From f5dfc58c5d86fdeece2efd0d394189e777363b04 Mon Sep 17 00:00:00 2001 
From: Mike Odnis
Date: Sun, 10 May 2026 10:13:07 -0400
Subject: [PATCH] ci: stop recurring Release + security workflow failures on main
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Two workflows have been failing on every push to main since #34 landed.

security.yml — startup_failure

The fix in #34 replaced `secrets: inherit` with an explicit `SEMGREP_APP_TOKEN: ${{ ... }}` mapping to address zizmor's `secrets-inherit` warning. The upstream reusable workflow at `resq-software/.github/.github/workflows/security-scan.yml` does not declare a `workflow_call.secrets:` contract, and GitHub Actions rejects callers that try to pass named secrets to a workflow with no declared secrets surface — the run terminates as `startup_failure` before any job starts.

Revert to `secrets: inherit` and pin the rationale in a comment. Add `.github/zizmor.yml` to ignore the `secrets-inherit` finding on `security.yml` only, with a TODO pointing to the upstream workflow update needed to make explicit secret passing valid again.

publish.yml — `Release` failure

`python-semantic-release` pushes the version-bump commit + tag back to main directly. The `default-branch-baseline` ruleset (id 15191038) requires every change to main to come through a PR; bypass mode is `pull_request`, so even bypass actors cannot push directly. The bot's push is rejected with

    remote: error: GH013: Repository rule violations found
    remote: - Changes must be made through a pull request.
    remote: - Required status check "required" is expected.

Drop the `push: branches: [main]` trigger so the workflow no longer fires on every commit. `workflow_dispatch` remains, so releases can still be cut manually from the Actions tab or with `gh workflow run Release.yml`.
Long-term, restore automation by either adding a bot to ruleset bypass with `bypass_mode: always` or restructuring to a PR-based release flow (semantic-release with `commit: false, push: false` + `peter-evans/create-pull-request`). The workflow file's header comment captures both paths.
---
 .github/workflows/publish.yml  | 26 ++++++++++++++++++++++++--
 .github/workflows/security.yml | 11 +++++++++--
 .github/zizmor.yml             | 19 +++++++++++++++++++
 3 files changed, 52 insertions(+), 4 deletions(-)
 create mode 100644 .github/zizmor.yml

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 48e0f00..f0c29a1 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -1,8 +1,30 @@ name: Release +# Manual-only trigger. +# +# `python-semantic-release` needs to push the version-bump commit and +# tag back to `main`. The `default-branch-baseline` ruleset on this +# repo requires every change to `main` to come through a pull request +# (bypass mode is `pull_request`, so even bypass actors must use a PR). +# Direct pushes from the Actions GITHUB_TOKEN — including the bot's +# release commit — are rejected with `GH013: Repository rule +# violations`. Keeping `push: branches: [main]` on this trigger +# therefore caused every commit to fail the `Release` workflow. +# +# Options for restoring automatic releases on push: +# 1. Add a dedicated GitHub App / `resq-sw` PAT to `bypass_actors` on +# ruleset 15191038 with `bypass_mode: always`, then wire its token +# into `mcp-release` / `dsa-release` checkouts and the +# `python-semantic-release` action. +# 2. Restructure to a PR-based release flow: run semantic-release +# with `commit: false, push: false` to compute the version, then +# open a release PR via `peter-evans/create-pull-request` so the +# bump merges through the protected-branch policy normally. +# +# Until one of those lands, dispatch this workflow manually from the +# Actions tab (or via `gh workflow run Release.yml`) when you want to +# cut a release. on: - push: - branches: [main] workflow_dispatch: permissions: diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index e1c8e52..c5d209b 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml 
@@ -26,5 +26,12 @@ jobs: with: languages: '["python","actions"]' enable-semgrep: true - secrets: - SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }} + # `secrets: inherit` is required here because the upstream reusable + # workflow does not declare a `workflow_call.secrets:` contract. + # Passing named secrets (e.g. `SEMGREP_APP_TOKEN: ${{ ... }}`) causes + # GitHub to reject the call with `startup_failure` before any job + # runs. Tracked: follow up on resq-software/.github to declare the + # secrets contract, after which this can become explicit. + # zizmor warning `secrets-inherit` (#43) is intentionally suppressed + # in `.github/zizmor.yml` for the same reason. + secrets: inherit diff --git a/.github/zizmor.yml b/.github/zizmor.yml new file mode 100644 index 0000000..903131a --- /dev/null +++ b/.github/zizmor.yml @@ -0,0 +1,19 @@ +# Copyright 2026 ResQ Software +# SPDX-License-Identifier: Apache-2.0 +# +# zizmor configuration for resq-software/pypi. +# https://docs.zizmor.sh/configuration/ + +rules: + secrets-inherit: + ignore: + # The org-wide reusable workflow at + # resq-software/.github/.github/workflows/security-scan.yml does + # not declare a `workflow_call.secrets:` contract. With no + # contract, GitHub Actions rejects any caller that tries to pass + # named secrets explicitly — the run terminates as + # `startup_failure` before any job starts. `secrets: inherit` is + # the only valid option until the upstream workflow is updated to + # declare its secrets surface. Once that lands, drop this ignore + # and switch security.yml back to explicit `SEMGREP_APP_TOKEN`. + - security.yml
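Review bot: in the publish.yml hunk, option 1 of the new header comment (adding a `resq-sw` PAT or GitHub App to `bypass_actors` on ruleset 15191038 with `bypass_mode: always`) would let that credential bypass the pull-request requirement on `main` permanently, which is the very protection the ruleset exists to provide; the comment should mark option 2 (semantic-release with `commit: false, push: false` plus `peter-evans/create-pull-request`) as the preferred path and, if option 1 is ever taken, call for a dedicated GitHub App with the narrowest permissions rather than a user PAT. It is also worth stating in the comment that with `push: branches: [main]` removed the workflow never runs on merge, so a forgotten `gh workflow run Release.yml` silently means no release ships.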
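Review bot: in the security.yml hunk, the comment explains why `secrets: inherit` is required but not what it costs: `inherit` hands every secret available to this workflow to the called workflow, not only `SEMGREP_APP_TOKEN`, which is exactly why zizmor raises `secrets-inherit`. Add a sentence saying so, and since the caller is now trusting `resq-software/.github/.github/workflows/security-scan.yml` with all of them, confirm that the `uses:` reference (outside this hunk) is pinned to a commit SHA rather than a branch. `Tracked: follow up on resq-software/.github` should point at a concrete issue or PR so the TODO does not go stale.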
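Review bot: in the new `.github/zizmor.yml`, the rationale block repeats the comment added to security.yml almost verbatim, so the two copies will drift; keep the full explanation in one place (security.yml, next to the `secrets: inherit` it justifies) and reduce this entry to a one-line pointer plus the tracking reference. Scoping the ignore to `- security.yml` rather than disabling `secrets-inherit` repo-wide is the right call. As with security.yml, "Once that lands, drop this ignore" needs a concrete issue link so the suppression is actually revisited.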