ci: migrate PMG to v1 server-mode proxy#23
Merged
Conversation
Bump safedep/pmg to v0.21.2 (SHA-pinned) and switch both the ci.yml release-preflight job and the goreleaser.yml release job to server-mode. In server mode the proxy daemon owns event delivery, so the job-end `pmg cloud sync` is replaced with `pmg proxy stop --fail-on-violation`, which flushes events and fails the job on any blocked package. Drop continue-on-error from the goreleaser stop step so a blocked package fails the job instead of passing silently. Note the limitation: the step runs after publish, so it alerts but cannot stop a release. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
SafeDep Report SummaryNo dependency changes detected. Nothing to scan. This report is generated by SafeDep Github App |
arunanshub
previously approved these changes
Jun 30, 2026
Bump safedep/pmg to the v1 action tag (SHA-pinned) and switch both the ci.yml release-preflight job and the goreleaser.yml release job to server-mode. v1 is the action's major-version tag (the CLI ships its own v0.x releases), so we pin the action line to v1 rather than a CLI tag. In server mode the proxy daemon owns event delivery, so the job-end `pmg cloud sync` is replaced with `pmg proxy stop --fail-on-violation`, which flushes events and fails the job on any blocked package. Drop continue-on-error from the goreleaser stop step so a blocked package fails the job instead of passing silently. Note the limitation: the step runs after publish, so it alerts but cannot stop a release. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
arunanshub
approved these changes
Jun 30, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.



What
Migrates the SafeDep PMG GitHub Action usage in both workflows to the v1 server-mode proxy pattern.
safedep/pmgto thev1action tag (SHA-pinned).v1is the action's major-version pointer following GitHub Actions convention. The repo's GitHub Releases are the PMG CLI (v0.x), so the action line is pinned tov1, not to a CLI release tag.server-mode: trueto both theci.ymlrelease-preflightjob and thegoreleaser.ymlreleasejob. The proxy runs as a daemon and routes every package install through it.pmg cloud syncwithpmg proxy stop --fail-on-violation. In server mode the proxy daemon owns event delivery, so stopping it both flushes cloud events and fails the job on any blocked package.continue-on-error: truefrom the goreleaser stop step so a blocked package fails the job instead of passing silently.Note on versioning
The action's
versioninput is left at its default (latest), so the installed PMG binary floats to the newest release (checksum-verified by the action). This matches the priorv0.14.0behavior and is generally desirable for a security tool. Only the action definition is pinned (tov1).Known limitation (documented in-line)
In
goreleaser.ymlthe stop step runs after the publish step, so it alerts but cannot prevent a release:Install dependenciesstep, before publish runs.To gate the release itself on a violation, the stop step would need to move before the publish step (or split build/publish into separate jobs). Left as a follow-up.
🤖 Generated with Claude Code