From 641501461e78d1f016bb4fd1860103dd4ccf9f10 Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Wed, 25 Mar 2026 22:17:12 +0000
Subject: [PATCH 1/2] feat: add GitHub Actions for Sentry, Cloudflare, StatsIG,
 and more

- sentry-release: automated release + deploy tracking on version tags
- cloudflare-pages: deploy dashboards to Cloudflare Pages on main push
- statsig-gate-check: reusable workflow to gate deploys behind StatsIG flags
- release-drafter: auto-generate changelogs from PR labels
- nuget-audit: weekly + PR vulnerability scanning for NuGet packages
- dashboard-validation: HTML validation + Lighthouse CI for dashboards
- contextstream-index: auto-sync ContextStream index on main push

https://claude.ai/code/session_015niGCWWtEYykLhYJwA8vcE
---
 .github/release-drafter.yml                | 62 ++++++++++++++++++
 .github/workflows/cloudflare-pages.yml     | 25 ++++++++
 .github/workflows/contextstream-index.yml  | 27 ++++++++
 .github/workflows/dashboard-validation.yml | 75 ++++++++++++++++++++++
 .github/workflows/nuget-audit.yml          | 32 +++++++++
 .github/workflows/release-drafter.yml      | 23 +++++++
 .github/workflows/sentry-release.yml       | 50 +++++++++++++++
 .github/workflows/statsig-gate-check.yml   | 54 ++++++++++++++++
 8 files changed, 348 insertions(+)
 create mode 100644 .github/release-drafter.yml
 create mode 100644 .github/workflows/cloudflare-pages.yml
 create mode 100644 .github/workflows/contextstream-index.yml
 create mode 100644 .github/workflows/dashboard-validation.yml
 create mode 100644 .github/workflows/nuget-audit.yml
 create mode 100644 .github/workflows/release-drafter.yml
 create mode 100644 .github/workflows/sentry-release.yml
 create mode 100644 .github/workflows/statsig-gate-check.yml

