core-devops
ecbfa60f04
Some checks failed
publish-runtime-autobump / bump-and-tag (pull_request) Has been skipped
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 15s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 14s
sop-tier-check / tier-check (pull_request) Successful in 19s
gate-check-v3 / gate-check (pull_request) Failing after 30s
CI / Detect changes (pull_request) Successful in 44s
E2E API Smoke Test / detect-changes (pull_request) Successful in 43s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 43s
Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 37s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 45s
publish-runtime-autobump / pr-validate (pull_request) Successful in 47s
CI / Platform (Go) (pull_request) Successful in 8s
CI / Canvas (Next.js) (pull_request) Successful in 10s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 8s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 11s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 12s
CI / Canvas Deploy Reminder (pull_request) Has been skipped
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 12s
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 2m15s
CI / Python Lint & Test (pull_request) Successful in 7m16s
Addresses hongming-pc review #1421 on PR #535. Blocker 1 (fail-open privilege gate): Original v1.2 design `if:`-gated the "Check out BASE" and "Evaluate" steps on the privilege-check step's `proceed` output. A non-collaborator commenting `/qa-recheck` produced proceed=false → both steps skipped → job conclusion = success → `qa-review / approved` context published as success with ZERO real APPROVE. Any visitor could green the gate. Fix per RFC#324 v1.3 §A1.1 option (b): drop privilege-gating of the eval entirely. The eval is read-only and idempotent (reads pulls/{N}/reviews + teams/{id}/members/{u}, both server-side state uninfluenced by who commented). Re-running on a non-collaborator's comment is harmless: if a real team-member APPROVE exists, the eval flips green; if not, it stays red. The privilege step is retained as a `::notice::` log line only (griefer-spotting), not a gate. Non-blocking nit 5 (dead jq fallback): `apt-get install jq` (no root) and `curl -o /usr/local/bin/jq` (no write perm on uid-1001 rootless runner) both can't succeed. Per feedback_ci_runner_install_needs_writable_path + #391/#402, jq is already baked into runner-base. Replace the install dance with a clear `exit 1` + diagnostic so a missing-jq runner fails loud rather than confusingly. Smoke-test (mocked Gitea API): no-approve → exit 1 (gate red) self-approve → exit 1 (gate red) dismissed-approve → exit 1 (gate red) non-team-approve → exit 1 (gate red) team-approve → exit 0 (gate green) Blocker 2 (A1-α event-suffix context-name verification) is the smoke-PR's job and is flagged in a follow-up comment on this PR — does not require workflow changes here. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| scripts | ||
| workflows | ||