 'PASS tier5: fallback in range 8082-8281 (got %s)\n' "$result" | ||
| (( pass++ )) || true | ||
| elif [[ -z "$result" ]]; then | ||
| # ss unavailable path still returns something via arithmetic | ||
| printf 'SKIP tier5: could not isolate (PATH trick neutralised shuf too)\n' |
| --config=osv-scanner.toml \ | ||
| -L Cargo.lock \ | ||
| -L parkhub-web/package-lock.json \ | ||
| --format=table || true |
Comment on lines
+166
to
+169
| - name: Post fop/local-ci/pr status | ||
| if: always() | ||
| env: | ||
| GH_TOKEN: ${{ github.token }} |
Comment on lines
+86
to
+88
| } | ||
|
|
||
| _SERVER_PORT="$(allocate_parkhub_server_port)" |
Owner
Author
|
Superseded by v2 — rebased onto post-#650 main. |
auto-merge was automatically disabled
May 19, 2026 12:44
Pull request was closed
nash87
added a commit
that referenced
this pull request
May 19, 2026
…post-#650 main) (#653) Supersedes #647. Rebased onto post-#650 main; allocator + clippy + lockfile commits dropped as no-ops (they landed via #650 + #648). Clean diff = 2 files = bridge workflow + Gitea mirror. Mirrors parkhub-php PR #511. Unblocks the 5 stuck parkhub-rust Dependabot PRs (#638/#639/#640/#641/#642) once merged. Pushed via HTTPS (parkhub-rust SSH instability documented in memory feedback_parkhub_session_2026_05_19_operational_patterns.md). Co-authored-by: Elly <7864054+nash87@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Mirrors parkhub-php PR #511 (merged 07:40:21Z) — closes the architectural gap that keeps Dependabot bot PRs from satisfying the required
fop/local-ci/prPAT-posted commit status.What
New
.github/workflows/dependabot-local-ci-bridge.yml(+ Gitea mirror). Triggers only on PRs wheregithub.event.pull_request.user.login == "dependabot[bot]". Runs the headless equivalent ofmake ciadapted to the rust gate set:Final step posts
fop/local-ci/pr: success|failureviagh api POST /repos/.../statuses/{sha}matching the local-ci-attestation convention. All actions SHA-pinned, reusing canonical SHAs fromsecurity.yml+ci.yml.Why now
5 stuck Dependabot PRs on parkhub-rust in MERGEABLE+BLOCKED state for days: #638, #639, #640, #641, #642. parkhub-php just shipped its parallel via #511; this PR closes the rust side of the same architectural gap.
Branch base
Built on top of
t-port-allocator(PR #644) which carries the TOTP-replay-guard clippy fix + lettre/devalue/ws lockfile bumps required by the pre-push gauntlet. Once #644 merges, this PR diff vs main reduces to just the bridge workflow + Gitea mirror commit.Verification
Full pre-push gauntlet passed — no
--no-verifybypass.