ci(live): single-source the dikw-core pin in harness.mjs #151

Merged: helebest merged 1 commit into main from ci/single-source-core-pin on Jul 5, 2026

@helebest helebest commented Jul 5, 2026

Contributor

What

Moves the dikw-core verification pin to a single source, DEFAULT_CORE_VERSION in scripts/live-core/harness.mjs:

  • live-integration.yml no longer sets a DIKW_CORE_VERSION env; CI/nightly falls back to the harness default (the exact value CI ran with before — behavior-identical), with a comment explaining why the env is deliberately absent.
  • bump-dikw-core.yml now reads the current pin from and seds only the harness file.
  • docs/integration-verification.md stops hardcoding the pin value (one less doc line to drift per bump); PAT one-time-setup note drops the Workflows-permission requirement.
  • CHANGELOG 0.8.10 + version bump.

Why

Discovered while bumping to core 0.6.5 (#150): the auto-bump loop was doubly jammed because the pin lived in a workflow file:

  1. GitHub rejects a push editing .github/workflows/** from a PAT without the Workflows permission (2026-06-29 scheduled run failed exactly there);
  2. gate-integrity flags any workflow edit without a maintainer's gate-change label, so even a permission-fixed bump PR would arrive unmergeable.

With the pin out of workflow files, future auto-bump PRs touch only scripts/live-core/harness.mjs — no extra PAT permission, no gate label, gate-integrity green by construction. The gate itself keeps its zero-exception rule (option "auto-apply the label from the bot" was rejected: it dilutes the label's audit meaning and the label would keep authorizing later commits pushed onto the same PR).

gate-change label (this PR only, maintainer-authorized)

This one-time refactor itself edits the two workflow files, so it carries the gate-change label — applied per the maintainer's explicit go-ahead in session ("Let's go with option B"). Local rehearsal: npm run check:gate flags exactly gate-machinery-modified for the two workflow files (no other violation); with the override it proceeds and records for audit. Future bump PRs will NOT need this label.

Verification

  • YAML of both workflows parses clean.
  • Bump-logic simulation against this branch: current-detection extracts 0.6.5 from harness.mjs, version-compare correctly no-ops at latest, the sed pattern matches exactly once.
  • lint + format:check pass.
  • The live-integration label on this PR runs the full real-core verification with the changed workflow (env line deleted) — green there proves the harness fallback serves CI before this merges.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores

    • Updated the app version to 0.8.10.
    • Simplified live integration setup so the core version is now managed in one place, reducing workflow edits during bumps.
  • Documentation

    • Updated setup and verification docs to reflect the new version-pinning approach.
    • Clarified the steps for manual version updates and release bumping.

The auto-bump loop was doubly jammed by the pin living in
live-integration.yml: GitHub rejects a workflow-file push from a PAT
without the Workflows permission (2026-06-29 run), and gate-integrity
flags any .github/workflows/** edit without a maintainer's gate-change
label. Move the pin to a single source — DEFAULT_CORE_VERSION in
scripts/live-core/harness.mjs — by dropping the workflow env override
(the harness fallback now serves CI/nightly too) and teaching
bump-dikw-core.yml to read and sed only the harness file. Future bump
PRs touch no workflow file, so they need neither the extra PAT
permission nor a gate label. Docs no longer hardcode the pin value.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
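
The three bump-logic checks listed under Verification (current-pin detection, no-op at latest, pattern matches exactly once), as an added example that is not the project's workflow code. The pin line shape, the function names and the sample file are assumptions made for illustration; the candidate version is validated because it is spliced into a sed program.

```shell
#!/bin/sh
# Added example. Assumption: the pin is one line shaped like
#   const DEFAULT_CORE_VERSION = "0.6.5";
PIN='^const DEFAULT_CORE_VERSION = "[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*";$'

current_pin() {  # print the version pinned in file $1
  sed -n 's/^const DEFAULT_CORE_VERSION = "\([0-9.]*\)";$/\1/p' "$1"
}

version_gt() {  # true when x.y.z in $1 is strictly newer than $2
  [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" |
         sort -t. -k1,1n -k2,2n -k3,3n | tail -n 1)" = "$1" ]
}

bump_pin() {  # $1 = harness file, $2 = candidate version; prints the outcome
  file=$1
  new=$2
  # The candidate comes from outside the repo and is spliced into a sed
  # program, so accept digits and dots only, then require strict x.y.z.
  case $new in *[!0-9.]*) echo rejected; return 2 ;; esac
  printf '%s\n' "$new" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$' ||
    { echo rejected; return 2; }
  # Refuse to edit unless exactly one line is the pin.
  [ "$(grep -c "$PIN" "$file")" -eq 1 ] || { echo ambiguous; return 3; }
  cur=$(current_pin "$file")
  version_gt "$new" "$cur" || { echo noop; return 0; }
  tmp=$(mktemp) || return 1
  sed "s/^const DEFAULT_CORE_VERSION = \"[0-9.]*\";\$/const DEFAULT_CORE_VERSION = \"$new\";/" \
    "$file" >"$tmp" && cat "$tmp" >"$file" || { rm -f "$tmp"; return 1; }
  rm -f "$tmp"
  echo "bumped $cur -> $new"
}

# Constructed sample standing in for scripts/live-core/harness.mjs.
demo=$(mktemp)
printf '%s\n' '// constructed sample' 'const DEFAULT_CORE_VERSION = "0.6.5";' >"$demo"
bump_pin "$demo" 0.6.5
bump_pin "$demo" 0.6.6
bump_pin "$demo" '0.6.6";x' || true
rm -f "$demo"
```
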
@helebest added labels Jul 5, 2026: gate-change (Authorizes a deliberate, reviewed weakening of a verification gate) and live-integration (Trigger the live dikw-core integration workflow)
@helebest closed this Jul 5, 2026
@helebest reopened this Jul 5, 2026

coderabbitai Bot commented Jul 5, 2026


No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between e58d3fc and 24bf061.

📒 Files selected for processing (5)
  • .github/workflows/bump-dikw-core.yml
  • .github/workflows/live-integration.yml
  • CHANGELOG.md
  • docs/integration-verification.md
  • package.json

Walkthrough

This PR consolidates the dikw-core verification version pin into a single source, DEFAULT_CORE_VERSION in scripts/live-core/harness.mjs. The bump-dikw-core.yml workflow now reads and updates only that pin, live-integration.yml removes its explicit env override, documentation is revised accordingly, and the package version is bumped to 0.8.10.

Changes

Single-source version pin

| Layer / File(s) | Summary |
| --- | --- |
| Bump workflow reads/edits single pin: .github/workflows/bump-dikw-core.yml | Header comments, version-resolution step, and bump-PR step now source and update only the DEFAULT_CORE_VERSION pin in scripts/live-core/harness.mjs, removing edits to live-integration.yml. |
| Live-integration workflow drops explicit env pin: .github/workflows/live-integration.yml | Removes the DIKW_CORE_VERSION job env value, replacing it with comments noting the harness default is used instead. |
| Documentation and configuration knobs updated: docs/integration-verification.md | Describes the pin as single-sourced in the harness file, updates DIKW_BUMP_TOKEN scope requirements, manual bump instructions, and the configuration knobs table. |
| Changelog and version bump: CHANGELOG.md, package.json | Adds a 0.8.10 changelog entry describing the pin centralization and bumps the package version from 0.8.9 to 0.8.10. |

Estimated code review effort: 2 (Simple) | ~10 minutes

Suggested labels: javascript

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the main change: centralizing the dikw-core pin in harness.mjs. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
@helebest helebest merged commit ab87419 into main Jul 5, 2026
14 of 19 checks passed
@helebest helebest deleted the ci/single-source-core-pin branch July 5, 2026 07:06