diff --git a/.github/release-drafter.yml b/.github/release-drafter.yml
new file mode 100644
index 0000000..7b1726d
--- /dev/null
+++ b/.github/release-drafter.yml
@@ -0,0 +1,62 @@
+name-template: "v$RESOLVED_VERSION"
+tag-template: "v$RESOLVED_VERSION"
+
+categories:
+  - title: "New Features"
+    labels:
+      - "feature"
+      - "enhancement"
+  - title: "Bug Fixes"
+    labels:
+      - "fix"
+      - "bugfix"
+      - "bug"
+  - title: "iRacing"
+    labels:
+      - "iracing"
+  - title: "Dashboard"
+    labels:
+      - "dashboard"
+      - "ui"
+  - title: "Observability"
+    labels:
+      - "observability"
+      - "logging"
+      - "metrics"
+  - title: "Security"
+    labels:
+      - "security"
+  - title: "Dependencies"
+    labels:
+      - "dependencies"
+  - title: "CI/CD"
+    labels:
+      - "ci"
+      - "github-actions"
+
+change-template: "- $TITLE @$AUTHOR (#$NUMBER)"
+change-title-escapes: '\<*_&'
+
+version-resolver:
+  major:
+    labels:
+      - "major"
+      - "breaking"
+  minor:
+    labels:
+      - "feature"
+      - "enhancement"
+  patch:
+    labels:
+      - "fix"
+      - "bugfix"
+      - "bug"
+      - "dependencies"
+  default: patch
+
+template: |
+  ## Changes
+
+  $CHANGES
+
+  **Full Changelog**: https://github.com/$OWNER/$REPOSITORY/compare/$PREVIOUS_TAG...v$RESOLVED_VERSION
diff --git a/.github/workflows/cloudflare-pages.yml b/.github/workflows/cloudflare-pages.yml
new file mode 100644
index 0000000..c9a8fff
--- /dev/null
+++ b/.github/workflows/cloudflare-pages.yml
@@ -0,0 +1,25 @@
+name: Deploy Dashboards to Cloudflare Pages
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - "src/SimSteward.Dashboard/**"
+  workflow_dispatch:
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      deployments: write
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Deploy to Cloudflare Pages
+        uses: cloudflare/wrangler-action@v3
+        with:
+          apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
+          accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+          command: pages deploy src/SimSteward.Dashboard --project-name=sim-steward-dash
diff --git a/.github/workflows/contextstream-index.yml b/.github/workflows/contextstream-index.yml
new file mode 100644
index 0000000..5ee470f
--- /dev/null
+++ b/.github/workflows/contextstream-index.yml
@@ -0,0 +1,27 @@
+name: ContextStream Index Sync
+
+on:
+  push:
+    branches: [main]
+    paths-ignore:
+      - "*.md"
+      - ".github/**"
+      - "docs/**"
+
+jobs:
+  index:
+    runs-on: windows-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install ContextStream CLI
+        run: npm install -g contextstream-mcp
+
+      - name: Run ContextStream ingest
+        env:
+          CONTEXTSTREAM_API_URL: https://api.contextstream.io
+          CONTEXTSTREAM_PROJECT_ID: ${{ secrets.CONTEXTSTREAM_PROJECT_ID }}
+          CONTEXTSTREAM_WORKSPACE_ID: ${{ secrets.CONTEXTSTREAM_WORKSPACE_ID }}
+          CONTEXTSTREAM_API_KEY: ${{ secrets.CONTEXTSTREAM_API_KEY }}
+        run: pwsh -NoProfile -File scripts/contextstream-ingest.ps1 -Force
diff --git a/.github/workflows/dashboard-validation.yml b/.github/workflows/dashboard-validation.yml
new file mode 100644
index 0000000..d117c48
--- /dev/null
+++ b/.github/workflows/dashboard-validation.yml
@@ -0,0 +1,75 @@
+name: Dashboard Validation
+
+on:
+  push:
+    paths:
+      - "src/SimSteward.Dashboard/**"
+  pull_request:
+    paths:
+      - "src/SimSteward.Dashboard/**"
+
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Validate HTML files
+        run: |
+          errors=0
+          for f in src/SimSteward.Dashboard/*.html; do
+            echo "Checking $f..."
+
+            # Check for unclosed script/style tags
+            open_script=$(grep -c '<script' "$f" || true)
+            close_script=$(grep -c '</script>' "$f" || true)
+            if [ "$open_script" -ne "$close_script" ]; then
+              echo "::error file=$f::Mismatched <script> tags (open=$open_script, close=$close_script)"
+              errors=$((errors + 1))
+            fi
+
+            # Check for Sentry DSN not accidentally removed
+            if grep -q 'Sentry.init' "$f"; then
+              if ! grep -q 'dsn:' "$f"; then
+                echo "::error file=$f::Sentry.init found but no DSN configured"
+                errors=$((errors + 1))
+              fi
+            fi
+
+            # Check for console.log left in production (warning only)
+            count=$(grep -c 'console\.log' "$f" || true)
+            if [ "$count" -gt 5 ]; then
+              echo "::warning file=$f::$count console.log statements found - consider cleanup"
+            fi
+          done
+
+          if [ "$errors" -gt 0 ]; then
+            echo "::error::$errors validation error(s) found"
+            exit 1
+          fi
+          echo "All dashboard HTML files passed validation."
+
+  lighthouse:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+
+      - name: Install Lighthouse CI
+        run: npm install -g @lhci/cli
+
+      - name: Run Lighthouse on dashboards
+        run: |
+          for f in src/SimSteward.Dashboard/*.html; do
+            echo "Running Lighthouse on $f..."
+            lhci autorun --collect.staticDistDir=src/SimSteward.Dashboard \
+              --collect.url="file://$(pwd)/$f" \
+              --assert.preset=lighthouse:no-pwa \
+              --assert.assertions.categories:accessibility=warn \
+              --assert.assertions.categories:best-practices=warn || true
+          done
diff --git a/.github/workflows/nuget-audit.yml b/.github/workflows/nuget-audit.yml
new file mode 100644
index 0000000..3b93ffd
--- /dev/null
+++ b/.github/workflows/nuget-audit.yml
@@ -0,0 +1,32 @@
+name: NuGet Vulnerability Audit
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: "0 7 * * 1"
+
+jobs:
+  audit:
+    runs-on: windows-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Restore packages
+        run: dotnet restore
+
+      - name: Check for vulnerable packages
+        run: dotnet list package --vulnerable --include-transitive 2>&1 | tee audit-output.txt
+
+      - name: Fail on vulnerabilities
+        shell: pwsh
+        run: |
+          $output = Get-Content audit-output.txt -Raw
+          if ($output -match "has the following vulnerable packages") {
+            Write-Error "Vulnerable NuGet packages detected. See output above."
+            exit 1
+          }
+          Write-Host "No known vulnerabilities found."
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
new file mode 100644
index 0000000..d6006aa
--- /dev/null
+++ b/.github/workflows/release-drafter.yml
@@ -0,0 +1,23 @@
+name: Release Drafter
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    types: [opened, reopened, synchronize, labeled]
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  update-release-draft:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+
+    steps:
+      - uses: release-drafter/release-drafter@v6
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/sentry-release.yml b/.github/workflows/sentry-release.yml
new file mode 100644
index 0000000..3754c36
--- /dev/null
+++ b/.github/workflows/sentry-release.yml
@@ -0,0 +1,50 @@
+name: Sentry Release
+
+on:
+  push:
+    tags: ["v*"]
+
+jobs:
+  sentry-release:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Extract version from tag
+        id: version
+        run: echo "version=${GITHUB_REF_NAME#v}" >> "$GITHUB_OUTPUT"
+
+      - name: Create Sentry release
+        uses: getsentry/action-release@v3
+        env:
+          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
+          SENTRY_ORG: sim-steward
+        with:
+          projects: simhub-plugin web-dashboards
+          version: ${{ steps.version.outputs.version }}
+          set_commits: auto
+
+      - name: Register simhub-plugin deploy
+        if: env.SENTRY_AUTH_TOKEN != ''
+        env:
+          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
+        run: |
+          curl -s -X POST \
+            "https://sentry.io/api/0/organizations/sim-steward/releases/${{ steps.version.outputs.version }}/deploys/" \
+            -H "Authorization: Bearer $SENTRY_AUTH_TOKEN" \
+            -H "Content-Type: application/json" \
+            -d '{"environment":"production","name":"simhub-plugin"}'
+
+      - name: Register web-dashboards deploy
+        if: env.SENTRY_AUTH_TOKEN != ''
+        env:
+          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
+        run: |
+          curl -s -X POST \
+            "https://sentry.io/api/0/organizations/sim-steward/releases/${{ steps.version.outputs.version }}/deploys/" \
+            -H "Authorization: Bearer $SENTRY_AUTH_TOKEN" \
+            -H "Content-Type: application/json" \
+            -d '{"environment":"production","name":"web-dashboards"}'
diff --git a/.github/workflows/statsig-gate-check.yml b/.github/workflows/statsig-gate-check.yml
new file mode 100644
index 0000000..05e3a5f
--- /dev/null
+++ b/.github/workflows/statsig-gate-check.yml
@@ -0,0 +1,54 @@
+name: StatsIG Gate Check
+
+on:
+  workflow_call:
+    inputs:
+      gate-name:
+        description: "StatsIG gate to check before proceeding"
+        required: true
+        type: string
+      environment:
+        description: "Target environment"
+        required: false
+        type: string
+        default: "production"
+    outputs:
+      gate-open:
+        description: "Whether the gate is open"
+        value: ${{ jobs.check-gate.outputs.gate-open }}
+
+jobs:
+  check-gate:
+    runs-on: ubuntu-latest
+    outputs:
+      gate-open: ${{ steps.gate.outputs.open }}
+
+    steps:
+      - name: Check StatsIG gate
+        id: gate
+        env:
+          STATSIG_SERVER_KEY: ${{ secrets.STATSIG_SERVER_KEY }}
+        run: |
+          if [ -z "$STATSIG_SERVER_KEY" ]; then
+            echo "::warning::STATSIG_SERVER_KEY not set - defaulting gate to open"
+            echo "open=true" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          response=$(curl -s -X POST "https://statsigapi.net/v1/check_gate" \
+            -H "statsig-api-key: $STATSIG_SERVER_KEY" \
+            -H "Content-Type: application/json" \
+            -d "{
+              \"user\": { \"userID\": \"github-actions\", \"custom\": { \"environment\": \"${{ inputs.environment }}\" } },
+              \"gateName\": \"${{ inputs.gate-name }}\"
+            }")
+
+          gate_value=$(echo "$response" | jq -r '.value // false')
+          echo "Gate '${{ inputs.gate-name }}' = $gate_value"
+          echo "open=$gate_value" >> "$GITHUB_OUTPUT"
+
+      - name: Gate closed - block deploy
+        if: steps.gate.outputs.open != 'true'
+        run: |
+          echo "::error::StatsIG gate '${{ inputs.gate-name }}' is closed for environment '${{ inputs.environment }}'. Deploy blocked."
+          exit 1

