feat(P3): Epic 3.2 — Extract SkillRepository CRUD from monolithic SkillStore [EPIC 3.2] #6
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # ============================================================================ | |
| # Emergency Bypass Audit — Track and report all enforcement overrides | |
| # ============================================================================ | |
| # | |
| # Fires when the `emergency:bypass` label is added or removed. | |
| # Creates a persistent audit record as a repo issue with the `audit` label. | |
| # Also removes the bypass label after merge to prevent re-use. | |
| name: Bypass Audit Trail | |
| on: | |
| pull_request: | |
| types: [closed, labeled] | |
| branches: [main] | |
| permissions: | |
| contents: read | |
| issues: write | |
| pull-requests: write | |
| jobs: | |
| # Record when bypass label is applied | |
| audit-bypass-applied: | |
| if: > | |
| github.event.action == 'labeled' && | |
| github.event.label.name == 'emergency:bypass' | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Record bypass activation | |
| uses: actions/github-script@v7 | |
| with: | |
| script: | | |
| const pr = context.payload.pull_request; | |
| const actor = context.actor; | |
| // Extract bypass reason from PR body | |
| const body = pr.body || ''; | |
| const reasonIdx = body.indexOf('## ⚠️ Bypass Reason'); | |
| let reason = '(No reason provided)'; | |
| if (reasonIdx !== -1) { | |
| reason = body.slice(reasonIdx + '## ⚠️ Bypass Reason'.length).trim().split('\n')[0]; | |
| } | |
| // Create audit issue | |
| await github.rest.issues.create({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| title: `🔓 Bypass Activated: PR #${pr.number} by @${actor}`, | |
| body: [ | |
| `## Emergency Bypass Audit Record`, | |
| ``, | |
| `| Field | Value |`, | |
| `|-------|-------|`, | |
| `| **PR** | #${pr.number} |`, | |
| `| **Title** | ${pr.title} |`, | |
| `| **Actor** | @${actor} |`, | |
| `| **Timestamp** | ${new Date().toISOString()} |`, | |
| `| **Reason** | ${reason} |`, | |
| `| **PR Labels** | ${pr.labels.map(l => '`' + l.name + '`').join(', ')} |`, | |
| ``, | |
| `> This record was auto-generated by the bypass audit system.`, | |
| `> Bypass records are permanent and cannot be deleted.`, | |
| ].join('\n'), | |
| labels: ['audit', 'emergency:bypass'], | |
| }); | |
| core.info(`📝 Audit record created for bypass on PR #${pr.number}`); | |
| # Clean up bypass label after merge + create completion record | |
| audit-bypass-merged: | |
| if: > | |
| github.event.action == 'closed' && | |
| github.event.pull_request.merged == true && | |
| contains(github.event.pull_request.labels.*.name, 'emergency:bypass') | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Record bypass merge and clean up | |
| uses: actions/github-script@v7 | |
| with: | |
| script: | | |
| const pr = context.payload.pull_request; | |
| // Remove the bypass label so it can't be re-used if PR is reopened | |
| try { | |
| await github.rest.issues.removeLabel({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| issue_number: pr.number, | |
| name: 'emergency:bypass', | |
| }); | |
| core.info('Removed emergency:bypass label from merged PR'); | |
| } catch (err) { | |
| core.warning(`Could not remove bypass label: ${err.message}`); | |
| } | |
| // Find the audit issue for this PR and add merge note | |
| const auditIssues = await github.rest.issues.listForRepo({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| labels: 'audit,emergency:bypass', | |
| state: 'open', | |
| }); | |
| const auditIssue = auditIssues.data.find(i => | |
| i.title.includes(`PR #${pr.number}`) | |
| ); | |
| if (auditIssue) { | |
| await github.rest.issues.createComment({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| issue_number: auditIssue.number, | |
| body: [ | |
| `## ✅ Bypass Merge Complete`, | |
| ``, | |
| `PR #${pr.number} was merged at ${new Date().toISOString()}.`, | |
| `Merge commit: ${pr.merge_commit_sha}`, | |
| ``, | |
| `This audit record will remain open for 30-day review.`, | |
| ].join('\n'), | |
| }); | |
| } |