Fleet-wide CI: MegaLinter gating + external fork CI + 3 new Dagger modules
Fleet-wide CI expansion — 2026-07-03
What shipped
MegaLinter fleet config — chirag127/workflows/.mega-linter.yml rewritten:
- GATING linters: 8 security scanners (gitleaks, secretlint, trufflehog, semgrep, trivy, osv-scanner, dustilock, checkov), JS/TS eslint, JSON/YAML lint, dotenv-linter, hadolint, actionlint, zizmor.
- ADVISORY (report, don't fail): copypaste_jscpd, devskim, kics, grype, markdownlint, spelling, css_stylelint, html_htmlhint, json_v8r, json_npm_package_json_lint.
- HARD-DISABLED (conflict with fleet biome): prettier + standard descriptors.
MegaLinter reusable workflow — chirag127/workflows/.github/workflows/megalinter.yml:
- Downstream opt-in — repos add one workflow that uses: chirag127/workflows/.github/workflows/megalinter.yml@main.
- Fleet config auto-fetched if repo has no .mega-linter.yml.
Fork CI — external, zero-byte on fork main — chirag127/workspace/.github/workflows/fork-ci.yml:
- Runs nightly + workflow_dispatch + repository_dispatch.
- Matrix over 6 forks. Checks out umbrella with submodules recursive, runs fork-audit Dagger module, posts commit status via API.
- Zero files added to any fork main. Preserves no-fork-divergence.
fork-audit Dagger module — drift + license + MegaLinter-security-flavor.
data-scrape-api Dagger module + reusable — for the 9 data-scrape APIs.
infra-umbrella Dagger module + reusable — for workspace + hermes-config + agent-skills.
Why (rule preservation)
- Fork CI without files on fork main preserves the letter of no-fork-divergence and fork-thin-upstream-tracking. Same effective coverage; infra stays in umbrella, forks stay thin.
- MegaLinter opt-in reusable avoids turning every repo red on the next push.
Follow-up (deferred)
- Wire MegaLinter into pilot repos (bookmark-mind, api-fleet-landing, sops-lens).
- Wire ci-data-scrape-api.yml into each of the 9 data-scrape repos.
- Wire ci-infra-umbrella.yml into workspace + hermes-config + agent-skills.
- Add FORK_STATUS_TOKEN secret (PAT repo:status) — without it, fallback is silent (warning, not failure).
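
A sketch of the "posts commit status via API" step and its silent fallback, added here as an example and not taken from fork-ci.yml or the fork-audit module: it builds the GitHub commit-status request (POST /repos/{owner}/{repo}/statuses/{sha}) and lists failed audits that would go unreported when FORK_STATUS_TOKEN is missing. The fork-audit context name, the example-org fork names and the result records are constructed assumptions.

```python
import json
import logging
import urllib.request

log = logging.getLogger("fork-ci")
API = "https://api.github.com"
CONTEXT = "fork-audit"  # assumed status context name, not taken from fork-ci.yml

# Constructed audit results; owner/repo names and SHAs are placeholders.
SAMPLE_RESULTS = [
    {"repo": "example-org/fork-a", "sha": "a" * 40, "passed": True, "summary": "no drift"},
    {"repo": "example-org/fork-b", "sha": "b" * 40, "passed": False, "summary": "license drift"},
]


def build_status_request(repo, sha, passed, summary, token, run_url=None):
    """Build POST /repos/{owner}/{repo}/statuses/{sha}; return None when no token is set."""
    if not token:
        # The fallback the page describes: warn, post nothing, job stays green.
        log.warning("FORK_STATUS_TOKEN not set; no status posted for %s@%s", repo, sha[:7])
        return None
    body = {
        "state": "success" if passed else "failure",
        "context": CONTEXT,
        "description": summary[:140],  # keep within GitHub's 140-character limit
    }
    if run_url:
        body["target_url"] = run_url  # link back to the umbrella workflow run
    return urllib.request.Request(
        f"{API}/repos/{repo}/statuses/{sha}",
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/vnd.github+json",
                 "Content-Type": "application/json"},
    )


def plan_statuses(results, token):
    """Return (requests to send, repos whose FAILED audit would go unreported)."""
    requests, dropped_failures = [], []
    for r in results:
        req = build_status_request(r["repo"], r["sha"], r["passed"], r["summary"], token)
        if req is not None:
            requests.append(req)
        elif not r["passed"]:
            dropped_failures.append(r["repo"])
    return requests, dropped_failures
```

Each request can be sent with urllib.request.urlopen(req, timeout=10). Writing dropped_failures to the umbrella job summary keeps a missing token from hiding a failed audit.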
Cross-refs
- rules/agent/no-fork-divergence
- rules/agent/fork-thin-upstream-tracking
- decisions/agent-tooling/dagger-confirmed-2026-07-02