fix: exclude .workflows-lib from consumer repo CI checks #618

Merged: stranske merged 2 commits into main from fix/exclude-workflows-lib-from-ci on Jan 7, 2026

Conversation

@stranske (Owner) commented Jan 7, 2026

Source: Issue #273

Automated Status Summary

Scope

Address unmet acceptance criteria from PR #272.

Original scope:

  • Context / problem:
    - Current orchestration depends on PATs and/or mixed identities, which is fragile and painful to maintain.
    - GitHub Actions has recursion protection: pushes/labels/comments made with GITHUB_TOKEN generally will NOT trigger other workflows.
    - A GitHub App installation token is the cleanest way to get predictable “workflow triggers workflow” behavior without tying everything to a human PAT.
  • Goal:
    - Create a GitHub App (single org/user app) that can be installed on your repos.
    - Mint short-lived installation tokens inside workflows.
    - Replace all PAT usage in orchestrator + keepalive + dispatch workflows with the App token.

Context for Agent

Related Issues/PRs

References

Tasks

  • Create GitHub App (UI, not code): name it "agents-workflows-bot" (or similar)
  • Set App permissions (minimal but sufficient):
    - Contents: Read & write
    - Pull requests: Read & write
    - Issues: Read & write
    - Actions: Read & write (for dispatching / reading runs)
    - Metadata: Read-only
  • Install the App on: Workflows, Workflows-Integration-Tests, Travel-Plan-Permission, Portable-Alpha-Extension-Model, Trend_Model_Project
  • Add secrets to Workflows repo (or org secrets):
    - WORKFLOWS_APP_ID
    - WORKFLOWS_APP_PRIVATE_KEY (the PEM contents)
  • Update all workflows that currently use PATs to:
    - mint app token
    - export GH_TOKEN to that token
    - (optional) checkout using that token so git push is clean
  • Add a “compat mode” fallback (temporarily) so you can flip back to PAT if needed during rollout

Acceptance criteria

  • No workflow in Workflows repo requires a PAT for:
    - labeling PRs/issues
    - creating comments
    - pushing commits to PR branches
    - dispatching workflows
  • A commit pushed by the bot identity reliably triggers the Gate workflow (no “dead loop”).
  • Secrets inventory is reduced: only App ID + private key (and OPENAI_API_KEY) are required for the automation system.
  • Roll out in Workflows-Integration-Tests first, then Workflows, then consumer repos.

Head SHA: ec588f4
Latest Runs: ✅ success — Gate
Required: gate: ✅ success

| Workflow / Job | Result |
| --- | --- |
| Agents PR meta manager | ❔ in progress |
| CI Autofix Loop | ✅ success |
| Gate | ✅ success |
| Health 40 Sweep | ✅ success |
| Health 44 Gate Branch Protection | ✅ success |
| Health 45 Agents Guard | ✅ success |
| Health 50 Security Scan | ✅ success |
| Maint 52 Validate Workflows | ✅ success |
| PR 11 - Minimal invariant CI | ✅ success |
| Selftest CI | ✅ success |
| Validate Sync Manifest | ✅ success |

The synced .workflows-lib scripts use different ruff/black/mypy config than
consumer repos. Exclude them from linting to avoid false failures.
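As an added example (not a file from the Workflows repo), one way the task list above maps onto a workflow: mint the installation token, fall back to a PAT only while a compat-mode variable is set, check out with that token, and export GH_TOKEN. The action name and the WORKFLOWS_APP_ID / WORKFLOWS_APP_PRIVATE_KEY secrets are as the page describes; USE_PAT_COMPAT and LEGACY_PAT are assumed names.

```yaml
# Hypothetical orchestrator workflow: an added example, not a file from the Workflows repo.
name: Example - act as the App identity

on:
  workflow_dispatch:
    inputs:
      pr_number:
        description: PR to label
        required: true

# Keep the built-in GITHUB_TOKEN read-only; every write goes through the App token.
permissions:
  contents: read

jobs:
  act-as-bot:
    runs-on: ubuntu-latest
    steps:
      # Mint a short-lived installation token. WORKFLOWS_APP_ID and
      # WORKFLOWS_APP_PRIVATE_KEY are the secret names from the task list.
      # Without owner:/repositories: inputs the token is scoped to this repo only;
      # widen it explicitly when the workflow must dispatch into other repos.
      # The step is skipped in compat mode; outside compat mode a mint failure
      # fails the job instead of silently falling back to the PAT.
      - name: Mint GitHub App installation token
        id: app-token
        if: vars.USE_PAT_COMPAT != 'true'   # USE_PAT_COMPAT is an assumed repo variable
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.WORKFLOWS_APP_ID }}
          private-key: ${{ secrets.WORKFLOWS_APP_PRIVATE_KEY }}

      # Check out with the App token so `git push` authenticates as the bot and the
      # pushed commit still triggers Gate (a GITHUB_TOKEN push would not).
      # LEGACY_PAT is an assumed secret, read only while compat mode is on.
      - uses: actions/checkout@v4
        with:
          token: ${{ steps.app-token.outputs.token || secrets.LEGACY_PAT }}

      # gh reads GH_TOKEN, so exporting it makes every gh call act as the bot.
      # The PR number goes through env rather than being interpolated into the script.
      - name: Label the PR as the bot
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token || secrets.LEGACY_PAT }}
          PR_NUMBER: ${{ inputs.pr_number }}
        run: gh pr edit "$PR_NUMBER" --add-label autofix
```

Once the rollout is done, deleting the `if:` condition and the `|| secrets.LEGACY_PAT` fallback removes the PAT from the secrets inventory entirely.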
Copilot AI review requested due to automatic review settings January 7, 2026 00:30
@stranske stranske temporarily deployed to agent-high-privilege January 7, 2026 00:30 — with GitHub Actions Inactive
@github-actions github-actions bot added the autofix Opt-in automated formatting & lint remediation label Jan 7, 2026
@github-actions (Contributor) github-actions bot commented Jan 7, 2026

Automated Status Summary

Head SHA: 1f82de7
Latest Runs: ⏳ pending — Gate
Required contexts: Gate / gate, Health 45 Agents Guard / Enforce agents workflow protections
Required: core tests (3.11): ⏳ pending, core tests (3.12): ⏳ pending, docker smoke: ⏳ pending, gate: ⏳ pending

Workflow / Job Result Logs
(no jobs reported) ⏳ pending

Coverage Overview

  • Coverage history entries: 1

Coverage Trend

| Metric | Value |
| --- | --- |
| Current | 92.21% |
| Baseline | 85.00% |
| Delta | +7.21% |
| Minimum | 70.00% |
| Status | ✅ Pass |

Top Coverage Hotspots (lowest coverage)

| File | Coverage | Missing |
| --- | --- | --- |
| scripts/workflow_health_check.py | 62.6% | 28 |
| scripts/classify_test_failures.py | 62.9% | 37 |
| scripts/ledger_validate.py | 65.3% | 63 |
| scripts/mypy_return_autofix.py | 82.6% | 11 |
| scripts/ledger_migrate_base.py | 85.5% | 13 |
| scripts/fix_cosmetic_aggregate.py | 92.3% | 1 |
| scripts/coverage_history_append.py | 92.8% | 2 |
| scripts/workflow_validator.py | 93.3% | 4 |
| scripts/update_autofix_expectations.py | 93.9% | 1 |
| scripts/pr_metrics_tracker.py | 95.7% | 3 |
| scripts/generate_residual_trend.py | 96.6% | 1 |
| scripts/build_autofix_pr_comment.py | 97.0% | 2 |
| scripts/aggregate_agent_metrics.py | 97.2% | 0 |
| scripts/fix_numpy_asserts.py | 98.1% | 0 |
| scripts/sync_test_dependencies.py | 98.3% | 1 |

Updated automatically; will refresh on subsequent CI/Docker completions.



@github-actions (Contributor) github-actions bot commented Jan 7, 2026

Status | ✅ autofix updates applied
History points | 1
Timestamp | 2026-01-07 00:31:48 UTC
Report artifact | autofix-report-pr-618
Remaining | 0
New | 0
No additional artifacts

@github-actions (Contributor) github-actions bot commented Jan 7, 2026

Autofix updated these files:

  • scripts/langchain/issue_formatter.py

@agents-workflows-bot agents-workflows-bot bot temporarily deployed to agent-high-privilege January 7, 2026 00:31 Inactive
@github-actions (Contributor) github-actions bot commented Jan 7, 2026

🤖 Keepalive Loop Status

PR #618 | Agent: Codex | Iteration 0/5

Current State

| Metric | Value |
| --- | --- |
| Iteration progress | [----------] 0/5 |
| Action | wait (missing-agent-label) |
| Disposition | skipped (transient) |
| Gate | success |
| Tasks | 0/24 complete |
| Keepalive | ❌ disabled |
| Autofix | ❌ disabled |

🔍 Failure Classification

| Error type | infrastructure |
| Error category | resource |
| Suggested recovery | Confirm the referenced resource exists (repo, PR, branch, workflow, or file). |

Copilot AI (Contributor) left a comment


Pull request overview

This PR addresses CI failures in consumer repositories that sync .workflows-lib scripts from the source Workflows repository. Since the synced scripts use different linting configurations (ruff, black, mypy) than consumer repos, they need to be excluded from CI checks to prevent false failures.

Key Changes

  • Added .workflows-lib directory exclusions to all Python linting tools (black, ruff, mypy) in the CI workflow
  • Removed extraneous blank line in issue_formatter.py for better code formatting

Reviewed changes

Copilot reviewed 1 out of 1 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| .github/workflows/reusable-10-ci-python.yml | Added `--exclude` flags for the .workflows-lib directory to the black (line 563), ruff (line 844), and mypy (lines 1146-1147) commands, with explanatory comments |
| scripts/langchain/issue_formatter.py | Removed an unnecessary blank line between imports in the same group (lines 96-97) |


@stranske stranske merged commit 4596d02 into main Jan 7, 2026
170 checks passed
@stranske stranske deleted the fix/exclude-workflows-lib-from-ci branch January 7, 2026 00:35
Labels

autofix:patch autofix Opt-in automated formatting & lint remediation
