fix(ci): robust SHA sync in bump-self-sha + final fixes

.github/workflows/agent.yml

@@ -40,7 +40,7 @@ concurrency:
 
 jobs:
   agent:
-    uses: YiAgent/OpenCI/.github/workflows/reusable-agent.yml@34a93579aac0d1682cc65ab8b7c2c9e2d06b0953
+    uses: YiAgent/OpenCI/.github/workflows/reusable-agent.yml@119c3eab2c613bdcc1fbed9b97535f34955defba
     with:
       task: ${{ inputs.task }}
       prompt: ${{ inputs.prompt }}

.github/workflows/ci-self-test.yml

@@ -44,7 +44,7 @@ concurrency:
 
 jobs:
   self-test:
-    uses: YiAgent/OpenCI/.github/workflows/reusable-self-test.yml@34a93579aac0d1682cc65ab8b7c2c9e2d06b0953
+    uses: YiAgent/OpenCI/.github/workflows/reusable-self-test.yml@119c3eab2c613bdcc1fbed9b97535f34955defba
     with:
       runner: ubuntu-latest
     secrets: inherit

.github/workflows/ci.yml

@@ -45,7 +45,7 @@ jobs:
   ci:
     needs: guard
     if: needs.guard.outputs.has-dockerfile == 'true'
-    uses: YiAgent/OpenCI/.github/workflows/reusable-ci.yml@34a93579aac0d1682cc65ab8b7c2c9e2d06b0953
+    uses: YiAgent/OpenCI/.github/workflows/reusable-ci.yml@119c3eab2c613bdcc1fbed9b97535f34955defba
     with:
       openci-ref:      ${{ github.sha }}
       registry:        ghcr.io

.github/workflows/dependencies.yml

@@ -15,6 +15,6 @@ concurrency:
 
 jobs:
   deps:
-    uses: YiAgent/OpenCI/.github/workflows/reusable-deps.yml@34a93579aac0d1682cc65ab8b7c2c9e2d06b0953
+    uses: YiAgent/OpenCI/.github/workflows/reusable-deps.yml@119c3eab2c613bdcc1fbed9b97535f34955defba
     with:
       runner: blacksmith-2vcpu-ubuntu-2404

.github/workflows/docs.yml

@@ -27,7 +27,7 @@ concurrency:
 
 jobs:
   docs:
-    uses: YiAgent/OpenCI/.github/workflows/reusable-docs.yml@34a93579aac0d1682cc65ab8b7c2c9e2d06b0953
+    uses: YiAgent/OpenCI/.github/workflows/reusable-docs.yml@119c3eab2c613bdcc1fbed9b97535f34955defba
     with:
       build-cmd:    ${{ vars.DOCS_BUILD_CMD || '' }}
       docs-path:    ${{ vars.DOCS_DIR || 'docs' }}

.github/workflows/issue-ops.yml

@@ -39,7 +39,7 @@ jobs:
         && !contains(github.actor, '[bot]'))
       || (github.event_name == 'issue_comment'
           && !contains(github.event.comment.user.login, '[bot]'))
-    uses: YiAgent/OpenCI/.github/workflows/reusable-issue.yml@34a93579aac0d1682cc65ab8b7c2c9e2d06b0953
+    uses: YiAgent/OpenCI/.github/workflows/reusable-issue.yml@119c3eab2c613bdcc1fbed9b97535f34955defba
     with:
       mode: lifecycle
       runner: blacksmith-2vcpu-ubuntu-2404
@@ -52,7 +52,7 @@ jobs:
 
   maintenance:
     if: github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && inputs.mode == 'maintenance')
-    uses: YiAgent/OpenCI/.github/workflows/reusable-issue.yml@34a93579aac0d1682cc65ab8b7c2c9e2d06b0953
+    uses: YiAgent/OpenCI/.github/workflows/reusable-issue.yml@119c3eab2c613bdcc1fbed9b97535f34955defba
     with:
       mode: maintenance
       runner: blacksmith-2vcpu-ubuntu-2404
@@ -65,7 +65,7 @@ jobs:
 
   manual:
     if: github.event_name == 'workflow_dispatch' && inputs.mode != 'maintenance'
-    uses: YiAgent/OpenCI/.github/workflows/reusable-issue.yml@34a93579aac0d1682cc65ab8b7c2c9e2d06b0953
+    uses: YiAgent/OpenCI/.github/workflows/reusable-issue.yml@119c3eab2c613bdcc1fbed9b97535f34955defba
     with:
       mode: ${{ inputs.mode }}
       runner: blacksmith-2vcpu-ubuntu-2404

