fix(ci): bump-sha PR backfill + deploy secrets + gitignore Claude artifacts#86
Merged
Conversation
Addresses 4 CRITICAL issues from #82: 1. image-digest not threaded — stg.yml/prd.yml built deploy refs as "registry/owner/name@" + empty string, every deploy failed silently. 2. stg-image-digest + stg-deploy-time not threaded to prd — the observation-window safety gate was a no-op; production could ship without staging verification. 3. ssh-key-stg / ssh-key-prd not forwarded — docker (default) deploy preflight aborts without them. 4. kubeconfig-prd not forwarded — k8s deploy mode aborts without it. ## Plumbing - Added 3 new workflow_dispatch inputs (image-digest, stg-image-digest, stg-deploy-time) so manual deploys take an explicit digest. - workflow_run paths read vars.LAST_*_IMAGE_DIGEST / LAST_STG_DEPLOY_TIME with empty fallbacks. Upstream ci.yml / stg deploy is expected to write these on success — that wiring is a follow-up since GHA doesn't directly expose nested workflow outputs across workflow_run boundaries. - Forwarded the full set of secrets each reusable declares (kubeconfig-stg, ssh-key-stg in stg; kubeconfig-prd, ssh-key-prd in prd) by mapping repo UPPER_SNAKE to reusable kebab-case. Refs #82
- Add .claude/{worktrees,scheduled_tasks.lock,agents,projects,todos}
to .gitignore so per-developer Claude Code state doesn't leak into
the repo.
- Add docs/superpowers/plans/2026-05-02-claude-harness-param-parity.md
documenting the planned upstream parameter parity work for the
_common/claude-harness wrapper.
The on-main-bump-sha workflow silently failed at `gh pr create --label "chore"` because no `chore` label exists in the repo, and `2>/dev/null || true` swallowed the error. Result: the workflow pushed bump branches (e.g. chore/bump-self-sha-89792333) without opening a PR, and stale orphan branches accumulated. Changes: - Drop the non-existent `chore` label from `gh pr create`. - Remove the `2>/dev/null || true` so future PR-creation errors surface and fail the workflow. - `set -euo pipefail` on the run block. - Switch to `git checkout -B` + `git push --force-with-lease` so workflow re-runs on the same SHA are idempotent instead of failing on existing branch. - After pushing the new branch, close older `chore/bump-self-sha-*` PRs against `main` with `--delete-branch` so only the latest bump PR is open at any time. - Sweep orphan `chore/bump-self-sha-*` branches that never got a PR (the exact failure mode that just happened) and delete them. - Make `gh pr create` idempotent: if a PR already exists for the branch, log and skip instead of erroring.
ⓘ You've reached your Qodo monthly free-tier limit. Reviews pause until next month — upgrade your plan to continue now, or link your paid account if you already have one. |
|
Caution Review failedThe pull request is closed. ℹ️ Recent review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Plus Run ID: 📒 Files selected for processing (6)
📝 WalkthroughWalkthroughAdds dispatch inputs and secrets plumbing to the deploy workflow for image-digest/stage safety gates; hardens the on-main bump-sha workflow to force-replace branches, force-with-lease push, close/cleanup superseded PRs, and reuse existing PRs; renames and trims reusable workflows; small CI permission change, .gitignore entries, docs, and test linter comments. ChangesDeploy Workflow Input & Secrets Plumbing
SHA Bump Workflow Hardening
Reusable Workflow Metadata Changes
CI Permissions
Tests / Linting Adjustments
Developer Environment Ignore
Parameter Parity Planning Documentation
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes Possibly related PRs
Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Review rate limit: 9/10 reviews remaining, refill in 6 minutes. Comment |
Contributor
|
OpenCI issue agent executed:
Reasoning: |
…ssues # Conflicts: # .github/workflows/deploy.yml # .github/workflows/on-main-bump-sha.yml
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 4
♻️ Duplicate comments (2)
docs/superpowers/plans/2026-05-02-claude-harness-param-parity.md (2)
379-379:⚠️ Potential issue | 🟡 Minor | ⚡ Quick winReplace hardcoded absolute path (duplicate issue).
