12 changes: 6 additions & 6 deletions .github/workflows/agents-autofix-loop.yml
Original file line number Diff line number Diff line change
Expand Up @@ -39,15 +39,15 @@ jobs:
security_reason: ${{ steps.security_gate.outputs.reason }}
steps:
- name: Checkout (for security gate)
uses: actions/checkout@v6
uses: actions/checkout@v4
with:
sparse-checkout: |
.github/scripts/prompt_injection_guard.js
sparse-checkout-cone-mode: false

- name: Security gate - prompt injection guard
id: security_gate
uses: actions/github-script@v8
uses: actions/github-script@v7
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
Expand Down Expand Up @@ -102,7 +102,7 @@ jobs:

- name: Evaluate workflow_run
id: evaluate
uses: actions/github-script@v8
uses: actions/github-script@v7
with:
script: |
const run = context.payload.workflow_run;
Expand Down Expand Up @@ -318,7 +318,7 @@ jobs:
environment: agent-standard
steps:
- name: Add needs-human label and comment
uses: actions/github-script@v8
uses: actions/github-script@v7
with:
script: |
const prNumber = Number('${{ needs.prepare.outputs.pr_number }}');
Expand Down Expand Up @@ -372,7 +372,7 @@ jobs:
steps:
- name: Collect metrics
id: collect
uses: actions/github-script@v8
uses: actions/github-script@v7
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
Expand Down Expand Up @@ -492,7 +492,7 @@ jobs:
PY

- name: Upload metrics artifact
uses: actions/upload-artifact@v6
uses: actions/upload-artifact@v4
with:
name: agents-autofix-metrics
path: autofix-metrics.ndjson
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/agents-bot-comment-handler.yml
Original file line number Diff line number Diff line change
Expand Up @@ -61,7 +61,7 @@ jobs:
steps:
- name: Resolve PR number and check conditions
id: resolve
uses: actions/github-script@v8
uses: actions/github-script@v7
with:
script: |
const eventName = context.eventName;
Expand Down Expand Up @@ -162,7 +162,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Remove trigger label
uses: actions/github-script@v8
uses: actions/github-script@v7
with:
script: |
try {
Expand Down
12 changes: 6 additions & 6 deletions .github/workflows/agents-guard.yml
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,7 @@ jobs:
steps:
- name: Checkout base ref for safety validation
if: github.event_name == 'pull_request_target'
uses: actions/checkout@v6
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.base.sha }}
sparse-checkout: |
Expand All @@ -42,7 +42,7 @@ jobs:

- name: Verify pull_request_target safety invariants
if: github.event_name == 'pull_request_target'
uses: actions/github-script@v8
uses: actions/github-script@v7
with:
script: |
const path = require('path');
Expand All @@ -58,15 +58,15 @@ jobs:

- name: Checkout PR head for pull_request event
if: github.event_name == 'pull_request'
uses: actions/checkout@v6
uses: actions/checkout@v4
with:
sparse-checkout: |
.github/scripts/agents-guard.js
.github/workflows/agents-guard.yml

- name: Evaluate protected file changes
id: evaluate
uses: actions/github-script@v8
uses: actions/github-script@v7
with:
script: |
const fs = require('fs');
Expand Down Expand Up @@ -281,7 +281,7 @@ jobs:

- name: Post guard failure comment
if: steps.evaluate.outputs.blocked == 'true'
uses: actions/github-script@v8
uses: actions/github-script@v7
env:
COMMENT_BODY_B64: ${{ steps.evaluate.outputs.comment_body_b64 }}
COMMENT_MARKER: ${{ steps.evaluate.outputs.marker }}
Expand Down Expand Up @@ -399,7 +399,7 @@ jobs:

- name: Report agents guard commit status
if: always()
uses: actions/github-script@v8
uses: actions/github-script@v7
env:
BLOCKED: ${{ steps.evaluate.outputs.blocked || 'false' }}
SUMMARY: ${{ steps.evaluate.outputs.summary }}
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/agents-issue-intake.yml
Original file line number Diff line number Diff line change
Expand Up @@ -65,7 +65,7 @@ jobs:
steps:
- name: Check labels and extract info
id: check
uses: actions/github-script@v8
uses: actions/github-script@v7
with:
script: |
const eventName = context.eventName;
Expand Down
20 changes: 10 additions & 10 deletions .github/workflows/agents-keepalive-loop.yml
Original file line number Diff line number Diff line change
Expand Up @@ -72,12 +72,12 @@ jobs:
steps:
# Dual checkout pattern: consumer repo for context, Workflows repo for scripts
- name: Checkout consumer repository
uses: actions/checkout@v6
uses: actions/checkout@v4
with:
path: consumer

- name: Checkout Workflows scripts
uses: actions/checkout@v6
uses: actions/checkout@v4
with:
repository: stranske/Workflows
ref: main
Expand All @@ -97,7 +97,7 @@ jobs:

- name: Security gate - prompt injection guard
id: security_gate
uses: actions/github-script@v8
uses: actions/github-script@v7
env:
INPUT_PR_NUMBER: ${{ inputs.pr_number || '' }}
with:
Expand Down Expand Up @@ -180,7 +180,7 @@ jobs:
- name: Evaluate keepalive conditions
id: evaluate
if: steps.security_gate.outputs.blocked != 'true'
uses: actions/github-script@v8
uses: actions/github-script@v7
env:
INPUT_PR_NUMBER: ${{ inputs.pr_number || '' }}
with:
Expand Down Expand Up @@ -282,7 +282,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout Workflows scripts
uses: actions/checkout@v6
uses: actions/checkout@v4
with:
repository: stranske/Workflows
ref: main
Expand All @@ -292,7 +292,7 @@ jobs:
fetch-depth: 1

- name: Update summary with running status
uses: actions/github-script@v8
uses: actions/github-script@v7
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
Expand Down Expand Up @@ -342,7 +342,7 @@ jobs:
environment: agent-standard
steps:
- name: Checkout Workflows scripts
uses: actions/checkout@v6
uses: actions/checkout@v4
with:
repository: stranske/Workflows
ref: main
Expand Down Expand Up @@ -419,7 +419,7 @@ jobs:
echo "$metrics_json" >> keepalive-metrics.ndjson

- name: Upload keepalive metrics artifact
uses: actions/upload-artifact@v6
uses: actions/upload-artifact@v4
with:
name: keepalive-metrics
path: keepalive-metrics.ndjson
Expand All @@ -428,7 +428,7 @@ jobs:

- name: Auto-reconcile task checkboxes
if: needs.run-codex.outputs.changes-made == 'true'
uses: actions/github-script@v8
uses: actions/github-script@v7
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
Expand Down Expand Up @@ -461,7 +461,7 @@ jobs:
core.setOutput('reconciliation_details', result.details);

- name: Update summary comment
uses: actions/github-script@v8
uses: actions/github-script@v7
env:
CODEX_SUMMARY: ${{ needs.run-codex.outputs.final-message-summary || '' }}
with:
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/agents-pr-meta.yml
Original file line number Diff line number Diff line change
Expand Up @@ -106,7 +106,7 @@ jobs:
steps:
- name: Resolve PR from workflow_run
id: resolve
uses: actions/github-script@v8
uses: actions/github-script@v7
with:
script: |
const run = context.payload.workflow_run;
Expand Down
8 changes: 4 additions & 4 deletions .github/workflows/maint-coverage-guard.yml
Original file line number Diff line number Diff line change
Expand Up @@ -35,11 +35,11 @@ jobs:
runs-on: ubuntu-latest
steps:

Copilot AI Jan 1, 2026


The GitHub Actions are being downgraded from newer versions to older versions. Specifically:

  • actions/checkout: v6 → v4 (skipping v5)
  • actions/github-script: v8 → v7
  • actions/download-artifact: v7 → v4 (skipping v5 and v6)
  • actions/upload-artifact: v6 → v4 (skipping v5)

These downgrades appear suspicious as they revert to older versions. If this is intentional for compatibility reasons, please verify that:

  1. The older versions support all features currently being used
  2. There are no security fixes in the newer versions that should be retained
  3. The downgrade is documented in the PR description or workflow comments

If this sync is coming from a template repository, consider whether the template versions are correctly maintained.

Suggested change
steps:
steps:
# NOTE: actions/checkout is intentionally pinned to v4 here.
# v4 provides all features required by this workflow and includes
# the relevant security fixes; no newer major version is currently
# required for compatibility with this repository or template.

- name: Checkout repository
uses: actions/checkout@v6
uses: actions/checkout@v4

- name: Locate latest Gate workflow run
id: discover
uses: actions/github-script@v8
uses: actions/github-script@v7
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
Expand Down Expand Up @@ -79,7 +79,7 @@ jobs:

- name: Download coverage trend artifact
if: ${{ steps.discover.outputs.run_id }}
uses: actions/download-artifact@v7
uses: actions/download-artifact@v4
continue-on-error: true
with:
name: gate-coverage-trend
Expand All @@ -89,7 +89,7 @@ jobs:

- name: Download coverage artifact
if: ${{ steps.discover.outputs.run_id }}
uses: actions/download-artifact@v7
uses: actions/download-artifact@v4
continue-on-error: true
with:
pattern: gate-coverage-*
Expand Down
39 changes: 35 additions & 4 deletions scripts/sync_test_dependencies.py
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@

REPO_ROOT = Path(__file__).resolve().parents[1]
SRC_PATH = REPO_ROOT / "src"
LOCAL_MODULES_FILE = REPO_ROOT / ".project_modules.txt"
if SRC_PATH.exists():
sys.path.insert(0, str(SRC_PATH))

Expand Down Expand Up @@ -137,8 +138,6 @@
"fallback_split",
"parse_chatgpt_topics",
"health_summarize",
"diff_holdings",
"embeddings",
}


Expand Down Expand Up @@ -178,9 +177,41 @@ def _detect_local_project_modules() -> set[str]:
return detected


def _read_local_modules() -> set[str]:
"""Read repo-specific module names from .project_modules.txt if it exists.

This allows consumer repos to specify additional first-party modules
(like standalone .py files in root) without modifying this script.
One module name per line, comments start with #.
"""
if not LOCAL_MODULES_FILE.exists():
return set()
modules: set[str] = set()
try:
content = LOCAL_MODULES_FILE.read_text(encoding="utf-8")
except (OSError, UnicodeDecodeError) as exc:
print(
f"Warning: could not read {LOCAL_MODULES_FILE}: {exc}",
file=sys.stderr,
)
return set()
for line in content.splitlines():
line = line.strip()
if not line or line.startswith("#"):
continue
if not line.isidentifier():
print(
f"Warning: ignoring invalid module name in {LOCAL_MODULES_FILE}: {line!r}",
file=sys.stderr,
)
continue
modules.add(line)
return modules


def get_project_modules() -> set[str]:
"""Return the full set of project modules (static + dynamically detected)."""
return _BASE_PROJECT_MODULES | _detect_local_project_modules()
"""Return the full set of project modules (static + dynamically detected + local)."""
return _BASE_PROJECT_MODULES | _detect_local_project_modules() | _read_local_modules()


# For backward compatibility - will be populated on first use
Expand Down
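Review bot: The `if not line.isidentifier():` validation in the new `_read_local_modules` still accepts Python reserved words, because `"import".isidentifier()` is `True`, so a stray keyword line is silently unioned into the first-party module set instead of hitting the warning path. Tightening it to `if not line.isidentifier() or keyword.iskeyword(line):` (with `import keyword` added to the module's import block, which is outside this hunk) closes that gap. A second caveat worth stating in the docstring: every accepted name flows into `get_project_modules()` and is thereafter treated as first-party, so an entry that matches a third-party distribution name would be classified as in-repo; what that does to the synced dependency list depends on callers outside this hunk, but the docstring could say `Names listed here are treated as first-party and must not collide with third-party package names.`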