cistack 5.0.0 → 5.2.0

package/README.md

@@ -2,7 +2,7 @@
 
 > Generate GitHub Actions CI/CD pipelines by analyzing the codebase you already have.
 
-`cistack` scans your project, detects the stack, and writes production-ready GitHub Actions workflows for CI, deployment, Docker, security, and releases. It is designed for real repos, not toy demos: it reads lock files, framework signals, release config, monorepo workspaces, hosting config, and Git branch metadata before generating YAML.
+`cistack` scans your project, detects the stack, and writes production-ready GitHub Actions workflows for CI, deployment, Docker, and releases. It is designed for real repos, not toy demos: it reads lock files, framework signals, release config, monorepo workspaces, hosting config, and Git branch metadata before generating YAML.
 
 ## Why cistack
 
@@ -55,7 +55,7 @@ npx cistack generate --no-prompt
 npx cistack audit
 ```
 
-This checks `.github/workflows` for issues like missing concurrency blocks, outdated actions, old Node versions, and missing dependency caching.
+This checks your generated workflow directory for issues like missing concurrency blocks, outdated actions, old Node versions, and missing dependency caching. If you set `outputDir` in `cistack.config.js`, `audit` and `upgrade` will use that directory too.
 
 ### Upgrade workflow actions
 
@@ -78,11 +78,11 @@ This writes `cistack.config.js` with the supported override keys.
 
 ### `pipeline.yml`
 
-By default, `cistack` now generates a single GitHub Actions workflow that combines CI, deploy, Docker, security, and release jobs into one place so teams can track the whole pipeline from one file.
+By default, `cistack` now generates a single GitHub Actions workflow that combines CI, deploy, Docker, and release jobs into one place so teams can track the whole pipeline from one file.
 
-- Includes lint, test, build, E2E, deploy, Docker, security, and release jobs when those parts of the stack are detected
+- Includes lint, test, build, E2E, deploy, Docker, and release jobs when those parts of the stack are detected
 - Uses the detected default branch or your configured `branches`
-- Keeps preview deploys, release jobs, and scheduled security scans in the same workflow file
+- Keeps preview deploys and release jobs in the same workflow file
 - Documents required secrets in the file header
 
 ### `dependabot.yml`
@@ -99,7 +99,7 @@ module.exports = {
 };
 ```
 
-In split mode, `cistack` writes separate `ci.yml`, `deploy.yml`, `docker.yml`, `security.yml`, and `release.yml` files again.
+In split mode, `cistack` writes separate `ci.yml`, `deploy.yml`, `docker.yml`, and `release.yml` files again.
 
 ## Supported detection
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cistack",
-  "version": "5.0.0",
+  "version": "5.2.0",
   "description": "Automatically generate GitHub Actions CI/CD pipelines by analysing your codebase",
   "main": "src/index.js",
   "types": "index.d.ts",

package/src/analyzers/workflow.js

@@ -6,9 +6,9 @@ const yaml = require('js-yaml');
 const chalk = require('chalk');
 
 class WorkflowAnalyzer {
-  constructor(projectPath) {
+  constructor(projectPath, options = {}) {
     this.projectPath = projectPath;
-    this.workflowsDir = path.join(projectPath, '.github/workflows');
+    this.workflowsDir = options.workflowsDir || path.join(projectPath, '.github/workflows');
     
     // Latest stable versions for common actions
     this.latestVersions = {

package/src/generators/dependabot.js

@@ -150,6 +150,11 @@ class DependabotGenerator {
       directory: '/',
       schedule: { interval: 'weekly', day: 'monday' },
       'open-pull-requests-limit': 10,
+      groups: {
+        'github-actions-updates': {
+          patterns: ['*'],
+        },
+      },
     });
 
     const doc = { version: 2, updates };

package/src/generators/workflow.js

@@ -118,12 +118,6 @@ class WorkflowGenerator {
       });
     }
 
-    // ── 4. Security audit ────────────────────────────────────────────────
-    workflows.push({
-      filename: 'security.yml',
-      content: this._buildSecurityWorkflow(),
-    });
-
     return workflows;
   }
 
@@ -566,79 +560,6 @@ class WorkflowGenerator {
     return this._toYaml(workflow, `# Generated by cistack v${version}\n# Docker image build and push to GHCR\n\n`);
   }
 
