Skip to content

Commit 11c84ba

Browse files
author
ikemilian-lewis
committed
Merge origin/main into common-code-fixes
2 parents 8d55154 + 2ba37a4 commit 11c84ba

947 files changed

Lines changed: 115240 additions & 11214 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

.gitattributes

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,10 @@
11

22
# Use bd merge for beads JSONL files
33
.beads/issues.jsonl merge=beads
4+
5+
# Enforce LF line endings for shell scripts
6+
*.sh text eol=lf
7+
8+
# Legacy k8s-legacy/tools/ are shell scripts without .sh extension
9+
# (executed by kubelet via PATH lookup inside pods).
10+
k8s-legacy/tools/* text eol=lf
Lines changed: 57 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,57 @@
1+
name: 'ORB CICD App Token'
2+
description: 'Mint an installation token for the ORB CICD GitHub App and resolve its bot identity for git commit attribution.'
3+
4+
inputs:
5+
app-id:
6+
description: 'GitHub App ID (from secrets.GH_APP_ID)'
7+
required: true
8+
private-key:
9+
description: 'GitHub App private key (from secrets.GH_APP_PRIVATE_KEY)'
10+
required: true
11+
12+
outputs:
13+
token:
14+
description: 'Short-lived installation access token for the App'
15+
value: ${{ steps.app-token.outputs.token }}
16+
app-slug:
17+
description: "App slug (e.g. open-resource-broker-cicd)"
18+
value: ${{ steps.app-token.outputs.app-slug }}
19+
user-id:
20+
description: "Numeric user id of the App's bot account"
21+
value: ${{ steps.app-user.outputs.user-id }}
22+
committer-name:
23+
description: 'Git committer name for App-authored commits'
24+
value: ${{ steps.app-user.outputs.committer-name }}
25+
committer-email:
26+
description: 'Git committer email for App-authored commits'
27+
value: ${{ steps.app-user.outputs.committer-email }}
28+
29+
runs:
30+
using: 'composite'
31+
steps:
32+
- name: Mint App installation token
33+
id: app-token
34+
uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3
35+
with:
36+
app-id: ${{ inputs.app-id }}
37+
private-key: ${{ inputs.private-key }}
38+
39+
- name: Resolve App bot identity
40+
id: app-user
41+
shell: bash
42+
env:
43+
GH_TOKEN: ${{ steps.app-token.outputs.token }}
44+
APP_SLUG: ${{ steps.app-token.outputs.app-slug }}
45+
run: |
46+
USER_ID=$(gh api "/users/${APP_SLUG}[bot]" --jq .id)
47+
echo "user-id=${USER_ID}" >> "$GITHUB_OUTPUT"
48+
echo "committer-name=${APP_SLUG}[bot]" >> "$GITHUB_OUTPUT"
49+
echo "committer-email=${USER_ID}+${APP_SLUG}[bot]@users.noreply.github.com" >> "$GITHUB_OUTPUT"
50+
51+
- name: Configure git remote with App token
52+
shell: bash
53+
env:
54+
APP_TOKEN: ${{ steps.app-token.outputs.token }}
55+
REPO: ${{ github.repository }}
56+
run: |
57+
git remote set-url origin "https://x-access-token:${APP_TOKEN}@github.com/${REPO}.git"

.github/dependabot.yml

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -12,7 +12,7 @@ updates:
1212
- "dependencies"
1313
- "python"
1414
commit-message:
15-
prefix: "chore(deps)"
15+
prefix: "chore"
1616
include: "scope"
1717
open-pull-requests-limit: 3
1818

@@ -97,7 +97,7 @@ updates:
9797
- "dependencies"
9898
- "go"
9999
commit-message:
100-
prefix: "chore(deps)"
100+
prefix: "chore"
101101
include: "scope"
102102
open-pull-requests-limit: 2
103103

@@ -113,6 +113,6 @@ updates:
113113
- "dependencies"
114114
- "docker"
115115
commit-message:
116-
prefix: "chore(docker)"
116+
prefix: "chore"
117117
include: "scope"
118118
open-pull-requests-limit: 1

.github/workflows/cache-management.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -34,7 +34,7 @@ jobs:
3434
cache-hit: ${{ steps.cache.outputs.cache-hit }}
3535
steps:
3636
- name: Checkout code
37-
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
37+
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
3838

3939
- name: Generate cache key
4040
id: cache-key
@@ -58,7 +58,7 @@ jobs:
5858
5959
- name: Restore cache
6060
id: cache
61-
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
61+
uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v5
6262
with:
6363
path: |
6464
~/.cache/uv

