fix: repo health cleanup — dead code, stale refs, CI hygiene #162

Merged

Jesssullivan merged 5 commits into main from fix/repo-health-cleanup on Mar 26, 2026

Conversation

@Jesssullivan
Collaborator

Summary

  • -507 net LOC across 32 files
  • Remove 5 dead files (434 LOC): unused scripts, stale overlay, dead workflow
  • Rename 16 stale Jesssullivan/attic-iac URLs → tinyland-inc/GloriousFlywheel
  • Remove all dead MinIO CI logic (use_minio conditionals, health checks, docs)
  • Fix dashboard: remove dead MinIO Prometheus queries, use configurable namespace
  • Pin trivy-action and trufflehog to release SHAs (supply-chain risk)
  • Add concurrency groups to 4 workflows
  • Fix broken custom action paths (./github/ → ./.github/)

Commits

  1. chore: remove dead code — 434 LOC of unused scripts, overlays, workflow
  2. fix: rename URLs — 16 stale Jesssullivan references
  3. fix(ci): remove dead MinIO logic — ~74 LOC from CI, update docs to RustFS
  4. fix(dashboard): remove MinIO queries — configurable namespace
  5. fix(ci): pin actions, concurrency, action paths — supply-chain + hygiene

Test plan

  • bazel test //... passes
  • nix flake check passes
  • CI validation workflow passes
  • Dashboard builds without MinIO query imports

- scripts/test-abstraction.sh (141 LOC, unreferenced)
- scripts/generate-attic-token.sh (142 LOC, unreferenced)
- scripts/lib/config.sh (53 LOC, only used by dead test-abstraction)
- nix/overlays/default.nix (46 LOC, never imported by flake.nix)
- .github/workflows/test-arc-runners.yml (triggers on non-existent branch)

Bulk update 16 stale URL references across docs, flake.nix, BUILD.bazel, release workflow, and link checker config.

- Remove use_minio conditionals from plan/apply/drift CI jobs
- Remove minio-operator debug checks and health checks
- Remove ghost minio-operator/minio-tenant doc entries, add rustfs
- Update Justfile and health-check.sh
- Net ~74 LOC removed from CI alone

- Remove minioStorageUsed/minioObjectCount (MinIO replaced by RustFS)
- Replace 8 hardcoded "attic-cache" strings with CACHE_NS env variable

- Pin trivy-action and trufflehog to release SHAs (supply-chain risk)
- Add concurrency groups to validate, build-image, secrets-scan, deploy
- Fix broken ./github/ → ./.github/ paths in custom actions
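Added example, not code from this PR or the GloriousFlywheel repository: a small check for the two CI-hygiene problems the last commit fixes, `uses:` references on mutable branches (`@master`, `@main`) that should be SHA-pinned, and local action paths written as `./github/` instead of `./.github/`. The workflow text and the 40-hex SHA below are constructed samples.

```python
import re

# Constructed sample workflow (not a file from the GloriousFlywheel repository). It mixes the
# cases this PR touches: mutable branch refs, a release tag, a full SHA pin, and local
# composite-action paths including the broken "./github/" form.
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@master
      - uses: trufflesecurity/trufflehog@main
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567  # v0.35.0
      - uses: ./github/actions/setup-env
      - uses: ./.github/actions/setup-env
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*[\"']?([^\s\"'#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
MUTABLE_REFS = {"master", "main", "develop", "latest"}

def classify(ref):
    """Classify one `uses:` reference by how much its target can drift under the workflow."""
    if ref.startswith("./"):
        # Local actions live under .github/; a "./github/" path resolves to nothing.
        return "local-ok" if ref.startswith("./.github/") else "local-broken-path"
    if ref.startswith("docker://"):
        return "docker"
    if "@" not in ref:
        return "unpinned"
    version = ref.rsplit("@", 1)[1]
    if SHA_RE.match(version):
        return "sha-pinned"       # immutable: the upstream maintainer cannot move a commit id
    if version in MUTABLE_REFS:
        return "mutable-branch"   # tracks whatever the upstream branch points at right now
    return "tag"                  # tags can be re-pointed too, but less routinely than branches

def audit_workflow(text):
    """Return (ref, classification) for every `uses:` line in a workflow file."""
    results = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if m:
            results.append((m.group(1), classify(m.group(1))))
    return results

def findings(text):
    """Only the references a reviewer should block on."""
    block = {"mutable-branch", "unpinned", "local-broken-path"}
    return [ref for ref, kind in audit_workflow(text) if kind in block]
```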
@greptile-apps

greptile-apps bot commented Mar 26, 2026

Greptile Summary

This is a broad repo-health cleanup PR (-507 net LOC across 32 files) that removes dead MinIO CI logic, renames 16 stale Jesssullivan/attic-iac URLs to tinyland-inc/GloriousFlywheel, pins two mutable action references (trivy-action@master, trufflehog@main) to release SHAs, adds concurrency groups to four workflows, and fixes two broken custom-action paths (./github/ → ./.github/). The changes are largely mechanical and low-risk, but two issues warrant attention before merge:

- Broken release install instructions (release.yml): The clone URL was updated to GloriousFlywheel but the subsequent cd attic-iac was not changed. Published release notes will fail for anyone following the quickstart.
- Security gate weakened by cancellation (secrets-scan.yml): The new cancel-in-progress: true concurrency setting can cancel an in-progress TruffleHog scan if a rapid second push lands on the same branch, potentially leaving commits unscanned. Security workflows are typically better served by cancel-in-progress: false.

Everything else — supply-chain pinning, MinIO removal, URL renames, action-path fixes — looks correct and well-scoped.

Confidence Score: 3/5

Two targeted fixes needed before merge: a broken cd in release notes and cancel-in-progress: true on the secrets-scan workflow.

The vast majority of changes are safe, mechanical cleanups. However the stale cd attic-iac will cause published release instructions to fail (a concrete, reproducible bug), and flipping cancel-in-progress: true on the secrets-scan workflow introduces a real, if narrow, security gap. Both are one-line fixes, but the security implication bumps the score down to 3.

.github/workflows/release.yml (broken cd command) and .github/workflows/secrets-scan.yml (cancel-in-progress on security gate).

Important Files Changed

| Filename | Overview |
| --- | --- |
| .github/workflows/release.yml | URL updated from attic-iac to GloriousFlywheel, but the cd attic-iac directory command on the next line was not updated — published release notes will have broken install instructions. |
| .github/workflows/secrets-scan.yml | TruffleHog pinned to SHA (good supply-chain fix), but the added cancel-in-progress: true concurrency setting could cause secret scans to be skipped when multiple pushes race on the same branch. |
| .github/workflows/build-image.yml | Pins all three trivy-action@master uses to a specific SHA (v0.35.0) and adds a concurrency group; correct supply-chain hygiene improvements. |
| app/src/lib/server/prometheus/queries.ts | Removes two hardcoded MinIO Prometheus queries and replaces the hardcoded attic-cache namespace string with a configurable CACHE_NS env-var constant; clean and correct. |
| app/src/routes/api/cache/+server.ts | Removes the two MinIO Prometheus queries from the Promise.all and sets storage fields to null; the API shape is preserved, callers handle null gracefully. |
| .gitlab/ci/jobs/tofu-apply.gitlab-ci.yml | Removes the use_minio conditional guard and always passes S3 vars; also removes the minio-operator import step; aligns with the MinIO → RustFS migration. |
| docs/architecture/bazel-version-policy.md | Two gf-overlay rows replaced by one tinyland-infra row, but a pre-existing tinyland-infra row remains, leaving two ambiguous duplicate entries in the version matrix table. |
| nix/overlays/default.nix | Deleted 46-LOC placeholder/stub overlay file; only contained a placeholder comment and two never-referenced wrappers. |

Reviews (1): Last reviewed commit: "fix(ci): pin actions to SHA, add concurr..."

git clone --branch ${{ github.ref_name }} https://github.com/Jesssullivan/attic-iac.git
git clone --branch ${{ github.ref_name }} https://github.com/tinyland-inc/GloriousFlywheel.git
cd attic-iac
cp config/organization.example.yaml config/organization.yaml
P1 Stale directory name in install instructions

The clone URL was updated from Jesssullivan/attic-iac to tinyland-inc/GloriousFlywheel, but the cd attic-iac command on the following line was not updated. After running git clone https://github.com/tinyland-inc/GloriousFlywheel.git, the local directory will be named GloriousFlywheel, so cd attic-iac will fail for anyone following these release notes.

Suggested change
cp config/organization.example.yaml config/organization.yaml
cd GloriousFlywheel

Comment on lines +13 to +15
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

P1 cancel-in-progress: true undermines secret detection coverage

Adding cancel-in-progress: true to the secrets-scan workflow creates a race condition: if two pushes arrive on the same branch in quick succession, the first scan is cancelled and the new one starts from the latest commit. Depending on how TruffleHog resolves its scan range, commits introduced by the cancelled run may never be fully scanned.

For availability workflows (build, deploy, validate) cancel-in-progress: true is the right trade-off, but for a security gate the cost of a cancelled run is higher than the cost of a redundant one. Consider setting it to false:

Suggested change
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: false
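The race described in the P1 comment above, worked through as an added model (not code from Greptile, this PR, or TruffleHog). It assumes each run scans only the `before..after` range of the push that queued it, which is one way the comment's "depending on how TruffleHog resolves its scan range" can turn out, and that a cancelled run reports nothing; the commit history is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Push:
    """One push event; GitHub exposes the previous head as `before` and the new head as `after`."""
    before: str
    after: str

# Constructed linear history on one branch, A -> B -> C (not commits from this PR).
HISTORY = ["A", "B", "C"]

def commits_between(before, after):
    """Commits reachable from `after` but not from `before` on the linear history above."""
    lo, hi = HISTORY.index(before), HISTORY.index(after)
    return HISTORY[lo + 1 : hi + 1]

def scanned_commits(pushes, cancel_in_progress):
    """Model one concurrency group keyed on the branch ref.

    Assumptions: a run scans only the before..after range of its own push, and pushes
    arrive faster than a run finishes. With cancel-in-progress true every run but the
    last is cancelled before it reports; with false the later runs queue behind it instead.
    """
    scanned = set()
    for i, push in enumerate(pushes):
        superseded = cancel_in_progress and i < len(pushes) - 1
        if not superseded:
            scanned.update(commits_between(push.before, push.after))
    return scanned

def unscanned_commits(pushes, cancel_in_progress):
    """Commits that were pushed but never covered by a completed scan."""
    pushed = set()
    for push in pushes:
        pushed.update(commits_between(push.before, push.after))
    return sorted(pushed - scanned_commits(pushes, cancel_in_progress))

# Two pushes in quick succession on the same branch: first A..B, then B..C.
RAPID_PUSHES = [Push("A", "B"), Push("B", "C")]
```

With cancel-in-progress true the A..B run is cancelled and the B..C run never looks at B, so B is pushed but unscanned; with false both ranges are covered.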

Comment on lines +18 to 19
| tinyland-infra | 7.4.0 | Bzlmod | Aligned |
| tinyland-infra | inherited | local_path_override | Consumer |
P2 Duplicate tinyland-infra entry in version matrix

The two gf-overlay rows were collapsed into a single new tinyland-infra | 7.4.0 | Bzlmod | Aligned row, but an existing tinyland-infra | inherited | local_path_override | Consumer row was already in the table. The result is two tinyland-infra entries with conflicting attributes, which is ambiguous for readers. If these represent genuinely different repos/configurations they should have distinct names; if one entry should replace the other, the duplicate should be removed.

@Jesssullivan Jesssullivan merged commit 8d48fd0 into main Mar 26, 2026
26 checks passed