-  // ══════════════════════════════════════════════════════════════════════════
-  // Security Workflow
-  // ══════════════════════════════════════════════════════════════════════════
-
-  _buildSecurityWorkflow() {
-    const lang = this.primaryLang;
-    const branches = this._resolveBranches(['main', 'master']);
-    const steps = [this._stepCheckout()];
-
-    if (['JavaScript', 'TypeScript'].includes(lang.name)) {
-      steps.push(
-        ...this._setupSteps(lang),
-        this._stepInstallDeps(lang),
-        {
-          name: 'Audit dependencies',
-          run:
-            lang.packageManager === 'npm'   ? 'npm audit --audit-level=high' :
-            lang.packageManager === 'yarn'  ? 'yarn audit --level high' :
-            lang.packageManager === 'pnpm'  ? 'pnpm audit --audit-level high' :
-                                              'npm audit --audit-level=high',
-        },
-      );
-    }
-
-    if (lang.name === 'Python') {
-      steps.push(
-        { name: 'Set up Python', uses: 'actions/setup-python@v5', with: { 'python-version': lang.pythonVersion || '3.11' } },
-        { name: 'Install safety', run: 'pip install safety' },
-        { name: 'Run safety check', run: 'safety check' },
-      );
-    }
-
-    if (lang.name === 'Rust') {
-      steps.push(
-        { name: 'Set up Rust', uses: 'dtolnay/rust-toolchain@stable' },
-        { name: 'Run cargo audit', run: 'cargo install cargo-audit && cargo audit' },
-      );
-    }
-
-    // CodeQL analysis
-    steps.push(
-      {
-        name: 'Initialize CodeQL',
-        uses: 'github/codeql-action/init@v3',
-        with: { languages: this._codeQLLanguage(lang.name) },
-      },
-      { name: 'Perform CodeQL Analysis', uses: 'github/codeql-action/analyze@v3' },
-    );
-
-    const workflow = {
-      name: 'Security Audit',
-      on: {
-        push: { branches },
-        pull_request: { branches },
-        schedule: [{ cron: '0 6 * * 1' }],
-      },
-      permissions: {
-        actions: 'read',
-        contents: 'read',
-        'security-events': 'write',
-      },
-      jobs: {
-        security: {
-          name: '🔒 Security Audit',
-          'runs-on': 'ubuntu-latest',
-          steps: steps.filter(Boolean),
-        },
-      },
-    };
-
-    return this._toYaml(workflow, `# Generated by cistack v${version}\n# Security: dependency audit + CodeQL analysis (runs weekly)\n\n`);
-  }
-
   // ══════════════════════════════════════════════════════════════════════════
   // Reusable step builders
   // ══════════════════════════════════════════════════════════════════════════

package/src/index.js

@@ -124,7 +124,7 @@ class CIFlow {
       if (this._workflowLayout(finalConfig) !== 'split') {
         workflows = [combineWorkflows(workflows, { config: finalConfig, releaseInfo: combinedReleaseInfo })];
       }
-      spinner.succeed(chalk.green(`Generated ${workflows.length} workflow file(s)`));
+      spinner.succeed(chalk.green(`Generated ${this._workflowCountLabel(workflows.length)}`));
 
       // ── 10. Write files ────────────────────────────────────────────────
       if (this.dryRun) {
@@ -136,7 +136,11 @@ class CIFlow {
 
       console.log('\n' + chalk.bold.green('✅  Done! Your GitHub Actions pipeline is ready.'));
       if (!this.dryRun) {
-        console.log(chalk.dim(`   Workflows → ${this.outputDir}`));
+        if (workflows.length === 1) {
+          console.log(chalk.dim(`   Pipeline → ${path.join(this.outputDir, workflows[0].filename)}`));
+        } else {
+          console.log(chalk.dim(`   Workflows → ${this.outputDir}`));
+        }
         console.log(chalk.dim(`   Dependabot → ${path.join(this.projectPath, '.github', 'dependabot.yml')}\n`));
       }
     } catch (err) {
@@ -151,7 +155,8 @@ class CIFlow {
     const spinner = ora({ text: 'Auditing existing workflows...', color: 'cyan' }).start();
     
     try {
-      const analyzer = new WorkflowAnalyzer(this.projectPath);
+      const workflowsDir = await this._resolveWorkflowsDir();
+      const analyzer = new WorkflowAnalyzer(this.projectPath, { workflowsDir });
       const results = await analyzer.audit();
       spinner.succeed(chalk.green('Audit complete'));
 
