Skip to content

Epic 5.7: SkillContext + MessageSafety — grounding/ package #30

Epic 5.7: SkillContext + MessageSafety — grounding/ package

Epic 5.7: SkillContext + MessageSafety — grounding/ package #30

Workflow file for this run

# ============================================================================
# Emergency Bypass Audit — Track and report all enforcement overrides
# ============================================================================
#
# Fires when the `emergency:bypass` label is added or removed.
# Creates a persistent audit record as a repo issue with the `audit` label.
# Also removes the bypass label after merge to prevent re-use.
name: Bypass Audit Trail
on:
pull_request:
types: [closed, labeled]
branches: [main]
permissions:
contents: read
issues: write
pull-requests: write
jobs:
# Record when bypass label is applied
audit-bypass-applied:
if: >
github.event.action == 'labeled' &&
github.event.label.name == 'emergency:bypass'
runs-on: ubuntu-latest
steps:
- name: Record bypass activation
uses: actions/github-script@v7
with:
script: |
const pr = context.payload.pull_request;
const actor = context.actor;
// Extract bypass reason from PR body
const body = pr.body || '';
const reasonIdx = body.indexOf('## ⚠️ Bypass Reason');
let reason = '(No reason provided)';
if (reasonIdx !== -1) {
reason = body.slice(reasonIdx + '## ⚠️ Bypass Reason'.length).trim().split('\n')[0];
}
// Create audit issue
await github.rest.issues.create({
owner: context.repo.owner,
repo: context.repo.repo,
title: `🔓 Bypass Activated: PR #${pr.number} by @${actor}`,
body: [
`## Emergency Bypass Audit Record`,
``,
`| Field | Value |`,
`|-------|-------|`,
`| **PR** | #${pr.number} |`,
`| **Title** | ${pr.title} |`,
`| **Actor** | @${actor} |`,
`| **Timestamp** | ${new Date().toISOString()} |`,
`| **Reason** | ${reason} |`,
`| **PR Labels** | ${pr.labels.map(l => '`' + l.name + '`').join(', ')} |`,
``,
`> This record was auto-generated by the bypass audit system.`,
`> Bypass records are permanent and cannot be deleted.`,
].join('\n'),
labels: ['audit', 'emergency:bypass'],
});
core.info(`📝 Audit record created for bypass on PR #${pr.number}`);
# Clean up bypass label after merge + create completion record
audit-bypass-merged:
if: >
github.event.action == 'closed' &&
github.event.pull_request.merged == true &&
contains(github.event.pull_request.labels.*.name, 'emergency:bypass')
runs-on: ubuntu-latest
steps:
- name: Record bypass merge and clean up
uses: actions/github-script@v7
with:
script: |
const pr = context.payload.pull_request;
// Remove the bypass label so it can't be re-used if PR is reopened
try {
await github.rest.issues.removeLabel({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: pr.number,
name: 'emergency:bypass',
});
core.info('Removed emergency:bypass label from merged PR');
} catch (err) {
core.warning(`Could not remove bypass label: ${err.message}`);
}
// Find the audit issue for this PR and add merge note
const auditIssues = await github.rest.issues.listForRepo({
owner: context.repo.owner,
repo: context.repo.repo,
labels: 'audit,emergency:bypass',
state: 'open',
});
const auditIssue = auditIssues.data.find(i =>
i.title.includes(`PR #${pr.number}`)
);
if (auditIssue) {
await github.rest.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: auditIssue.number,
body: [
`## ✅ Bypass Merge Complete`,
``,
`PR #${pr.number} was merged at ${new Date().toISOString()}.`,
`Merge commit: ${pr.merge_commit_sha}`,
``,
`This audit record will remain open for 30-day review.`,
].join('\n'),
});
}