Skip to content

Commit 05e0213

Browse files
Harden canary bypass audit and mark temp branch-validation lines
- Warn step now uses always() so the bypass audit is never skipped by prior-step status; it fires whenever publish proceeds with test != success. - Add greppable 'TEMP: remove at finalize' markers on the temporary push trigger and the coupled publish.if event==push bypass clause. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
1 parent 578c247 commit 05e0213

1 file changed

Lines changed: 9 additions & 6 deletions

File tree

.github/workflows/sdk-canary.yml

Lines changed: 9 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -32,7 +32,7 @@ on:
3232
# workflow_dispatch entrypoint exists on main. Push events carry no dispatch
3333
# inputs, so the resolve job falls back to the currently pinned runtime from
3434
# public npm. Remove this trigger once the workflow lands on main.
35-
push:
35+
push: # TEMP: remove at finalize (coupled with the publish.if `event==push` clause)
3636
branches: [mackinnonbuck-sdk-canary-compat-gate]
3737

3838
permissions:
@@ -205,10 +205,11 @@ jobs:
205205
# Normally publish only runs when the e2e gate is green. Two bypasses:
206206
# - workflow_dispatch with force_publish=true: a human-acknowledged flake
207207
# override (audited via the actor on the run).
208-
# - github.event_name == 'push': TEMPORARY branch-validation bypass that
209-
# pairs with the temporary push trigger so we can exercise the publish +
210-
# bypass paths on this branch. Remove alongside the push trigger at
211-
# finalize; after that, force is honored only on real dispatches.
208+
# - github.event_name == 'push': TEMP: remove at finalize — branch-validation
209+
# bypass coupled with the temporary push trigger so we can exercise the
210+
# publish + bypass paths on this branch. Drop the `github.event_name ==
211+
# 'push'` clause from the `if:` below together with the push trigger; after
212+
# that, force is honored only on real dispatches.
212213
# The bypass only skips the e2e *signal* — the publish job still runs the
213214
# build (so a broken build can't publish) and enforces feed-only + read-back.
214215
if: >
@@ -234,7 +235,9 @@ jobs:
234235
working-directory: ./nodejs
235236
steps:
236237
- name: Warn — publishing despite failed e2e gate (bypass)
237-
if: needs.test.result != 'success'
238+
# always() so this audit is never skipped by prior-step status; it fires
239+
# specifically when publish proceeded without a green e2e gate.
240+
if: always() && needs.test.result != 'success'
238241
run: |
239242
echo "::warning title=e2e gate bypassed::Publishing SDK canary despite a non-passing e2e gate (test job result: ${{ needs.test.result }}). Triggered by '${{ github.actor }}' via '${{ github.event_name }}'${{ (github.event_name == 'workflow_dispatch' && inputs.force_publish) && ' with force_publish=true' || '' }}. The e2e signal was bypassed; build + feed-only + read-back guards still apply."
240243

0 commit comments

Comments
 (0)