@@ -195,7 +200,8 @@ class CIFlow {
     const spinner = ora({ text: 'Upgrading actions...', color: 'cyan' }).start();
     
     try {
-      const analyzer = new WorkflowAnalyzer(this.projectPath);
+      const workflowsDir = await this._resolveWorkflowsDir();
+      const analyzer = new WorkflowAnalyzer(this.projectPath, { workflowsDir });
       const results = await analyzer.upgrade(this.dryRun);
       
       if (results.changes === 0) {
@@ -263,6 +269,23 @@ class CIFlow {
     return layout === 'split' ? 'split' : 'single';
   }
 
+  async _resolveWorkflowsDir() {
+    const configLoader = new ConfigLoader(this.projectPath);
+    const userConfig = await configLoader.load();
+    const relativeOutputDir = userConfig.outputDir || '.github/workflows';
+    return path.join(this.projectPath, relativeOutputDir);
+  }
+
+  _workflowCountLabel(count) {
+    return `${count} workflow file${count === 1 ? '' : 's'}`;
+  }
+
+  _displayWorkflowPath(filename) {
+    const filePath = path.join(this.outputDir, filename);
+    const relativePath = path.relative(this.projectPath, filePath) || filename;
+    return relativePath.split(path.sep).join(path.posix.sep);
+  }
+
   async _interactiveConfirm(config) {
     const { confirmed } = await inquirer.prompt([
       {
@@ -353,7 +376,7 @@ class CIFlow {
     console.log('\n' + chalk.yellow('── DRY RUN – files not written ──\n'));
 
     for (const wf of workflows) {
-      console.log(chalk.bold.cyan(`\n📄 .github/workflows/${wf.filename}`));
+      console.log(chalk.bold.cyan(`\n📄 ${this._displayWorkflowPath(wf.filename)}`));
       console.log(chalk.dim('─'.repeat(60)));
       console.log(wf.content);
     }
@@ -377,11 +400,11 @@ class CIFlow {
         const { content: merged, changes } = smartMergeWorkflow(existing, wf.content);
 
         if (changes.length === 0) {
-          console.log(chalk.dim(`  ○ No changes: ${wf.filename}`));
+          console.log(chalk.dim(`  ○ No changes: ${this._displayWorkflowPath(wf.filename)}`));
           continue;
         }
 
-        console.log(chalk.yellow(`  ↻ Smart-merged: ${wf.filename}`));
+        console.log(chalk.yellow(`  ↻ Smart-merged: ${this._displayWorkflowPath(wf.filename)}`));
         for (const c of changes) {
           console.log(chalk.dim(`    • ${c}`));
         }
@@ -389,10 +412,10 @@ class CIFlow {
         writeFile(filePath, merged);
       } else if (exists && this.force) {
         writeFile(filePath, wf.content);
-        console.log(chalk.green(`  ✔ Overwritten:  ${wf.filename}`));
+        console.log(chalk.green(`  ✔ Overwritten:  ${this._displayWorkflowPath(wf.filename)}`));
       } else {
         writeFile(filePath, wf.content);
-        console.log(chalk.green(`  ✔ Written:      ${wf.filename}`));
+        console.log(chalk.green(`  ✔ Written:      ${this._displayWorkflowPath(wf.filename)}`));
       }
     }
   }

package/src/utils/helpers.js

@@ -23,6 +23,25 @@ function banner() {
   console.log(chalk.dim('  ' + '─'.repeat(24)) + '\n');
 }
 
