From e60f608b7a72da2ed4a6bc8e3c52ca238df086a2 Mon Sep 17 00:00:00 2001 From: YiWang24 Date: Mon, 4 May 2026 21:51:36 -0400 Subject: [PATCH 1/2] fix(reusable): correct preflight script path to .openci/.github/scripts/ Scripts live in OpenCI and are vendored to .openci/ by resolve-openci. All four callers were referencing .github/scripts/ (the caller repo's own tree, where the scripts don't exist), causing exit 127 on Probe secrets. - reusable-ci.yml: resolve-openci already ran; just fix the path - reusable-stg.yml: resolve-openci already ran; just fix the path (2 calls) - reusable-prd.yml: resolve-openci already ran; just fix the path (2 calls) - reusable-pr.yml: preflight had no OpenCI vendor at all; add resolve-openci step before Probe secrets and fix path. Same fix applied to verify-sha job. Fixes #148 --- .github/workflows/reusable-ci.yml | 2 +- .github/workflows/reusable-pr.yml | 12 ++++++++++-- .github/workflows/reusable-prd.yml | 4 ++-- .github/workflows/reusable-stg.yml | 4 ++-- 4 files changed, 15 insertions(+), 7 deletions(-) diff --git a/.github/workflows/reusable-ci.yml b/.github/workflows/reusable-ci.yml index d4846df..d05d015 100644 --- a/.github/workflows/reusable-ci.yml +++ b/.github/workflows/reusable-ci.yml @@ -133,7 +133,7 @@ jobs: REGISTRY_TOKEN: ${{ secrets.registry-token || github.token }} ANTHROPIC_API_KEY: ${{ secrets.anthropic-api-key }} run: | - bash .github/scripts/preflight-secrets.sh \ + bash .openci/.github/scripts/preflight-secrets.sh \ --required "REGISTRY_TOKEN" \ --optional "ANTHROPIC_API_KEY" diff --git a/.github/workflows/reusable-pr.yml b/.github/workflows/reusable-pr.yml index 812b985..3628665 100644 --- a/.github/workflows/reusable-pr.yml +++ b/.github/workflows/reusable-pr.yml 
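Review bot: The `Probe secrets` step in reusable-ci.yml now runs `.openci/.github/scripts/preflight-secrets.sh` with `REGISTRY_TOKEN` and `ANTHROPIC_API_KEY` in its environment, but nothing in the hunk establishes that the file was placed there by resolve-openci rather than by a `.openci/` directory already present in the caller's checkout. Whether resolve-openci clears or overwrites that directory is not visible here, so confirm that it does and record it above the step, for example `# .openci/ is created fresh by resolve-openci; never taken from the caller's tree`. A guard before the call, `[ -f .openci/.github/scripts/preflight-secrets.sh ] || { echo "::error::OpenCI scripts not vendored"; exit 1; }`, would also turn a skipped vendor step into a clear failure instead of exit 127. The same applies to the path changes in reusable-pr.yml, reusable-prd.yml and reusable-stg.yml; the step itself begins outside the hunk.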
@@ -97,6 +97,10 @@ jobs: uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 # v4.2.2 with: persist-credentials: false + - name: Resolve OpenCI ref and checkout + uses: YiAgent/OpenCI/actions/_common/resolve-openci@a3231202c05a0d1dd9d6e867ae660004f8451c59 + with: + openci-ref: ${{ inputs.openci-ref }} - name: Probe secrets env: ANTHROPIC_API_KEY: ${{ secrets.anthropic-api-key }} @@ -104,7 +108,7 @@ jobs: SONAR_TOKEN: ${{ secrets.sonar-token }} SNYK_TOKEN: ${{ secrets.snyk-token }} run: | - bash .github/scripts/preflight-secrets.sh \ + bash .openci/.github/scripts/preflight-secrets.sh \ --required "" \ --optional "ANTHROPIC_API_KEY,CODECOV_TOKEN,SONAR_TOKEN,SNYK_TOKEN" @@ -412,6 +416,10 @@ jobs: with: persist-credentials: false fetch-depth: 0 # required so git ls-tree can resolve the self-ref SHA + - name: Resolve OpenCI ref and checkout + uses: YiAgent/OpenCI/actions/_common/resolve-openci@a3231202c05a0d1dd9d6e867ae660004f8451c59 + with: + openci-ref: ${{ inputs.openci-ref }} - name: Install yq run: | if ! command -v yq >/dev/null 2>&1; then @@ -420,7 +428,7 @@ jobs: sudo chmod +x /usr/local/bin/yq fi - name: Run verify-sha-consistency.sh - run: bash .github/scripts/verify-sha-consistency.sh + run: bash .openci/.github/scripts/verify-sha-consistency.sh lint: permissions: {} diff --git a/.github/workflows/reusable-prd.yml b/.github/workflows/reusable-prd.yml index 6eeda19..6ed1051 100644 --- a/.github/workflows/reusable-prd.yml +++ b/.github/workflows/reusable-prd.yml @@ -186,11 +186,11 @@ jobs: SLACK_WEBHOOK_URL: ${{ secrets.slack-webhook-url }} run: | if [ "$DEPLOY_TYPE" = "k8s" ]; then - bash .github/scripts/preflight-secrets.sh \ + bash .openci/.github/scripts/preflight-secrets.sh \ --required "KUBECONFIG_PRD" \ --optional "SLACK_WEBHOOK_URL" else - bash .github/scripts/preflight-secrets.sh \ + bash .openci/.github/scripts/preflight-secrets.sh \ --required "SSH_KEY_PRD" \ --optional "SLACK_WEBHOOK_URL" fi 
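Review bot: The two added `Resolve OpenCI ref and checkout` steps in reusable-pr.yml (preflight and verify-sha jobs) pass `openci-ref: ${{ inputs.openci-ref }}` straight through, so the script that `Probe secrets` runs with four tokens in its environment is whatever that caller-supplied ref resolves to. The action is pinned to a commit SHA, but the hunk does not show whether resolve-openci rejects branch or tag names; if it accepts them, the pin on the action protects less than it appears to. Document the expectation at the step, for example `# openci-ref must be a full commit SHA; mutable refs are rejected by resolve-openci`, and verify that the action actually enforces it. Both job bodies continue outside the hunks.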
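Review bot: In reusable-prd.yml the `if`/`else` repeats the whole `preflight-secrets.sh` invocation and differs only in the `--required` value, which is why this fix had to touch the path twice per file. Choosing the name first leaves one call site: `if [ "$DEPLOY_TYPE" = "k8s" ]; then required=KUBECONFIG_PRD; else required=SSH_KEY_PRD; fi` followed by `bash .openci/.github/scripts/preflight-secrets.sh --required "$required" --optional "SLACK_WEBHOOK_URL"`. The same shape appears in reusable-stg.yml with the `_STG` names. The step's `env:` block begins outside the hunk.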
diff --git a/.github/workflows/reusable-stg.yml b/.github/workflows/reusable-stg.yml index 0c551a9..f9485e4 100644 --- a/.github/workflows/reusable-stg.yml +++ b/.github/workflows/reusable-stg.yml @@ -169,11 +169,11 @@ jobs: SLACK_WEBHOOK_URL: ${{ secrets.slack-webhook-url }} run: | if [ "$DEPLOY_TYPE" = "k8s" ]; then - bash .github/scripts/preflight-secrets.sh \ + bash .openci/.github/scripts/preflight-secrets.sh \ --required "KUBECONFIG_STG" \ --optional "SLACK_WEBHOOK_URL" else - bash .github/scripts/preflight-secrets.sh \ + bash .openci/.github/scripts/preflight-secrets.sh \ --required "SSH_KEY_STG" \ --optional "SLACK_WEBHOOK_URL" fi From 5056d04dc08249153ce3e2d1a1a17fc65c482189 Mon Sep 17 00:00:00 2001 From: YiWang24 Date: Mon, 4 May 2026 21:53:02 -0400 Subject: [PATCH 2/2] fix(reusable-pr): use manifest SHA for resolve-openci bootstrap --- .github/workflows/reusable-pr.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/reusable-pr.yml b/.github/workflows/reusable-pr.yml index 3628665..60bbbd0 100644 --- a/.github/workflows/reusable-pr.yml +++ b/.github/workflows/reusable-pr.yml @@ -98,7 +98,7 @@ jobs: with: persist-credentials: false - name: Resolve OpenCI ref and checkout - uses: YiAgent/OpenCI/actions/_common/resolve-openci@a3231202c05a0d1dd9d6e867ae660004f8451c59 + uses: YiAgent/OpenCI/actions/_common/resolve-openci@9bd9cf085ba9d3a199b701d42ea054e1625a65ce with: openci-ref: ${{ inputs.openci-ref }} - name: Probe secrets @@ -417,7 +417,7 @@ jobs: persist-credentials: false fetch-depth: 0 # required so git ls-tree can resolve the self-ref SHA - name: Resolve OpenCI ref and checkout - uses: YiAgent/OpenCI/actions/_common/resolve-openci@a3231202c05a0d1dd9d6e867ae660004f8451c59 + uses: YiAgent/OpenCI/actions/_common/resolve-openci@9bd9cf085ba9d3a199b701d42ea054e1625a65ce with: openci-ref: ${{ inputs.openci-ref }} - name: Install yq
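Review bot: The corrected pin `resolve-openci@9bd9cf085ba9d3a199b701d42ea054e1625a65ce` in reusable-pr.yml has no trailing comment saying which release or manifest entry it corresponds to, unlike the `actions/checkout@… # v4.2.2` line beside it. The same value is repeated in the preflight and verify-sha jobs and already needed this follow-up commit, so the file does not tell a reader that the two pins must move together. Add a comment on each `uses:` line such as `# manifest SHA; keep in sync with the other resolve-openci pins`. If verify-sha-consistency.sh does not already cover these two lines (not visible in this patch), consider extending it so that a stale pin fails the check.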