ci: auto-bump platform submodule on merge to main

.github/workflows/bump-platform-submodule.yml

@@ -0,0 +1,83 @@
+name: Bump platform submodule pointer
+
+# When this repo's main moves, push a matching gitlink bump to the
+# FailproofAI/platform monorepo so its `failproofai/oss` submodule tracks
+# upstream automatically. Direct push to platform `main` — no PR.
+
+on:
+  push:
+    branches: [main]
+  workflow_dispatch:
+
+# Serialize runs so back-to-back merges produce sequential bumps,
+# not a race that loses one of them.
+concurrency:
+  group: bump-platform-submodule
+  cancel-in-progress: false
+
+jobs:
+  bump:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout FailproofAI/platform main
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          repository: FailproofAI/platform
+          token: ${{ secrets.PLATFORM_BUMP_TOKEN }}
+          ref: main
+          fetch-depth: 1
+          # Don't fetch submodule contents — we only edit the gitlink.
+          submodules: false
+          # Don't persist the cross-repo token in git config; auth is
+          # set inline on the push/fetch commands below.
+          persist-credentials: false
+
+      - name: Bump failproofai/oss gitlink and push
+        env:
+          NEW_SHA: ${{ github.sha }}
+          COMMIT_SUBJECT: ${{ github.event.head_commit.message }}
+          UPSTREAM_REPO: ${{ github.repository }}
+          PLATFORM_BUMP_TOKEN: ${{ secrets.PLATFORM_BUMP_TOKEN }}
+        run: |
+          set -euo pipefail
+
+          AUTH_HEADER="Authorization: bearer ${PLATFORM_BUMP_TOKEN}"
+
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+
+          CURRENT_SHA=$(git ls-tree HEAD failproofai/oss | awk '{print $3}')
+          if [ -z "$CURRENT_SHA" ]; then
+            echo "::error::failproofai/oss is not a gitlink in platform main — aborting."
+            exit 1
+          fi
+          if [ "$CURRENT_SHA" = "$NEW_SHA" ]; then
+            echo "Already at $NEW_SHA — nothing to do."
+            exit 0
+          fi
+
+          # Rewrite the gitlink (mode 160000 = submodule entry) without
+          # needing the submodule contents on disk.
+          git update-index --add --cacheinfo "160000,$NEW_SHA,failproofai/oss"
+
+          SUBJECT_LINE=$(printf '%s\n' "${COMMIT_SUBJECT:-Manual trigger}" | head -n 1)
+          SHORT_SHA=${NEW_SHA:0:7}
+
+          git commit -m "Bump failproofai/oss to $SHORT_SHA" \
+                     -m "Upstream: $SUBJECT_LINE" \
+                     -m "https://github.com/$UPSTREAM_REPO/commit/$NEW_SHA"
+
+          # Race-safe push: if platform main moved between checkout and push,
+          # rebase the single bump commit on top and try again.
+          for attempt in 1 2 3; do
+            if git -c http.extraheader="$AUTH_HEADER" push origin main; then
+              echo "Pushed bump on attempt $attempt"
+              exit 0
+            fi
+            echo "Push failed on attempt $attempt — rebasing onto latest main"
+            git -c http.extraheader="$AUTH_HEADER" fetch origin main
+            git rebase origin/main
+          done
+
+          echo "::error::Failed to push submodule bump after 3 attempts"
+          exit 1

CHANGELOG.md

@@ -3,6 +3,7 @@
 ## 0.0.11-beta.3 — 2026-05-25
 
 ### Features
+- Add a `bump-platform-submodule.yml` workflow that pushes a matching `failproofai/oss` gitlink bump to `FailproofAI/platform` `main` on every merge into this repo's `main`, so the monorepo's pinned submodule commit tracks upstream automatically. Uses a `PLATFORM_BUMP_TOKEN` repo secret (fine-grained PAT, contents: read & write on `FailproofAI/platform`) for cross-repo auth, a concurrency group to serialize back-to-back merges, and a rebase-and-retry loop to stay race-safe against humans pushing to platform `main` between checkout and push (#394).
 - Add a supply-chain security CI gate: OSV-Scanner (`.github/workflows/osv-scanner.yml`) scans the resolved `bun.lock` tree against OSV.dev (GitHub/npm advisories + the OpenSSF malicious-packages feed) on every PR (incl. Dependabot bumps), on pushes to `main`, and weekly, and **blocks on any known-vulnerable or malicious dependency**. Adds a Socket GitHub App behavioral early-warning layer, an `osv-scanner.toml` allow-list for unfixable advisories, a README supply-chain status badge, and a `SECURITY.md` policy/runbook. Remediates the 18 pre-existing transitive advisories surfaced by the new gate (brace-expansion, flatted, minimatch, picomatch, postcss, vite, ws) by refreshing `bun.lock` within range, with `overrides` pinning `postcss` to the patched 8.5.x line (Next.js pins the vulnerable 8.4.31) and holding `eslint-plugin-react-hooks` at main's 7.0.1 so the refresh doesn't also bump the linter (#391).
 - Stamp `product: "failproofai-oss"` on every PostHog event across all four telemetry channels — hooks/audit (`trackHookEvent`), server (`trackEvent`), web UI (`captureClientEvent`), and npm-lifecycle install/uninstall (`trackInstallEvent`) — so OSS events stay distinguishable from any future hosted surface. The value lives in a single `POSTHOG_PRODUCT` constant in `src/posthog-key.ts`, reused by the three TypeScript channels; the standalone `scripts/install-telemetry.mjs` inlines the same literal because it can't import the TS module at install time. Honors `FAILPROOFAI_TELEMETRY_DISABLED=1` like all other telemetry (#380).