From 5c4cc421debd7869e45f31ae32555355855a5e2e Mon Sep 17 00:00:00 2001
From: jdx <216188+jdx@users.noreply.github.com>
Date: Wed, 29 Apr 2026 08:29:56 -0500
Subject: [PATCH 1/2] chore(ci): check PR author instead of actor for vendored-file-warning skip

Use github.event.pull_request.user.login so follow-up commits from bots like autofix-ci don't re-trigger the warning on release PRs opened by mise-en-dev.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/vendored-file-warning.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/vendored-file-warning.yml b/.github/workflows/vendored-file-warning.yml
index c843286bd7..1dbde9f466 100644
--- a/.github/workflows/vendored-file-warning.yml
+++ b/.github/workflows/vendored-file-warning.yml
@@ -9,7 +9,7 @@ permissions: {}
 jobs:
 warn:
- if: github.actor != 'jdx' && github.actor != 'mise-en-dev'
+ if: github.event.pull_request.user.login != 'jdx' && github.event.pull_request.user.login != 'mise-en-dev'
 runs-on: ubuntu-latest
 steps:
 - name: Comment on PR
From a4446d1a6b39bb93f0ef05d41f8c43f9e125d6a6 Mon Sep 17 00:00:00 2001
From: jdx <216188+jdx@users.noreply.github.com>
Date: Wed, 29 Apr 2026 08:31:46 -0500
Subject: [PATCH 2/2] chore(ci): fail vendored-file-warning instead of commenting

Switch the workflow from posting a PR comment (which required a token with write scope, and was flaky when actors like autofix-ci re-triggered the run) to simply failing the check with the explanatory message in the job log. Drops pull_request_target in favor of pull_request since no write access is needed anymore.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/vendored-file-warning.yml | 26 ++++++++++-----------
 1 file changed, 12 insertions(+), 14 deletions(-)
diff --git a/.github/workflows/vendored-file-warning.yml b/.github/workflows/vendored-file-warning.yml
index 1dbde9f466..0ad21b6688 100644
--- a/.github/workflows/vendored-file-warning.yml
+++ b/.github/workflows/vendored-file-warning.yml
@@ -1,7 +1,7 @@
 name: vendored-file-warning
 on:
- pull_request_target:
+ pull_request:
 paths:
 - "crates/aqua-registry/aqua-registry/**"
@@ -12,18 +12,16 @@ jobs:
 if: github.event.pull_request.user.login != 'jdx' && github.event.pull_request.user.login != 'mise-en-dev'
 runs-on: ubuntu-latest
 steps:
- - name: Comment on PR
- env:
- GH_TOKEN: ${{ secrets.MISE_PR_COMMENT_TOKEN }}
+ - name: Fail on vendored file changes
 run: |
- existing=$(gh pr view "${{ github.event.pull_request.number }}" \
- -R "${{ github.repository }}" \
- --json comments --jq '.comments[].body' \
- | grep -c "vendored from the upstream" || true)
- if [ "$existing" = "0" ]; then
- gh pr comment "${{ github.event.pull_request.number }}" \
- -R "${{ github.repository }}" \
- --body "The aqua registry files under \`crates/aqua-registry/aqua-registry/\` are vendored from the upstream [aqua-registry](https://github.com/aquaproj/aqua-registry) and should not be modified directly in this repo. Please submit package definition changes to the upstream aqua-registry instead, and they will be picked up here when we next update the vendored copy.
+ cat <<'EOF'
+ The aqua registry files under `crates/aqua-registry/aqua-registry/` are vendored
+ from the upstream aqua-registry (https://github.com/aquaproj/aqua-registry) and
+ should not be modified directly in this repo. Please submit package definition
+ changes to the upstream aqua-registry instead, and they will be picked up here
+ when we next update the vendored copy.
- The \`registry/*.toml\` files are fine to add here, but the backend should reference the package after it's been accepted upstream."
- fi
+ The `registry/*.toml` files are fine to add here, but the backend should
+ reference the package after it's been accepted upstream.
+ EOF
+ exit 1
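Review bot: Under `pull_request` the job runs the pull request's own copy of this workflow file, so a PR that changes files under `crates/aqua-registry/aqua-registry/**` can also edit or delete this workflow and never hit the failure. That makes the job a reminder for well-meaning contributors rather than an enforcement point, which is a reasonable price for dropping `pull_request_target` and the comment token, but nothing on the trigger says so. I would add a comment above `pull_request:` such as `# Advisory only: runs the PR's copy of this file, so it cannot block a PR that also edits this workflow`. If edits to the vendored path really must be blocked, that presumably belongs in a CODEOWNERS rule or branch protection, neither of which is visible in this diff.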
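Review bot: The `if:` condition at the top of this hunk exempts a whole pull request by who opened it, and with `exit 1` the job now fails the check instead of leaving a comment, so any later commit pushed to a PR opened by `jdx` or `mise-en-dev` can touch the vendored registry without the job running. That looks intended for autofix-ci on release PRs, but the vendored files are package definitions, so the exemption deserves a comment above the condition such as `# Skips by PR opener: commits pushed by others to these PRs are not checked`. Separately, the explanation only reaches the job log; an `echo "::error::Vendored aqua-registry files were modified; see the job log"` before `exit 1` would surface it in the PR's checks view. The `warn` job header is outside this hunk.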