.github/workflows/changelog-validation.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -20,7 +20,7 @@ jobs:
2020
default-python-version: ${{ steps.config.outputs.default-python-version }}
2121
steps:
2222
- name: Checkout code
23-
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
23+
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
2424
- name: Get project configuration
2525
id: config
2626
uses: ./.github/actions/get-config
@@ -43,7 +43,7 @@ jobs:
4343

4444
steps:
4545
- name: Checkout code
46-
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
46+
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
4747
with:
4848
fetch-depth: 0 # Need full history for changelog generation
4949

.github/workflows/ci-quality.yml

Lines changed: 104 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -21,6 +21,27 @@ on:
2121
- 'uv.lock'
2222
- '.ruff.toml'
2323
- '.github/workflows/ci-quality.yml'
24+
# pull_request_target is needed only for the auto-format-suggest job to call
25+
# the PR Reviews API on fork PRs. All other jobs gate on event_name to avoid
26+
# double execution.
27+
pull_request_target:
28+
branches: [ main, develop ]
29+
paths:
30+
- 'src/**'
31+
- 'tests/**'
32+
- 'pyproject.toml'
33+
- 'requirements*.txt'
34+
- 'uv.lock'
35+
- '.ruff.toml'
36+
- '.github/workflows/ci-quality.yml'
37+
38+
# Cancel in-progress runs when a new push arrives on the same branch/ref.
39+
# The auto-format job is exempted via its own job-level concurrency block
40+
# (cancel-in-progress: false) because it pushes a commit back to the branch —
41+
# cancelling it mid-push could leave the branch in a partially formatted state.
42+
concurrency:
43+
group: ci-${{ github.workflow }}-${{ github.ref }}
44+
cancel-in-progress: true
2445

2546
permissions:
2647
contents: read
@@ -32,6 +53,8 @@ jobs:
3253

3354
quality-check:
3455
name: Quality Standards
56+
# Skip on pull_request_target — only auto-format-suggest needs that event.
57+
if: github.event_name != 'pull_request_target'
3558
runs-on: ubuntu-latest
3659
needs: config
3760
permissions:
@@ -45,7 +68,7 @@ jobs:
4568
TESTING: ${{ needs.config.outputs.testing-flag }}
4669

4770
steps:
48-
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
71+
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
4972
with:
5073
fetch-depth: 0
5174

@@ -65,6 +88,8 @@ jobs:
6588
6689
setup-cache:
6790
name: Setup Cache
91+
# Runs on both pull_request and pull_request_target — auto-format-suggest
92+
# depends on it and needs to run on pull_request_target for fork PRs.
6893
needs: config
6994
uses: ./.github/workflows/cache-management.yml
7095
with:
@@ -73,18 +98,40 @@ jobs:
7398
python-version: ${{ needs.config.outputs.default-python-version }}
7499

75100
auto-format:
76-
name: Auto-Format Code
77-
if: github.event_name == 'pull_request'
101+
name: Auto-Format Code
102+
# Same-repo PRs only. Fork PRs handled by auto-format-suggest below.
103+
# Bot-actor guard prevents the job re-triggering on its own push.
104+
if: |
105+
github.event_name == 'pull_request'
106+
&& github.event.pull_request.head.repo.full_name == github.repository
107+
&& github.actor != 'open-resource-broker-cicd[bot]'
78108
runs-on: ubuntu-latest
79109
needs: [config, setup-cache]
110+
# Override the workflow-level concurrency so this job is never cancelled
111+
# mid-run. If it were interrupted after `ruff` rewrites files but before
112+
# `git push`, the PR branch would be left in a half-formatted state.
113+
concurrency:
114+
group: ci-auto-format-${{ github.ref }}
115+
cancel-in-progress: false
80116
permissions:
81117
contents: write
82118
steps:
83119
- name: Checkout code
84-
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
120+
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
85121
with:
86-
token: ${{ secrets.GITHUB_TOKEN }}
87122
ref: ${{ github.head_ref }}
123+
# See semantic-release.yml for the rationale - the App-token URL
124+
# set by the composite below must be the only credential source
125+
# so the auto-format push lands as the ORB CICD App rather than
126+
# falling back to github-actions[bot] via the persisted extraheader.
127+
persist-credentials: false
128+
129+
- name: ORB CICD App token
130+
id: cicd
131+
uses: ./.github/actions/orb-cicd-app-token
132+
with:
133+
app-id: ${{ secrets.GH_APP_ID }}
134+
private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
88135

89136
- name: Setup UV with cache
90137
uses: ./.github/actions/setup-uv-cached
@@ -97,26 +144,66 @@ jobs:
97144

