ci: auditor PR-flow phase 2 — fan out to remaining 12 workflows#299
Open
xiaolai wants to merge 1 commit into
Migrates every auditor workflow that pushes directly to main to use the shared commit-via-pr.sh helper introduced in phase 1 (#296).

Workflows migrated:
- auditor-suppressions
- auditor-classify
- auditor-render-dashboard
- auditor-daily-report
- auditor-docs-diff
- auditor-repo-report
- auditor-vocab-drift
- auditor-exemplar
- auditor-discover
- auditor-case-study (3 commit blocks)
- auditor-audit (2 commit blocks — main report + disclosure-pending)
- auditor-contribute (4 commit blocks — three policy gates + no-high-confidence)

Each migration replaces `git config / set-url / git diff --cached --quiet || { commit; push-with-retry }` with `git add ... ; commit-via-pr.sh "<msg>"`, and adds `PAT_TOKEN` to the step env (required so the bot PR triggers the gate).

Helper hardening — two pre-existing bugs that would surface in phase 2:
- Branch name now includes the short SHA of the just-made commit, so a workflow that creates multiple commits in one run (case-study and audit do) does not collide on the same branch name.
- gh label create --force runs idempotently before gh pr create, so the helper is portable to any repo where the `auditor-bot` label may not exist yet.

After this lands, every direct push to main from an auditor workflow is replaced by an auto-merging bot PR. Phase 3 can re-enable branch protection requiring `gate` without re-breaking the pipeline.
What
Migrates every remaining auditor workflow that pushes directly to `main` to use the shared `commit-via-pr.sh` helper from phase 1 (#296). After this lands, zero auditor workflows push to main directly — every state change goes through an auto-merging bot PR.
Each step's env now includes `PAT_TOKEN: ${{ secrets.PAT_TOKEN }}` so its bot PR triggers downstream workflows (required for phase 3).
Net -116 LOC — the helper absorbs the boilerplate.
Helper hardening (also in this PR)
Two pre-existing bugs in `commit-via-pr.sh` that phase 1 didn't hit but phase 2 would:
What's next
Phase 3 recreates branch protection requiring `gate` once this lands. With every auditor workflow now opening bot PRs that trigger `gate` (skip-passes for non-release), the required check resolves uniformly for both human and bot PRs.
Verification plan
The gate will skip-pass on this PR itself. Post-merge, I'll dispatch one of the migrated workflows (probably `auditor-render-dashboard` — small, fast, low-blast-radius) to confirm the helper works end-to-end across the new call sites. If anything misbehaves, phase 3 stays parked.
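The flow the PR describes (stage, commit, push to a per-commit branch, ensure the label, open an auto-merging PR), written out as an added illustrative helper; this is not the project's own commit-via-pr.sh, and the branch prefix, label description, PAT_TOKEN-to-GH_TOKEN mapping and squash-merge choice are assumptions:

```shell
#!/bin/sh
# Illustrative commit-via-pr style helper (added example, not the project's script).
# Assumes: gh CLI on PATH, a checkout with the desired changes already staged,
# and PAT_TOKEN exported by the workflow step (assumption: the helper maps it to
# GH_TOKEN so the PRs it opens come from a PAT and therefore trigger other workflows).
set -eu

LABEL="${AUDITOR_LABEL:-auditor-bot}"          # assumed label name
BASE_BRANCH="${BASE_BRANCH:-main}"
export GH_TOKEN="${PAT_TOKEN:-${GITHUB_TOKEN:-}}"

# Short form of a commit SHA (first 7 hex chars), POSIX-portable.
short_sha() {
  printf '%s' "$1" | cut -c1-7
}

# Collision-free branch name: fixed prefix plus the short SHA of the commit just
# made. Two commits in one workflow run get different SHAs, so different branches.
branch_for_commit() {
  printf 'auditor-bot/%s\n' "$(short_sha "$1")"
}

commit_via_pr() {
  msg="$1"
  # Nothing staged means nothing to do; keeps repeated runs quiet and idempotent.
  if git diff --cached --quiet; then
    echo "commit-via-pr: nothing staged, skipping" >&2
    return 0
  fi
  git commit -m "$msg"
  sha="$(git rev-parse HEAD)"
  branch="$(branch_for_commit "$sha")"
  git push origin "HEAD:refs/heads/$branch"
  # --force updates an existing label instead of failing, so this is safe to run
  # on every invocation and in repos where the label does not exist yet.
  gh label create "$LABEL" --force --description "Automated auditor PR" >/dev/null
  gh pr create --base "$BASE_BRANCH" --head "$branch" \
    --title "$msg" --body "$msg" --label "$LABEL"
  gh pr merge "$branch" --auto --squash
}

# Only run the side-effecting flow when explicitly asked, so the file can be
# sourced for its functions.
if [ "${COMMIT_VIA_PR_RUN:-0}" = 1 ]; then
  commit_via_pr "$@"
fi
```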