ci(live): single-source the dikw-core pin in harness.mjs #151
The auto-bump loop was doubly jammed by the pin living in live-integration.yml: GitHub rejects a workflow-file push from a PAT without the Workflows permission (2026-06-29 run), and gate-integrity flags any .github/workflows/** edit without a maintainer's gate-change label. Move the pin to a single source — DEFAULT_CORE_VERSION in scripts/live-core/harness.mjs — by dropping the workflow env override (the harness fallback now serves CI/nightly too) and teaching bump-dikw-core.yml to read and sed only the harness file. Future bump PRs touch no workflow file, so they need neither the extra PAT permission nor a gate label. Docs no longer hardcode the pin value. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
No actionable comments were generated in the recent review.
Recent review info: Configuration used: defaults. Review profile: CHILL. Plan: Pro Plus. Files selected for processing (5)
Walkthrough: This PR consolidates the dikw-core verification version pin into a single source,
Changes: Single-source version pin
Estimated code review effort: 2 (Simple) | ~10 minutes
Pre-merge checks: 5 passed
What
Moves the dikw-core verification pin to a single source — DEFAULT_CORE_VERSION in scripts/live-core/harness.mjs:
- live-integration.yml no longer sets a DIKW_CORE_VERSION env; CI/nightly falls back to the harness default (the exact value CI ran with before — behavior-identical), with a comment explaining why the env is deliberately absent.
- bump-dikw-core.yml now reads the current pin from and seds only the harness file.
- docs/integration-verification.md stops hardcoding the pin value (one less doc line to drift per bump); PAT one-time-setup note drops the Workflows-permission requirement.

Why
Discovered while bumping to core 0.6.5 (#150): the auto-bump loop was doubly jammed because the pin lived in a workflow file —
- .github/workflows/** from a PAT without the Workflows permission (2026-06-29 scheduled run failed exactly there);
- gate-integrity flags any workflow edit without a maintainer's gate-change label, so even a permission-fixed bump PR would arrive unmergeable.

With the pin out of workflow files, future auto-bump PRs touch only scripts/live-core/harness.mjs — no extra PAT permission, no gate label, gate-integrity green by construction. The gate itself keeps its zero-exception rule (option "auto-apply the label from the bot" was rejected: it dilutes the label's audit meaning and the label would keep authorizing later commits pushed onto the same PR).

gate-change label (this PR only, maintainer-authorized)
This one-time refactor itself edits the two workflow files, so it carries the gate-change label — applied per the maintainer's explicit go-ahead in session ("Let's go with plan B"). Local rehearsal: npm run check:gate flags exactly gate-machinery-modified for the two workflow files (no other violation); with the override it proceeds and records for audit. Future bump PRs will NOT need this label.

Verification
- 0.6.5 from harness.mjs, version-compare correctly no-ops at latest, the sed pattern matches exactly once.
- lint + format:check pass.
- live-integration label on this PR runs the full real-core verification with the changed workflow (env line deleted) — green there proves the harness fallback serves CI before this merges.

🤖 Generated with Claude Code
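The bump step described under What and Verification (read the pin from the harness file only, no-op at latest, sed pattern matching exactly once), as an added example that is not the project's bump-dikw-core.yml. The pin-line format, the function names, the sample file and the idea that the candidate version is external input are assumptions.

```shell
#!/bin/sh
# Added example, not the project's workflow. Assumption: the pin is one line
# of the form  const DEFAULT_CORE_VERSION = 'x.y.z';
PIN_LINE="^const DEFAULT_CORE_VERSION = '([0-9]+\.[0-9]+\.[0-9]+)';\$"

# Print the pinned version; fail unless the pattern matches exactly once.
read_pin() {
  count=$(grep -cE "$PIN_LINE" "$1") || true
  if [ "$count" != 1 ]; then
    echo "pin pattern matched '$count' lines in $1, expected 1" >&2
    return 1
  fi
  sed -nE "s/$PIN_LINE/\1/p" "$1"
}

# True when $1 is strictly newer than $2 (both numeric x.y.z).
version_gt() {
  old_ifs=$IFS; IFS=.
  set -- $1 $2            # split both versions into six numeric fields
  IFS=$old_ifs
  if [ "$1" -ne "$4" ]; then [ "$1" -gt "$4" ]; return; fi
  if [ "$2" -ne "$5" ]; then [ "$2" -gt "$5" ]; return; fi
  [ "$3" -gt "$6" ]
}

# Rewrite the pin in FILE to LATEST; no-op when FILE is already at or past it.
bump_pin() {
  file=$1 latest=$2
  # LATEST is treated as external input (assumption): validate before sed sees it.
  echo "$latest" | grep -qE '^[0-9]+\.[0-9]+\.[0-9]+$' || return 1
  current=$(read_pin "$file") || return 1
  version_gt "$latest" "$current" || return 0
  sed -E "s/$PIN_LINE/const DEFAULT_CORE_VERSION = '$latest';/" "$file" >"$file.tmp" &&
    mv "$file.tmp" "$file"
}

# Write a constructed harness file (sample input, not the real harness.mjs).
make_sample() {
  cat >"$1" <<'EOF'
// constructed sample
const DEFAULT_CORE_VERSION = '0.6.5';
const version = process.env.DIKW_CORE_VERSION ?? DEFAULT_CORE_VERSION;
EOF
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir/harness.mjs"
bump_pin "$demo_dir/harness.mjs" 0.6.6 && read_pin "$demo_dir/harness.mjs"
rm -rf "$demo_dir"
```

Because the only file rewritten is the harness, a bump produced this way leaves .github/workflows/** untouched, which is the property the PR relies on for the PAT scope and the gate-integrity check.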