Same portability issue: the path
/Users/wy/projects/yiagent/OpenCIshould be replaced with a relative reference or repository root variable.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@docs/superpowers/plans/2026-05-02-claude-harness-param-parity.md` at line 379, Replace the hardcoded absolute path used in the shell command "cd /Users/wy/projects/yiagent/OpenCI" with a portable reference (e.g., a repository-root variable, environment variable like $REPO_ROOT, or a relative path) so the script works across machines; locate the literal "cd /Users/wy/projects/yiagent/OpenCI" in the file and update it to use the chosen repo-root symbol or a relative path and ensure any callers export or resolve that variable before this command runs.
201-201:⚠️ Potential issue | 🟡 Minor | ⚡ Quick winReplace hardcoded absolute path (duplicate issue).
Same portability issue as Task 1: use a relative path or repository root placeholder instead of
/Users/wy/projects/yiagent/OpenCI.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@docs/superpowers/plans/2026-05-02-claude-harness-param-parity.md` at line 201, Replace the hardcoded absolute cd command "cd /Users/wy/projects/yiagent/OpenCI" with a portable alternative: use a relative path (e.g., "cd ./OpenCI" or "cd ../OpenCI" depending on context) or a repository-root placeholder/lookup (e.g., "${REPO_ROOT}" or computing root via "git rev-parse --show-toplevel") so the script is not tied to a single developer's home directory; update the line in docs/superpowers/plans/2026-05-02-claude-harness-param-parity.md to use the chosen portable form and ensure any surrounding instructions reflect that change.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/deploy.yml:
- Around line 97-103: Update the input fallback and pre-checks so PRD digest
validation can't be bypassed: add vars.LAST_CI_IMAGE_DIGEST to the fallback
chain for the image-digest input (so image-digest uses inputs.image-digest ||
vars.LAST_RELEASE_IMAGE_DIGEST || vars.LAST_CI_IMAGE_DIGEST || ''), and then add
a non-empty validation step before invoking the prd path (or before calling
verify-version-align) that fails the workflow if any of image-digest,
stg-image-digest, or stg-deploy-time resolve to an empty string; ensure the
check references the inputs/vars names (image-digest, stg-image-digest,
stg-deploy-time, vars.LAST_RELEASE_IMAGE_DIGEST, vars.LAST_STG_IMAGE_DIGEST,
vars.LAST_CI_IMAGE_DIGEST) and prevents running verify-version-align/prd when
any are empty.
In `@docs/superpowers/plans/2026-05-02-claude-harness-param-parity.md`:
- Line 410: Replace the hard-coded branch name "claude/objective-galileo-742e23"
used in the git push command with a reusable placeholder (e.g.,
`<feature-branch>`) or an environment variable token (e.g., `${BRANCH_NAME}`) so
the plan is reusable; update the line `git push -u origin
claude/objective-galileo-742e23` to use the chosen placeholder/token throughout
the document wherever that branch name appears.
- Line 68: Replace the hardcoded absolute path command "cd
/Users/wy/projects/yiagent/OpenCI" with a portable alternative—use a relative
path or a placeholder variable such as cd "${REPO_ROOT}" (and add a note to set
REPO_ROOT) or simply cd . to use the current repository root; update the line
that contains the "cd /Users/wy/projects/yiagent/OpenCI" command accordingly so
the plan is portable across machines.
- Around line 400-402: The grep command in the snippet uses an invalid option
`--exclude-path`; update the invocation that searches for the pattern
"classify.inline\|include.fix\|extra.permissions\|session.timeout\|plugins\|commit.signing\|bot.id\|bot.name\|base.branch"
to either use grep's `--exclude-dir` to skip the "claude-harness" directory or
replace the pipeline with a find + grep approach to exclude paths (e.g., use
find to select "*.yml" files and filter out "*/claude-harness/*" before running
grep), ensuring the final behavior still echoes "No callers use new inputs —
backward compat confirmed" when nothing is found.
---
Duplicate comments:
In `@docs/superpowers/plans/2026-05-02-claude-harness-param-parity.md`:
- Line 379: Replace the hardcoded absolute path used in the shell command "cd
/Users/wy/projects/yiagent/OpenCI" with a portable reference (e.g., a
repository-root variable, environment variable like $REPO_ROOT, or a relative
path) so the script works across machines; locate the literal "cd
/Users/wy/projects/yiagent/OpenCI" in the file and update it to use the chosen
repo-root symbol or a relative path and ensure any callers export or resolve
that variable before this command runs.
