
fix: Docker sandbox agent execution + role template rendering + --model propagation for non-Claude CLIs #707


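name: main-red-guard
# Blocks PR merges while the most recent completed CI run on main did not
# conclude with `success` and main HEAD has NOT yet advanced past that run's
# SHA. Only a `success` conclusion passes: failure, cancelled, timed_out,
# action_required, skipped and every other conclusion are all treated as red.
#
# The auto-merge flow on this repo previously allowed PRs to merge into a
# red main when the CI gate ran on a stale SHA: the rapid burst of merges
# cancelled each other's CI runs, leaving "green" only on a SHA that was
# never actually committed. Adding this guard as a required check forces
# the operator to either:
#
# * Wait for the next push to main that produces a green CI run, or
# * Roll forward main with a fix commit that supersedes the failing SHA.
#
# Either way, the next PR merge happens on top of a known-good main.
#
# Limitation: the verdict is computed only when one of the PR events below
# fires; it is not re-evaluated when main changes afterwards, so a recorded
# PASS or FAIL can be stale in either direction until the next qualifying
# PR event.
on:
  pull_request:
    types: [opened, synchronize, ready_for_review, auto_merge_enabled]

# One guard run per PR; a newer PR event supersedes an in-flight one.
concurrency:
  group: main-red-guard-${{ github.event.pull_request.number }}
  cancel-in-progress: true

# Read-only token: the job only queries the Actions and commits APIs.
permissions:
  contents: read
  actions: read

jobs:
  guard:
    name: main-red-guard
    runs-on: ubuntu-latest
    timeout-minutes: 5
    permissions:
      contents: read
      actions: read
    # Only enforce when the PR is targeting main. PRs against other branches
    # (release branches, hotfix branches) are out of scope for this gate.
    if: github.event.pull_request.base.ref == 'main'
    steps:
      - name: Harden runner (audit mode)
        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
        with:
          egress-policy: audit

      - name: Inspect the most recent completed CI run on main
        # Any API failure (e.g. the ci.yml workflow no longer exists under
        # that name) aborts the script under `set -e` and fails the gate
        # closed rather than silently passing.
        env:
          GH_TOKEN: ${{ github.token }}
          REPO: ${{ github.repository }}
        run: |
          set -euo pipefail

          # Query the last 10 CI runs on main and pick the most recent one
          # whose top-level status is 'completed'. Pending / in-progress
          # runs are ignored - they will be observed on the next PR event.
          API_PATH="repos/${REPO}/actions/workflows/ci.yml/runs?branch=main&per_page=10"
          RUNS_JSON="$(gh api "${API_PATH}")"

          # Filter to completed runs; newest (by run_started_at) first.
          LATEST="$(printf '%s' "${RUNS_JSON}" | jq -r '
            [.workflow_runs[] | select(.status == "completed")]
            | sort_by(.run_started_at) | reverse
            | .[0] // empty
          ')"

          if [ -z "${LATEST}" ] || [ "${LATEST}" = "null" ]; then
            echo "::notice::No completed CI run on main was found in the last 10 runs; gate is a no-op PASS."
            {
              echo "## main-red-guard"
              echo ""
              echo "Status: PASS (no completed CI run on main found in the last 10 runs)"
            } >> "$GITHUB_STEP_SUMMARY"
            exit 0
          fi

          CONCLUSION="$(printf '%s' "${LATEST}" | jq -r '.conclusion')"
          RUN_SHA="$(printf '%s' "${LATEST}" | jq -r '.head_sha')"
          RUN_URL="$(printf '%s' "${LATEST}" | jq -r '.html_url')"
          RUN_ID="$(printf '%s' "${LATEST}" | jq -r '.id')"
          echo "Latest completed CI on main: conclusion=${CONCLUSION} sha=${RUN_SHA} run=${RUN_ID}"

          # Resolve current main HEAD via the refs API (no checkout needed).
          MAIN_HEAD="$(gh api "repos/${REPO}/commits/main" --jq '.sha')"
          echo "Current main HEAD: ${MAIN_HEAD}"

          # PASS when the latest completed CI on main succeeded. Any other
          # conclusion value falls through to the checks below.
          if [ "${CONCLUSION}" = "success" ]; then
            {
              echo "## main-red-guard"
              echo ""
              echo "Status: PASS"
              echo ""
              echo "Latest CI on main conclusion: \`success\` (sha \`${RUN_SHA}\`)"
            } >> "$GITHUB_STEP_SUMMARY"
            exit 0
          fi

          # PASS when main has rolled forward past the failing SHA (a
          # subsequent push produced a newer commit that we expect the
          # operator to validate before this PR merges).
          if [ "${MAIN_HEAD}" != "${RUN_SHA}" ]; then
            {
              echo "## main-red-guard"
              echo ""
              echo "Status: PASS (main rolled forward past the failing SHA)"
              echo ""
              echo "- Latest completed CI on main: \`${CONCLUSION}\` (sha \`${RUN_SHA}\`)"
              echo "- Current main HEAD: \`${MAIN_HEAD}\`"
              echo "- Run URL: ${RUN_URL}"
            } >> "$GITHUB_STEP_SUMMARY"
            exit 0
          fi

          # FAIL: main HEAD still pins the failing SHA. Block the merge
          # until either a green run lands or main rolls forward.
          {
            echo "## main-red-guard"
            echo ""
            echo "Status: FAIL"
            echo ""
            echo "Most recent completed CI on main is \`${CONCLUSION}\` and main HEAD still points at the failing SHA."
            echo ""
            echo "- Failing SHA: \`${RUN_SHA}\`"
            echo "- Current main HEAD: \`${MAIN_HEAD}\`"
            echo "- Failing run: ${RUN_URL}"
            echo ""
            echo "Either land a fix commit on main, or wait for a fresh green CI run, before this PR can merge."
          } >> "$GITHUB_STEP_SUMMARY"
          echo "::error::main is red (CI conclusion=${CONCLUSION} on ${RUN_SHA}); blocking merge. See ${RUN_URL}."
          exit 1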