
Fleet-wide CI: MegaLinter gating + external fork CI + 3 new Dagger modules

decision ci megalinter dagger forks workflows

Fleet-wide CI expansion — 2026-07-03

What shipped

  1. MegaLinter fleet config (chirag127/workflows/.mega-linter.yml) rewritten:

    • GATING linters: 8 security scanners (gitleaks, secretlint, trufflehog, semgrep, trivy, osv-scanner, dustilock, checkov), JS/TS eslint, JSON/YAML lint, dotenv-linter, hadolint, actionlint, zizmor.
    • ADVISORY (report, don't fail): copypaste_jscpd, devskim, kics, grype, markdownlint, spelling, css_stylelint, html_htmlhint, json_v8r, json_npm_package_json_lint.
    • HARD-DISABLED (conflict with fleet biome): prettier + standard descriptors.
  2. MegaLinter reusable workflow (chirag127/workflows/.github/workflows/megalinter.yml):

    • Downstream opt-in — repos add one workflow that uses: chirag127/workflows/.github/workflows/megalinter.yml@main.
    • Fleet config auto-fetched if repo has no .mega-linter.yml.
  3. Fork CI — external, zero-byte on fork main (chirag127/workspace/.github/workflows/fork-ci.yml):

    • Runs nightly + workflow_dispatch + repository_dispatch.
    • Matrix over 6 forks. Checks out umbrella with submodules recursive, runs fork-audit Dagger module, posts commit status via API.
    • Zero files added to any fork main. Preserves no-fork-divergence.
  4. fork-audit Dagger module — drift + license + MegaLinter-security-flavor.

  5. data-scrape-api Dagger module + reusable — for the 9 data-scrape APIs.

  6. infra-umbrella Dagger module + reusable — for workspace + hermes-config + agent-skills.
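
A sketch of the external fork CI from item 3, added here as an illustration and not the contents of chirag127/workspace's fork-ci.yml. Assumptions: the fork names, `OWNER`, the `forks/<name>` submodule path, the Dagger module path with its `audit` function and `--source` argument, the cron time, and the `FORK_STATUS_TOKEN` secret are placeholders, and the dagger CLI is already installed on the runner.

```yaml
# Added sketch: audits each fork from the umbrella repo and reports back
# through a commit status, so no workflow file is ever added to a fork.
name: fork-ci
on:
  schedule:
    - cron: "0 3 * * *"            # nightly (time is an assumption)
  workflow_dispatch:
  repository_dispatch:
permissions:
  contents: read                   # job token only reads the umbrella repo
jobs:
  audit:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false             # one failing fork must not hide the others
      matrix:
        fork: [fork-a, fork-b]     # placeholder names; the fleet has 6 forks
    env:
      FORK: ${{ matrix.fork }}     # passed via env, not interpolated into run:
    steps:
      - uses: actions/checkout@v4  # pin to a full commit SHA in practice
        with:
          submodules: recursive
          persist-credentials: false
      - name: Run fork-audit (hypothetical module path and function)
        id: audit
        continue-on-error: true    # still post a status when the audit fails
        run: dagger call -m ./dagger/fork-audit audit --source "forks/$FORK"
      - name: Post commit status on the fork
        env:
          # The workflow's own GITHUB_TOKEN cannot write to other repos;
          # this assumed secret needs only commit-status write on the forks.
          GH_TOKEN: ${{ secrets.FORK_STATUS_TOKEN }}
          STATE: ${{ steps.audit.outcome == 'success' && 'success' || 'failure' }}
        run: |
          sha="$(git -C "forks/$FORK" rev-parse HEAD)"
          gh api "repos/OWNER/$FORK/statuses/$sha" \
            -f state="$STATE" \
            -f context="fork-ci/audit" \
            -f target_url="$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID"
      - name: Fail the matrix leg if the audit failed
        if: steps.audit.outcome != 'success'
        run: exit 1
```

Scoping the status token to commit-status write keeps the nightly job from being able to push to any fork, which is what preserves the no-divergence property.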

Why (rule preservation)

Follow-up (deferred)

Cross-refs