- Line 201: Replace the hardcoded absolute cd command "cd
/Users/wy/projects/yiagent/OpenCI" with a portable alternative: use a relative
path (e.g., "cd ./OpenCI" or "cd ../OpenCI" depending on context) or a
repository-root placeholder/lookup (e.g., "${REPO_ROOT}" or computing root via
"git rev-parse --show-toplevel") so the script is not tied to a single
developer's home directory; update the line in
docs/superpowers/plans/2026-05-02-claude-harness-param-parity.md to use the
chosen portable form and ensure any surrounding instructions reflect that
change.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: d57e23e7-f985-4407-a6d2-9196af9d48b5
📒 Files selected for processing (4)
.github/workflows/deploy.yml.github/workflows/on-main-bump-sha.yml.gitignoredocs/superpowers/plans/2026-05-02-claude-harness-param-parity.md
Comment on lines
+97
to
+103
| # The 3 prd-specific safety-gate inputs MUST be set or the | ||
| # observation-window check is skipped silently. Source order: | ||
| # 1. workflow_dispatch input (manual override) | ||
| # 2. vars.* recorded by the upstream stg deploy on success | ||
| image-digest: ${{ inputs.image-digest || vars.LAST_RELEASE_IMAGE_DIGEST || '' }} | ||
| stg-image-digest: ${{ inputs.stg-image-digest || vars.LAST_STG_IMAGE_DIGEST || '' }} | ||
| stg-deploy-time: ${{ inputs.stg-deploy-time || vars.LAST_STG_DEPLOY_TIME || '' }} |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Verify which workflows write/read the digest variables and whether LAST_RELEASE_IMAGE_DIGEST is guaranteed.
set -euo pipefail
echo "== Writers/readers of digest/time vars =="
rg -n -C2 'LAST_(CI|RELEASE|STG)_(IMAGE_DIGEST|DEPLOY_TIME)' .github/workflows
echo
echo "== Any explicit variable writes/updates in workflows =="
rg -n -C3 '(gh variable set|LAST_RELEASE_IMAGE_DIGEST|LAST_CI_IMAGE_DIGEST|LAST_STG_IMAGE_DIGEST|LAST_STG_DEPLOY_TIME)' .github/workflowsRepository: YiAgent/OpenCI
Length of output: 4708
🏁 Script executed:
cat -n .github/workflows/deploy.yml | sed -n '75,120p'Repository: YiAgent/OpenCI
Length of output: 3088
🏁 Script executed:
# Check the reusable-prd.yml for input validation
fd -name 'reusable-prd.yml' .github/workflows && cat -n .github/workflows/reusable-prd.yml | head -80
echo
echo "== Looking for gh variable set commands =="
rg -n 'gh variable set' .github/workflowsRepository: YiAgent/OpenCI
Length of output: 351
🏁 Script executed:
# Find reusable-prd.yml
fd 'reusable-prd' .github/
echo
echo "== Check for variable writes (broader search) =="
rg 'LAST_RELEASE_IMAGE_DIGEST|LAST_STG_IMAGE_DIGEST|LAST_STG_DEPLOY_TIME' --type yaml
echo
echo "== Check for gh command usage anywhere =="
rg 'gh ' --type yaml | head -20Repository: YiAgent/OpenCI
Length of output: 2311
🏁 Script executed:
cat -n .github/workflows/reusable-prd.yml | head -150Repository: YiAgent/OpenCI
Length of output: 5696
🏁 Script executed:
cat -n .github/workflows/reusable-prd.yml | sed -n '150,300p'Repository: YiAgent/OpenCI
Length of output: 7139
🏁 Script executed:
fd 'pre-check' .openci/actions 2>/dev/null || find . -name 'pre-check' -type d 2>/dev/null | head -5Repository: YiAgent/OpenCI
Length of output: 82
🏁 Script executed:
cat -n ./actions/prd/pre-check/action.ymlRepository: YiAgent/OpenCI
Length of output: 4041
🏁 Script executed:
cat -n ./actions/prd/observe-window/action.yml
echo
echo "=== verify-version-align ==="
cat -n ./actions/prd/verify-version-align/action.ymlRepository: YiAgent/OpenCI
Length of output: 2854
🏁 Script executed:
cat -n ./actions/prd/observe-window/check.shRepository: YiAgent/OpenCI
Length of output: 2210
🏁 Script executed:
# Check if there are any other places where these vars are written/set
rg 'LAST_RELEASE_IMAGE_DIGEST|LAST_CI_IMAGE_DIGEST' --type bashRepository: YiAgent/OpenCI
Length of output: 87
🏁 Script executed:
rg 'LAST_RELEASE_IMAGE_DIGEST|LAST_CI_IMAGE_DIGEST' -t shRepository: YiAgent/OpenCI
Length of output: 40
🏁 Script executed:
rg 'LAST_RELEASE_IMAGE_DIGEST|LAST_CI_IMAGE_DIGEST|LAST_STG' --type yaml --type jsonRepository: YiAgent/OpenCI
Length of output: 40
Add non-empty validation for PRD digest inputs; harmonize fallback chain with STG.