From 57e0b88c0963b348c1e357c64cac7003ffb2ed4a Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Wed, 25 Mar 2026 22:26:24 +0000
Subject: [PATCH 2/2] security: pin all GitHub Actions to commit SHAs

Replace mutable version tags (@v4, @v3, @v2, @v6) with immutable
commit SHAs across all workflows. Prevents supply chain attacks
where a tag is force-pushed to a compromised commit.

https://claude.ai/code/session_015niGCWWtEYykLhYJwA8vcE
---
 .github/workflows/cloudflare-pages.yml     |  6 ++++--
 .github/workflows/contextstream-index.yml  |  3 ++-
 .github/workflows/dashboard-validation.yml |  9 ++++++---
 .github/workflows/nuget-audit.yml          |  3 ++-
 .github/workflows/release-drafter.yml      |  3 ++-
 .github/workflows/secrets-scan.yml         | 15 ++++++++++-----
 .github/workflows/sentry-release.yml       |  6 ++++--
 .github/workflows/test.yml                 |  6 ++++--
 8 files changed, 34 insertions(+), 17 deletions(-)

diff --git a/.github/workflows/cloudflare-pages.yml b/.github/workflows/cloudflare-pages.yml
index c9a8fff..b31ac81 100644
--- a/.github/workflows/cloudflare-pages.yml
+++ b/.github/workflows/cloudflare-pages.yml
@@ -15,10 +15,12 @@ jobs:
       deployments: write
 
     steps:
-      - uses: actions/checkout@v4
+      # actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
 
