ci: add manually-triggered Cross Platform Builds workflow#1233
Conversation
Adds .github/workflows/cross-platform-builds.yml — a workflow_dispatch workflow that runs lint, check, test, and compile on windows-latest and macos-latest. The workflow has no automatic triggers, so it adds no CI noise to PRs or main, and is invoked on demand via the GitHub UI or `gh workflow run`. This is the foundation for incremental Windows-support work: the first run captures the failure inventory; subsequent runs verify that fixes land cleanly on Windows. Once Windows support is complete, this workflow's triggers can be expanded to include pull_request as a final acceptance gate. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
Blocking Issues
None.
Suggestions
None — this is a clean, minimal addition.
Details:
The workflow mirrors the existing ci.yml test job exactly — same actions (actions/checkout@v6, denoland/setup-deno@v2), same commands (deno lint, deno fmt --check, deno task check, deno task test, deno task compile), and appropriately minimal permissions (contents: read).
Checked:
- CLAUDE.md conventions: No TypeScript changes, so no license headers, type checks, linting, or formatting concerns. The workflow commands match the established patterns.
- DDD: Not applicable — no domain code changed.
- Test coverage: Not applicable — no code requiring tests.
- Security:
workflow_dispatchwith no inputs means no injection surface. No secrets used. Permissions are read-only. Third-party action pins match the existing CI convention. - Consistency:
fail-fast: falseis the right choice for an exploratory failure-inventory run across independent platforms.
LGTM.
There was a problem hiding this comment.
CI Security Review
Critical / High
None.
Medium
.github/workflows/cross-platform-builds.yml:19,22—actions/checkout@v6anddenoland/setup-deno@v2are pinned by tag rather than full commit SHA. A compromised tag could deliver malicious code. However, both are from trusted publishers (GitHub-owned / Deno official), and the existingci.ymlin this repo uses the same tag-only pinning for these actions, so this is consistent with current repo convention. Consider SHA-pinning as a future hardening pass across all workflows.
Low
None.
Verdict
PASS — This is a clean, minimal workflow. It is workflow_dispatch-only (no external trigger surface), uses job-level contents: read permissions (minimum necessary), interpolates no untrusted data, references no secrets, and invokes no LLMs. The tag-only action pins are a medium-severity note but are consistent with existing repo practice and use trusted publishers.
1 participant
Summary
.github/workflows/cross-platform-builds.yml, a manually-triggered workflow that runs the full pipeline (lint, check, test, compile) onwindows-latestandmacos-latest.workflow_dispatchonly — does not run on PRs, pushes, or a schedule, so there's no CI noise on regular work.How to invoke
Via GitHub UI: Actions → Cross Platform Builds → Run workflow
Or CLI:
Why workflow_dispatch only?
Until Windows support exists, every triggered run will fail loudly. Wiring it to PRs or a schedule would mean red checks / red emails on every workday — alert fatigue, and the signal stops being useful. On-demand runs let us capture the failure list when we want it (now, and after each Windows-support PR) without polluting unrelated work.
Once Windows support is complete, a follow-up PR can flip the triggers to
pull_requestand remove this manual step.Test plan
main.Cross Platform Build (windows-latest)andCross Platform Build (macos-latest)jobs run independently (fail-fast: falsekeeps macOS running when Windows fails).🤖 Generated with Claude Code