Lines 101-103: The image-digest and stg-image-digest inputs can resolve to empty strings (if LAST_RELEASE_IMAGE_DIGEST and LAST_STG_IMAGE_DIGEST are unset), which silently bypass digest validation in verify-version-align since equal empty strings pass the equality check. Additionally, image-digest at line 101 lacks the vars.LAST_CI_IMAGE_DIGEST fallback that the STG deployment uses at line 68, reducing resilience when LAST_RELEASE_IMAGE_DIGEST is unavailable.
Add the missing fallback to line 101 and validate all three inputs are non-empty before running prd:
Suggested hardening diff
prd:
if: >-
(github.event_name == 'workflow_run'
&& github.event.workflow_run.name == 'release'
&& github.event.workflow_run.conclusion == 'success')
- || (github.event_name == 'workflow_dispatch' && inputs.mode == 'prd')
+ || (github.event_name == 'workflow_dispatch' && inputs.mode == 'prd')
+ && ((inputs.image-digest || vars.LAST_RELEASE_IMAGE_DIGEST || vars.LAST_CI_IMAGE_DIGEST || '') != '')
+ && ((inputs.stg-image-digest || vars.LAST_STG_IMAGE_DIGEST || '') != '')
+ && ((inputs.stg-deploy-time || vars.LAST_STG_DEPLOY_TIME || '') != '')
uses: YiAgent/OpenCI/.github/workflows/reusable-prd.yml@cd1b427370ebacb56cc9c0b418d6d8985c9be539
with:
app-name: ${{ vars.APP_NAME || github.event.repository.name }}
image-name: ${{ vars.IMAGE_NAME || github.event.repository.name }}
# The 3 prd-specific safety-gate inputs MUST be set or the
# observation-window check is skipped silently. Source order:
# 1. workflow_dispatch input (manual override)
# 2. vars.* recorded by the upstream stg deploy on success
- image-digest: ${{ inputs.image-digest || vars.LAST_RELEASE_IMAGE_DIGEST || '' }}
+ image-digest: ${{ inputs.image-digest || vars.LAST_RELEASE_IMAGE_DIGEST || vars.LAST_CI_IMAGE_DIGEST || '' }}🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/deploy.yml around lines 97 - 103, Update the input
fallback and pre-checks so PRD digest validation can't be bypassed: add
vars.LAST_CI_IMAGE_DIGEST to the fallback chain for the image-digest input (so
image-digest uses inputs.image-digest || vars.LAST_RELEASE_IMAGE_DIGEST ||
vars.LAST_CI_IMAGE_DIGEST || ''), and then add a non-empty validation step
before invoking the prd path (or before calling verify-version-align) that fails
the workflow if any of image-digest, stg-image-digest, or stg-deploy-time
resolve to an empty string; ensure the check references the inputs/vars names
(image-digest, stg-image-digest, stg-deploy-time,
vars.LAST_RELEASE_IMAGE_DIGEST, vars.LAST_STG_IMAGE_DIGEST,
vars.LAST_CI_IMAGE_DIGEST) and prevents running verify-version-align/prd when
any are empty.
| - [ ] **Step 3: Verify no YAML parse errors** | ||
|
|
||
| ```bash | ||
| cd /Users/wy/projects/yiagent/OpenCI |
There was a problem hiding this comment.