+function _isCistackManaged(content) {
+  return typeof content === 'string' && content.startsWith('# Generated by cistack');
+}
+
+function _isManagedJobId(jobId) {
+  return [
+    'lint',
+    'test',
+    'build',
+    'lighthouse',
+    'e2e',
+    'ci',
+    'deploy',
+    'preview',
+    'release',
+    'security',
+  ].includes(jobId) || /^(ci|deploy|docker|release|security)_/.test(jobId);
+}
+
 /**
  * Smart diff: compare existing workflow YAML with newly generated YAML.
  *
@@ -39,6 +58,7 @@ function banner() {
  */
 function smartMergeWorkflow(existingContent, newContent) {
   let existing, generated;
+  const cistackManaged = _isCistackManaged(existingContent) && _isCistackManaged(newContent);
 
   try {
     existing = yaml.load(existingContent);
@@ -65,6 +85,9 @@ function smartMergeWorkflow(existingContent, newContent) {
         merged[key] = generated[key];
         changes.push(`updated top-level "${key}"`);
       }
+    } else if (cistackManaged && key in merged) {
+      delete merged[key];
+      changes.push(`removed top-level "${key}"`);
     }
   }
 
@@ -92,6 +115,15 @@ function smartMergeWorkflow(existingContent, newContent) {
         // else — identical, keep existing
       }
     }
+
+    if (cistackManaged) {
+      for (const jobId of Object.keys(existing.jobs || {})) {
+        if (!(jobId in generated.jobs) && _isManagedJobId(jobId)) {
+          delete merged.jobs[jobId];
+          changes.push(`removed job "${jobId}"`);
+        }
+      }
+    }
   }
 
   // ── re-serialise ──────────────────────────────────────────────────────────

package/tests/run.js

@@ -213,6 +213,33 @@ test('Dependabot skips empty npm manifests and uses the bun ecosystem for bun.lo
   assert(!bunDependabot.updates.some((entry) => entry['package-ecosystem'] === 'npm'));
 });
 
+test('Dependabot groups GitHub Actions updates into a single pull request', async () => {
+  const projectDir = makeTempDir();
+  writeFiles(projectDir, {
+    '.github/workflows/ci.yml': [
+      'name: CI',
+      'jobs:',
+      '  test:',
+      '    runs-on: ubuntu-latest',
+      '    steps:',
+      '      - uses: actions/checkout@v4',
+      '      - uses: actions/setup-node@v4',
+      '      - uses: actions/upload-artifact@v4',
+    ].join('\n'),
+  });
+
+  const info = await new CodebaseAnalyzer(projectDir).analyse();
+  const dependabot = parseWorkflow(new DependabotGenerator(info).generate().content);
+  const gha = dependabot.updates.find((entry) => entry['package-ecosystem'] === 'github-actions');
+
+  assert(gha);
+  assert.deepEqual(gha.groups, {
+    'github-actions-updates': {
+      patterns: ['*'],
+    },
+  });
+});
+
 test('GCP App Engine detection documents only the secrets the generated deploy flow uses', async () => {
   const projectDir = makeTempDir();
   writeFiles(projectDir, {
@@ -296,7 +323,7 @@ test('CodebaseAnalyzer detects the current git branch as the default branch fall
   assert.equal(info.defaultBranch, 'release');
 });
 
-test('WorkflowGenerator uses the detected default branch across CI, deploy, and security workflows', () => {
+test('WorkflowGenerator uses the detected default branch across CI and deploy workflows', () => {
   const projectDir = makeTempDir();
   writeFiles(projectDir, {
     'package.json': json({
@@ -322,7 +349,6 @@ test('WorkflowGenerator uses the detected default branch across CI, deploy, and
 
   assert.deepEqual(byName['ci.yml'].on.push.branches, ['release']);
   assert.deepEqual(byName['deploy.yml'].on.push.branches, ['release']);
-  assert.deepEqual(byName['security.yml'].on.push.branches, ['release']);
 });
 
 test('combineWorkflows collapses generated workflows into a single pipeline file', () => {
@@ -351,7 +377,6 @@ test('combineWorkflows collapses generated workflows into a single pipeline file
   assert.equal(combined.filename, 'pipeline.yml');
   assert(parsed.jobs.ci_lint);
   assert(parsed.jobs.deploy_deploy);
-  assert(parsed.jobs.security_security);
   assert(parsed.jobs.release_release);
 });
 
