chore(manifest): bump SHA after #83 (extract-plan JSONL)#84
Walkthrough: All GitHub Actions workflow files (agent, ci-self-test, ci, dependencies, deploy, docs, issue-ops, observability, on-maintenance, pull-request, release) and the manifest are updated to pin external reusable workflows and actions to a new commit SHA. Changes: Unified OpenCI Dependency Pin Update.
OpenCI issue agent executed:

Reasoning:

The workflow audit added in #84-era (commit 4415cb2) introduced bats tests that were already failing on main when authored:

- `reusable workflow names match filenames` — `name:` field in `reusable-agent.yml` (claude-harness) and `reusable-deps.yml` (dep-auto-merge) didn't reference the filename suffix.
- `workflow requests security-events: write permission` — `ci-self-test.yml` permissions block was missing `security-events: write`.
- `auditor is clean against the live repository` — workflow-audit.sh rule W03 flagged `reusable-release.yml` for redeclaring the caller's `concurrency.group` (deadlock risk per issue #68).

Fixes:

- Rename `name:` to `reusable-agent` / `reusable-deps`.
- Add `security-events: write` to ci-self-test.yml permissions.
- Drop the `concurrency:` block from `reusable-release.yml` and leave the caller (release.yml) as the sole owner of the group.

All 719 bats tests now pass.
…ifacts (#86)

* fix(deploy): pass image-digest + ssh/kubeconfig secrets to stg/prd

Addresses 4 CRITICAL issues from #82:

1. image-digest not threaded — stg.yml/prd.yml built deploy refs as "registry/owner/name@" + empty string, every deploy failed silently.
2. stg-image-digest + stg-deploy-time not threaded to prd — the observation-window safety gate was a no-op; production could ship without staging verification.
3. ssh-key-stg / ssh-key-prd not forwarded — docker (default) deploy preflight aborts without them.
4. kubeconfig-prd not forwarded — k8s deploy mode aborts without it.

## Plumbing

- Added 3 new workflow_dispatch inputs (image-digest, stg-image-digest, stg-deploy-time) so manual deploys take an explicit digest.
- workflow_run paths read vars.LAST_*_IMAGE_DIGEST / LAST_STG_DEPLOY_TIME with empty fallbacks. Upstream ci.yml / stg deploy is expected to write these on success — that wiring is a follow-up since GHA doesn't directly expose nested workflow outputs across workflow_run boundaries.
- Forwarded the full set of secrets each reusable declares (kubeconfig-stg, ssh-key-stg in stg; kubeconfig-prd, ssh-key-prd in prd) by mapping repo UPPER_SNAKE to reusable kebab-case.

Refs #82

* chore: gitignore Claude runtime artifacts + add harness parity plan

- Add .claude/{worktrees,scheduled_tasks.lock,agents,projects,todos} to .gitignore so per-developer Claude Code state doesn't leak into the repo.
- Add docs/superpowers/plans/2026-05-02-claude-harness-param-parity.md documenting the planned upstream parameter parity work for the _common/claude-harness wrapper.

* fix(bump-sha): backfill missing PR + supersede stale bump branches

The on-main-bump-sha workflow silently failed at `gh pr create --label "chore"` because no `chore` label exists in the repo, and `2>/dev/null || true` swallowed the error. Result: the workflow pushed bump branches (e.g. chore/bump-self-sha-89792333) without opening a PR, and stale orphan branches accumulated.

Changes:

- Drop the non-existent `chore` label from `gh pr create`.
- Remove the `2>/dev/null || true` so future PR-creation errors surface and fail the workflow.
- `set -euo pipefail` on the run block.
- Switch to `git checkout -B` + `git push --force-with-lease` so workflow re-runs on the same SHA are idempotent instead of failing on existing branch.
- After pushing the new branch, close older `chore/bump-self-sha-*` PRs against `main` with `--delete-branch` so only the latest bump PR is open at any time.
- Sweep orphan `chore/bump-self-sha-*` branches that never got a PR (the exact failure mode that just happened) and delete them.
- Make `gh pr create` idempotent: if a PR already exists for the branch, log and skip instead of erroring.

* fix(workflows): satisfy audit tests inherited from main

The workflow audit added in #84-era (commit 4415cb2) introduced bats tests that were already failing on main when authored:

- `reusable workflow names match filenames` — `name:` field in `reusable-agent.yml` (claude-harness) and `reusable-deps.yml` (dep-auto-merge) didn't reference the filename suffix.
- `workflow requests security-events: write permission` — `ci-self-test.yml` permissions block was missing `security-events: write`.
- `auditor is clean against the live repository` — workflow-audit.sh rule W03 flagged `reusable-release.yml` for redeclaring the caller's `concurrency.group` (deadlock risk per issue #68).

Fixes:

- Rename `name:` to `reusable-agent` / `reusable-deps`.
- Add `security-events: write` to ci-self-test.yml permissions.
- Drop the `concurrency:` block from `reusable-release.yml` and leave the caller (release.yml) as the sole owner of the group.

All 719 bats tests now pass.
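The three audit rules the commit messages above describe (a reusable workflow's `name:` matching its filename, `ci-self-test.yml` holding `security-events: write`, and a reusable workflow not redeclaring the caller's `concurrency` group), as an added shell example. This is not the project's workflow-audit.sh or its bats suite: the sample workflow files, the rule labels NAME/PERM/CONC, and the list of workflows required to hold `security-events: write` are constructed here for illustration.

```shell
#!/usr/bin/env bash
# Added example: a minimal workflow auditor covering the three rules the commit
# message describes. It is not the project's workflow-audit.sh; rule labels
# (NAME, PERM, CONC) and the sample workflows below are constructed here.
set -eu

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT

# Assumption: only these workflows are required to hold security-events: write
# (scoped like the bats test, rather than granting it to every workflow).
NEEDS_SECURITY_EVENTS="ci-self-test"

# Constructed sample 1: the pre-fix shape of a reusable workflow. Its name: does
# not match the filename, and it redeclares concurrency that the caller owns.
cat > "$WORKDIR/reusable-agent.yml" <<'EOF'
name: claude-harness
on:
  workflow_call:
concurrency:
  group: agent-${{ github.ref }}
  cancel-in-progress: true
permissions:
  contents: read
EOF

# Constructed sample 2: a ci-self-test whose permissions block lacks security-events: write.
cat > "$WORKDIR/ci-self-test.yml" <<'EOF'
name: ci-self-test
on:
  push:
permissions:
  contents: read
EOF

# Constructed sample 3: a reusable workflow in the corrected shape (clean).
cat > "$WORKDIR/reusable-deps.yml" <<'EOF'
name: reusable-deps
on:
  workflow_call:
permissions:
  contents: read
EOF

# Value of a column-0 "key: value" line; empty if absent. (Quoted values keep their quotes.)
top_level_value() {
  sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1
}

# True when a column-0 key opens a block (no inline value), e.g. "concurrency:".
has_top_level_block() {
  grep -Eq "^$2:[[:space:]]*$" "$1"
}

# True when the workflow is reusable, i.e. triggered by workflow_call.
is_reusable() {
  grep -Eq '^[[:space:]]+workflow_call:' "$1"
}

# True when the permissions block grants security-events: write.
grants_security_events_write() {
  grep -Eq '^[[:space:]]+security-events:[[:space:]]*write[[:space:]]*$' "$1"
}

# Print one line per violation; exit 1 if any were found, 0 if the file is clean.
audit_file() {
  f="$1"
  stem="$(basename "$f" .yml)"
  violations=0
  actual="$(top_level_value "$f" name)"
  if [ "$actual" != "$stem" ]; then
    echo "NAME  $stem.yml: name is '$actual', expected '$stem'"
    violations=$((violations + 1))
  fi
  case " $NEEDS_SECURITY_EVENTS " in
    *" $stem "*)
      if ! grants_security_events_write "$f"; then
        echo "PERM  $stem.yml: permissions lack 'security-events: write'"
        violations=$((violations + 1))
      fi ;;
  esac
  if is_reusable "$f" && has_top_level_block "$f" concurrency; then
    echo "CONC  $stem.yml: reusable workflow redeclares concurrency (caller owns the group)"
    violations=$((violations + 1))
  fi
  [ "$violations" -eq 0 ]
}

# Total violation count across every *.yml in a directory.
audit_dir() {
  total=0
  for f in "$1"/*.yml; do
    n=$( { audit_file "$f" || true; } | wc -l )
    total=$((total + n))
  done
  echo "$total"
}

# Stand-alone run: print findings for the constructed samples.
for f in "$WORKDIR"/*.yml; do
  audit_file "$f" || true
done
echo "total violations: $(audit_dir "$WORKDIR")"
```

The PERM rule is deliberately scoped to a named list of workflows rather than applied to every file: `security-events: write` is only needed where code-scanning results are uploaded, and handing it to every workflow would widen the token's privileges for no benefit. The CONC rule mirrors the W03 finding above: when a reusable workflow redeclares the same `concurrency.group` as its caller, the two runs can wait on each other, which is the deadlock risk the commit message attributes to issue #68.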



Final SHA bump for #81 fix.