Replace hardcoded absolute path with relative path or placeholder.
The absolute path /Users/wy/projects/yiagent/OpenCI is machine-specific and reduces the portability of this plan. Use a relative path or a placeholder like cd "${REPO_ROOT}" with a note to set the variable appropriately.
📝 Suggested fix
-cd /Users/wy/projects/yiagent/OpenCI
+cd "${REPO_ROOT:-$(git rev-parse --show-toplevel)}"
python3 -c "import yaml; yaml.safe_load(open('actions/_common/claude-harness/action.yml'))" && echo "YAML OK"Or simply:
-cd /Users/wy/projects/yiagent/OpenCI
+# Run from repository root
python3 -c "import yaml; yaml.safe_load(open('actions/_common/claude-harness/action.yml'))" && echo "YAML OK"📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
Suggested change
| cd /Users/wy/projects/yiagent/OpenCI | |
| cd "${REPO_ROOT:-$(git rev-parse --show-toplevel)}" | |
| python3 -c "import yaml; yaml.safe_load(open('actions/_common/claude-harness/action.yml'))" && echo "YAML OK" |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@docs/superpowers/plans/2026-05-02-claude-harness-param-parity.md` at line 68,
Replace the hardcoded absolute path command "cd
/Users/wy/projects/yiagent/OpenCI" with a portable alternative—use a relative
path or a placeholder variable such as cd "${REPO_ROOT}" (and add a note to set
REPO_ROOT) or simply cd . to use the current repository root; update the line
that contains the "cd /Users/wy/projects/yiagent/OpenCI" command accordingly so
the plan is portable across machines.
Comment on lines
+400
to
+402
| grep -r "classify.inline\|include.fix\|extra.permissions\|session.timeout\|plugins\|commit.signing\|bot.id\|bot.name\|base.branch" \ | ||
| /Users/wy/projects/yiagent/OpenCI/actions --include="*.yml" \ | ||
| --exclude-path="*/claude-harness/*" | grep -v "^Binary" || echo "No callers use new inputs — backward compat confirmed" |
There was a problem hiding this comment.
Fix invalid grep option.
The --exclude-path option is not valid for grep. Use --exclude-dir to skip directories, or restructure the command to filter results differently.
🔧 Suggested fix
-grep -r "classify.inline\|include.fix\|extra.permissions\|session.timeout\|plugins\|commit.signing\|bot.id\|bot.name\|base.branch" \
- /Users/wy/projects/yiagent/OpenCI/actions --include="*.yml" \
- --exclude-path="*/claude-harness/*" | grep -v "^Binary" || echo "No callers use new inputs — backward compat confirmed"
+grep -r "classify.inline\|include.fix\|extra.permissions\|session.timeout\|plugins\|commit.signing\|bot.id\|bot.name\|base.branch" \
+ actions --include="*.yml" \
+ --exclude-dir="claude-harness" | grep -v "^Binary" || echo "No callers use new inputs — backward compat confirmed"Or use find with grep for more control:
find actions -name "*.yml" -not -path "*/claude-harness/*" -exec grep -H "classify.inline\|include.fix\|extra.permissions\|session.timeout\|plugins\|commit.signing\|bot.id\|bot.name\|base.branch" {} + || echo "No callers use new inputs — backward compat confirmed"📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
Suggested change
| grep -r "classify.inline\|include.fix\|extra.permissions\|session.timeout\|plugins\|commit.signing\|bot.id\|bot.name\|base.branch" \ | |
| /Users/wy/projects/yiagent/OpenCI/actions --include="*.yml" \ | |
| --exclude-path="*/claude-harness/*" | grep -v "^Binary" || echo "No callers use new inputs — backward compat confirmed" | |
| grep -r "classify.inline\|include.fix\|extra.permissions\|session.timeout\|plugins\|commit.signing\|bot.id\|bot.name\|base.branch" \ | |
| actions --include="*.yml" \ | |
| --exclude-dir="claude-harness" | grep -v "^Binary" || echo "No callers use new inputs — backward compat confirmed" |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@docs/superpowers/plans/2026-05-02-claude-harness-param-parity.md` around
lines 400 - 402, The grep command in the snippet uses an invalid option
`--exclude-path`; update the invocation that searches for the pattern
"classify.inline\|include.fix\|extra.permissions\|session.timeout\|plugins\|commit.signing\|bot.id\|bot.name\|base.branch"
to either use grep's `--exclude-dir` to skip the "claude-harness" directory or
replace the pipeline with a find + grep approach to exclude paths (e.g., use
find to select "*.yml" files and filter out "*/claude-harness/*" before running
grep), ensuring the final behavior still echoes "No callers use new inputs —
backward compat confirmed" when nothing is found.
