From 55ef25fd82ae02a556a6ee6362cd076f24ddc8b3 Mon Sep 17 00:00:00 2001
From: John Morrissey <544926+tachyon-beep@users.noreply.github.com>
Date: Thu, 25 Jun 2026 16:52:13 +1000
Subject: [PATCH] ci(release): restore skip-not-fail for live Loomweave conformance

Owner decision 2026-06-25: Legis does not run live Loomweave SEI conformance in remote CI (no CI-reachable Loomweave oracle is stood up). The 1.1.1 hardening (551ff64) made the conformance job fail closed when the oracle config is absent, which permanently blocks the PyPI publish in this setup. Restore the previously-reviewed skip-not-fail behavior (0dafc83): when LOOMWEAVE_URL / LOOMWEAVE_LIVE_ORACLE_LOCATOR / LEGIS_LOOMWEAVE_HMAC_KEY are unset the job passes as a no-op and emits a ::notice::, so publish proceeds; when they ARE present the live oracle still runs and a failure still blocks publish. The HMAC secret stays scoped to the steps that use it (preserving 87cb54d). This narrows only the live oracle check. The build job still gates publish on the full offline suite, mypy, per-package coverage floors, the offline SEI conformance oracle, the policy-boundary honesty gate, and the tag/version match.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .github/workflows/release.yml | 39 ++++++++++++++++++++---------------
 1 file changed, 22 insertions(+), 17 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 4b735f6..0000804 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -82,43 +82,48 @@ jobs:
 steps:
 - uses: actions/checkout@v4
- - name: Require live oracle configuration
+ # Skip-not-fail: live Loomweave conformance is NOT run in remote CI
+ # (owner decision 2026-06-25 — Legis does not stand up a CI-reachable
+ # Loomweave oracle). When the live oracle config is absent this job passes
+ # as a fast no-op so it never blocks the PyPI publish. When the config IS
+ # present (e.g. a provisioned/self-hosted runner), the oracle runs for
+ # real and a conformance failure blocks publish — the gate still bites
+ # where it can. Do NOT reintroduce a fail-on-missing-config check here
+ # (that was the rc4 publish blocker; re-added in 1.1.1, reverted again
+ # here per the owner decision above).
+ - name: Detect live oracle configuration
+ id: oracle_config
+ env:
+ LEGIS_LOOMWEAVE_HMAC_KEY: ${{ secrets.LEGIS_LOOMWEAVE_HMAC_KEY }}
 run: |
 missing=()
- for name in LOOMWEAVE_URL LOOMWEAVE_LIVE_ORACLE_LOCATOR; do
+ for name in LOOMWEAVE_URL LOOMWEAVE_LIVE_ORACLE_LOCATOR LEGIS_LOOMWEAVE_HMAC_KEY; do
 if [ -z "${!name}" ]; then
 missing+=("${name}")
 fi
 done
 if [ "${#missing[@]}" -ne 0 ]; then
 joined="$(IFS=', '; echo "${missing[*]}")"
- echo "::error::Missing required release conformance environment: ${joined}"
- exit 1
+ echo "::notice::Live Loomweave oracle not provisioned (${joined} unset) — skipping conformance, not blocking publish."
+ echo "configured=false" >> "$GITHUB_OUTPUT"
+ else
+ echo "configured=true" >> "$GITHUB_OUTPUT"
 fi
 - uses: astral-sh/setup-uv@v5
+ if: steps.oracle_config.outputs.configured == 'true'
 with:
 enable-cache: true
 - name: Install dependencies
+ if: steps.oracle_config.outputs.configured == 'true'
 run: uv sync --dev
 - name: Run live Loomweave oracle
+ if: steps.oracle_config.outputs.configured == 'true'
 env:
 LEGIS_LOOMWEAVE_HMAC_KEY: ${{ secrets.LEGIS_LOOMWEAVE_HMAC_KEY }}
- run: |
- missing=()
- for name in LOOMWEAVE_URL LOOMWEAVE_LIVE_ORACLE_LOCATOR LEGIS_LOOMWEAVE_HMAC_KEY; do
- if [ -z "${!name}" ]; then
- missing+=("${name}")
- fi
- done
- if [ "${#missing[@]}" -ne 0 ]; then
- joined="$(IFS=', '; echo "${missing[*]}")"
- echo "::error::Missing required release conformance environment: ${joined}"
- exit 1
- fi
- uv run pytest tests/conformance/test_live_loomweave_oracle.py
+ run: uv run pytest tests/conformance/test_live_loomweave_oracle.py
 publish:
 name: Publish to PyPI
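Review bot: The new `Detect live oracle configuration` step treats any one of the three variables being unset as "oracle not provisioned" and skips, so a half-configured oracle — for example LOOMWEAVE_URL and LOOMWEAVE_LIVE_ORACLE_LOCATOR set but the LEGIS_LOOMWEAVE_HMAC_KEY secret missing or not scoped to this run — silently bypasses the conformance gate instead of surfacing a misconfiguration. That is a different case from the all-unset setup the owner decision covers, and failing closed on it would not re-create the rc4 publish blocker, since an environment with nothing configured still takes the no-op path. I would skip only when all three are unset and `exit 1` on a partial set, and emit the skip as `::warning::` rather than `::notice::` so a bypassed gate is visible in the run's annotations. Where LOOMWEAVE_URL and the locator are sourced from is outside the hunk, so whether a stray partial value is realistic here should be confirmed against the job-level env.
```yaml
      - name: Detect live oracle configuration
        # … unchanged: id, env binding of LEGIS_LOOMWEAVE_HMAC_KEY …
        run: |
          names=(LOOMWEAVE_URL LOOMWEAVE_LIVE_ORACLE_LOCATOR LEGIS_LOOMWEAVE_HMAC_KEY)
          missing=()
          for name in "${names[@]}"; do
            if [ -z "${!name}" ]; then
              missing+=("${name}")
            fi
          done
          if [ "${#missing[@]}" -eq "${#names[@]}" ]; then
            echo "::warning::Live Loomweave oracle not provisioned (none of ${names[*]} set) — skipping conformance, not blocking publish."
            echo "configured=false" >> "$GITHUB_OUTPUT"
          elif [ "${#missing[@]}" -ne 0 ]; then
            joined="$(IFS=', '; echo "${missing[*]}")"
            echo "::error::Live Loomweave oracle is partially configured (${joined} unset); refusing to skip a half-provisioned gate."
            exit 1
          else
            echo "configured=true" >> "$GITHUB_OUTPUT"
          fi
```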