98145
- name: Commit formatting changes
99146
env:
100-
GIT_AUTHOR_NAME: github-actions[bot]
101-
GIT_AUTHOR_EMAIL: github-actions[bot]@users.noreply.github.com
102-
GIT_COMMITTER_NAME: github-actions[bot]
103-
GIT_COMMITTER_EMAIL: github-actions[bot]@users.noreply.github.com
147+
GIT_AUTHOR_NAME: ${{ steps.cicd.outputs.committer-name }}
148+
GIT_AUTHOR_EMAIL: ${{ steps.cicd.outputs.committer-email }}
149+
GIT_COMMITTER_NAME: ${{ steps.cicd.outputs.committer-name }}
150+
GIT_COMMITTER_EMAIL: ${{ steps.cicd.outputs.committer-email }}
104151
run: |
105152
git add .
106153
if ! git diff --staged --quiet; then
107-
git commit -m "style: auto-format code with ruff [skip ci]"
154+
git commit -m "style: auto-format code with ruff"
108155
git push
109156
fi
110157
158+
auto-format-suggest:
159+
name: Auto-Format Suggestions
160+
# Fork PRs: post formatted changes as PR review suggestions for the
161+
# contributor to apply via the GitHub UI's "Commit suggestion" button.
162+
# Uses pull_request_target so the GITHUB_TOKEN can call the PR Reviews API
163+
# (POST /pulls/{id}/reviews) — pull_request fork-PR tokens cannot.
164+
# The workflow file is evaluated at the base ref (safe); only the PR head
165+
# code is checked out into a non-elevated working tree for formatting.
166+
if: github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository
167+
runs-on: ubuntu-latest
168+
needs: [config, setup-cache]
169+
permissions:
170+
contents: read
171+
pull-requests: write
172+
steps:
173+
- name: Checkout PR head
174+
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
175+
with:
176+
ref: ${{ github.event.pull_request.head.sha }}
177+
# No token here — formatter does not need write access; this prevents
178+
# untrusted PR code from authenticating with elevated permissions.
179+
persist-credentials: false
180+
181+
- name: Setup UV with cache
182+
uses: ./.github/actions/setup-uv-cached
183+
with:
184+
cache-key: ${{ needs.setup-cache.outputs.cache-key }}
185+
fail-on-cache-miss: false
186+
187+
- name: Run formatter
188+
run: make format-fix
189+
190+
- name: Post review suggestions
191+
uses: reviewdog/action-suggester@2558ba17e65a9039e73764a73009fc05fef28a46 # v1.24.3
192+
with:
193+
tool_name: ruff
194+
level: warning
195+
fail_on_error: false
196+
111197
lint-ruff:
112198
name: Ruff (Code Quality)
199+
if: github.event_name != 'pull_request_target'
113200
runs-on: ubuntu-latest
114201
needs: [config, setup-cache]
115202
permissions:
116203
contents: read
117204
steps:
118205
- name: Checkout code
119-
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
206+
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
120207

121208
- name: Setup UV with cache
122209
uses: ./.github/actions/setup-uv-cached
@@ -129,13 +216,14 @@ jobs:
129216

130217
lint-ruff-optional:
131218
name: Ruff (Extended Checks)
219+
if: github.event_name != 'pull_request_target'
132220
runs-on: ubuntu-latest
133221
needs: [config, setup-cache, lint-ruff]
134222
permissions:
135223
contents: read
136224
steps:
137225
- name: Checkout code
138-
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
226+
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
139227

140228
- name: Setup UV with cache
141229
uses: ./.github/actions/setup-uv-cached
@@ -149,13 +237,14 @@ jobs:
149237

150238
lint-pyright:
151239
name: Type Checking (pyright)
240+
if: github.event_name != 'pull_request_target'
152241
runs-on: ubuntu-latest
153242
needs: [config, setup-cache, lint-ruff]
154243
permissions:
155244
contents: read
156245
steps:
157246
- name: Checkout code
158-
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
247+
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
159248

160249
- name: Setup UV with cache
161250
uses: ./.github/actions/setup-uv-cached
@@ -169,6 +258,7 @@ jobs:
169258

170259
arch-validation:
171260
name: Architecture Validation
261+
if: github.event_name != 'pull_request_target'
172262
runs-on: ubuntu-latest
173263
needs: [config, setup-cache, lint-ruff]
174264
permissions:
@@ -187,7 +277,7 @@ jobs:
187277
description: "File Size Compliance"
188278
steps:
189279
- name: Checkout code
190-
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
280+
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
191281

192282
- name: Setup UV with cache
193283
uses: ./.github/actions/setup-uv-cached

0 commit comments

Comments
 (0)