fix(ci): tighten central workflow gates#382
Conversation
Scope central workflow tokens to read-only defaults with job-scoped writes, print Trivy SARIF findings in failing logs, and repair scheduler/Noema CI regressions caught by the full test suite.
|
Updated the active superseding central PR with the OpenCode outcome-gate cleanup from the closed #383 thread:
Verification on head
|
|
Follow-up on the timeout/model-order review note:
Rechecked on head |
|
Follow-up patch on the timeout/model-order note, now on head
Verification on head
Rechecked after push: no review threads, no PR-scoped code-scanning alerts, and the new current-head checks are queued behind the Actions backlog. |
|
Follow-up governance fix on head
Verification:
|
|
Central queue-control follow-up pushed in Why this was necessary:
What changed:
Verification:
This directly implements the current-head-only queue rule: new PR head events should cancel superseded OpenCode/Noema/Strix runs instead of letting stale heads accumulate. |
|
Queue hygiene update for #382: After pushing Some older |
|
Current-head validation for central #382 after the queue-concurrency update. Head tested: Scope checked:
Local validation from disposable worktree
GitHub Actions checks for this head remain queued; GitHub Status currently reports Actions degraded performance / delayed run starts. |
|
Added a central coverage-evidence fix on head Reason:
Change:
Verification:
Note: |
|
Central follow-up on head What changed now:
Why:
Verification:
Queue hygiene:
Timeout/model policy remains as previously updated in this PR: |
|
?? ??????. ?? head ??? ?? ??:
?? ??:
??:
?? ??:
?? GitHub ??:
|
|
Follow-up on the remaining Scorecard Added real fuzzing evidence on head
Verification before push:
After push, stale older-head OpenCode run |
…security-20260709 # Conflicts: # .github/workflows/opencode-review.yml # scripts/ci/run_opencode_review_model_pool.sh # scripts/ci/test_strix_quick_gate.sh # tests/test_opencode_agent_contract.py
There was a problem hiding this comment.
Pull request overview
OpenCode reviewed the current-head mergeability evidence and changed-file flow before approval, then found merge conflicts on the affected path.
Findings
1. HIGH Merge Conflict Guidance - Resolve the PR branch against the latest base branch
- Problem: GitHub reports mergeStateStatus
DIRTYfor this pull request. - Root cause: Branch
fix/central-workflow-security-20260709cannot be merged cleanly intomain; the changed-file flow below shows which review/runtime path is blocked by the conflict. - Fix: Merge or rebase the latest
mainintofix/central-workflow-security-20260709, resolve conflict markers in the PR branch, rerun the focused checks, and push the same branch. - Repair commands:
gh pr checkout 382 --repo ContextualWisdomLab/.github
git fetch origin main
git merge --no-ff origin/main # or: git rebase origin/main
git status --short
# resolve files, then git add <resolved-files>
# merge path: git commit
# rebase path: git rebase --continue
git push origin HEAD:fix/central-workflow-security-20260709
# rebase path only: git push --force-with-lease origin HEAD:fix/central-workflow-security-20260709- Regression test: Keep OpenCode approval gated on mergeability so model-output failures cannot approve a conflicted PR.
