
chore: update fullsend shim workflow#3

Open · fullsend-ai-fullsend[bot] wants to merge 1 commit into main from fullsend/onboard

Conversation

@fullsend-ai-fullsend (Contributor)

This PR updates the fullsend shim workflow to match the current template in the .fullsend config repo.

The shim content has drifted from the template — this brings it back in sync.

@fullsend-ai-review

fullsend-ai-review Bot commented May 19, 2026


Review

Findings

High

  • [protected-path] .github/workflows/fullsend.yaml — This PR modifies a file under the .github/ protected path. The PR has no linked issue providing authorization for changes to governance/infrastructure files. Human approval is required for all protected-path changes.
    Remediation: Link an authorizing issue that explains the need for this workflow change, or have a human reviewer approve directly.

Low

  • [yaml-formatting] .github/workflows/fullsend.yaml:1 — The added YAML document separator (---) is inconsistent with existing workflow files. The repository's other workflow file (collect.yml) and YAML files (holidays.yaml) do not use document separators. While valid YAML, this breaks the established formatting pattern in this codebase.

  • [unverified-template-sync] .github/workflows/fullsend.yaml — PR claims the shim "has drifted from the template" and this brings it "back in sync," but provides no reference to the canonical template or diff showing the drift. The change adds a management notice suggesting external template ownership, but the template source is not linked.

Info

  • [code-analysis] .github/workflows/fullsend.yaml:47 — The removal of secrets: {} from the dispatch job's reusable workflow invocation is a no-op change. In GitHub Actions, omitting the secrets key and passing secrets: {} are functionally equivalent — both forward zero secrets to the called workflow. No correctness or behavioral impact.

  • [comment-style] .github/workflows/fullsend.yaml:2 — The management barrier comment introduces a new comment pattern not present elsewhere in the repository. This appears to be a convention from an external template rather than an established repository pattern.

  • [code-style] .github/workflows/fullsend.yaml:47 — Removing secrets: {} eliminates an explicit empty-allowlist annotation. Both forms are functionally identical in GitHub Actions. The explicit form had marginal value as a documentation signal of intent, but this is a style preference, not a security concern. See also: [code-analysis] finding at this location.

  • [missing-authorization] .github/workflows/fullsend.yaml — No linked issue for infrastructure change. PR is bot-authored with branch fullsend/onboard, suggesting automated maintenance. No template source or verification mechanism is visible in this PR context.

  • [scope-tier-match] .github/workflows/fullsend.yaml — Change is appropriately labeled as chore: and the scope matches — only template synchronization comments and removal of a redundant line. No feature work, no scope creep.

Previous run

Review

Findings

High

  • [protected-path] .github/workflows/fullsend.yaml — This PR modifies a file under the .github/ protected path. The PR has no linked issue providing authorization for changes to governance/infrastructure files. Human approval is required for all protected-path changes.
    Remediation: Link an authorizing issue that explains the need for this workflow change, or have a human reviewer approve directly.

Info

  • [code-analysis] .github/workflows/fullsend.yaml:47 — The removal of secrets: {} from the dispatch job's reusable workflow invocation is a no-op change. In GitHub Actions, omitting the secrets key and passing secrets: {} are functionally equivalent — both forward zero secrets to the called workflow. The workflow header comment confirms agents use OIDC tokens, not forwarded secrets. No correctness or behavioral impact.

  • [code-style] .github/workflows/fullsend.yaml:47 — Removing secrets: {} eliminates an explicit empty-allowlist annotation. Both forms (omitted vs. secrets: {}) are functionally identical in GitHub Actions — no secrets are forwarded unless secrets: inherit is used. The explicit form had marginal value as a documentation signal of intent, but this is a style preference, not a security concern.

Previous run (2)

Review

Findings

High

  • [protected-path] .github/workflows/fullsend.yaml — This PR modifies a file under the .github/ protected path. The PR has no linked issue providing authorization for changes to governance/infrastructure files. Human approval is required for all protected-path changes.
    Remediation: Link an authorizing issue that explains the need for this workflow change, or have a human reviewer approve directly.

Info

  • [code-analysis] .github/workflows/fullsend.yaml:47 — The removal of secrets: {} from the dispatch job's reusable workflow invocation is a no-op change. In GitHub Actions, omitting the secrets key and passing secrets: {} are functionally equivalent — both forward zero secrets to the called workflow. The workflow header comment confirms agents use OIDC tokens, not forwarded secrets. No correctness, security, or behavioral impact.

Previous run (3)

Review

Findings

High

  • [protected-path] .github/workflows/fullsend.yaml — This PR modifies a file under the .github/ protected path. The PR has no linked issue providing authorization for changes to governance/infrastructure files. Human approval is required for all protected-path changes.
    Remediation: Link an authorizing issue that explains the need for this workflow change, or have a human reviewer approve directly.

Info

  • [code-analysis] .github/workflows/fullsend.yaml:47 — The removal of secrets: {} from the dispatch job's reusable workflow invocation is a no-op change. In GitHub Actions, omitting the secrets key and passing secrets: {} are functionally equivalent — both forward zero secrets to the called workflow. The workflow header comment confirms agents use OIDC tokens, not forwarded secrets. No correctness, security, or behavioral impact.

Previous run (4)

Review — approve

Outcome: approve

Summary

Re-review of the same logical change (prior review at 1cfd588b, provenance: app-verified). The PR removes the explicit secrets: {} line from the dispatch job's reusable workflow invocation in .github/workflows/fullsend.yaml. In GitHub Actions, omitting the secrets key and passing secrets: {} are functionally equivalent — both result in no secrets being forwarded to the called reusable workflow. The workflow header comment confirms: "No secrets are needed in the enrolled repo — agents fetch scoped tokens from the centralized token mint using GitHub OIDC."

The change is a 1-line deletion that syncs the shim with the upstream template. No behavioral change, no security impact, no documentation staleness.

Dimensions

Dimension Result
Correctness ✅ No behavioral change — secrets: {} and omitting secrets both forward zero secrets
Intent alignment ✅ Scoped to template sync as described
Platform security ✅ No secrets exposure change; OIDC token flow unaffected
Content security ✅ N/A — no user content handling
Injection defense ✅ No suspicious patterns in PR body or diff
Style/conventions ✅ Consistent with workflow conventions
Documentation currency ✅ No in-repo docs reference the secrets key in the dispatch job

Protected paths detected — this PR modifies files under one or more
protected paths. The review agent cannot approve PRs that touch these paths.
A human reviewer must approve this PR.

Protected files in this PR:

  • .github/workflows/fullsend.yaml


Previous run (5)

Review — approve

Outcome: approve

Summary

Re-review of the same logical change (prior review at e096e666, provenance: app-verified). The PR removes the explicit secrets: {} line from the dispatch job's workflow_call invocation in .github/workflows/fullsend.yaml. In GitHub Actions, omitting the secrets key and passing an empty secrets: {} are functionally equivalent — both result in no secrets being forwarded to the called reusable workflow. The workflow's own header comment confirms "No secrets are needed in the enrolled repo."

The change is a 1-line deletion that syncs the shim with the upstream template. No behavioral change, no security impact, no documentation staleness.

Dimensions

Dimension Result
Correctness ✅ No behavioral change — both forms pass zero secrets
Intent alignment ✅ Scoped to template sync as described
Platform security ✅ No secrets exposure change
Content security ✅ N/A — no user content handling
Injection defense ✅ No suspicious patterns in PR content
Style/conventions ✅ Consistent with workflow conventions
Documentation currency ✅ No docs reference this line

Protected paths detected — this PR modifies files under one or more
protected paths. The review agent cannot approve PRs that touch these paths.
A human reviewer must approve this PR.

Protected files in this PR:

  • .github/workflows/fullsend.yaml


Previous run (6)

Review — approve

Outcome: approve

Summary

Re-review of the same logical change (prior review at 8a0f1126, provenance: app-verified). The PR removes the explicit secrets: {} line from the dispatch job's workflow_call invocation in .github/workflows/fullsend.yaml. In GitHub Actions, omitting the secrets key and passing an empty secrets: {} are functionally equivalent — both result in no secrets being forwarded to the called reusable workflow. The workflow's own header comment confirms "No secrets are needed in the enrolled repo."

The change is a 1-line deletion that syncs the shim with the upstream template. No behavioral change, no security impact, no documentation staleness.

Dimensions

Dimension Result
Correctness ✅ No behavioral change — both forms pass zero secrets
Intent alignment ✅ Scoped to template sync as described
Platform security ✅ No secrets exposure change
Content security ✅ N/A — no user content handling
Injection defense ✅ No suspicious patterns in PR content
Style/conventions ✅ Consistent with workflow conventions
Documentation currency ✅ No docs reference this line

Protected paths detected — this PR modifies files under one or more
protected paths. The review agent cannot approve PRs that touch these paths.
A human reviewer must approve this PR.

Protected files in this PR:

  • .github/workflows/fullsend.yaml


Previous run (7)

Review — approve

Outcome: approve

Summary

Re-review of the same logical change (prior review at a7c40afd, provenance: app-verified). The PR removes the explicit secrets: {} line from the dispatch job's workflow_call invocation in .github/workflows/fullsend.yaml. In GitHub Actions, omitting the secrets key and passing an empty secrets: {} are functionally equivalent — both result in no secrets being forwarded to the called reusable workflow. The workflow's own header comment confirms "No secrets are needed in the enrolled repo."

The change is a 1-line deletion that syncs the shim with the upstream template. No behavioral change, no security impact, no documentation staleness.

Dimensions

Dimension Result
Correctness ✅ No behavioral change — both forms pass zero secrets
Intent alignment ✅ Scoped to template sync as described
Platform security ✅ No secrets exposure change
Content security ✅ N/A — no user content handling
Injection defense ✅ No suspicious patterns in PR content
Style/conventions ✅ Consistent with workflow conventions
Documentation currency ✅ No docs reference this line

Protected paths detected — this PR modifies files under one or more
protected paths. The review agent cannot approve PRs that touch these paths.
A human reviewer must approve this PR.

Protected files in this PR:

  • .github/workflows/fullsend.yaml


Previous run (8)

Review — approve

Outcome: approve

Summary

Re-review of the same logical change (prior review at 5b554814, provenance: app-verified). The PR removes the explicit secrets: {} line from the dispatch job's workflow_call invocation in .github/workflows/fullsend.yaml. In GitHub Actions, omitting the secrets key and passing an empty secrets: {} are functionally equivalent — both result in no secrets being forwarded to the called reusable workflow. The workflow's own header comment confirms "No secrets are needed in the enrolled repo."

The change is a 1-line deletion that syncs the shim with the upstream template. No behavioral change, no security impact, no documentation staleness.

Dimensions

Dimension Result
Correctness ✅ No behavioral change — both forms pass zero secrets
Intent alignment ✅ Scoped to template sync as described
Platform security ✅ No secrets exposure change
Content security ✅ N/A — no user content handling
Injection defense ✅ No suspicious patterns in PR content
Style/conventions ✅ Consistent with workflow conventions
Documentation currency ✅ No docs reference this line

Protected paths detected — this PR modifies files under one or more
protected paths. The review agent cannot approve PRs that touch these paths.
A human reviewer must approve this PR.

Protected files in this PR:

  • .github/workflows/fullsend.yaml


Previous run (9)

Review — approve

Outcome: approve

Summary

Re-review of the same logical change (prior review at c4135208, provenance: app-verified). The PR removes the explicit secrets: {} line from the dispatch job's workflow_call invocation in .github/workflows/fullsend.yaml. In GitHub Actions, omitting the secrets key and passing an empty secrets: {} are functionally equivalent — both result in no secrets being forwarded to the called reusable workflow. The workflow's own header comment confirms "No secrets are needed in the enrolled repo."

The change is a 1-line deletion that syncs the shim with the upstream template. No behavioral change, no security impact, no documentation staleness.

Dimensions

Dimension Result
Correctness ✅ No behavioral change — both forms pass zero secrets
Intent alignment ✅ Scoped to template sync as described
Platform security ✅ No secrets exposure change
Content security ✅ N/A — no user content handling
Injection defense ✅ No suspicious patterns in PR content
Style/conventions ✅ Consistent with workflow conventions
Documentation currency ✅ No docs reference this line

Protected paths detected — this PR modifies files under one or more
protected paths. The review agent cannot approve PRs that touch these paths.
A human reviewer must approve this PR.

Protected files in this PR:

  • .github/workflows/fullsend.yaml

Previous run (10)

Review — approve

Outcome: approve

Summary

Re-review of the same logical change (prior review at c4135208, provenance: app-verified). The PR removes the explicit secrets: {} line from the dispatch job's workflow_call invocation in .github/workflows/fullsend.yaml. In GitHub Actions, omitting the secrets key and passing an empty secrets: {} are functionally equivalent — both result in no secrets being forwarded to the called reusable workflow. The workflow's own header comment confirms "No secrets are needed in the enrolled repo."

The change is a 1-line deletion that syncs the shim with the upstream template. No behavioral change, no security impact, no documentation staleness.

Dimensions

Dimension Result
Correctness ✅ No behavioral change — both forms pass zero secrets
Intent alignment ✅ Scoped to template sync as described
Platform security ✅ No secrets exposure change
Content security ✅ N/A — no user content handling
Injection defense ✅ No suspicious patterns in PR content
Style/conventions ✅ Consistent with workflow conventions
Documentation currency ✅ No docs reference this line

Protected paths detected — this PR modifies files under one or more
protected paths. The review agent cannot approve PRs that touch these paths.
A human reviewer must approve this PR.

Protected files in this PR:

  • .github/workflows/fullsend.yaml


Previous run (11)

Review — approve

Outcome: approve

Summary

This PR removes the explicit secrets: {} line from the dispatch job's workflow_call invocation in .github/workflows/fullsend.yaml. In GitHub Actions, omitting the secrets key and passing an empty secrets: {} are functionally equivalent — both result in no secrets being forwarded to the called reusable workflow. The workflow's own header comment confirms "No secrets are needed in the enrolled repo."

The change is a 1-line deletion that syncs the shim with the upstream template. No behavioral change, no security impact, no documentation staleness.

Dimensions

Dimension Result
Correctness ✅ No behavioral change — both forms pass zero secrets
Intent alignment ✅ Scoped to template sync as described
Platform security ✅ No secrets exposure change
Content security ✅ N/A — no user content handling
Injection defense ✅ No suspicious patterns in PR content
Style/conventions ✅ Consistent with workflow conventions
Documentation currency ✅ No docs reference this line

Protected paths detected — this PR modifies files under one or more
protected paths. The review agent cannot approve PRs that touch these paths.
A human reviewer must approve this PR.

Protected files in this PR:

  • .github/workflows/fullsend.yaml
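An added check, not code from this PR or from the fullsend project: a small Python audit that reports, for every job calling a reusable workflow, how secrets are forwarded (key omitted, `secrets: {}`, `secrets: inherit`, or an explicit list) and whether the `uses:` ref is a full commit SHA or a mutable ref such as `@main`. It generalises beyond the single line this PR touches; the two-space layout assumption, the `_parse_jobs` scanner and the sample workflow (constructed to resemble the dispatch job in the hunk, plus a hypothetical `leaky` job) are all assumptions.

```python
"""Audit callers of reusable GitHub Actions workflows: how secrets are
forwarded and whether the `uses:` ref is pinned. Added example, not fullsend's
tooling; runs without PyYAML by assuming the usual two-space workflow layout."""
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # a full commit SHA is the only immutable ref


def _parse_jobs(text):
    """{job: {key: (scalar value, [child mapping keys])}} for each job under
    `jobs:`; only job-level keys and their direct children are kept."""
    jobs, job, key, in_jobs = {}, None, None, False
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        ind = len(raw) - len(raw.lstrip(" "))
        if ind == 0:  # a new top-level section (name:, on:, jobs:, ...)
            in_jobs, job, key = stripped == "jobs:", None, None
        elif not in_jobs:
            continue
        elif ind == 2 and stripped.endswith(":"):
            job, key = stripped[:-1], None
            jobs[job] = {}
        elif ind == 4 and job is not None and ":" in stripped:
            k, _, v = stripped.partition(":")
            key = k.strip()
            jobs[job][key] = (v.strip(), [])
        elif ind >= 6 and key is not None and ":" in stripped:
            jobs[job][key][1].append(stripped.partition(":")[0].strip())
    return jobs


def classify_secrets(job_keys):
    """Describe what a caller job forwards to the reusable workflow it `uses`."""
    if "secrets" not in job_keys:
        return "none (key omitted)"
    value, children = job_keys["secrets"]
    if value == "{}":
        return "none (explicit empty mapping)"
    if value == "inherit":
        return "all caller secrets (inherit)"
    if children:
        return "explicit: " + ", ".join(children)
    return "none (empty)"


def audit_workflow(text):
    """Return (job, finding-id, detail) tuples for every reusable-workflow call."""
    findings = []
    for name, keys in _parse_jobs(text).items():
        if "uses" not in keys:
            continue  # an ordinary runs-on job, not a workflow_call
        target = keys["uses"][0]
        ref = target.rsplit("@", 1)[1] if "@" in target else None
        if ref is not None and not SHA_RE.match(ref):
            findings.append((name, "mutable-ref",
                             f"{target} is pinned to '{ref}', not a commit SHA"))
        mode = classify_secrets(keys)
        if mode.startswith("all caller secrets"):
            findings.append((name, "secrets-inherit",
                             "every repository and organization secret is forwarded"))
        findings.append((name, "secrets-mode", mode))
    return findings


# Constructed sample: `dispatch` mirrors the shape of this PR's dispatch job;
# `leaky` is a hypothetical job that forwards everything.
SAMPLE_WORKFLOW = """\
name: fullsend
on:
  pull_request:
jobs:
  dispatch:
    uses: fullsend-ai/.fullsend/.github/workflows/dispatch.yml@main
    with:
      event_action: ${{ github.event.action }}
    secrets: {}
  leaky:
    uses: example-org/shared/.github/workflows/deploy.yml@0123456789abcdef0123456789abcdef01234567
    secrets: inherit
"""
```

Run `audit_workflow(SAMPLE_WORKFLOW)`: the dispatch job is reported as forwarding no secrets (matching the findings above) but as calling the reusable workflow at a mutable `main` ref, while `leaky` is flagged for `secrets: inherit`.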

@fullsend-ai-review fullsend-ai-review Bot added the requires-manual-review Review requires human judgment label May 19, 2026
@fullsend-ai-review fullsend-ai-review Bot added requires-manual-review Review requires human judgment and removed requires-manual-review Review requires human judgment labels May 19, 2026
@fullsend-ai-review fullsend-ai-review Bot added requires-manual-review Review requires human judgment and removed requires-manual-review Review requires human judgment labels May 19, 2026
@fullsend-ai-review fullsend-ai-review Bot added requires-manual-review Review requires human judgment and removed requires-manual-review Review requires human judgment labels May 19, 2026
@fullsend-ai-review fullsend-ai-review Bot added requires-manual-review Review requires human judgment and removed requires-manual-review Review requires human judgment labels May 19, 2026
@fullsend-ai-fullsend fullsend-ai-fullsend Bot force-pushed the fullsend/onboard branch 2 times, most recently from 93e7415 to 1cfd588 Compare May 20, 2026 08:11
@fullsend-ai-review fullsend-ai-review Bot added requires-manual-review Review requires human judgment and removed requires-manual-review Review requires human judgment labels May 20, 2026
@fullsend-ai-review fullsend-ai-review Bot added requires-manual-review Review requires human judgment and removed requires-manual-review Review requires human judgment labels May 20, 2026
@fullsend-ai-fullsend fullsend-ai-fullsend Bot force-pushed the fullsend/onboard branch 2 times, most recently from bdc6b08 to 9b3886d Compare May 21, 2026 12:06

@fullsend-ai-review fullsend-ai-review Bot left a comment


See the review comment for full details.

with:
event_action: ${{ github.event.action }}
secrets: {}


[info] code-analysis

The removal of secrets: {} from the dispatch job reusable workflow invocation is a no-op change. In GitHub Actions, omitting the secrets key and passing secrets: {} are functionally equivalent. No correctness, security, or behavioral impact.

@fullsend-ai-review fullsend-ai-review Bot removed the requires-manual-review Review requires human judgment label May 21, 2026

@fullsend-ai-review fullsend-ai-review Bot left a comment


See the review comment for full details.

with:
event_action: ${{ github.event.action }}
secrets: {}


[info] code-analysis

The removal of secrets: {} from the dispatch job's reusable workflow invocation is a no-op change. In GitHub Actions, omitting the secrets key and passing secrets: {} are functionally equivalent — both forward zero secrets to the called workflow. The workflow header comment confirms agents use OIDC tokens, not forwarded secrets. No correctness, security, or behavioral impact.

@fullsend-ai-fullsend fullsend-ai-fullsend Bot force-pushed the fullsend/onboard branch 4 times, most recently from 00aebe0 to 2dafd1d Compare June 9, 2026 06:46
@fullsend-ai-review

fullsend-ai-review Bot commented Jun 9, 2026


🤖 Finished Review · ❌ Failure · Started 6:48 AM UTC · Completed 6:48 AM UTC
Commit: 9bd7234 · View workflow run →

@fullsend-ai-review

fullsend-ai-review Bot commented Jun 9, 2026


🤖 Finished Review · ✅ Success · Started 10:43 PM UTC · Completed 10:49 PM UTC
Commit: 4ed6da4 · View workflow run →

@fullsend-ai-review fullsend-ai-review Bot left a comment


See the review comment for full details.

with:
event_action: ${{ github.event.action }}
secrets: {}


[info] code-analysis

The removal of secrets: {} from the dispatch job reusable workflow invocation is a no-op change. In GitHub Actions, omitting the secrets key and passing secrets: {} are functionally equivalent — both forward zero secrets to the called workflow. The workflow header comment confirms agents use OIDC tokens, not forwarded secrets. No correctness or behavioral impact.

with:
event_action: ${{ github.event.action }}
secrets: {}


[info] code-style

Removing secrets: {} eliminates an explicit empty-allowlist annotation. Both forms are functionally identical in GitHub Actions — no secrets are forwarded unless secrets: inherit is used. The explicit form had marginal value as a documentation signal of intent, but this is a style preference, not a security concern.

Update the shim workflow to match the current template
in the .fullsend config repo.
@fullsend-ai-review

fullsend-ai-review Bot commented Jun 10, 2026


🤖 Finished Review · ✅ Success · Started 6:01 PM UTC · Completed 6:09 PM UTC
Commit: 900cdad · View workflow run →

@fullsend-ai-review fullsend-ai-review Bot left a comment


See the review comment for full details.

@@ -1,3 +1,5 @@
---


[low] yaml-formatting

The added YAML document separator (---) is inconsistent with existing workflow files in the repository. collect.yml and holidays.yaml do not use document separators.

@@ -44,7 +46,6 @@ jobs:
uses: fullsend-ai/.fullsend/.github/workflows/dispatch.yml@main
with:


[info] code-analysis

The removal of secrets: {} is a no-op change. Both forms are functionally equivalent in GitHub Actions.

@@ -1,3 +1,5 @@
---
# --- fullsend managed below - do not edit ---
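Review bot: the `# --- fullsend managed below - do not edit ---` marker names an owner but not where the canonical template lives, so the "drifted from the template" claim in the PR description cannot be checked against this hunk; suggest the marker cite the template's path in the .fullsend config repo and the template commit it was synced from, for example `# --- fullsend managed below - do not edit; source: <template path>@<template commit> ---` (placeholders), so later syncs are verifiable. The `---` separator on the line above is valid YAML but, as the low finding notes, no other workflow file in this repository uses one.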


[info] comment-style

The management barrier comment introduces a new comment pattern not present elsewhere in the repository.

@@ -44,7 +46,6 @@ jobs:
uses: fullsend-ai/.fullsend/.github/workflows/dispatch.yml@main
with:
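Review bot: `uses: fullsend-ai/.fullsend/.github/workflows/dispatch.yml@main` calls the reusable workflow at a branch ref, so whatever `main` contains at run time executes with this repository's permissions and the dispatch job's behaviour can change without any commit here; since this shim is already synced from a template, pin to a release tag or a full commit SHA and let the template sync bump it. Dropping the `secrets: {}` line beneath `with:` is behaviour-preserving, as the info findings say, because only `secrets: inherit` forwards caller secrets.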


[info] code-style

Removing secrets: {} eliminates an explicit empty-allowlist annotation. This is a style preference, not a security concern.
