Skip to content

Fork-path validation: fix deploy bug, add CONTRIBUTING, patch README#30

Merged
jeftekhari merged 1 commit into
mainfrom
docs/fork-path-validation
Apr 18, 2026
Merged

Fork-path validation: fix deploy bug, add CONTRIBUTING, patch README#30
jeftekhari merged 1 commit into
mainfrom
docs/fork-path-validation

Conversation

@jeftekhari

@jeftekhari jeftekhari commented Apr 18, 2026

Copy link
Copy Markdown
Contributor

Third and final open-source-readiness blocker. Dry-ran the fork path from a fresh clone, surfaced a real deploy-workflow bug, patched it, then updated docs so the intended flow is actually the documented flow.

What the dry-run revealed

Cloned upstream into /tmp/fresh-fork, ran the README steps. npm install was clean (3s, 127 packages). wrangler dev --local booted and served /health + / correctly against the committed placeholder KV id. Then I checked what .github/workflows/deploy.yml actually does with secrets.

Bug: the ORG_NAME sed uncommented ORG_NAME = "..." but left [vars] commented. Result:

# [vars]
ORG_NAME = "Acme"

ORG_NAME landed at top-level TOML, not inside [vars]. c.env.ORG_NAME in the worker was always undefined for any forker who set the repo variable. Nobody noticed because the upstream runs without ORG_NAME most of the time and the header subtitle silently falls back to empty.

Fix

  • Drop the ORG_NAME sed. Pass ORG_NAME (and now GRC_AUDIENCE, for fork-specific OIDC audience scoping) via wrangler deploy --var KEY:VALUE. Binds cleanly regardless of TOML structure, no-op when the repo var is unset.
  • Preflight step fails fast with ::error:: when CLOUDFLARE_API_TOKEN or CLOUDFLARE_KV_ID is missing. Previous failure mode was an opaque wrangler auth error or the literal YOUR_KV_NAMESPACE_ID getting sent to the CF API — neither pointed forkers back at their Repo Settings.
  • Kept the KV-id sed: narrow string substitution that works correctly.

Docs

  • README Setup split into two clearly labelled paths: "Auto-deploy (production)" and "Local-only (development)". Previously intermixed. Documents every secret + variable a forker needs, with links to the Cloudflare dashboard where they're created.
  • GRC_AUDIENCE listed as an optional repo variable. Deploy workflow and README now describe the fork-scoping pattern consistently.
  • CONTRIBUTING.md (new) — dev loop for scanner and dashboard, .dev.vars instructions for local OIDC bypass, three extension-point walkthroughs (scan rule, policy template, framework). Idempotency rules for templates spelled out so contributors don't accidentally produce noisy commits on every scan. Linked from the README's new Contributing section.
  • Checklist items closed: Validate the fork path end-to-end; Contributing guide; How to add scan rules; How to add policy templates.

Side cleanup

npm audit fix bumped hono past the moderate HTML-injection advisory (GHSA-458j-xx4x-4375). Lockfile-only change, no source edits.

Test plan

  • Fresh clone → npm install (3s, 127 pkgs, no errors)
  • wrangler dev --local boots against placeholder KV id → /health 200 + / renders empty-state 200
  • npm run scan -- . post-hono-bump: no behaviour change
  • npx tsx scripts/smoke-dashboard.ts post-hono-bump: passes
  • After merge: deploy workflow runs on main with real secrets — confirm the workflow logs show the preflight step succeeding, the KV id inject succeeding, and wrangler deploy --var ORG_NAME:... being called with the right value.
  • Open the live dashboard after deploy — confirm the header subtitle shows the ORG_NAME (bug fix verification).

Open-source-readiness status after this merge

All three original items closed:

  1. ✅ Auth (PR Auth: GitHub OIDC verification on POST /api/report #28)
  2. ✅ CI (PR CI: smoke tests for scanner + dashboard render paths #29)
  3. ✅ Fork-path validation (this PR)

Remaining softer items are tracked in the checklist — no more blockers for a public announcement.

@jeftekhari
Fork-path validation: fix deploy workflow bug, add CONTRIBUTING, patc…
b504322 
…h README

Third open-source-readiness blocker. Dry-ran the fork path
from a fresh clone, surfaced a real deploy-workflow bug,
patched it, then updated docs so the intended flow is
actually the documented flow.

## What was broken

The ORG_NAME sed in .github/workflows/deploy.yml uncommented
`ORG_NAME = "..."` but left `[vars]` commented. Post-sed:

    # [vars]
    ORG_NAME = "Acme"

ORG_NAME ended up as a top-level TOML key instead of inside
[vars], so `c.env.ORG_NAME` in the worker was always undefined.
Nobody noticed because the upstream dashboard ran without
ORG_NAME set most of the time, and the header subtitle silently
fell back to an empty string.

Any forker who set `ORG_NAME` as a repo variable expecting it to
show up in the dashboard header would have gotten zero signal
that the sed was broken.

## Fix

- **Drop the ORG_NAME sed entirely.** Pass ORG_NAME (and now
  GRC_AUDIENCE, for fork-specific OIDC audience scoping) via
  `wrangler deploy --var KEY:VALUE`. `--var` binds cleanly
  regardless of the TOML structure and is a no-op when the
  repo var is unset.
- **Preflight step** that fails fast with a clear
  `::error::` message when `CLOUDFLARE_API_TOKEN` or
  `CLOUDFLARE_KV_ID` is missing. Prior behaviour was a cryptic
  wrangler auth failure or a literal `YOUR_KV_NAMESPACE_ID`
  being sent to the CF API — neither pointed back at the
  forker's repo settings.
- Kept the KV id sed: that's a narrow string substitution
  that works correctly (the placeholder is structurally
  distinct and the file stays valid).

## Docs

- **README Setup rewrite.** Split into two clearly-labelled
  paths: "Auto-deploy (production)" step-by-step, and
  "Local-only (development)". Previously the two were
  intermixed, which made the fork path ambiguous. Documents
  exactly which secrets and vars to set and where they live
  in the Repo Settings UI.
- **GRC_AUDIENCE** now listed as an optional repo variable.
  Both the deploy workflow and the README describe the
  fork-scoping pattern consistently.
- **CONTRIBUTING.md** (new) — dev loop for scanner and
  dashboard, .dev.vars instructions for local OIDC bypass,
  and three extension-point walkthroughs (add a scan rule,
  add a policy template, add a framework). Idempotency
  rules for templates spelled out so future contributors
  don't accidentally produce noisy commits on every scan.
  Linked from the README.
- **Implementation checklist** items closed: fork-path
  validation, contributing guide, how-to-add-scan-rules,
  how-to-add-policy-templates.

## Side cleanup

`npm audit fix` bumped `hono` past the moderate
HTML-injection advisory (GHSA-458j-xx4x-4375). Backwards-
compatible lockfile change only, no source edits required.

## Verified

- Fresh clone → `npm install` (3s, 127 packages, no errors).
- `wrangler dev --local` boots against the committed
  placeholder KV id and serves `/health` (200) + `/`
  (empty-state 200).
- `npm run scan -- .` and `npx tsx scripts/smoke-dashboard.ts`
  both pass after the hono bump — no behaviour regression.

## Not tested here

The live CF deploy path (needs real secrets in a real fork).
The workflow changes are small enough to review by inspection;
first fork that sets the secrets will exercise them end-to-end.
@jeftekhari jeftekhari merged commit 70e346d into main Apr 18, 2026
1 check passed
@jeftekhari jeftekhari mentioned this pull request Apr 20, 2026
Merged
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jeftekhari