ci(tailor): fit with tailor project templates #16
Signed-off-by: Martin Wimpress <code@wimpress.io>
5 issues found across 14 files
Confidence score: 3/5
- Moderate merge risk: there are two high-severity, high-confidence workflow issues (7/10) that can change PR automation behavior in user-visible ways, so this is not a clean low-risk merge.
- In `.github/workflows/tailor-automerge.yml`, the `workflow_dispatch` backfill path can merge all open Dependabot PRs, including major updates that the normal policy excludes, which raises regression risk from unintended dependency jumps.
- In `.github/workflows/tailor.yml`, both `update-flake-lock` and `create-pull-request` need an explicit PAT; relying on `GITHUB_TOKEN`/job-level `GH_TOKEN` means follow-up `pull_request` automerge workflows may not trigger as intended.
- Pay close attention to `.github/workflows/tailor-automerge.yml` and `.github/workflows/tailor.yml` - automerge scope and token wiring can cause unintended merges or stalled automation.
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="SUPPORT.md">
<violation number="1" location="SUPPORT.md:7">
P2: The `../../...` links were copied from the `.github/SUPPORT.md` template and are wrong for a root-level `SUPPORT.md`, so the README/issues links in this support page will not resolve correctly.</violation>
</file>
<file name="CODE_OF_CONDUCT.md">
<violation number="1" location="CODE_OF_CONDUCT.md:49">
P2: This reporting instruction points to repository contact details that do not exist, so Code of Conduct violations currently have no documented reporting path.</violation>
</file>
<file name=".github/workflows/tailor-automerge.yml">
<violation number="1" location=".github/workflows/tailor-automerge.yml:68">
P1: The `workflow_dispatch` backfill path merges all open Dependabot PRs, including major updates that the main automerge policy intentionally excludes.</violation>
</file>
<file name=".github/workflows/tailor.yml">
<violation number="1" location=".github/workflows/tailor.yml:27">
P2: Pass the PAT to `create-pull-request`; the job-level `GH_TOKEN` is ignored here, so this PR still uses `GITHUB_TOKEN` and won't trigger follow-up workflows.</violation>
<violation number="2" location=".github/workflows/tailor.yml:50">
P1: Provide a PAT to `update-flake-lock`; otherwise its PRs are opened by the default GitHub Action token and your `pull_request` automerge workflow will not run.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
|
|
||
| - name: Update flake.lock | ||
| if: steps.check.outputs.found == 'true' | ||
| uses: DeterminateSystems/update-flake-lock@v28 |
P1: Provide a PAT to `update-flake-lock`; otherwise its PRs are opened by the default GitHub Action token and your `pull_request` automerge workflow will not run.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/tailor.yml, line 50:
<comment>Provide a PAT to `update-flake-lock`; otherwise its PRs are opened by the default GitHub Action token and your `pull_request` automerge workflow will not run.</comment>
<file context>
@@ -0,0 +1,52 @@
+
+ - name: Update flake.lock
+ if: steps.check.outputs.found == 'true'
+ uses: DeterminateSystems/update-flake-lock@v28
+ with:
+ pr-title: "chore: update flake.lock"
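Review bot: the `uses:` line references `DeterminateSystems/update-flake-lock@v28` by a movable tag, and this step opens pull requests that the automerge workflow is meant to act on. Pin the action to a full commit SHA and keep the version as a trailing comment, so a retagged release cannot change what runs with this job's credentials.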
</file context>
|
|
||
| Before opening an issue, check the existing resources: | ||
|
|
||
| - **[README](../../#readme)** for installation, usage, and configuration |
P2: The `../../...` links were copied from the `.github/SUPPORT.md` template and are wrong for a root-level `SUPPORT.md`, so the README/issues links in this support page will not resolve correctly.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At SUPPORT.md, line 7:
<comment>The `../../...` links were copied from the `.github/SUPPORT.md` template and are wrong for a root-level `SUPPORT.md`, so the README/issues links in this support page will not resolve correctly.</comment>
<file context>
@@ -0,0 +1,34 @@
+
+Before opening an issue, check the existing resources:
+
+- **[README](../../#readme)** for installation, usage, and configuration
+- **[Open issues](../../issues)** for known bugs and planned features
+- **[Closed issues](../../issues?q=is%3Aissue+is%3Aclosed)** for previously resolved problems
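Review bot: the `../../` targets on the three link lines (`../../#readme`, `../../issues`, `../../issues?q=...`) resolve relative to the URL at which the file is rendered, so whether they work depends on the file's path depth and on where it is viewed. Absolute repository URLs for the README, open-issues and closed-issues links would remove that dependency; at minimum, check the rendered links from the page where this file is actually displayed before merging.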
</file context>
| alter: true | ||
|
|
||
| - name: Create PR | ||
| uses: peter-evans/create-pull-request@v8 |
P2: Pass the PAT to `create-pull-request`; the job-level `GH_TOKEN` is ignored here, so this PR still uses `GITHUB_TOKEN` and won't trigger follow-up workflows.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/tailor.yml, line 27:
<comment>Pass the PAT to `create-pull-request`; the job-level `GH_TOKEN` is ignored here, so this PR still uses `GITHUB_TOKEN` and won't trigger follow-up workflows.</comment>
<file context>
@@ -0,0 +1,52 @@
+ alter: true
+
+ - name: Create PR
+ uses: peter-evans/create-pull-request@v8
+ with:
+ branch: tailor-alter
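Review bot: the `with:` block under `peter-evans/create-pull-request@v8` shows `branch: tailor-alter` but no `token:` input in the lines visible here. If a PAT is added as discussed, pass it through the action's `token:` input from a repository secret, and prefer a fine-grained token limited to this repository with only contents and pull-requests write access, because PRs opened with it will trigger the automerge workflow.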
</file context>
No description provided.