.github/workflows/on-maintenance.yml

@@ -118,7 +118,7 @@ jobs:
     if: |
       !contains(fromJSON('["pr-review","flag-audit"]'),
         needs.resolve-mode.outputs.mode)
-    uses: YiAgent/OpenCI/.github/workflows/reusable-maintenance.yml@34a93579aac0d1682cc65ab8b7c2c9e2d06b0953
+    uses: YiAgent/OpenCI/.github/workflows/reusable-maintenance.yml@119c3eab2c613bdcc1fbed9b97535f34955defba
     with:
       mode:       ${{ needs.resolve-mode.outputs.mode }}
       openci-ref: ${{ needs.resolve-mode.outputs.openci-ref }}

.github/workflows/pull-request.yml

@@ -28,7 +28,7 @@ concurrency:
 
 jobs:
   checks:
-    uses: YiAgent/OpenCI/.github/workflows/reusable-pr.yml@34a93579aac0d1682cc65ab8b7c2c9e2d06b0953
+    uses: YiAgent/OpenCI/.github/workflows/reusable-pr.yml@119c3eab2c613bdcc1fbed9b97535f34955defba
     with:
       enable-ai-review: true
       enable-eval:      true

.github/workflows/release.yml

@@ -22,7 +22,7 @@ concurrency:
 
 jobs:
   release:
-    uses: YiAgent/OpenCI/.github/workflows/reusable-release.yml@34a93579aac0d1682cc65ab8b7c2c9e2d06b0953
+    uses: YiAgent/OpenCI/.github/workflows/reusable-release.yml@119c3eab2c613bdcc1fbed9b97535f34955defba
     secrets: inherit
     with:
       mode: ${{ inputs.mode || 'marketplace' }}

.github/workflows/reusable-ci.yml

@@ -123,7 +123,7 @@ jobs:
       - uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493
         with: { persist-credentials: false }
       - name: Resolve OpenCI ref and checkout
-        uses: YiAgent/OpenCI/actions/_common/resolve-openci@34a93579aac0d1682cc65ab8b7c2c9e2d06b0953
+        uses: YiAgent/OpenCI/actions/_common/resolve-openci@119c3eab2c613bdcc1fbed9b97535f34955defba
         with:
           openci-ref: ${{ inputs.openci-ref }}
       - name: Probe secrets
@@ -149,7 +149,7 @@ jobs:
       - uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493
         with: { persist-credentials: false }
       - name: Resolve OpenCI ref and checkout
-        uses: YiAgent/OpenCI/actions/_common/resolve-openci@34a93579aac0d1682cc65ab8b7c2c9e2d06b0953
+        uses: YiAgent/OpenCI/actions/_common/resolve-openci@119c3eab2c613bdcc1fbed9b97535f34955defba
         with:
           openci-ref: ${{ inputs.openci-ref }}
       - id: detect
@@ -173,7 +173,7 @@ jobs:
       - uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493
         with: { persist-credentials: false }
       - name: Resolve OpenCI ref and checkout
-        uses: YiAgent/OpenCI/actions/_common/resolve-openci@34a93579aac0d1682cc65ab8b7c2c9e2d06b0953
+        uses: YiAgent/OpenCI/actions/_common/resolve-openci@119c3eab2c613bdcc1fbed9b97535f34955defba
         with:
           openci-ref: ${{ inputs.openci-ref }}
       - id: build
@@ -199,7 +199,7 @@ jobs:
       - uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493
         with: { persist-credentials: false }
       - name: Resolve OpenCI ref and checkout
-        uses: YiAgent/OpenCI/actions/_common/resolve-openci@34a93579aac0d1682cc65ab8b7c2c9e2d06b0953
+        uses: YiAgent/OpenCI/actions/_common/resolve-openci@119c3eab2c613bdcc1fbed9b97535f34955defba
         with:
           openci-ref: ${{ inputs.openci-ref }}
       - id: scan
@@ -218,7 +218,7 @@ jobs:
       - uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493
         with: { persist-credentials: false }
       - name: Resolve OpenCI ref and checkout
-        uses: YiAgent/OpenCI/actions/_common/resolve-openci@34a93579aac0d1682cc65ab8b7c2c9e2d06b0953
+        uses: YiAgent/OpenCI/actions/_common/resolve-openci@119c3eab2c613bdcc1fbed9b97535f34955defba
         with:
           openci-ref: ${{ inputs.openci-ref }}
       - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772  # v3.4.0
@@ -261,7 +261,7 @@ jobs:
       - uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493
         with: { persist-credentials: false }
       - name: Resolve OpenCI ref and checkout
-        uses: YiAgent/OpenCI/actions/_common/resolve-openci@34a93579aac0d1682cc65ab8b7c2c9e2d06b0953
+        uses: YiAgent/OpenCI/actions/_common/resolve-openci@119c3eab2c613bdcc1fbed9b97535f34955defba
         with:
           openci-ref: ${{ inputs.openci-ref }}
       - uses: ./.openci/actions/ci/check-migration
@@ -280,7 +280,7 @@ jobs:
       - uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493
         with: { persist-credentials: false }
       - name: Resolve OpenCI ref and checkout
-        uses: YiAgent/OpenCI/actions/_common/resolve-openci@34a93579aac0d1682cc65ab8b7c2c9e2d06b0953
+        uses: YiAgent/OpenCI/actions/_common/resolve-openci@119c3eab2c613bdcc1fbed9b97535f34955defba
         with:
           openci-ref: ${{ inputs.openci-ref }}
       - uses: ./.openci/actions/ci/eval-smoke
@@ -303,7 +303,7 @@ jobs:
           persist-credentials: false
           fetch-depth: 0   # required so git ls-tree can resolve the self-ref SHA
       - name: Resolve OpenCI ref and checkout
-        uses: YiAgent/OpenCI/actions/_common/resolve-openci@34a93579aac0d1682cc65ab8b7c2c9e2d06b0953
+        uses: YiAgent/OpenCI/actions/_common/resolve-openci@119c3eab2c613bdcc1fbed9b97535f34955defba
         with:
           openci-ref: ${{ inputs.openci-ref }}
       - name: Install yq
@@ -467,7 +467,7 @@ jobs:
       - uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493
         with: { persist-credentials: false }
       - name: Resolve OpenCI ref and checkout
-        uses: YiAgent/OpenCI/actions/_common/resolve-openci@34a93579aac0d1682cc65ab8b7c2c9e2d06b0953
+        uses: YiAgent/OpenCI/actions/_common/resolve-openci@119c3eab2c613bdcc1fbed9b97535f34955defba
         with:
           openci-ref: ${{ inputs.openci-ref }}
       - name: Download ci-context artifact

