ci(release): restore skip-not-fail for live Loomweave conformance#18
Owner decision 2026-06-25: Legis does not run live Loomweave SEI conformance in remote CI (no CI-reachable Loomweave oracle is stood up). The 1.1.1 hardening (551ff64) made the conformance job fail closed when the oracle config is absent, which permanently blocks the PyPI publish in this setup.

Restore the previously-reviewed skip-not-fail behavior (0dafc83): when LOOMWEAVE_URL / LOOMWEAVE_LIVE_ORACLE_LOCATOR / LEGIS_LOOMWEAVE_HMAC_KEY are unset the job passes as a no-op and emits a ::notice::, so publish proceeds; when they ARE present the live oracle still runs and a failure still blocks publish. The HMAC secret stays scoped to the steps that use it (preserving 87cb54d).

This narrows only the live oracle check. The build job still gates publish on the full offline suite, mypy, per-package coverage floors, the offline SEI conformance oracle, the policy-boundary honesty gate, and the tag/version match.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 55ef25fd82
| echo "::error::Missing required release conformance environment: ${joined}" | ||
| exit 1 | ||
| echo "::notice::Live Loomweave oracle not provisioned (${joined} unset) — skipping conformance, not blocking publish." | ||
| echo "configured=false" >> "$GITHUB_OUTPUT" |
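Review bot: replacing `exit 1` with a `configured=false` output is only safe if every later step that calls the live oracle or is handed `LEGIS_LOOMWEAVE_HMAC_KEY` is guarded by `if: steps.<probe-step-id>.outputs.configured == 'true'`, and if the configured path writes `configured=true` explicitly; an output that was never written compares as an empty string, so a guard of the form `!= 'false'` would run the oracle with no config at all. Since a `::notice::` is easy to miss in a long release log, consider `::warning::` for the skip so it surfaces in the job summary, and keep `${joined}` naming every unset variable so a mistyped secret name is visible rather than silently skipping the check.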
Update the release workflow invariant test
The release build still runs the full offline suite via uv run pytest ..., and tests/test_ci_workflow.py::test_release_publish_requires_live_loomweave_conformance still asserts that the live job does not emit configured=false/true, does not mention not blocking publish, and has no conditional oracle step. With this new output/skip path, that test fails during the build job, so the release remains blocked even when the live oracle is intentionally skipped; please update or remove the stale workflow invariant with this change.
Why

Owner decision (2026-06-25): Legis does not run live Loomweave SEI conformance in remote CI — no CI-reachable Loomweave oracle is provisioned (the local dogfood Loomweave is 127.0.0.1-only, unreachable from a GitHub Actions runner). The 1.1.1 hardening (551ff64 fix(ci): fail closed on missing release conformance) made the `live-loomweave-conformance` job fail closed when `LOOMWEAVE_URL` / `LOOMWEAVE_LIVE_ORACLE_LOCATOR` / `LEGIS_LOOMWEAVE_HMAC_KEY` are unset. In this setup that config is permanently absent, so the job always fails and the `publish` job is always skipped — the v1.2.0 PyPI publish is blocked with no path forward.

What

Restore the previously-reviewed skip-not-fail behavior (0dafc83 fix(release): make live-Loomweave conformance skip-not-fail, never block publish):

- When `LOOMWEAVE_URL` / `LOOMWEAVE_LIVE_ORACLE_LOCATOR` / `LEGIS_LOOMWEAVE_HMAC_KEY` are unset, the job passes as a no-op and emits a `::notice::`, and `publish` proceeds.
- When they are present, the live oracle still runs and a failure still blocks publish.
- The `LEGIS_LOOMWEAVE_HMAC_KEY` secret stays scoped to the steps that use it (preserving 87cb54d fix(ci): scope release oracle secret).

Scope of the change

This narrows only the live oracle check. The `build` job still gates publish on the full offline test suite, `mypy`, per-package coverage floors, the offline SEI conformance oracle (`test_sei_oracle.py`), the policy-boundary honesty gate, and the tag↔version match.

Note: `release.yml`'s release-triggered jobs are not exercised by PR CI; this PR's value is the recorded rationale for the governance-control change.

🤖 Generated with Claude Code
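The skip-not-fail probe described above, written out as an added example that is not the Legis repository's own `release.yml` step. The three variable names, the `::notice::` wording and the `configured=` step output follow the PR; the function name `probe_live_oracle`, the `LIVE_ORACLE_REQUIRED` switch that selects the 551ff64-style fail-closed behaviour instead, and the use of `missing` where the workflow uses `joined` are assumptions made for the example.

```shell
# Added example (not the Legis release workflow): probe step for a live-oracle
# job. Returns 0 with configured=false when the oracle config is absent (the
# skip-not-fail behaviour restored by this PR), returns 0 with configured=true
# when it is present, and returns 1 (fail closed, the 551ff64 behaviour) only
# when LIVE_ORACLE_REQUIRED=1. Function name and switch are assumptions.
probe_live_oracle() {
  missing=""
  # Fixed allow-list of names, so the eval below never sees untrusted input.
  for name in LOOMWEAVE_URL LOOMWEAVE_LIVE_ORACLE_LOCATOR LEGIS_LOOMWEAVE_HMAC_KEY; do
    eval "value=\${$name:-}"
    [ -n "$value" ] || missing="${missing:+$missing, }$name"
  done
  # GITHUB_OUTPUT is the step-output file on an Actions runner; fall back to
  # stdout so the function also runs outside CI.
  out="${GITHUB_OUTPUT:-/dev/stdout}"
  if [ -z "$missing" ]; then
    # Write the true branch explicitly: an unwritten output reads as "" in
    # a later "if:" expression, which a "!= 'false'" guard would treat as true.
    echo "configured=true" >> "$out"
    return 0
  fi
  if [ "${LIVE_ORACLE_REQUIRED:-0}" = "1" ]; then
    # Fail-closed variant: absent config blocks publish.
    echo "::error::Missing required release conformance environment: ${missing}"
    return 1
  fi
  # Skip-not-fail variant: no-op with a visible notice that names every unset
  # variable, so a mistyped secret name does not silently skip the oracle.
  echo "::notice::Live Loomweave oracle not provisioned (${missing} unset) - skipping conformance, not blocking publish."
  echo "configured=false" >> "$out"
  return 0
}
```

In the workflow the step running this function gets an `id`, and only the steps that actually call the live oracle carry `if: steps.<id>.outputs.configured == 'true'` together with the `LEGIS_LOOMWEAVE_HMAC_KEY` env entry; that is what keeps the secret scoped to its consumers and guarantees the no-op path never has the key in its environment.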