build(deps): unify dependabot bumps for npm + GitHub Actions#109
Merged
Conversation
Consolidates 11 open Dependabot PRs into one update so the lockfile resolves once and CI runs once. Covers every open bump on main:

npm_and_yarn group
- @biomejs/biome 2.4.14 → 2.4.15 (root)
- @commitlint/cli 21.0.0 → 21.0.1 (root)
- @commitlint/config-conventional 20.5.3 → 21.0.1 (root)
- @types/node 25.6.0/25.6.2 → 25.7.0 (root + 17 workspace packages)
- @astrojs/starlight ^0.38.4 → ^0.39.2 (packages/docs)
- astro ^6.2.1 → ^6.3.1 (packages/docs)
- playwright ^1.59.1 → ^1.60.0 (packages/docs)
- starlight-llms-txt ^0.8.1 → ^0.9.0 (packages/docs)
- fast-xml-parser 5.7.3 → 5.8.0 (packages/ingestion)
- yaml 2.8.4 → 2.9.0 (cli, frameworks, policy, sarif)
- @chonkiejs/core ^0.0.9 → ^0.0.10 (packages/pack)

github_actions group
- actions/cache v4.2.3 → v5.0.5 (och-self-scan.yml)
- sigstore/cosign-installer v3.7.0 → v4.1.2 (release.yml)

Also bumps biome.json $schema URL to 2.4.15 to match the bumped binary (fixes an info-level lint diagnostic after the biome upgrade).

Supersedes #98, #99, #100, #101, #102, #103, #104, #105, #106, #107, #108.

Starlight 0.39 removed support for autogenerate on a label-only group. Wrap each autogenerate config in `items: [{ autogenerate: ... }]` so the sidebar renders under @astrojs/starlight@0.39.2.
theagenticguy added a commit that referenced this pull request May 14, 2026:
… + sbom + coverage-auto; summaries opt-in) (#110)

## Summary

Reshapes `codehub analyze` so a bare invocation produces the full local artifact set agents rely on — graph, SARIF, SBOM, coverage overlay (when present), ownership, cochanges — while keeping the LLM phase opt-in.

Before: `codehub analyze` built the graph; `codehub scan` and `--sbom`/`--coverage` were separate steps the operator had to remember. Agents calling `list_findings` or `verdict` on a fresh index got empty tables because the SARIF hadn't been written yet.

After: one command, one `.codehub/` folder with everything the MCP surface reads. Zero AWS, zero Bedrock, zero LLM calls unless explicitly opted in.

## Default behavior (new)

| Phase | Before | After | Opt-out |
|---|---|---|---|
| Graph (tree-sitter + SCIP + communities + processes + cochanges + ownership + dependencies + detectors) | on | on | — |
| **scan** (Priority-1 scanners → `.codehub/scan.sarif` → graph findings) | **separate command** | **on** | `--no-scan` |
| **sbom** (CycloneDX + SPDX from Dependency nodes) | off | **on** | `--no-sbom` |
| **coverage** (lcov / cobertura / jacoco / coverage.py overlay) | off | **auto** — probe known paths, enable if found | `--no-coverage` |
| **summaries** (Bedrock LLM narrative summaries) | **on** | **off** — fully opt-in | `--summaries` to enable |
| embeddings | off | off | `--embeddings` to enable |

`--offline` flag continues to work: network-backed scanners (osv-scanner, grype, npm/pip audit) self-skip, so the scan default stays honest for air-gapped runs.

## Why

A bare `codehub analyze` should be the dependable foundation of every agent workflow. Before this change, calling `list_findings` or `verdict` on a fresh analyze returned empty — the SARIF hadn't been written yet. Operators either knew to chain `codehub analyze && codehub scan`, or silently got the degraded experience. Folding scan into analyze makes the MCP surface work on day one.

`sbom` and `coverage` follow the same logic: the cost of producing them is negligible when the data is already in the graph, and every downstream audit wants them. Coverage auto-detect is the key wrinkle — we silently skip when no report exists so repos without tests don't get warnings, and force-on (`--coverage`) still warns to catch setup errors.

## Commits

1. `feat(cli)!: make codehub analyze fast by default; summaries are opt-in` — flips `--summaries` default from ON to OFF; adds `CODEHUB_BEDROCK_SUMMARIES=1` env opt-in; fixes a latent bug where the CLI collapsed `--summaries=true` to `undefined` before forwarding.
2. `feat(cli)!: scan + sbom default on; coverage auto-detects reports` — folds `runScan()` into `runAnalyze` as a best-effort step; flips `--sbom` default to ON; adds `resolveCoverageEnabled` + `detectCoverageReport` for silent auto-detect.

## Precedence — summaries

| `CODEHUB_BEDROCK_DISABLED=1` | `flag=true` | `flag=false` | `CODEHUB_BEDROCK_SUMMARIES=1` | result |
|---|---|---|---|---|
| yes | any | any | any | **off** |
| no | yes | — | any | on |
| no | no | yes | any | **off** |
| no | unset | unset | yes | on |
| no | unset | unset | no | **off (new default)** |

## Changes

- `resolveSummariesEnabled()` — truth table flipped, new env opt-in.
- `resolveSbomEnabled()` — trivial default-on.
- `resolveScanEnabled()` — trivial default-on.
- `resolveCoverageEnabled()` + `detectCoverageReport()` — auto-detect lcov / cobertura / jacoco / coverage.py at the same candidate paths the ingestion phase uses.
- `runAnalyze` — invokes `runScan()` (from `./scan.js`) as a best-effort step at the end, logs findings count, writes `.codehub/scan.sarif`. Scanner failure logs-and-continues so analyze never regresses the graph over a flaky scanner.
- CLI entry — forwards three-state `sbom`/`coverage`/`scan` opts, adds `--no-sbom` / `--no-coverage` / `--no-scan`.
- Tests — 26 new unit tests (3 × sbom, 3 × scan, 7 × detectCoverageReport, 4 × resolveCoverageEnabled, 9 × resolveSummariesEnabled).
- Docs — `reference/cli.md` and `guides/indexing-a-repo.md` updated.

## Verification

- `pnpm typecheck` — green across 19 workspace projects.
- `pnpm lint` — green. (The one `info` diagnostic is the stale Biome `$schema` URL fixed in #109.)
- `pnpm -r test` — **2,044 tests pass** (was 2,027 on main; +26 new / -9 replaced).
- Pre-push hook: typecheck + test passed. `verdict` flagged this PR as `dual_review` (2 symbols / 4 communities / 28 symbols affected) — expected for a breaking CLI change; surfaced here for reviewer awareness, not a CI failure.

### Smoke test on a fresh 2-function TS repo (bare `codehub analyze`)

```
codehub scan: running 5 scanner(s): semgrep, betterleaks, osv-scanner, detect-secrets, grype
codehub ingest-sarif: 5 findings, 5 edges from .codehub/scan.sarif
codehub analyze: scan — 5 scanner(s), 5 finding(s), sarif=.codehub/scan.sarif
codehub analyze: smoke-repo — 7 nodes, 6 edges, graph f66a5d27, total ~10s
```

`.codehub/` now contains: `graph.lbug`, `temporal.duckdb`, `meta.json`, `scan.sarif`, `sbom.cyclonedx.json`, `sbom.spdx.json`, `scan-state.json`, `parse-cache/`. Previously it contained only `graph.*`, `meta.json`, and `parse-cache/`. `--no-scan --no-sbom` reproduces the pre-flip fast path (~727 ms).

Opt-in Bedrock path:

```
CODEHUB_BEDROCK_SUMMARIES=1 codehub analyze /tmp/smoke-repo --max-summaries 0 --verbose
codehub analyze: summarize — considered=2, skippedUnconfirmed=2, cacheHits=0, summarized=0, wouldHaveSummarized=0, failed=0
```

## BREAKING CHANGES

- Bare `codehub analyze` no longer runs the summarize phase. Workflows depending on implicit summarization must add `--summaries` or set `CODEHUB_BEDROCK_SUMMARIES=1`. `CODEHUB_BEDROCK_DISABLED=1` continues to work unchanged.
- Bare `codehub analyze` now runs Priority-1 scanners and emits SBOMs. Pass `--no-scan` / `--no-sbom` for the pre-flip graph-only behavior. Workflows that previously chained `codehub analyze && codehub scan` still work; the chained scan is now redundant.

## Test plan

- [x] Resolver truth tables covered by unit tests.
- [x] Coverage auto-detect covered for all 5 candidate paths + miss + priority order.
- [x] `pnpm -r test` — 2,044 passing, 0 fails.
- [x] Smoke-tested end-to-end: default, `--no-scan --no-sbom`, `--coverage` with report, `--summaries`, `CODEHUB_BEDROCK_SUMMARIES=1`, and kill-switch all behave as specified.
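The precedence table and the coverage auto-detect rule in the commit message above, as an added TypeScript example that is not the codehub project's own code: a pure-function model of three-state flag parsing (`--x` / `--no-x` / absent, keeping an explicit `--x=true` from collapsing to `undefined`), the summaries kill switch, the default-on scan/sbom resolvers, and the silent-skip versus forced-warn coverage decision. The function names come from the commit message; the candidate report paths, the `TriState`/`Env` types and the injected `FileExists` probe are assumptions for the demo, not the ingestion phase's real list or the CLI's real option plumbing.

```typescript
// Added example (not the codehub project's code): a pure-function model of the
// resolver rules in commit #110. Env and filesystem access are injected so the
// file runs stand-alone; the candidate path list is an assumption for the demo.

export type TriState = boolean | undefined; // true = --x, false = --no-x, undefined = absent
export type Env = Record<string, string | undefined>;

/** Parse `--name`, `--name=true|false` and `--no-name`. An explicit
 *  `--name=true` must survive as `true` rather than collapsing to `undefined`
 *  (the latent forwarding bug the commit message mentions). Last one wins. */
export function parseTriState(argv: readonly string[], name: string): TriState {
  let value: TriState = undefined;
  for (const arg of argv) {
    if (arg === `--${name}` || arg === `--${name}=true`) value = true;
    else if (arg === `--no-${name}` || arg === `--${name}=false`) value = false;
  }
  return value;
}

/** Summaries: the kill switch wins, then an explicit flag, then the env opt-in, else off. */
export function resolveSummariesEnabled(flag: TriState, env: Env): boolean {
  if (env.CODEHUB_BEDROCK_DISABLED === "1") return false;
  if (flag !== undefined) return flag;
  return env.CODEHUB_BEDROCK_SUMMARIES === "1";
}

/** scan and sbom: default on; only an explicit `--no-x` turns them off. */
export function resolveDefaultOn(flag: TriState): boolean {
  return flag !== false;
}

export type CoverageFormat = "lcov" | "cobertura" | "jacoco" | "coverage.py";
export interface CoverageCandidate { path: string; format: CoverageFormat }

// ASSUMED candidate list, in priority order. The real ingestion-phase list is
// not on the page; these are common conventional report locations.
export const COVERAGE_CANDIDATES: readonly CoverageCandidate[] = [
  { path: "coverage/lcov.info", format: "lcov" },
  { path: "coverage/cobertura-coverage.xml", format: "cobertura" },
  { path: "coverage.xml", format: "cobertura" },
  { path: "target/site/jacoco/jacoco.xml", format: "jacoco" },
  { path: ".coverage", format: "coverage.py" },
];

/** Injected filesystem probe (for example `existsSync` bound to the repo root). */
export type FileExists = (relPath: string) => boolean;

/** First existing candidate wins, so list order is the priority order. */
export function detectCoverageReport(
  exists: FileExists,
  candidates: readonly CoverageCandidate[] = COVERAGE_CANDIDATES,
): CoverageCandidate | undefined {
  return candidates.find((c) => exists(c.path));
}

export interface CoverageDecision { enabled: boolean; report?: CoverageCandidate; warning?: string }

/** `--no-coverage`: off. `--coverage`: on, and warn when nothing is found so a
 *  broken setup is visible. Absent: auto, enabled only if a report exists, and
 *  a miss is silent so repos without tests get no warning. */
export function resolveCoverageEnabled(flag: TriState, exists: FileExists): CoverageDecision {
  if (flag === false) return { enabled: false };
  const report = detectCoverageReport(exists);
  if (flag === true) {
    return report
      ? { enabled: true, report }
      : { enabled: true, warning: "--coverage requested but no coverage report found at any candidate path" };
  }
  return report ? { enabled: true, report } : { enabled: false };
}

/** Walks the five rows of the precedence table, top to bottom, and returns each result. */
export function summariesTruthTable(): boolean[] {
  const rows: Array<[Env, TriState]> = [
    [{ CODEHUB_BEDROCK_DISABLED: "1", CODEHUB_BEDROCK_SUMMARIES: "1" }, true], // kill switch beats everything
    [{}, true],                                                               // explicit --summaries
    [{ CODEHUB_BEDROCK_SUMMARIES: "1" }, false],                              // explicit --no-summaries beats env opt-in
    [{ CODEHUB_BEDROCK_SUMMARIES: "1" }, undefined],                          // env opt-in
    [{}, undefined],                                                          // new default
  ];
  return rows.map(([env, flag]) => resolveSummariesEnabled(flag, env));
}
// summariesTruthTable() → [false, true, false, true, false]
```

Keeping the resolvers pure (env and filesystem passed in rather than read from `process`) is what makes a truth table like the one in the commit message cheap to pin down in unit tests; the same shape also makes the kill switch easy to audit, since `CODEHUB_BEDROCK_DISABLED` is checked before anything else can turn the LLM phase on.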
## Summary

Consolidates all 11 open Dependabot PRs into one unified update so the lockfile resolves once, CI runs once, and review is a single place.

Supersedes: #98, #99, #100, #101, #102, #103, #104, #105, #106, #107, #108.

### npm_and_yarn group

- `@biomejs/biome` 2.4.14 → 2.4.15 (root)
- `@commitlint/cli` 21.0.0 → 21.0.1 (root)
- `@commitlint/config-conventional` 20.5.3 → 21.0.1 (root)
- `@types/node` 25.6.0 / 25.6.2 → 25.7.0 (root + 17 workspace packages)
- `@astrojs/starlight` ^0.38.4 → ^0.39.2 (packages/docs)
- `astro` ^6.2.1 → ^6.3.1 (packages/docs)
- `playwright` ^1.59.1 → ^1.60.0 (packages/docs)
- `starlight-llms-txt` ^0.8.1 → ^0.9.0 (packages/docs)
- `fast-xml-parser` 5.7.3 → 5.8.0 (packages/ingestion)
- `yaml` 2.8.4 → 2.9.0 (cli, frameworks, policy, sarif)
- `@chonkiejs/core` ^0.0.9 → ^0.0.10 (packages/pack)

### github_actions group

- `actions/cache` v4.2.3 → v5.0.5 (.github/workflows/och-self-scan.yml)
- `sigstore/cosign-installer` v3.7.0 → v4.1.2 (.github/workflows/release.yml)

### Follow-ups (required for Starlight 0.39)

- `biome.json`: bump `$schema` URL to `2.4.15` so Biome stops emitting the mismatch info diagnostic.
- `packages/docs/astro.config.mjs`: migrate sidebar groups to the v0.39 shape (`items: [{ autogenerate: { directory: ... } }]`). Starlight 0.39 removed support for `autogenerate` on a label-only group; the docs build fails without this change.

## Test plan

- `pnpm install --lockfile-only` regenerates the lockfile cleanly.
- `pnpm install` succeeds (no peer-dep breakage).
- `pnpm typecheck` passes across all 19 workspace projects.
- `pnpm lint` passes (Biome 2.4.15 — 0 findings after `$schema` bump).
- `pnpm -r build` passes, including `@opencodehub/docs` on Starlight 0.39.2.
- `pnpm -r test` passes (full suite green; the earlier storage failure was stale `dist/` from the prior lockfile — rebuilt and re-tested).
- (verdict + typecheck + test) passed on the final push.
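The sidebar change described in the follow-ups, as an added TypeScript example that is not the project's `astro.config.mjs`: a small migration helper that rewrites the pre-0.39 group shape (`{ label, autogenerate }`) into the 0.39 shape (`{ label, items: [{ autogenerate }] }`), recursing into nested groups and leaving links and already-migrated groups untouched, plus a guard that reports whether any legacy group remains. The only shape taken from the page is the `items: [{ autogenerate: { directory: ... } }]` form; the entry types and the sample sidebar are simplified assumptions constructed for the demo.

```typescript
// Added example, not the project's astro.config.mjs: a migration helper for the
// Starlight 0.39 sidebar shape change described in the PR. The only shape taken
// from the page is `items: [{ autogenerate: { directory: ... } }]`; the entry
// types below are simplified assumptions for the demo.

export interface AutogenerateSpec { directory: string }
export interface LinkEntry { label: string; link: string }
/** Pre-0.39 shape: a label-only group carrying `autogenerate` directly. */
export interface LegacyGroup { label: string; autogenerate: AutogenerateSpec; collapsed?: boolean }
/** 0.39 shape: the autogenerate spec lives inside `items`. */
export interface AutogenerateItem { autogenerate: AutogenerateSpec }
export interface Group { label: string; items: SidebarEntry[]; collapsed?: boolean }
export type SidebarEntry = LinkEntry | LegacyGroup | AutogenerateItem | Group;

function isLegacyGroup(e: SidebarEntry): e is LegacyGroup {
  return "label" in e && "autogenerate" in e && !("items" in e);
}
function isGroup(e: SidebarEntry): e is Group {
  return "items" in e;
}

/** Rewrite `{ label, autogenerate }` to `{ label, items: [{ autogenerate }] }`,
 *  recursing into nested groups. Links and already-migrated groups pass through
 *  unchanged, so running the migration twice is a no-op. */
export function migrateSidebar(entries: SidebarEntry[]): SidebarEntry[] {
  return entries.map((entry): SidebarEntry => {
    if (isLegacyGroup(entry)) {
      const { autogenerate, ...rest } = entry;
      return { ...rest, items: [{ autogenerate }] };
    }
    if (isGroup(entry)) return { ...entry, items: migrateSidebar(entry.items) };
    return entry;
  });
}

/** Build-time guard: true if any group (at any depth) still uses the legacy shape. */
export function hasLegacyGroups(entries: SidebarEntry[]): boolean {
  return entries.some((e) => isLegacyGroup(e) || (isGroup(e) && hasLegacyGroups(e.items)));
}

// Constructed sample sidebar in the pre-0.39 shape (not the docs site's real config).
export const legacySidebar: SidebarEntry[] = [
  { label: "Guides", autogenerate: { directory: "guides" } },
  { label: "Reference", collapsed: true, autogenerate: { directory: "reference" } },
  {
    label: "More",
    items: [
      { label: "Project site", link: "https://example.com/" },
      { label: "Nested", autogenerate: { directory: "nested" } },
    ],
  },
];

// The same sidebar in the 0.39 shape, ready to drop into `starlight({ sidebar })`.
export const migratedSidebar: SidebarEntry[] = migrateSidebar(legacySidebar);
```

Running `hasLegacyGroups` over the config at build time turns the silent "sidebar does not render" failure into an explicit error before the docs package is published, which is the check worth keeping after a framework minor that drops a config shape.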