ci(release): require protected manual publishing#83
Conversation
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Plus Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
evaOS review status: stale headPR: #83 - ci(release): require protected manual publishing evaOS review stopped because this queued head is no longer the live PR head. Automation note: agents should wait for this comment to reach PR URL: #83 Details: live=5a617ad3a5f91b3f3ae91dd7d6e88fe65c147e01 |
CI Report✅ All checks passed Pipeline Status
Test Results
✅ All 14623 tests passed 62 test(s) skipped — expand for details
Code CoverageTests
📋 View full run · Generated by CI |
evaOS review status: stale headPR: #83 - ci(release): require protected manual publishing evaOS review stopped because this queued head is no longer the live PR head. Automation note: agents should wait for this comment to reach PR URL: #83 Details: Superseded by a newer PR head. |
…-release-governance
evaOS review status: completedPR: #83 - ci(release): require protected manual publishing evaOS review completed for this PR head. Automation note: agents should wait for this comment to reach PR URL: #83 Review URL: #83 (review) |
There was a problem hiding this comment.
Walkthrough
PR: #83 - ci(release): require protected manual publishing
Head: bb307bd17d4384e7abe811e41d3a01dfc2716afe into reconcile/r19a-vector-delete-reopen. Review event: COMMENT.
Provider: GLM/Z.ai through ZCode (zcode-glm, zcode, model GLM-5.2).
Estimated review effort: 3/5 (~46 min)
Changed Files
| File | Status | Churn | Purpose | Risk |
|---|---|---|---|---|
.github/scripts/check-release-governance.mjs |
added | +75/-0 | Changed file | Moderate: validated P3 finding |
.github/workflows/ci-quality.yml |
modified | +1/-0 | Changed file | Low |
.github/workflows/ci.yml |
modified | +3/-4 | Changed file | Low |
.github/workflows/codeql.yml |
modified | +2/-3 | Changed file | Low |
.github/workflows/publish.yml |
modified | +6/-12 | Changed file | Low |
.github/workflows/workflow-lint.yml |
modified | +2/-4 | Changed file | Low |
package-lock.json |
modified | +2/-1 | Configuration | Low |
package.json |
modified | +3/-1 | Configuration | Low |
Review Signal
Validated inline findings: 1 (P0: 0, P1: 0, P2: 0, P3: 1).
Dropped findings before posting: 0. High-severity findings: 0.
Risk Taxonomy
- Runtime correctness: 1
Validation and Proof
2 required validation/proof recommendation(s) selected from changed files.
- required: TypeScript/web build or CI proof - Runtime TypeScript/web files or package/config files changed. Proof: npm run build; typecheck; focused Vitest; green GitHub check.
- required: CI/release smoke proof - CI, release, launchd, or package metadata changed. Proof: green GitHub check; release-status; coverage-audit; rollback note.
Proof status: missing - 2 required validation/proof recommendation(s) missing from PR metadata.
Profile validation hints: Call out stale index, wrong repo identity, memory growth, and destructive analyze behavior.
Profile proof expectations: Look for focused CLI, index, query, or migration proof.
Related Context
Related issues/PRs: #61.
Suggested labels: none.
Suggested reviewers: none from current metadata.
Review Settings Preview
- Profile: assertive
- Enabled sections: Review summary (inline_review); Walkthrough (inline_review); Changed-files table (walkthrough); Effort estimate (walkthrough); Related issues/PRs (walkthrough); Suggested labels (suggestion_only); Review status comment (sticky_status)
- Path instructions: none
- Label suggestions: gitnexus, code-intelligence, backend
- Reviewer suggestions: none
- Suggestion behavior: suggestions only; labels and reviewers are not auto-applied.
- Roadmap-only settings: auto-apply labels; auto-request reviewers; required status checks
Pre-merge checklist
- Inline comments target current RIGHT-side diff lines.
- No secret-like content survived into posted inline comments.
- REQUEST_CHANGES is only used when eligible P0/P1 findings survive validation.
- Required behavior proof is present or not applicable.
- Labels and reviewers are suggestions only; the bot did not auto-apply them.
| 'dependency-review.yml', | ||
| 'workflow-lint.yml', | ||
| ]) { | ||
| const candidate = readWorkflow(filename); |
There was a problem hiding this comment.
P3: Missing workflow file crashes script instead of failing gracefully
readWorkflow() (line 9-10) calls fs.readFileSync without a try/catch. In the loop at line 51-71, if any of ci.yml, codeql.yml, gitleaks.yml, dependency-review.yml, or workflow-lint.yml is absent on a branch (e.g. a long-lived branch predating one of these workflows, or a fork that removed one), the script throws an uncaught ENOENT with a stack trace rather than emitting a governance 'fail()' message and exitCode=1. The effect is still a CI failure, so this is cosmetic, but wrapping readWorkflow in a try/catch that calls fail(${filename} could not be read: ...) would produce a legible governance error consistent with the script's own messaging contract.
Category: Runtime correctness
Why this matters: A stack trace from a missing-file ENOENT is a confusing CI signal for a governance check; the script already has a fail() channel designed exactly for this. Low impact because all five files exist on main and this branch.
Closes #61
Summary
mainpushes while retaining manual RC and stable-tag routesinternal-releaseenvironment before the artifact-producing jobmainPRGitHub governance applied
mainrequires a current-head aggregate CI gate, both CodeQL languages, Gitleaks, Dependency Review, actionlint, and zizmorinternal-releaserequires administrator approval and permits only branchmainor tagsv*Validation
npm run check:release-governanceactionlinton all changed and required workflowsnpx prettier --check .git diff --checkBoundaries
This PR does not publish, tag, merge, deploy, roll out runtime changes, or touch a live index. It is based temporarily on the proven R19a P0 head and will be retargeted behind R19 scale evidence before promotion.