Merge Conflict Evidence Map
flowchart LR
PR["PR changed files"] --> Evidence["OpenCode bounded evidence"]
Evidence --> S1["Changed file (5 files)"]
S1 --> I1["repository behavior"]
I1 --> Conflict["Merge conflict blocks this path"]
Conflict --> V1["required checks"]
Evidence --> S2["Workflow (9 files)"]
S2 --> I2["GitHub Actions review job"]
I2 --> Conflict["Merge conflict blocks this path"]
Conflict --> V2["actionlint plus required checks"]
Evidence --> S3["CI script (4 files)"]
S3 --> I3["review and security gate shell path"]
I3 --> Conflict["Merge conflict blocks this path"]
Conflict --> V3["bash -n plus Strix self-test"]
Evidence --> S4["Test (7 files)"]
S4 --> I4["regression suite"]
I4 --> Conflict["Merge conflict blocks this path"]
Conflict --> V4["targeted test run"]
- Result: REQUEST_CHANGES
- Reason: mergeStateStatus is
DIRTY; mergeable isCONFLICTING. - Head SHA:
cc66bb541ce92b121acd30af4d06be5e304cb4b6 - Workflow run: 29052503121
- Workflow attempt: 1
Changed-File Evidence Map
flowchart LR
PR["PR changed files"] --> Evidence["OpenCode bounded evidence"]
Evidence --> S1["Changed file (5 files)"]
S1 --> I1["repository behavior"]
I1 --> Conflict["Merge conflict blocks this path"]
Conflict --> V1["required checks"]
Evidence --> S2["Workflow (9 files)"]
S2 --> I2["GitHub Actions review job"]
I2 --> Conflict["Merge conflict blocks this path"]
Conflict --> V2["actionlint plus required checks"]
Evidence --> S3["CI script (4 files)"]
S3 --> I3["review and security gate shell path"]
I3 --> Conflict["Merge conflict blocks this path"]
Conflict --> V3["bash -n plus Strix self-test"]
Evidence --> S4["Test (7 files)"]
S4 --> I4["regression suite"]
I4 --> Conflict["Merge conflict blocks this path"]
Conflict --> V4["targeted test run"]
OpenCode Review Overview
Pull request overviewOpenCode reviewed the current-head mergeability evidence and changed-file flow before approval, then found merge conflicts on the affected path. Findings1. HIGH Merge Conflict Guidance - Resolve the PR branch against the latest base branch
gh pr checkout 382 --repo ContextualWisdomLab/.github
git fetch origin main
git merge --no-ff origin/main # or: git rebase origin/main
git status --short
# resolve files, then git add <resolved-files>
# merge path: git commit
# rebase path: git rebase --continue
git push origin HEAD:fix/central-workflow-security-20260709
# rebase path only: git push --force-with-lease origin HEAD:fix/central-workflow-security-20260709
Merge Conflict Evidence Mapflowchart LR
PR["PR changed files"] --> Evidence["OpenCode bounded evidence"]
Evidence --> S1["Changed file (5 files)"]
S1 --> I1["repository behavior"]
I1 --> Conflict["Merge conflict blocks this path"]
Conflict --> V1["required checks"]
Evidence --> S2["Workflow (9 files)"]
S2 --> I2["GitHub Actions review job"]
I2 --> Conflict["Merge conflict blocks this path"]
Conflict --> V2["actionlint plus required checks"]
Evidence --> S3["CI script (4 files)"]
S3 --> I3["review and security gate shell path"]
I3 --> Conflict["Merge conflict blocks this path"]
Conflict --> V3["bash -n plus Strix self-test"]
Evidence --> S4["Test (7 files)"]
S4 --> I4["regression suite"]
I4 --> Conflict["Merge conflict blocks this path"]
Conflict --> V4["targeted test run"]
Changed-File Evidence Mapflowchart LR
PR["PR changed files"] --> Evidence["OpenCode bounded evidence"]
Evidence --> S1["Changed file (5 files)"]
S1 --> I1["repository behavior"]
I1 --> Conflict["Merge conflict blocks this path"]
Conflict --> V1["required checks"]
Evidence --> S2["Workflow (9 files)"]
S2 --> I2["GitHub Actions review job"]
I2 --> Conflict["Merge conflict blocks this path"]
Conflict --> V2["actionlint plus required checks"]
Evidence --> S3["CI script (4 files)"]
S3 --> I3["review and security gate shell path"]
I3 --> Conflict["Merge conflict blocks this path"]
Conflict --> V3["bash -n plus Strix self-test"]
Evidence --> S4["Test (7 files)"]
S4 --> I4["regression suite"]
I4 --> Conflict["Merge conflict blocks this path"]
Conflict --> V4["targeted test run"]
Merge Conflict Guidance
gh pr checkout 382 --repo ContextualWisdomLab/.github
git fetch origin main
git merge --no-ff origin/main # or: git rebase origin/main
git status --short
# resolve files, then git add <resolved-files>
# merge path: git commit
# rebase path: git rebase --continue
git push origin HEAD:fix/central-workflow-security-20260709
# rebase path only: git push --force-with-lease origin HEAD:fix/central-workflow-security-20260709 |
Summary
trivy-fsfailure logs so required-check failures show package/CVE/path/message reasons.Verification
python3 -m pytest-> 175 passed, 5 warningspython3 -m compileall -q scripts testsgit diff --cached --checkbash scripts/ci/test_strix_quick_gate.shremains nonzero on existing stale contract-string assertions unrelated to this diff; full pytest covers the updated contracts.Direct push
Direct push to
mainwas rejected by repository rules: required workflows are not satisfied and changes must be made through a pull request.