| - [ ] **Open a PR** | ||
|
|
||
| ```bash | ||
| git push -u origin claude/objective-galileo-742e23 |
There was a problem hiding this comment.
Use a placeholder for the branch name.
The branch name claude/objective-galileo-742e23 appears to be specific to a particular implementation run. For a reusable plan document, use a placeholder like <feature-branch> or an environment variable like ${BRANCH_NAME}.
📝 Suggested improvement
-git push -u origin claude/objective-galileo-742e23
+# Replace <feature-branch> with your actual branch name
+git push -u origin <feature-branch>Or:
-git push -u origin claude/objective-galileo-742e23
+git push -u origin "$(git branch --show-current)"🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@docs/superpowers/plans/2026-05-02-claude-harness-param-parity.md` at line
410, Replace the hard-coded branch name "claude/objective-galileo-742e23" used
in the git push command with a reusable placeholder (e.g., `<feature-branch>`)
or an environment variable token (e.g., `${BRANCH_NAME}`) so the plan is
reusable; update the line `git push -u origin claude/objective-galileo-742e23`
to use the chosen placeholder/token throughout the document wherever that branch
name appears.
The workflow audit added in #84-era (commit 4415cb2) introduced bats tests that were already failing on main when authored: - `reusable workflow names match filenames` — `name:` field in `reusable-agent.yml` (claude-harness) and `reusable-deps.yml` (dep-auto-merge) didn't reference the filename suffix. - `workflow requests security-events: write permission` — `ci-self-test.yml` permissions block was missing `security-events: write`. - `auditor is clean against the live repository` — workflow-audit.sh rule W03 flagged `reusable-release.yml` for redeclaring the caller's `concurrency.group` (deadlock risk per issue #68). Fixes: - Rename `name:` to `reusable-agent` / `reusable-deps`. - Add `security-events: write` to ci-self-test.yml permissions. - Drop the `concurrency:` block from `reusable-release.yml` and leave the caller (release.yml) as the sole owner of the group. All 719 bats tests now pass.
|
Contributor
|
OpenCI issue agent executed:
Reasoning: |
This was referenced May 5, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Three CI/infra fixes bundled together:
image-digest+ ssh/kubeconfig secrets to staging and production deploy jobs so the deploy step can actually authenticate and target the right image..claude/worktrees/,.claude/scheduled_tasks.lock,.claude/agents/,.claude/projects/,.claude/todos/) so they stop leaking into commits. Also adds the harness parity plan doc atdocs/superpowers/plans/2026-05-02-claude-harness-param-parity.md.on-main-bump-sha.ymlafter a silent failure where the workflow pushedchore/bump-self-sha-89792333but never opened a PR. Root cause:gh pr create --label "chore"failed because nochorelabel exists, and2>/dev/null || trueswallowed the error.bump-sha workflow changes
chorelabel and the error-swallowing redirectset -euo pipefailon the run blockgit checkout -B+git push --force-with-leaseso re-runs are idempotentchore/bump-self-sha-*PRs (with--delete-branchand a "Superseded by" comment) and sweep orphan bump branches that never got a PRgh pr createitself is now idempotent: skip if a PR already exists for the head branchRelated
chore/bump-self-sha-cd1b4273was deleted from origin.Test plan
maintriggerson-main-bump-shaand either no-ops (SHA already current) or opens a fresh PR with all olderchore/bump-self-sha-*PRs closed and their branches deleted.claude/runtime artifacts no longer show up ingit statusfor new contributorsimage-digestand authenticate via ssh/kubeconfig secretsNeed help on this PR? Tag
@codesmithwith what you need.Summary by CodeRabbit
Chores
Documentation
Tests