@@ -384,8 +409,6 @@ test('combineWorkflows preserves workflow-specific trigger scoping in the unifie
   assert.deepEqual(combined.on.push.branches, ['main', 'master', 'develop']);
   assert(combined.jobs.ci_lint.if.includes("github.event_name == 'push'"));
   assert(combined.jobs.ci_lint.if.includes("github.event_name == 'pull_request'"));
-  assert(!combined.jobs.ci_lint.if.includes("github.event_name == 'schedule'"));
-  assert(combined.jobs.security_security.if.includes("github.event_name == 'schedule'"));
   assert(combined.jobs.deploy_deploy.if.includes("github.ref_name == 'main'"));
   assert(combined.jobs.deploy_deploy.if.includes("github.ref_name == 'master'"));
   assert(!combined.jobs.deploy_deploy.if.includes("github.ref_name == 'develop'"));
@@ -586,28 +609,6 @@ test('Bun workflows set up Bun before installing dependencies', () => {
   assert.equal(deployBuildStep.run, 'bun run build');
 });
 
-test('Python security workflow honors the detected Python version', () => {
-  const projectDir = makeTempDir();
-  const generator = new WorkflowGenerator(
-    {
-      hosting: [],
-      frameworks: [],
-      languages: [{ name: 'Python', packageManager: 'pip', pythonVersion: '3.12' }],
-      testing: [],
-      envVars: { secrets: [], public: [], all: [], sourceFile: null },
-      monorepoPackages: [],
-      lockFiles: [],
-      _config: {},
-    },
-    projectDir
-  );
-
-  const workflow = parseWorkflow(generator._buildSecurityWorkflow());
-  const pythonSetup = workflow.jobs.security.steps.find((step) => step.name === 'Set up Python');
-
-  assert.equal(pythonSetup.with['python-version'], '3.12');
-});
-
 test('smartMergeWorkflow preserves existing custom steps that cistack does not regenerate', () => {
   const existing = [
     'name: CI',
@@ -645,6 +646,66 @@ test('smartMergeWorkflow preserves existing custom steps that cistack does not r
   assert(stepNames.includes('Build'));
 });
 
+test('smartMergeWorkflow removes stale managed jobs and top-level keys from previous generated workflows', () => {
+  const existing = [
+    '# Generated by cistack v5.0.0',
+    '',
+    'name: Pipeline',
+    'on:',
+    '  push:',
+    '    branches:',
+    '      - main',
+    '  schedule:',
+    '    - cron: 0 6 * * 1',
+    'permissions:',
+    '  contents: read',
+    '  security-events: write',
+    'jobs:',
+    '  ci_lint:',
+    '    runs-on: ubuntu-latest',
+    '    steps:',
+    '      - name: Checkout code',
+    '        uses: actions/checkout@v4',
+    '  security_security:',
+    '    runs-on: ubuntu-latest',
+    '    steps:',
+    '      - name: Security',
+    '        run: echo audit',
+    '  custom_check:',
+    '    runs-on: ubuntu-latest',
+    '    steps:',
+    '      - name: Custom',
+    '        run: echo custom',
+    '',
+  ].join('\n');
+
+  const generated = [
+    '# Generated by cistack v5.1.0',
+    '',
+    'name: Pipeline',
+    'on:',
+    '  push:',
+    '    branches:',
+    '      - main',
+    'jobs:',
+    '  ci_lint:',
+    '    runs-on: ubuntu-latest',
+    '    steps:',
+    '      - name: Checkout code',
+    '        uses: actions/checkout@v4',
+    '',
+  ].join('\n');
+
+  const result = smartMergeWorkflow(existing, generated);
+  const merged = yaml.load(stripHeader(result.content));
+
+  assert(!merged.on.schedule);
+  assert(!merged.permissions);
+  assert(merged.jobs.ci_lint);
+  assert(!merged.jobs.security_security);
+  assert(merged.jobs.custom_check);
+});
+
 test('Per-package CI picks workspace build scripts instead of only reading the root package.json', () => {
   const projectDir = makeTempDir();
   writeFiles(projectDir, {
@@ -883,6 +944,98 @@ test('CLI smoke test still generates workflows in dry-run mode', () => {
   assert(output.includes('Done! Your GitHub Actions pipeline is ready.'));
 });
 
