
ci: T8490: typos.yml + central _typos.toml (ruleset-required pilot)#150

Merged
andamasov merged 1 commit into production from ci/T8490-typos-ruleset on Jun 19, 2026

Conversation

@andamasov

Member

What

Adds a standalone, fork-safe typos.yml workflow plus a central _typos.toml allowlist to vyos/.github. This workflow is designed to be required fleet-wide via a GitHub repository ruleset (type: workflows) on a pilot set of repos — no per-repo caller files.

Why standalone on: pull_request (not a workflow_call reusable)

A workflow_call-only reusable cannot be a ruleset-required workflow — GitHub's "require workflows via rulesets" requires a directly PR-triggered file. So this intentionally diverges from the reusable+wrapper pattern: the whole point is to enforce the check centrally without a per-repo caller in every product repo.

Design

  • Two-step checkout: the PR code into the workspace root, and vyos/.github@production into .github-central/, so the allowlist is always sourced from the authoritative protected branch regardless of which product repo runs the check.
  • Full-tree scan with the central config (--config .github-central/_typos.toml). The pilot is central-config-only (no repo-local override) — that removes the same-PR config-relaxation vector, since the config lives in the protected production branch.
  • crate-ci/typos prebuilt binary (drops the old cargo install), all actions SHA-pinned (incl. bullfrogsec/bullfrog egress-audit, per repo convention), persist-credentials: false on both checkouts.
  • Failure comment posts only on same-repo (non-fork) PRs.
  • Coverage note: typos defaults to ignore-hidden = true, so dot-prefixed dirs (incl. the .github-central/ checkout and each repo's own .github/) are not scanned. This is intentional/acceptable — it also means the central-config checkout never cross-contaminates a product PR's result.

_typos.toml (seed)

Excludes upstream-owned paths (*.patch, smoketest/**, mibs/**, kernel config fragments) and allowlists confirmed VyOS / networking / kernel jargon (ICMPv6 ND, 802.11ai FILS/ACI/OCE/SME, MACsec pn, GeoIP country codes, commitd, kernel CONFIG_* driver symbols, 3DES EDE, etc.). Dry-run reductions: vyos-1x 742→75, vyos-build 138→1, vyatta-cfg-system 81→67, vyconf 36→14. This is a Phase-1 seed; the rollout's evaluate phase tunes it to a clean baseline before enforcement is made blocking.

Rollout

After merge: an org ruleset requires this workflow on vyos-1x / vyos-build / vyatta-cfg-system / vyconf for rolling / circinus / sagitta, rolled out evaluate → active. The legacy per-repo vyos-1x caller + the old workflow_call reusable + custom scripts are then retired.

Relates: T8490

Add `.github/workflows/typos.yml` — a new standalone CI workflow that
runs crate-ci/typos against pull_request branches (rolling/circinus/sagitta).

Workflow design:
- Two-step checkout: PR code into workspace, vyos/.github@production into
  `.github-central/` so the central config is always sourced from the
  authoritative repo regardless of which product repo runs the check.
- SHA-pinned actions (actions/checkout v7, crate-ci/typos v1.47.2,
  peter-evans/create-or-update-comment v5).
- Failure comment injected only on same-repo (non-fork) PRs to avoid
  pull_request_target exposure on forks.

Add `_typos.toml` at repo root — the central allowlist consumed by the
two-checkout pattern above.  Config excludes upstream-owned paths
(*.patch, smoketest/**, mibs/**, kernel config fragments) and carries
extend-words entries for confirmed VyOS / networking / kernel jargon:
ICMPv6 ND prefixes, IEEE 802.11ai FILS/EDCA ACI/OCE/SME, MACsec pn,
GeoIP country codes (ba/fo), VyOS daemon suffix (commitd), _OFR_CONFIGURE
bash env, Linux UAPI FlAGS kernel identifiers (AGS), Triple-DES EDE,
RTAX_RTO_MIN (RTO/rto), nftables bridge chain prefix (NAM), Linux kernel
driver symbols (DAMON/WIL/EXPORTFS/SYNOPSYS/ADIN), QoS thr threshold,
setpriv --inh-caps (inh), VyOS dummy interface prefix (dum), ATA node
prefix (hda), gratuitous-ARP abbreviation (grat), and the
op-mode tab-completion prefix file (clea).

Dry-run against 4 pilot repos (vyos-1x/vyos-build/vyatta-cfg-system/vyconf):
  - vyos-1x:           742 → 75 hits (90 % reduction)
  - vyos-build:        138 →  1 hit  (99 % reduction)
  - vyatta-cfg-system:  81 → 67 hits (17 % reduction — repo has real typos)
  - vyconf:             36 → 14 hits (61 % reduction)

All remaining hits are genuine typos in product source, not false positives.

This is the Phase 1.3/1.4 seed. Phase 2 evaluate step will measure false
positives on live PRs and tune further; zero false positives is not the
goal here.

Relates: T8490
🤖 Generated by [robots](https://vyos.io)
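A sketch of the workflow shape the description lays out (standalone pull_request trigger, two-step checkout, central config, same-repo-only failure comment), written here as an added illustration; it is not the merged typos.yml from vyos/.github. The `@<sha-of-...>` pins are placeholders for the real SHA pins, and `isolated: true` (an input the typos action documents) is my assumption to make the "no repo-local override" property explicit rather than relying on config precedence.

```yaml
# Added illustration, not the merged vyos/.github workflow.
name: Typos

on:
  pull_request:
    branches: [rolling, circinus, sagitta]

permissions:
  contents: read
  pull-requests: write   # only used by the failure comment on same-repo PRs

jobs:
  typos:
    runs-on: ubuntu-latest
    steps:
      # Step 1: the PR code under test. persist-credentials: false keeps the
      # job token out of .git/config so later steps cannot reuse it.
      - uses: actions/checkout@<sha-of-v7>   # placeholder for the real SHA pin
        with:
          persist-credentials: false

      # Step 2: the allowlist from the protected production branch of the
      # central repo, whatever product repo is running the check. The
      # dot-prefixed path keeps it out of the scan (ignore-hidden = true).
      - uses: actions/checkout@<sha-of-v7>   # placeholder for the real SHA pin
        with:
          repository: vyos/.github
          ref: production
          path: .github-central
          persist-credentials: false

      # Full-tree scan with only the central config. isolated is assumed here:
      # it stops typos from also merging a _typos.toml a PR could add to the
      # product repo, so a PR cannot relax its own check.
      - name: Run typos
        uses: crate-ci/typos@<sha-of-v1.47.2>   # placeholder for the real SHA pin
        with:
          config: .github-central/_typos.toml
          isolated: true

      # Fork PRs never reach this step: their head repo differs from the base
      # repo, and with plain pull_request they hold a read-only token anyway.
      - name: Failure comment (same-repo PRs only)
        if: failure() && github.event.pull_request.head.repo.full_name == github.repository
        uses: peter-evans/create-or-update-comment@<sha-of-v5>   # placeholder
        with:
          issue-number: ${{ github.event.pull_request.number }}
          body: |
            typos found spelling errors in this PR; see the check annotations.
```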
@coderabbitai

coderabbitai Bot commented Jun 19, 2026



No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 0a000939-d07a-4004-bf16-cba3bbac6e2b

📥 Commits

Reviewing files that changed from the base of the PR and between 314142b and 4814e80.

📒 Files selected for processing (2)
  • .github/workflows/typos.yml
  • _typos.toml
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • ansible/ansible (manual)
📜 Recent review details
🧰 Additional context used
📓 Path-based instructions (2)
.github/workflows/**/*.yml

📄 CodeRabbit inference engine (AGENTS.md)

.github/workflows/**/*.yml: GitHub Actions workflows must be reusable workflows using workflow_call trigger; avoid adding non-reusable workflows unless necessary (exception: cla-check.yml with pull_request_target)
Most GitHub Actions jobs must include a bullfrogsec/bullfrog@v0.8.4 egress-audit step (non-fatal)
Bot mutations across orgs must use vyosbot identity via org-level PAT and REMOTE_OWNER secrets in GitHub Actions workflows

Files:

  • .github/workflows/typos.yml
.github/workflows/**

⚙️ CodeRabbit configuration file

.github/workflows/**: Rollout 1c (Phorge T8943, 2026-05-30) renamed default branches fleet-wide: release-train repos current -> rolling; vyos/.github and other non-release-train repos current -> production. (1) Reusable-workflow refs of the form vyos/.github/.github/workflows/<name>.yml@production are CORRECT and canonical. Do NOT suggest changing @production to @current: current is the OLD name, retained only as a temporary bake-period alias and slated for removal. Any AGENTS.md still saying "reusables pinned to @current" or "current (rolling)" is stale post-1c and must not drive review suggestions. (2) In the mirror caller pr-mirror-repo-sync.yml, permissions: contents: read is INTENTIONAL: the central reusable workflow performs all push/PR writes with the vyos-bot GitHub App installation token (minted via the get-token action), not the inherited GITHUB_TOKEN. Do NOT suggest broadening the caller's permissions to contents: write / pull-requests: write.

Files:

  • .github/workflows/typos.yml
🧠 Learnings (1)
📚 Learning: 2026-05-30T19:50:14.606Z
Learnt from: andamasov
Repo: vyos/.github PR: 132
File: .github/workflows/pr-mirror-repo-sync.yml:41-43
Timestamp: 2026-05-30T19:50:14.606Z
Learning: When reviewing GitHub Actions workflows in the vyos/.github repository, do not require SHA-pinning for `uses:` action references that intentionally follow the repo's Rollout 1a conventions. In particular, internal central-infra actions may be referenced via mutable tag/branch refs (e.g., `vyos/.github/.github/actions/get-token@production`) so that all workflow consumers pick up updates from a single central `vyos/.github@production` change. Similarly, third-party actions should follow the existing repo convention (e.g., version tags like `bullfrogsec/bullfrog@v0.8.4`). SHA-pinning fleet-wide is tracked separately (e.g., T8850) and is out of scope for individual PRs unless a referenced action clearly deviates from the established convention.

Applied to files:

  • .github/workflows/typos.yml
🔍 Remote MCP Context7

Summary of Additional Context for PR Review

Typos Action Capabilities and Configuration

The crate-ci/typos GitHub Action accepts key inputs: files (patterns to check), config (custom configuration file), and isolated (to ignore implicit config files). The runner requires wget to be installed.

Configuration Precedence: Configuration is loaded in order: command line arguments, a file specified via --config PATH, and then by searching parent directories for configuration files like typos.toml, _typos.toml, .typos.toml, Cargo.toml, or pyproject.toml. This is important for the PR's design: by passing a custom config file via the config parameter, the workflow ensures the central _typos.toml from vyos/.github@production takes precedence.

Action Design Characteristics

The typos tool is "fast enough to run on monorepos" and has "low false positives so you can run on PRs". The action creates GitHub annotations directly in the pull request interface, displaying typos as warnings with file, line number, and suggested corrections. For production environments, it's recommended to use a specific version tag to avoid unexpected failures from new spell checking rules.

Configuration Management

The typos tool makes it relatively easy to modify its sensitivity by editing the typos.toml file to ignore some words or patterns, which aligns with the PR's strategy of maintaining a central allowlist for domain-specific VyOS terminology.

Source: https://github.com/crate-ci/typos/blob/master/docs/github-action.md

🔇 Additional comments (2)
_typos.toml (1)

19-142: LGTM!

.github/workflows/typos.yml (1)

1-47: LGTM!


📝 Walkthrough

Summary by CodeRabbit

  • Chores
    • Added automated typo checking to pull request workflows across target branches.
    • Established centralized typo allowlist configuration to standardize code quality checks with defined terminology and jargon exceptions.

Walkthrough

Adds .github/workflows/typos.yml, a new GitHub Actions workflow that runs crate-ci/typos on PRs targeting rolling, circinus, and sagitta. It fetches _typos.toml from vyos/.github@production as a central config, which is also introduced here with path exclusions and an extensive VyOS/kernel/networking token allowlist.

Changes

Centralized Typos CI Workflow

| Layer / File(s) | Summary |
|---|---|
| Central typos allowlist and exclusions: `_typos.toml` | Introduces _typos.toml with [files] exclude globs (upstream patches, smoketest outputs, MIBs, kernel config fragments) and a [default.extend-words] allowlist for ~100 networking/kernel/crypto/VyOS-specific abbreviations and identifier sub-tokens, including case-sensitive variants. |
| Typos workflow definition: `.github/workflows/typos.yml` | New Typos workflow triggers on PRs to rolling, circinus, sagitta; checks out the PR, fetches _typos.toml from vyos/.github@production, runs crate-ci/typos, and posts a failure comment on same-repo PRs only. |

Possibly related PRs

  • vyos/.github#129: Modifies the existing check-typos workflow with an egress-audit step — directly related as both touch the typo-checking CI infrastructure in this repository.
🚥 Pre-merge checks (5 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | Title directly references the two main components (typos.yml and _typos.toml) and the pilot approach (ruleset-required), accurately summarizing the changeset's primary objectives. |
| Description check | ✅ Passed | Description is comprehensive and directly related to the changeset, explaining the workflow design, central config strategy, checkout pattern, allowlist content, and rollout plan. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@andamasov andamasov marked this pull request as ready for review June 19, 2026 05:59
@andamasov andamasov merged commit 2b5ec2d into production Jun 19, 2026
4 checks passed
@andamasov andamasov deleted the ci/T8490-typos-ruleset branch June 19, 2026 21:50