       - name: Deploy to Cloudflare Pages
-        uses: cloudflare/wrangler-action@v3
+        # cloudflare/wrangler-action@v3
+        uses: cloudflare/wrangler-action@da0e0dfe58b7a431659754fdf3f186c529afbe65
         with:
           apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
           accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
diff --git a/.github/workflows/contextstream-index.yml b/.github/workflows/contextstream-index.yml
index 5ee470f..c5afee7 100644
--- a/.github/workflows/contextstream-index.yml
+++ b/.github/workflows/contextstream-index.yml
@@ -13,7 +13,8 @@ jobs:
     runs-on: windows-latest
 
     steps:
-      - uses: actions/checkout@v4
+      # actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
 
       - name: Install ContextStream CLI
         run: npm install -g contextstream-mcp
diff --git a/.github/workflows/dashboard-validation.yml b/.github/workflows/dashboard-validation.yml
index d117c48..0709f73 100644
--- a/.github/workflows/dashboard-validation.yml
+++ b/.github/workflows/dashboard-validation.yml
@@ -13,7 +13,8 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
+      # actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
 
       - name: Validate HTML files
         run: |
@@ -54,9 +55,11 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
+      # actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
 
-      - uses: actions/setup-node@v4
+      # actions/setup-node@v4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
         with:
           node-version: "20"
 
diff --git a/.github/workflows/nuget-audit.yml b/.github/workflows/nuget-audit.yml
index 3b93ffd..a2ea20b 100644
--- a/.github/workflows/nuget-audit.yml
+++ b/.github/workflows/nuget-audit.yml
@@ -13,7 +13,8 @@ jobs:
     runs-on: windows-latest
 
     steps:
-      - uses: actions/checkout@v4
+      # actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
 
       - name: Restore packages
         run: dotnet restore
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
index d6006aa..aa9d107 100644
--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
@@ -18,6 +18,7 @@ jobs:
       pull-requests: write
 
     steps:
-      - uses: release-drafter/release-drafter@v6
+      # release-drafter/release-drafter@v6
+      - uses: release-drafter/release-drafter@6a93d829887aa2e0748befe2e808c66c0ec6e4c7
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/secrets-scan.yml b/.github/workflows/secrets-scan.yml
index ec9dd98..c37377c 100644
--- a/.github/workflows/secrets-scan.yml
+++ b/.github/workflows/secrets-scan.yml
@@ -10,9 +10,12 @@ jobs:
   secretlint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: pnpm/action-setup@v4
-      - uses: actions/setup-node@v4
+      # actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+      # pnpm/action-setup@v4
+      - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320
+      # actions/setup-node@v4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
         with:
           node-version: "20"
           cache: pnpm
@@ -22,9 +25,11 @@ jobs:
   gitleaks:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      # actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
         with:
           fetch-depth: 0
-      - uses: gitleaks/gitleaks-action@v2
+      # gitleaks/gitleaks-action@v2
+      - uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/sentry-release.yml b/.github/workflows/sentry-release.yml
index 3754c36..20d8a27 100644
--- a/.github/workflows/sentry-release.yml
+++ b/.github/workflows/sentry-release.yml
@@ -9,7 +9,8 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
+      # actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
         with:
           fetch-depth: 0
 
@@ -18,7 +19,8 @@ jobs:
         run: echo "version=${GITHUB_REF_NAME#v}" >> "$GITHUB_OUTPUT"
 
       - name: Create Sentry release
-        uses: getsentry/action-release@v3
+        # getsentry/action-release@v3
+        uses: getsentry/action-release@dab6548b3c03c4717878099e43782cf5be654289
         env:
           SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
           SENTRY_ORG: sim-steward
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 6d71e54..6843ff1 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -11,7 +11,8 @@ jobs:
     runs-on: windows-latest
 
     steps:
-      - uses: actions/checkout@v4
+      # actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
 
       - name: Restore packages
         run: dotnet restore
@@ -23,7 +24,8 @@ jobs:
         run: dotnet test src/SimSteward.Plugin.Tests/SimSteward.Plugin.Tests.csproj -c Release --no-build --logger trx --results-directory TestResults -v normal
 
       - name: Upload test results
-        uses: actions/upload-artifact@v4
+        # actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
         if: always()
         with:
           name: test-results