+test('CLI write output shows the pipeline file path in single-layout mode', () => {
+  const projectDir = makeTempDir();
+  writeFiles(projectDir, {
+    'package.json': json({
+      name: 'cli-write-app',
+      version: '1.0.0',
+      scripts: {
+        test: 'echo ok',
+      },
+    }),
+  });
+
+  const output = execFileSync(process.execPath, ['bin/ciflow.js', 'generate', '--path', projectDir, '--no-prompt'], {
+    cwd: repoRoot,
+    encoding: 'utf8',
+    stdio: ['ignore', 'pipe', 'pipe'],
+  });
+
+  assert(output.includes('✔ Written:      .github/workflows/pipeline.yml'));
+  assert(output.includes(`Pipeline → ${path.join(projectDir, '.github', 'workflows', 'pipeline.yml')}`));
+  assert(output.includes(`Dependabot → ${path.join(projectDir, '.github', 'dependabot.yml')}`));
+});
+
+test('CLI output respects custom outputDir in write and dry-run modes', () => {
+  const projectDir = makeTempDir();
+  writeFiles(projectDir, {
+    'package.json': json({
+      name: 'cli-custom-output-app',
+      version: '1.0.0',
+      scripts: {
+        test: 'echo ok',
+      },
+    }),
+    'cistack.config.js': `module.exports = { outputDir: 'ci' };\n`,
+  });
+
+  const writeOutput = execFileSync(process.execPath, ['bin/ciflow.js', 'generate', '--path', projectDir, '--no-prompt'], {
+    cwd: repoRoot,
+    encoding: 'utf8',
+    stdio: ['ignore', 'pipe', 'pipe'],
+  });
+
+  assert(writeOutput.includes('✔ Written:      ci/pipeline.yml'));
+  assert(!writeOutput.includes('.github/workflows/pipeline.yml'));
+  assert(writeOutput.includes(`Pipeline → ${path.join(projectDir, 'ci', 'pipeline.yml')}`));
+
+  const dryRunOutput = execFileSync(process.execPath, ['bin/ciflow.js', 'generate', '--path', projectDir, '--dry-run', '--no-prompt'], {
+    cwd: repoRoot,
+    encoding: 'utf8',
+    stdio: ['ignore', 'pipe', 'pipe'],
+  });
+
+  assert(dryRunOutput.includes('📄 ci/pipeline.yml'));
+  assert(!dryRunOutput.includes('📄 .github/workflows/pipeline.yml'));
+  assert(dryRunOutput.includes('.github/dependabot.yml'));
+});
+
+test('CLI audit and upgrade honor custom outputDir', () => {
+  const projectDir = makeTempDir();
+  writeFiles(projectDir, {
+    'cistack.config.js': `module.exports = { outputDir: 'ci' };\n`,
+    'ci/pipeline.yml': [
+      'name: Pipeline',
+      'on: push',
+      'jobs:',
+      '  test:',
+      '    runs-on: ubuntu-latest',
+      '    steps:',
+      '      - uses: actions/checkout@v3',
+      '',
+    ].join('\n'),
+  });
+
+  const auditOutput = execFileSync(process.execPath, ['bin/ciflow.js', 'audit', '--path', projectDir], {
+    cwd: repoRoot,
+    encoding: 'utf8',
+    stdio: ['ignore', 'pipe', 'pipe'],
+  });
+
+  assert(auditOutput.includes('pipeline.yml'));
+  assert(auditOutput.includes('Outdated action: actions/checkout@v3'));
+
+  const upgradeOutput = execFileSync(process.execPath, ['bin/ciflow.js', 'upgrade', '--path', projectDir], {
+    cwd: repoRoot,
+    encoding: 'utf8',
+    stdio: ['ignore', 'pipe', 'pipe'],
+  });
+
+  assert(upgradeOutput.includes('pipeline.yml'));
+  assert(fs.readFileSync(path.join(projectDir, 'ci', 'pipeline.yml'), 'utf8').includes('uses: actions/checkout@v4'));
+});
+
 test('CLI supports opting back into split workflow files', () => {
   const projectDir = makeTempDir();
   writeFiles(projectDir, {
@@ -903,7 +1056,7 @@ test('CLI supports opting back into split workflow files', () => {
   });
 
   assert(output.includes('.github/workflows/ci.yml'));
-  assert(output.includes('.github/workflows/security.yml'));
+  assert(output.includes('.github/workflows/deploy.yml') || output.includes('.github/workflows/ci.yml'));
   assert(output.includes('Done! Your GitHub Actions pipeline is ready.'));
 });