.github/workflows/reusable-pr.yml

@@ -96,7 +96,7 @@ jobs:
         with:
           persist-credentials: false
       - name: Resolve OpenCI ref and checkout
-        uses: YiAgent/OpenCI/actions/_common/resolve-openci@34a93579aac0d1682cc65ab8b7c2c9e2d06b0953
+        uses: YiAgent/OpenCI/actions/_common/resolve-openci@119c3eab2c613bdcc1fbed9b97535f34955defba
         with:
           openci-ref: ${{ inputs.openci-ref }}
       - name: Probe secrets
@@ -128,7 +128,7 @@ jobs:
         with:
           persist-credentials: false
       - name: Resolve OpenCI ref and checkout
-        uses: YiAgent/OpenCI/actions/_common/resolve-openci@34a93579aac0d1682cc65ab8b7c2c9e2d06b0953
+        uses: YiAgent/OpenCI/actions/_common/resolve-openci@119c3eab2c613bdcc1fbed9b97535f34955defba
         with:
           openci-ref: ${{ inputs.openci-ref }}
       - name: Detect (or honour caller override)
@@ -414,7 +414,7 @@ jobs:
           persist-credentials: false
           fetch-depth: 0   # required so git ls-tree can resolve the self-ref SHA
       - name: Resolve OpenCI ref and checkout
-        uses: YiAgent/OpenCI/actions/_common/resolve-openci@34a93579aac0d1682cc65ab8b7c2c9e2d06b0953
+        uses: YiAgent/OpenCI/actions/_common/resolve-openci@119c3eab2c613bdcc1fbed9b97535f34955defba
         with:
           openci-ref: ${{ inputs.openci-ref }}
       - name: Install yq

