ci: repair ci/lint-test/trufflehog workflows (newline-swallow + phantom actions)#1015
KooshaPari wants to merge 8 commits into
…om actions)
A SHA-pinning pass corrupted many workflows by swallowing the newline after
`# vN` pin comments, mashing the next line onto the pin (and appending a second
`@sha`). This fixes the three most important / PR-blocking ones:
- ci.yml: rebuilt the `test` job (the checkout/setup-go/cache/codecov steps had
`@sha@sha` double-pins and `# v4-`/`# v5with:`/`# v3with:` mashed lines), and
removed the `phenotype-validate` job that called the nonexistent
KooshaPari/phenotypeActions reusable workflow (also invalid: a job cannot set
both `uses:` and `runs-on:`).
- lint-test.yml: replaced the corrupted checkout+phantom-action step with real
inline Go vet+test.
- trufflehog.yml: `trufflehog/actions/setup@main` (nonexistent) -> canonical
trufflesecurity/trufflehog; fixed the escaped `\${{ }}` token interpolation.
All three validated as well-formed YAML. The remaining ~18 workflow files carry
the same newline-swallow corruption and are tracked for follow-up.
Traces to CLI/AX CI coherence (dom-cli-ax audit).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Note: Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.
Important: Review skipped. Draft detected. Please check the settings in the CodeRabbit UI or the Run configuration.
Configuration used: Path: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro
Same newline-swallow corruption: `# v3with:` had the `with:` mapping mashed onto the pin comment. Split back into a `# v3` pin + a properly-indented `with:` block. Validated as well-formed YAML.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

Same newline-swallow corruption from the SHA-pinning pass. Fixed by dropping the spurious second `@sha` pin and restoring the swallowed line/indentation:
- ci-rerun-flaky, coderabbit-rate-limit-retry: `# v7with:` -> `# v7` + `with:`
- policy-gate, quality-gate, required-check-names-guard, tag-automation: `# v4- name: X` -> `# v4` + a separate `- name: X` step
- journey-gate: stray double `@sha@sha` checkout pin -> single pinned `# v4`
- release-drafter: `# v6env:` -> `# v6` + `env:`
- security-guard-hook-audit: `# v4with:` -> `# v4` + `with:`
All nine validated as well-formed YAML.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

…ease-batch)
Same newline-swallow corruption, including multi-step chains:
- codeql: separated the mashed Checkout/Initialize-CodeQL steps and the second `analyze-skip-for-migrated-router-fix` JOB that was swallowed onto an analyze step's pin; restored with:/v4 boundaries.
- pages-deploy: three `- uses:` steps (checkout/configure-pages/upload-pages-artifact) were mashed onto one line; split into three steps.
- scorecard: fixed `# v4with:`/`# v2.4.2with:`/`# v3with:` and a double `@sha@sha` upload-artifact pin.
- pr-path-guard, release-batch: `# v4with:`/`# v45with:`/`# v5with:` splits.
All five validated as well-formed YAML.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

Same newline-swallow corruption (with:/env:/if:/`- name:` steps and double `@sha@sha` pins mashed onto `# vN` comments). docs.yml (4 spots incl a swallowed Deploy step + double-sha setup-node), release.yaml (5 spots incl a swallowed `if:` on the gh-release step), generate-sdks.yaml (6 spots incl swallowed Setup Python/Node steps). All validated as well-formed YAML.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

Same newline-swallow corruption: separated mashed Checkout/Initialize-CodeQL steps, a swallowed `trivy-repo` JOB boundary, chained `- uses:` step pairs, and swallowed `with:`/`env:`/`if:`/`continue-on-error:` keys across both SAST workflows. All validated as well-formed YAML.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

Separated the mashed Checkout/Refresh-models/Set-up-Buildx/Login steps (incl a triple-`- uses:` chain in docker_manifest) and the swallowed `with:` blocks on the login and build-push steps across all three jobs. Validated YAML.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

The most heavily corrupted workflow (13 jobs). Fixed the recurring mashed Checkout/Set-up-Go step pairs and swallowed `with:` blocks across all jobs, the double `@sha@sha` checkout/upload-artifact/setup-node pins, and the swallowed `- name: Refresh models catalog` / `Setup Node` steps. Also fixed the `arduino/setup-task` ref, which the SHA-pinning pass had replaced with a literal GitHub API 404 JSON blob — pinned to v2.0.0 (b91d5d2c96a56797b48ac1e0e89220bf64044611). Validated as well-formed YAML. With this, all 25 corrupted workflows in the repo are repaired.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Problem
A SHA-pinning pass corrupted 23 of 28 workflow files by swallowing the newline after `# vN` pin comments — mashing the following line onto the pin and appending a second `@sha`. Examples:
This makes 18 of them invalid YAML. Several also reference the nonexistent `KooshaPari/phenotypeActions` reusable-actions repo and the wrong `trufflehog/actions` path.
This PR (the 3 most important / PR-blocking)
- ci.yml: rebuilt the `test` job (checkout/setup-go/cache/codecov steps were all mashed) and removed the `phenotype-validate` job that called the nonexistent `KooshaPari/phenotypeActions/.github/workflows/validate-governance.yml` (also structurally invalid: a job cannot set both `uses:` and `runs-on:`).
- lint-test.yml: replaced the corrupted checkout+phantom-action step with real inline Go vet+test.
- trufflehog.yml: `trufflehog/actions/setup@main` (nonexistent) → canonical `trufflesecurity/trufflehog`; fixed the escaped `\${{ }}` interpolation that never expanded.
All three validated as well-formed YAML locally.
Follow-up
The remaining ~18 corrupted workflow files (auto-merge, codeql, docker-image, docs, generate-sdks, journey-gate, pages-deploy, pr-path-guard, pr-test-build, release*, sast-*, scorecard, security-guard-hook-audit, …) carry the identical newline-swallow corruption and are tracked for a careful follow-up PR (each needs per-file boundary reconstruction; not safe to mass-rush).
Traceability
dom-cli-ax CLI/AX CI coherence — corrupted/phantom workflow references.
🤖 Generated with Claude Code
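As an added illustration (not tooling from this PR or the repository), here is a Python check that flags the two corruption signs the description lists, a spurious second `@sha` and text swallowed onto a `# vN` pin comment, and splits a mashed step line back into its original lines; the sample workflow and its SHAs are constructed placeholders. It only handles swallowed sibling steps and `with:`/`env:`/`if:` keys; a swallowed job boundary like the ones the commits describe still needs the per-file reconstruction the author calls for.

```python
import re

# Constructed pattern for the corruption this PR describes (not the PR's own tooling):
# a 40-hex SHA pin, an optional spurious second "@sha", the "# vN" comment, and any
# text of the following line that was swallowed onto it ("with:", "- name: X", ...).
MASHED_PIN = re.compile(
    r"^(?P<indent> *)(?P<lead>- )?(?P<key>uses: \S+?@[0-9a-f]{40})"
    r"(?P<dup>@[0-9a-f]{40})? *# *(?P<ver>v\d+(?:\.\d+)*)(?P<tail>\S.*)?$"
)

def find_corruptions(text: str) -> list:
    """1-based numbers of lines showing a double pin and/or a swallowed newline."""
    return [n for n, line in enumerate(text.splitlines(), 1)
            if (m := MASHED_PIN.match(line)) and (m["dup"] or m["tail"])]

def repair_line(line: str) -> list:
    """Split one mashed line back into its original lines; clean lines pass through."""
    m = MASHED_PIN.match(line)
    if not m or not (m["dup"] or m["tail"]):
        return [line]
    indent, lead = m["indent"], m["lead"] or ""
    fixed = f"{indent}{lead}{m['key']} # {m['ver']}"  # drops the spurious second @sha
    if not m["tail"]:
        return [fixed]
    # "- uses:" sits at the step's indent; a bare "uses:" under "- name:" sits 2 deeper.
    step_indent = indent if lead else indent[:-2]
    if m["tail"].startswith("- "):
        return [fixed, step_indent + m["tail"]]       # swallowed sibling step
    return [fixed, step_indent + "  " + m["tail"]]    # swallowed key: with:/env:/if:

def repair(text: str) -> str:
    out = []
    for line in text.splitlines():
        out.extend(repair_line(line))
    return "\n".join(out) + "\n"

# Constructed sample showing both corruption signs (SHAs are placeholders, not real commits).
CORRUPTED = """\
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567@0123456789abcdef0123456789abcdef01234567 # v4- name: Set up Go
        uses: actions/setup-go@89abcdef0123456789abcdef0123456789abcdef # v5with:
          go-version: '1.22'
"""
```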