Ensure mitigations in place for all past breakages of main builds and deploys

[markafitzgerald1]

Examples:

• [x] non-updated Linux e2e test screenshots - could catch via pre-commit hook and/or requirement that all commits to main come from PR branches passing that GitHub PR check. Might want to get rid of non-Linux e2e tests here to save some runtime and ensure all files in main are automatically validate-able both locally for all developers and in CI.
• [x] incorrect GitHub Actions setup - could perhaps prevent some of these via requirement to have a PR to get changes into main and deployed.

Check through all commits to main with PR checks and address or create issues to mitigate them going forward.

[markafitzgerald1]

Another example:

• [x] d393805 disabled onclick handling between the card text and the card border and it was only caught via manual testing post-deploy. Can we automatically check for that?

[markafitzgerald1]

Another example:

• [x] 4281a13c95087af80a10579c59fde3c097b4cbec reformatted .eslintrc.json - why was the non-compliant with Prettier formatting not caught before that commit?

[markafitzgerald1]

I just reviewed main (and PR) history and found that all failure causes have either already been mitigated or will be mitigated by the above four checkbox items:

• [x] require PR + checks to get into main (often these were caused by GitHub Actions not being equal to local pre-commit checks, and GitHub Actions checks cannot be run locally),
• [x] drop e2e tests not run in CI,
• [x] better onclick test if it can be automated, and
• [x] more broad Prettier code (and config) format checking.

[markafitzgerald1]

main branch protections reconfigured:

• PR now required before merge (into main),
• 1 approval required before merge,
• stale reviews dismissed on push,
• status checks must pass before merge,
• branch must be up to date before merge, and
• conversations must be resolved before merge.

[markafitzgerald1]

Test PR created to test out the above: https://github.com/markafitzgerald1/cribbage-trainer/pull/34.

[markafitzgerald1]

PR cannot be merged as I can't approve it as its own author. :)

[markafitzgerald1]

Enabled 'Require approval of the most recent reviewable push' on main.

[markafitzgerald1]

Disabled 'Require approvals' and 'Require approval of the most recent reviewable push'. Branch only protected by automatic checks now. (Seems better than always having to admin override, as I'll likely forget and override the automated checks sometimes using that workflow. Can always revisit if/when other developers added to the project.)

[markafitzgerald1]

Made npm-test-build-and-upload-artifact be a required check as otherwise merge of a non-built or being built PR was allowed!

[markafitzgerald1]

Test push of local main to remote (GitHub) rejected now, as expected.

[markafitzgerald1]

Test PR becomes merge-able once CI passes.

[markafitzgerald1]

First mitigation now in place. Three to go! :)

[markafitzgerald1]

Some generated directories and files are not cleaned on npm run clean. Fix that.

• [x] Remove all generated files and directories on npm run clean.

[markafitzgerald1]

35 created to address incomplete npm run clean issue.

[markafitzgerald1]

35 merged, resolving the npm run clean issue.

[markafitzgerald1]

• [x] Perhaps consider only deploying on merge to main given that only PRs that are up to date and passing build can be merged?

[markafitzgerald1]

• [x] Update GitHub Actions plugins to latest versions - will resolve at least two deprecation warnings.

[markafitzgerald1]

GitHub Pages preview site feature still in Alpha and not available to the public, so can't use that to preview deploys of builds - yet.

[markafitzgerald1]

VS Code Counter discovered during work on this Issue, so added .gitignore, .markdownlintignore and npm run clean support for it in #36.

[markafitzgerald1]

The formatting of .eslintrc.json was valid according to prettier --check . both before and after https://github.com/markafitzgerald1/cribbage-trainer/commit/4281a13c95087af80a10579c59fde3c097b4cbec and was being automatically checked by both local development linting and CI (GitHub PR and main branch checks) both before and after that change. However, Prettier does format that file differently depending on how the code is formatted to start - which is not quite how I expected it to behave. I guess some change came into the file and then I asked Prettier to reformat it, resulting in... the file changing! No mitigation needed here at present.

[markafitzgerald1]

It seems either not possible or rather expensive to automatically catch the UI regression of https://github.com/markafitzgerald1/cribbage-trainer/commit/d3938058f354949ed0f1685ce4b799cdb3964481 which disabled onclick handling between the card text and the card border. Declining to add mitigations for that beyond manual testing for now as their implementation and maintenance costs are looking to be high if they are possible at all, and their value is at present less than that expected cost.

[markafitzgerald1]

Local development e2e testing fully switched over to Docker Linux and non-Linux e2e tests dropped in #37 to eliminate time cost of two sets of screenshots and reliability cost of having to manually remember to update Linux screenshots in non-Linux development environments.

[markafitzgerald1]

• [x] Maybe add Dependabot as a part of this Issue's resolution to reduce developer toil?

[markafitzgerald1]

• [x] Add verified commits to future proof GitHub hosting of this project?

[markafitzgerald1]

38 created to address "Update GitHub Actions plugins to latest versions - will resolve at least two deprecation warnings."

[markafitzgerald1]

38 merged into main and deployed.

[markafitzgerald1]

Deploy only from main may not be practical - an artifact is needed as per https://github.com/actions/deploy-pages. Could perhaps just build and drop all tests to save time given the PR is already up to date with main and passing all non-deploy automated checks.

[markafitzgerald1]

Only build and deploy on merge into main implemented in #39 and merged into main successfully. Merge to deployed time reduced from about 2 minutes and 50 seconds to about 50 seconds by this change!

[markafitzgerald1]

Dependabot:

• alerts enabled,
• security updates (grouped) enabled,
• version updates enabled (via #40),

CodeQL weekly code security and error analysis enabled with PRs failing on any CodeQL alert.

Secret scanning and push protection enabled.

[markafitzgerald1]

Private vulnerability reporting enabled as well.

[markafitzgerald1]

Commit signing (via SSH) added to my local development environment - git Working Copy and VS Code. Vigilant Mode not yet enabled in GitHub. No signed commits yet pushed.

• [x] Push a signed commit to verify that it works.
• [x] Enable Vigilant Mode in GitHub for this project.

[markafitzgerald1]

Resuming work on #21 in order to test out signed commits and possible vigilant mode.

[markafitzgerald1]

Vigilant mode enabled after push of self-created verified commit f95714c2b8da9e8c57112d141aba9eec1a6dc2e3.

[markafitzgerald1]

All known past and foreseeable future build and deploy breakage mitigation complete.

[markafitzgerald1]

Imported the GitHub public GPG key at https://github.com/web-flow.gpg in my local development environment so that git log --show-signature somewhat trusts (merge) commits signed by GitHub on my behalf.

[markafitzgerald1]

Vigilant Mode enabled just now, but that setting only affects me, not the project itself.