Skip to content

chore: reuse GitHub hygiene workflows#176

Merged
saagpatel merged 5 commits into
masterfrom
codex/chore/reusable-gha-workflows
Jun 21, 2026
Merged

chore: reuse GitHub hygiene workflows#176
saagpatel merged 5 commits into
masterfrom
codex/chore/reusable-gha-workflows

Conversation

@saagpatel

@saagpatel saagpatel commented Jun 21, 2026
edited
Loading

Copy link
Copy Markdown
Owner

Summary

  • Reuse shared GitHub workflow patterns for hygiene checks.
  • Refresh dependency metadata for the Vite security update.
  • Override tmp to the patched 0.2.7 line for dev-tool audit coverage.
  • Limit reusable workflow permissions without inheriting repository secrets.

Merge order

  • Merge the sovereign reusable-workflow PR before this PR so the called workflows exist on the default branch.

Lockfile rationale

  • pnpm-lock.yaml changed because package metadata now targets Vite 7.3.5 and tmp resolves to the patched 0.2.7 line.
  • The lockfile was refreshed through pnpm and formatted by repo hooks.

Verification

  • pnpm install --lockfile-only
  • pnpm audit --audit-level high
  • Workflow YAML parsed successfully.

chatgpt-codex-connector[bot]
chatgpt-codex-connector Bot reviewed Jun 21, 2026
View reviewed changes

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 242e31476b

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread .github/workflows/git-hygiene.yml Outdated
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
git-hygiene:
uses: saagpatel/sovereign/.github/workflows/git-hygiene.yml@main
secrets: inherit

@chatgpt-codex-connector chatgpt-codex-connector Bot Jun 21, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Avoid inheriting all secrets into shared workflow

On same-repository PR events, secrets: inherit implicitly exposes every available repository/org secret to the reusable workflow in saagpatel/sovereign@main, whereas the removed local jobs only used GITHUB_TOKEN. Because this hygiene check only needs token-scoped GitHub access, pass only the named token/permissions it needs or omit inherited secrets; the same exposure is introduced in lockfile-rationale.yml as well.

Useful? React with 👍 / 👎.

@saagpatel saagpatel force-pushed the codex/chore/reusable-gha-workflows branch from 242e314 to 33d5052 Compare June 21, 2026 09:45
@saagpatel saagpatel force-pushed the codex/chore/reusable-gha-workflows branch from 33d5052 to dcfe32e Compare June 21, 2026 09:46
@saagpatel saagpatel merged commit 3ffe91f into master Jun 21, 2026
36 checks passed
@saagpatel saagpatel deleted the codex/chore/reusable-gha-workflows branch June 21, 2026 10:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chatgpt-codex-connector chatgpt-codex-connector[bot] chatgpt-codex-connector[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@saagpatel