.github/workflows/reusable-self-test.yml

@@ -70,7 +70,7 @@ jobs:
         with: { persist-credentials: false }
 
       - name: Resolve OpenCI ref and checkout
-        uses: YiAgent/OpenCI/actions/_common/resolve-openci@34a93579aac0d1682cc65ab8b7c2c9e2d06b0953
+        uses: YiAgent/OpenCI/actions/_common/resolve-openci@119c3eab2c613bdcc1fbed9b97535f34955defba
         with:
           openci-ref: main
 
@@ -187,7 +187,7 @@ jobs:
         with: { persist-credentials: false }
 
       - name: Resolve OpenCI ref and checkout
-        uses: YiAgent/OpenCI/actions/_common/resolve-openci@34a93579aac0d1682cc65ab8b7c2c9e2d06b0953
+        uses: YiAgent/OpenCI/actions/_common/resolve-openci@119c3eab2c613bdcc1fbed9b97535f34955defba
         with:
           openci-ref: main
 
@@ -210,7 +210,7 @@ jobs:
           fetch-depth: 0
 
       - name: Resolve OpenCI ref and checkout
-        uses: YiAgent/OpenCI/actions/_common/resolve-openci@34a93579aac0d1682cc65ab8b7c2c9e2d06b0953
+        uses: YiAgent/OpenCI/actions/_common/resolve-openci@119c3eab2c613bdcc1fbed9b97535f34955defba
         with:
           openci-ref: main
 
@@ -255,7 +255,7 @@ jobs:
           persist-credentials: false
 
       - name: Resolve OpenCI ref and checkout
-        uses: YiAgent/OpenCI/actions/_common/resolve-openci@34a93579aac0d1682cc65ab8b7c2c9e2d06b0953
+        uses: YiAgent/OpenCI/actions/_common/resolve-openci@119c3eab2c613bdcc1fbed9b97535f34955defba
         with:
           openci-ref: main
 

manifest.yml

@@ -101,7 +101,7 @@ deps:
   softprops/action-gh-release:            "b4309332981a82ec1c5618f44dd2e27cc8bfbfda"  # v3.0.0
 
   # ── Self (OpenCI vendoring itself via remote action reference) ──────────
-  YiAgent/OpenCI:                         "f6d93cbfd9e1a8aa63c45830f1f9f499168549e4"  # resolve-openci bootstrap
+  YiAgent/OpenCI:                         "119c3eab2c613bdcc1fbed9b97535f34955defba"  # resolve-openci bootstrap
 
 # ─────────────────────────────────────────────────────────────────────────────
 # Reusable workflow catalog (consumed via `uses: YiAgent/OpenCI/.github/workflows/<id>.yml@<ref>`)

scripts/bump-self-sha.sh

@@ -98,18 +98,25 @@
 perl -pi -e "s|\Q${old_sha}\E|${new_sha}|g" "$MANIFEST"
 info "Updated manifest.yml"
 
-# ── 5. Update all workflow files that reference the old SHA ──────────────────
+# ── 5. Update all YiAgent/OpenCI SHA references ──────────────────────────────
+# Instead of searching only for the manifest.yml SHA (which can diverge from
+# workflow files), replace ANY YiAgent/OpenCI@<40-char-hex> reference with
+# the new SHA. This works even when workflow files have a different old SHA
+# than manifest.yml (e.g., after a revert-workflow-files cycle).
 
 updated=0
 while IFS= read -r -d '' f; do
-  if grep -q "$old_sha" "$f" 2>/dev/null; then
-    perl -pi -e "s|\Q${old_sha}\E|${new_sha}|g" "$f"
+  # Compare checksums to detect if perl actually changed the file.
+  before=$(shasum -a 256 "$f" 2>/dev/null || true)
+  perl -pi -e "s|(YiAgent/OpenCI/[^\s@]+)\@[a-f0-9]{40}|\1\@${new_sha}|g" "$f"
+  after=$(shasum -a 256 "$f" 2>/dev/null || true)
+  if [ "$before" != "$after" ]; then
     info "Updated $f"
     updated=$((updated + 1))
   fi
 done < <(find "$REPO_ROOT/.github/workflows" "$REPO_ROOT/actions" \
            -name "*.yml" -o -name "*.yaml" 2>/dev/null | tr '\n' '\0')
 
 echo ""
-echo "Done. Updated manifest.yml + $updated workflow file(s) to $new_sha"
+echo "Done. Updated manifest.yml + $updated workflow/action file(s) to $new_sha"
 echo "Stage and commit: git add manifest.yml .github/workflows actions/ && git commit -m 'chore(manifest): bump YiAgent/OpenCI SHA to $new_sha'"