From cf0942f6ee5520261178005663a9bfc6a68272c8 Mon Sep 17 00:00:00 2001
From: "Garen J. Torikian"
Date: Tue, 3 Mar 2026 11:18:25 -0500
Subject: [PATCH 1/4] Remove unused Coana workflow files
Remove coana-analysis.yml and coana-guardrail.yml from CI workflows.
Co-Authored-By: Claude Opus 4.6
---
 .github/workflows/coana-analysis.yml | 28 -----------
 .github/workflows/coana-guardrail.yml | 67 ---------------------------
 2 files changed, 95 deletions(-)
 delete mode 100644 .github/workflows/coana-analysis.yml
 delete mode 100644 .github/workflows/coana-guardrail.yml
diff --git a/.github/workflows/coana-analysis.yml b/.github/workflows/coana-analysis.yml
deleted file mode 100644
index cac82a7a..00000000
--- a/.github/workflows/coana-analysis.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-name: Coana Vulnerability Analysis
-
-on:
- schedule:
- - cron: "0 3 * * *" # every day at 3 AM
- workflow_dispatch:
- inputs:
- tags:
- description: "Manually run vulnerability analysis"
- # Required by the return-dispatch action
- distinct_id:
-
-jobs:
- coana-vulnerability-analysis:
- runs-on: ubuntu-latest
-
- steps:
- - name: Checkout code
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
- - name: Run Coana CLI
- id: coana-cli
- uses: docker://coana/coana:latest
- with:
- args: |
- coana run . \
- --api-key ${{ secrets.COANA_API_KEY }} \
- --repo-url https://github.com/${{github.repository}}
diff --git a/.github/workflows/coana-guardrail.yml b/.github/workflows/coana-guardrail.yml
deleted file mode 100644
index 4d32ef1f..00000000
--- a/.github/workflows/coana-guardrail.yml
+++ /dev/null
@@ -1,67 +0,0 @@
-name: Coana Guardrail
-
-on: pull_request
-
-jobs:
- guardrail:
- runs-on: ubuntu-latest
-
- steps:
- - name: Checkout the ${{github.base_ref}} branch
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- with:
- ref: ${{github.base_ref}} # checkout the base branch (usually master/main).
-
- - name: Fetch the PR branch
- run: |
- git fetch ${{ github.event.pull_request.head.repo.clone_url }} ${{ github.head_ref }}:${{ github.head_ref }} --depth=1
-
- - name: Get list of changed files relative to the main/master branch
- id: changed-files
- run: |
- echo "all_changed_files=$(git diff --name-only ${{ github.base_ref }} ${{ github.head_ref }} | tr '\n' ' ')" >> $GITHUB_OUTPUT
-
- - name: Use Node.js 24.x
- uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
- with:
- node-version: 24.x
-
- - name: Run Coana on the ${{github.base_ref}} branch
- run: |
- npx @coana-tech/cli run . \
- --guardrail-mode \
- --api-key ${{ secrets.COANA_API_KEY || 'api-key-unavailable' }} \
- -o /tmp/main-branch \
- --changed-files ${{ steps.changed-files.outputs.all_changed_files }} \
- --lightweight-reachability \
-
- # Reset file permissions.
- # This is necessary because the Coana CLI may add
- # new files with root ownership since it's using docker.
- # These files will not be deleted by the clean step in checkout
- # if the permissions are not reset.
- - name: Reset file permissions
- run: sudo chown -R $USER:$USER .
-
- - name: Checkout the current branch
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- with:
- clean: true
-
- - name: Run Coana on the current branch
- run: |
- npx @coana-tech/cli run . 
\
- --guardrail-mode \
- --api-key ${{ secrets.COANA_API_KEY || 'api-key-unavailable' }} \
- -o /tmp/current-branch \
- --changed-files ${{ steps.changed-files.outputs.all_changed_files }} \
- --lightweight-reachability \
-
- - name: Run Report Comparison
- run: |
- npx @coana-tech/cli compare-reports \
- --api-key ${{ secrets.COANA_API_KEY || 'api-key-unavailable' }} \
- /tmp/main-branch/coana-report.json \
- /tmp/current-branch/coana-report.json
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
From 56c3ef72494f56039c30e758e407664f86d8d05d Mon Sep 17 00:00:00 2001
From: "Garen J. Torikian"
Date: Tue, 3 Mar 2026 11:22:37 -0500
Subject: [PATCH 2/4] Fix YAML syntax error in ci.yml smoke-test job
Wrap labels.*.name in toJSON() so contains() receives a valid string argument in the GitHub Actions if conditional.
Co-Authored-By: Claude Opus 4.6
---
 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 58c71a69..c346e6a4 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -42,7 +42,7 @@ jobs:
 smoke-test:
 name: Smoke test (Python ${{ matrix.python }})
- if: github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'autorelease: pending')
+ if: github.event_name == 'pull_request' && contains(toJSON(github.event.pull_request.labels.*.name), 'autorelease: pending')
 runs-on: ubuntu-latest
 strategy:
 fail-fast: false
From 4bc3e416981aa0158cc03e1ecdcde1644a657b79 Mon Sep 17 00:00:00 2001
From: "Garen J. Torikian"
Date: Tue, 3 Mar 2026 11:24:04 -0500
Subject: [PATCH 3/4] Fix YAML syntax on ci.yml line 45
Wrap the if expression in ${{ }} to prevent YAML from parsing the colon in 'autorelease: pending' as a mapping.
Co-Authored-By: Claude Opus 4.6
---
 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index c346e6a4..14d1dec4 100644
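Review bot: The new `if:` line of the smoke-test job turns an exact label check into a substring match: `contains()` on the array `github.event.pull_request.labels.*.name` is true only when some element equals `'autorelease: pending'`, whereas `contains(toJSON(...), ...)` searches the serialized JSON text, so any label whose name merely contains that text would also enable the job, which weakens a label-based gate. The syntax error named in the subject comes from the unquoted plain scalar containing `: ` inside `'autorelease: pending'`, which `toJSON()` does not address; the same line is re-touched in patches 3/4 and 4/4, and only the double quotes in 4/4 resolve the YAML issue. Once quoted, the original array form can be restored: `if: "${{ github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'autorelease: pending') }}"`. The `smoke-test` job definition continues outside the hunk.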
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -42,7 +42,7 @@ jobs:
 smoke-test:
 name: Smoke test (Python ${{ matrix.python }})
- if: github.event_name == 'pull_request' && contains(toJSON(github.event.pull_request.labels.*.name), 'autorelease: pending')
+ if: ${{ github.event_name == 'pull_request' && contains(toJSON(github.event.pull_request.labels.*.name), 'autorelease: pending') }}
 runs-on: ubuntu-latest
 strategy:
 fail-fast: false
From 88e5243c84f0dd6f882815e4614c757e581094b8 Mon Sep 17 00:00:00 2001
From: "Garen J. Torikian"
Date: Tue, 3 Mar 2026 11:26:09 -0500
Subject: [PATCH 4/4] Quote the if expression in ci.yml to fix YAML parsing
The YAML parser runs before GitHub Actions expression evaluation, so the unquoted value with single quotes and colons causes a syntax error. Wrapping in double quotes fixes it.
Co-Authored-By: Claude Opus 4.6
---
 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 14d1dec4..4da31e2f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -42,7 +42,7 @@ jobs:
 smoke-test:
 name: Smoke test (Python ${{ matrix.python }})
- if: ${{ github.event_name == 'pull_request' && contains(toJSON(github.event.pull_request.labels.*.name), 'autorelease: pending') }}
+ if: "${{ github.event_name == 'pull_request' && contains(toJSON(github.event.pull_request.labels.*.name), 'autorelease: pending') }}"
 runs-on: ubuntu-latest
 strategy:
 fail-fast: false