From 77c2450fec0f07e106c17f738746fb88aa20a1dc Mon Sep 17 00:00:00 2001 From: Aaron Stainback Date: Tue, 21 Apr 2026 10:48:50 -0400 Subject: [PATCH 1/2] gate.yml: split macOS leg to forks only; drop (macos-14) from LFG required checks MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Matrix is now computed from `github.repository` via `fromJSON` at plan time. On LFG/Zeta only `ubuntu-22.04` expands; on any fork (e.g. AceHack/Zeta) both Linux + macOS expand. Keeps YAML byte- identical on both sides — no repo-scoped variable, no second workflow file. `build-and-test (macos-14)` removed from main branch protection's required-checks list on LFG on the same change (ruleset has no required-status-checks rule; only classic branch-protection does). `docs/GITHUB-SETTINGS.md` and `github-settings.expected.json` updated to match; drift detector confirms zero drift. Job-level `if:` with `matrix.*` was the first attempt but actionlint rejects it (matrix context not available at job-level). The strategy-expansion pattern is the clean way to achieve the same split without generating a skipped check on LFG — a matrix leg that doesn't exist produces no check, whereas a skipped leg would still appear in the PR's checks list. Rationale: maintainer 2026-04-21 "Mac is very very expensive to run" + "we should leave [LFG's] build as linux only if that's possible where acehack also builds mac". macOS runner minutes run ≈10× Linux minutes; moving them to the fork keeps parity coverage on the contributor side without billing canonical-repo cost surface. Co-Authored-By: Claude Opus 4.7 --- .github/workflows/gate.yml | 24 ++++++++++++++++++++- docs/GITHUB-SETTINGS.md | 16 ++++++++++++-- tools/hygiene/github-settings.expected.json | 1 - 3 files changed, 37 insertions(+), 4 deletions(-) diff --git a/.github/workflows/gate.yml b/.github/workflows/gate.yml index 965d7f1d..69f1f4eb 100644 --- a/.github/workflows/gate.yml +++ b/.github/workflows/gate.yml 
@@ -46,12 +46,34 @@ concurrency: jobs: build-and-test: + # Matrix is computed from `github.repository` at plan time so the + # macos-14 leg (≈10× Linux cost) only exists on forks, not on the + # canonical Lucent-Financial-Group/Zeta repo. On forks (e.g. a + # contributor's AceHack/Zeta) both legs exist; on LFG only the + # ubuntu leg exists. This keeps the YAML byte-identical on both + # sides — no repo-specific variable, no second workflow file — + # with runtime differentiation driven by the built-in + # `github.repository` context. + # + # Job-level `if:` with `matrix.*` is rejected by actionlint (the + # matrix context is not available at job-level), so the split is + # done at strategy-expansion time via `fromJSON`. The expression + # evaluates once per workflow run; each matrix leg that survives + # creates its own check status. + # + # Rationale: maintainer 2026-04-21 "Mac is very very expensive + # to run" + "we should leave [LFG's] build as linux only if + # that's possible where acehack also builds mac". `build-and- + # test (macos-14)` is NOT in LFG's required-checks list — it + # was removed from branch protection on the same change that + # introduced this matrix split so PRs don't block on a leg that + # no longer exists there. name: build-and-test (${{ matrix.os }}) timeout-minutes: 45 strategy: fail-fast: false matrix: - os: [ubuntu-22.04, macos-14] + os: ${{ fromJSON(github.repository == 'Lucent-Financial-Group/Zeta' && '["ubuntu-22.04"]' || '["ubuntu-22.04","macos-14"]') }} runs-on: ${{ matrix.os }} steps: diff --git a/docs/GITHUB-SETTINGS.md b/docs/GITHUB-SETTINGS.md index 634073d5..6c53afab 100644 --- a/docs/GITHUB-SETTINGS.md +++ b/docs/GITHUB-SETTINGS.md 
@@ -137,16 +137,28 @@ advanced-setup (untested). ### Classic branch protection (on `main`) -Overlaps with the ruleset; kept as defence-in-depth. Six +Overlaps with the ruleset; kept as defence-in-depth. Five required status checks (strict mode): - `build-and-test (ubuntu-22.04)` -- `build-and-test (macos-14)` - `lint (semgrep)` - `lint (shellcheck)` - `lint (actionlint)` - `lint (markdownlint)` +Note on `build-and-test (macos-14)`: intentionally NOT in the +required-checks list on LFG. The `gate.yml` workflow computes +its matrix from `github.repository` at plan time, so the +macos-14 leg only exists on forks (e.g. `AceHack/Zeta`), not on +the canonical LFG repo. Cost rationale: macOS runner minutes +run ≈10× Linux minutes; keeping the canonical-repo gate Linux- +only while forks retain the full Linux+macOS parity matrix +buys cross-platform coverage on the contributor side without +billing it against the canonical-repo cost surface. Reason: +maintainer 2026-04-21 "Mac is very very expensive to run" + +"we should leave [LFG's] build as linux only if that's +possible where acehack also builds mac". + Other protections: dismiss stale reviews on; required linear history; required conversation resolution; force pushes and deletions blocked; enforce_admins off. diff --git a/tools/hygiene/github-settings.expected.json b/tools/hygiene/github-settings.expected.json index 73eb03ea..a593f833 100644 --- a/tools/hygiene/github-settings.expected.json +++ b/tools/hygiene/github-settings.expected.json @@ -131,7 +131,6 @@ "required_signatures": false, "required_status_checks": { "contexts": [ - "build-and-test (macos-14)", "build-and-test (ubuntu-22.04)", "lint (actionlint)", "lint (markdownlint)", From db027411d1edbfdda582df41fcdc56a2c95e413a Mon Sep 17 00:00:00 2001 
From: Aaron Stainback Date: Tue, 21 Apr 2026 11:03:57 -0400 Subject: [PATCH 2/2] =?UTF-8?q?review:=20apply=20Copilot=20P1=20findings?= =?UTF-8?q?=20=E2=80=94=20role-based=20wording=20per=20BP=20'No=20name=20a?= =?UTF-8?q?ttribution'?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Copilot's PR #46 review flagged two `AceHack/Zeta` contributor-handle references in the gate.yml comment block + GITHUB-SETTINGS.md note as BP violations (AGENT-BEST-PRACTICES.md:284-290 — "No name attribution in code, docs, or skills. Direct names of contributors (human or agent) appear only in persona memory directories"). The references were in bodies that read stable across contributor turnover — the role-based rewrite matches the rule's intent without losing information. Maintainer quote inside the blockquote keeps the "[the canonical repo's]" bracket-edit pattern already used for anonymisation in this repo. Files: - `.github/workflows/gate.yml:52` — "a contributor's AceHack/Zeta" → "any fork"; "acehack also builds mac" → "a contributor fork also builds mac". - `docs/GITHUB-SETTINGS.md:152` — "forks (e.g. `AceHack/Zeta`)" → "contributor forks"; "LFG" → "the canonical repo"; maintainer quote anonymised to "[the canonical repo's]". The no-name-attribution rule has an explicit carve-out for `memory/persona//` and `docs/BACKLOG.md` capture, which is why historical-record files (ROUND-HISTORY.md, HUMAN-BACKLOG.md, the transfer-event documentation) keep their concrete repo-name references. Co-Authored-By: Claude Opus 4.7 --- .github/workflows/gate.yml | 23 ++++++++++++----------- docs/GITHUB-SETTINGS.md | 22 +++++++++++----------- 2 files changed, 23 insertions(+), 22 deletions(-) diff --git a/.github/workflows/gate.yml b/.github/workflows/gate.yml index 69f1f4eb..a9b29f49 100644 --- a/.github/workflows/gate.yml +++ b/.github/workflows/gate.yml 
@@ -47,13 +47,13 @@ concurrency: jobs: build-and-test: # Matrix is computed from `github.repository` at plan time so the - # macos-14 leg (≈10× Linux cost) only exists on forks, not on the - # canonical Lucent-Financial-Group/Zeta repo. On forks (e.g. a - # contributor's AceHack/Zeta) both legs exist; on LFG only the - # ubuntu leg exists. This keeps the YAML byte-identical on both - # sides — no repo-specific variable, no second workflow file — - # with runtime differentiation driven by the built-in - # `github.repository` context. + # macos-14 leg (≈10× Linux cost) only exists on contributor forks, + # not on the canonical Lucent-Financial-Group/Zeta repo. On any + # fork both legs exist; on the canonical repo only the ubuntu leg + # exists. This keeps the YAML byte-identical on both sides — no + # repo-specific variable, no second workflow file — with runtime + # differentiation driven by the built-in `github.repository` + # context. # # Job-level `if:` with `matrix.*` is rejected by actionlint (the # matrix context is not available at job-level), so the split is @@ -63,10 +63,11 @@ jobs: # # Rationale: maintainer 2026-04-21 "Mac is very very expensive # to run" + "we should leave [LFG's] build as linux only if - # that's possible where acehack also builds mac". `build-and- - # test (macos-14)` is NOT in LFG's required-checks list — it - # was removed from branch protection on the same change that - # introduced this matrix split so PRs don't block on a leg that + # that's possible where a contributor fork also builds mac". + # `build-and-test (macos-14)` is NOT in the canonical repo's + # required-checks list — it was removed from branch protection + # on the same change that introduced this matrix split so PRs + # don't block on a leg that # no longer exists there. name: build-and-test (${{ matrix.os }}) timeout-minutes: 45 diff --git a/docs/GITHUB-SETTINGS.md b/docs/GITHUB-SETTINGS.md index 6c53afab..4e37950f 100644 --- a/docs/GITHUB-SETTINGS.md 
+++ b/docs/GITHUB-SETTINGS.md @@ -147,17 +147,17 @@ required status checks (strict mode): - `lint (markdownlint)` Note on `build-and-test (macos-14)`: intentionally NOT in the -required-checks list on LFG. The `gate.yml` workflow computes -its matrix from `github.repository` at plan time, so the -macos-14 leg only exists on forks (e.g. `AceHack/Zeta`), not on -the canonical LFG repo. Cost rationale: macOS runner minutes -run ≈10× Linux minutes; keeping the canonical-repo gate Linux- -only while forks retain the full Linux+macOS parity matrix -buys cross-platform coverage on the contributor side without -billing it against the canonical-repo cost surface. Reason: -maintainer 2026-04-21 "Mac is very very expensive to run" + -"we should leave [LFG's] build as linux only if that's -possible where acehack also builds mac". +required-checks list on the canonical repo. The `gate.yml` +workflow computes its matrix from `github.repository` at plan +time, so the macos-14 leg only exists on contributor forks, not +on the canonical repo. Cost rationale: macOS runner minutes run +≈10× Linux minutes; keeping the canonical-repo gate Linux-only +while forks retain the full Linux+macOS parity matrix buys +cross-platform coverage on the contributor side without billing +it against the canonical-repo cost surface. Reason: maintainer +2026-04-21 "Mac is very very expensive to run" + "we should +leave [the canonical repo's] build as linux only if that's +possible where a contributor fork also builds mac". Other protections: dismiss stale reviews on; required linear history; required conversation resolution; force pushes and
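Review bot: The `os: ${{ fromJSON(github.repository == 'Lucent-Financial-Group/Zeta' && '["ubuntu-22.04"]' || '["ubuntu-22.04","macos-14"]') }}` line in the `@@ -46,12 +46,34 @@` hunk of `.github/workflows/gate.yml` keys the split on the base repository name, and for `pull_request` events `github.repository` is always the base repo, so a PR opened from a fork against the canonical repo still expands only the ubuntu leg; macOS coverage therefore comes only from contributors' own push runs on their forks, never from the PR gate on the canonical side. The comment block should say this explicitly, since "on forks both legs exist" reads as if fork PRs carry the macos-14 check. Two smaller points on the same line: the `cond && 'a' || 'b'` idiom is safe here only because both branch strings are non-empty (a comment noting that would save the next editor from an empty-array refactor that silently returns the second branch), and the hard-coded owner/name means a rename or transfer of the canonical repo silently re-enables the macos-14 leg and its cost, which is worth a one-line warning next to the expression given the transfer history this repo already documents.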
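Review bot: In the `@@ -137,16 +137,28 @@` hunk of `docs/GITHUB-SETTINGS.md`, the added note wraps a hyphenated word across lines (`keeping the canonical-repo gate Linux-` / `only while forks retain`), which renders as "Linux- only" in Markdown; keep `Linux-only` on one line. The paragraph also restates the full cost ratio and both maintainer quotes that already live in the `gate.yml` comment block and the commit message, so there are now three copies of the rationale to keep in sync; the second patch in this series already has to edit two of them. Suggest keeping the rationale in one place (this doc is the natural home) and reducing the workflow comment to a pointer.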
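Review bot: In the `@@ -63,10 +63,11 @@` hunk of `.github/workflows/gate.yml` (second patch), the unchanged context line `# to run" + "we should leave [LFG's] build as linux only if` still carries the `[LFG's]` bracket-edit, while the same quote in `docs/GITHUB-SETTINGS.md` is changed in this patch to `[the canonical repo's]`; the commit message says the bracket-edit pattern is applied, so the workflow copy should get the identical edit or the two quotes will diverge. The rewrap also leaves a stub line pair, `# don't block on a leg that` followed by `# no longer exists there.`, where the second line holds three words; re-flow those two lines to the column width used by the rest of the comment block.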