ci: add PR-triggered CI workflow and CODEOWNERS #21

Merged
MrAlders0n merged 1 commit into dev from chore/repo-hardening
Apr 14, 2026

@MrAlders0n
Contributor

Summary

  • Adds .github/workflows/ci.yml — runs flutter analyze and flutter test on every PR against main or dev
  • Adds .github/CODEOWNERS routing all review requests to @MrAlders0n
  • Part of a broader repo hardening pass ahead of granting Write access to a new collaborator

Why this is safe

  • Workflow uses permissions: contents: read (least privilege)
  • Workflow uses pull_request (not pull_request_target) so PRs from forks run against PR HEAD, not base
  • Does not inject API_KEY — analyze/test don't need it, keeps the secret invisible to fork PRs
  • No github.event.* data is interpolated into run: steps (no injection surface)

Follow-up (not in this PR)

  • After this CI run goes green at least once, mark Analyze & Test as a required status check on main and dev
  • Branch protection updates (dismiss stale reviews, require_code_owner_reviews, require_last_push_approval, required_conversation_resolution) and tag protection ruleset will be applied via API after this PR lands

Test plan

  • CI workflow runs and shows Analyze & Test job
  • @MrAlders0n is auto-requested as reviewer (verifies CODEOWNERS is wired up)
  • flutter analyze passes
  • flutter test passes

🤖 Generated with Claude Code

Adds a new CI workflow that runs flutter analyze and flutter test on
every PR targeting main or dev, and a CODEOWNERS file routing all
review requests to @MrAlders0n. Combined with branch protection updates
(require_code_owner_reviews), this enforces owner approval on every
incoming PR before merge.

The workflow uses least-privilege contents:read permissions and does
not inject API_KEY, since analyze/test do not need it and keeping it
out of PR runs prevents fork-PR exposure.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@MrAlders0n MrAlders0n merged commit 2a5ae74 into dev Apr 14, 2026
1 check failed
@MrAlders0n MrAlders0n deleted the chore/repo-hardening branch April 14, 2026 02:33
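
An added example, not part of this pull request or the repository's code: a small Python check for the four properties listed under "Why this is safe", run over two constructed workflow files. It is a line-based heuristic rather than a YAML parser, and the sample YAML, `audit_workflow` and the finding strings are assumptions made for illustration.

```python
import re
# Constructed sample workflows for illustration; not the repository's ci.yml.
SAFE = """\
on:
  pull_request:
permissions:
  contents: read
jobs:
  analyze-test:
    runs-on: ubuntu-latest
    steps:
      - run: flutter analyze
      - run: flutter test
"""
RISKY = """\
on:
  pull_request_target:
jobs:
  analyze-test:
    runs-on: ubuntu-latest
    steps:
      - run: |
          echo "${{ github.event.pull_request.title }}"
        env:
          API_KEY: ${{ secrets.API_KEY }}
"""

def audit_workflow(text):
    """Line-based heuristic (not a YAML parser): list violations of the four properties."""
    lines = [l for l in text.splitlines() if not l.lstrip().startswith("#")]
    body = "\n".join(lines)
    findings = []
    if re.search(r"\bpull_request_target\b", body):
        findings.append("trigger: pull_request_target")
    if not re.search(r"^permissions\s*:", body, re.M):
        findings.append("permissions: no top-level block")
    if re.search(r":\s*write(-all)?\s*$", body, re.M):
        findings.append("permissions: write scope granted")
    for name in sorted(set(re.findall(r"\$\{\{\s*secrets\.(\w+)", body))):
        findings.append(f"secret: {name}")  # every referenced secret is listed
    run_col = None  # column of the current `run:` key while inside its scalar
    for line in lines:
        if re.match(r"\s*(?:-\s+)?run\s*:", line):
            run_col = line.index("run")
        elif run_col is not None and line.strip() and len(line) - len(line.lstrip()) <= run_col:
            run_col = None  # dedent: left the run step
        if run_col is not None and re.search(r"\$\{\{\s*github\.event\.", line):
            findings.append("injection: github.event.* in run step")
    return findings
```

Event data passed through a step's `env:` mapping and read as a shell variable is not flagged, since only interpolation inside the `run:` text is expanded into the script before the shell sees it.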