From cf1f424405b3278198ca695f1a440b64a18b2373 Mon Sep 17 00:00:00 2001
From: topcoder1
Date: Sat, 23 May 2026 21:17:02 -0700
Subject: [PATCH] ci(risk-paths): exclude .env.example/template/sample from blocked glob Fleet rollout of the fix shipped in whois-api-llc/wxa-graph#155 on 2026-05-23. The blocked-glob **/.env* matched .env.example (a docs template), causing claude-author-automerge.yml to refuse PRs that added env-var documentation. Replaced with explicit secrets-bearing variants so .env.example, .env.sample, .env.template, .env.dist fall through to standard classification. Includes the .env..local framework variants (Vite, CRA, Next.js, Nuxt) per Claude review feedback on wxa-graph#155.
Co-Authored-By: Claude Sonnet 4.7
---
 .github/risk-paths.yml | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/.github/risk-paths.yml b/.github/risk-paths.yml
index 4590f4f..d83167d 100644
--- a/.github/risk-paths.yml
+++ b/.github/risk-paths.yml
@@ -21,7 +21,21 @@ blocked:
 - 'Dockerfile*'
 - 'docker-compose*.yaml'
 - 'docker-compose*.yml'
- - '**/.env*'
+ # Only the actual secrets-bearing .env variants are blocked. Documentation
+ # templates (.env.example, .env.sample, .env.template, .env.dist) are NOT
+ # secrets — they ship literal-string placeholders to teach readers which
+ # env vars exist. Treating them as `blocked` was a false-positive that
+ # bounced wxa-graph PR #154 in 2026-05-23.
+ - '**/.env'
+ - '**/.env.local'
+ - '**/.env.development'
+ - '**/.env.development.local'
+ - '**/.env.production'
+ - '**/.env.production.local'
+ - '**/.env.staging'
+ - '**/.env.staging.local'
+ - '**/.env.test'
+ - '**/.env.test.local'
 - '**/secrets*'
 - '.github/workflows/**'
 - '.github/risk-paths.yml'
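Review bot: Replacing `'**/.env*'` with ten enumerated names turns this entry of the `blocked` list from fail-closed into fail-open: any env file whose suffix is not listed (for example `.env.prod`, `.env.backup` or `.envrc`) now falls through to standard classification and, going by the commit message, is no longer refused by claude-author-automerge.yml on this rule. If the glob matcher supports exclusions, keeping the broad pattern and carving out the four template names would preserve the default-deny; otherwise consider wildcarding the mode segment with `- '**/.env.*.local'` and adding `- '**/.envrc'`. The new comment states that templates are not secrets, which holds only by convention, so it should also say which control (secret scanning or human review) catches a real value pasted into `.env.example`. The `blocked:` list begins above this hunk, so entries that may already cover some of these names are not visible here.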