diff --git a/.github/workflows/bump-dikw-core.yml b/.github/workflows/bump-dikw-core.yml index 84be2c3..239ad7d 100644 --- a/.github/workflows/bump-dikw-core.yml +++ b/.github/workflows/bump-dikw-core.yml @@ -1,10 +1,13 @@ name: Bump dikw-core version # Watches dikw-core for a newer published release and, when found, opens a PR -# bumping the live-integration verification target (DIKW_CORE_VERSION) and labels -# it `live-integration` so the real-core verification runs on the PR. The pin +# bumping the live-integration verification target and labels it +# `live-integration` so the real-core verification runs on the PR. The pin # stays explicit + reviewed (reproducible nightly), but upgrades are surfaced -# automatically. See docs/integration-verification.md. +# automatically. The pin is single-sourced in scripts/live-core/harness.mjs +# (DEFAULT_CORE_VERSION) — deliberately NOT in a workflow file, so the bump +# commit trips neither GitHub's Workflows-permission push check nor the +# gate-integrity machinery rule. See docs/integration-verification.md. # # Requires a fine-grained PAT secret DIKW_BUMP_TOKEN (contents: read/write + # pull requests: read/write on this repo). The default GITHUB_TOKEN cannot be @@ -57,7 +60,7 @@ jobs: if ! printf '%s' "$latest" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$'; then echo "::error::unexpected dikw-core version '$latest'"; exit 1 fi - current="$(grep -oE 'DIKW_CORE_VERSION: "[0-9.]+"' .github/workflows/live-integration.yml | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -1)" + current="$(grep -oE 'process\.env\.DIKW_CORE_VERSION \|\| "[0-9.]+"' scripts/live-core/harness.mjs | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -1)" echo "pinned=$current latest=$latest" newer="$(printf '%s\n%s\n' "$current" "$latest" | sort -V | tail -1)" if [ "$latest" = "$current" ] || [ "$newer" != "$latest" ]; then @@ -85,8 +88,7 @@ jobs: git config user.name "github-actions[bot]" git config user.email "41898282+github-actions[bot]@users.noreply.github.com" git checkout -b "$branch" - # Bump the two functional pins (CI env + harness default). - sed -i "s/DIKW_CORE_VERSION: \"[0-9.]*\"/DIKW_CORE_VERSION: \"$LATEST\"/" .github/workflows/live-integration.yml + # Bump the single pin (harness default; CI/nightly reads the same value). sed -i "s#process.env.DIKW_CORE_VERSION || \"[0-9.]*\"#process.env.DIKW_CORE_VERSION || \"$LATEST\"#" scripts/live-core/harness.mjs git add -A git commit -m "chore(live): bump dikw-core verification target to $LATEST" diff --git a/.github/workflows/live-integration.yml b/.github/workflows/live-integration.yml index 109a970..6428ac5 100644 --- a/.github/workflows/live-integration.yml +++ b/.github/workflows/live-integration.yml @@ -30,7 +30,10 @@ jobs: timeout-minutes: 30 env: CI: "true" - DIKW_CORE_VERSION: "0.6.5" + # DIKW_CORE_VERSION is deliberately NOT set here. The pin is single-sourced in + # scripts/live-core/harness.mjs (DEFAULT_CORE_VERSION), which the harness falls + # back to when the env override is absent — so the auto-bump PR edits no + # workflow file (no gate-integrity label, no Workflows PAT permission needed). steps: - uses: actions/checkout@v7 diff --git a/CHANGELOG.md b/CHANGELOG.md index cd4835b..308e480 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,6 +9,23 @@ file format introduced in `[0.0.1.0]` was dropped. ## [Unreleased] +## [0.8.10] - 2026-07-05 + +### Changed + +- **dikw-core verification pin single-sourced in `scripts/live-core/harness.mjs`.** + `live-integration.yml` no longer sets a `DIKW_CORE_VERSION` env — CI/nightly falls + back to the harness's `DEFAULT_CORE_VERSION`, the same value local runs use — and + `bump-dikw-core.yml` now edits (and reads the current pin from) only the harness + file. This unjams the auto-bump loop discovered while bumping to core 0.6.5 (#150): + a bump commit that edited a workflow file was doubly blocked — GitHub rejects such + a push from a PAT without the Workflows permission, and the `gate-integrity` + required check flags any `.github/workflows/**` edit without a maintainer's + `gate-change` label. With the pin out of the workflow file, future auto-bump PRs + need neither. The `DIKW_CORE_VERSION` env override still works everywhere; + `docs/integration-verification.md` no longer hardcodes the pin value (one less + thing to drift per bump). + ## [0.8.9] - 2026-06-29 ### Added diff --git a/docs/integration-verification.md b/docs/integration-verification.md index 8b17df9..9821b9b 100644 --- a/docs/integration-verification.md +++ b/docs/integration-verification.md @@ -106,37 +106,36 @@ token and Postgres password per run, so those are not secrets. ## Tracking new dikw-core versions -The verification target is **pinned** (`DIKW_CORE_VERSION`, default `0.6.5`) — by -design: a fixed version keeps the nightly reproducible, so a red run means *your* -code regressed, not that core changed under you. The pin lives in two places: -`.github/workflows/live-integration.yml` (CI/nightly) and -`scripts/live-core/harness.mjs` (local default). +The verification target is **pinned** — by design: a fixed version keeps the +nightly reproducible, so a red run means *your* code regressed, not that core +changed under you. The pin is **single-sourced** in `scripts/live-core/harness.mjs` +(`DEFAULT_CORE_VERSION`); CI/nightly deliberately sets no `DIKW_CORE_VERSION` env, +so it reads the same default. Keeping the pin out of `.github/workflows/**` means +a bump PR touches no workflow file: GitHub accepts the push from a PAT without the +Workflows permission, and the `gate-integrity` check passes without a +`gate-change` label. `.github/workflows/bump-dikw-core.yml` keeps the pin current automatically: weekly (and on `workflow_dispatch`) it resolves dikw-core's latest GitHub release (`vX.Y.Z` → image tag `X.Y.Z`), and if it's newer than the pin, opens a -`chore/bump-dikw-core-` PR editing both pin sites and labels it +`chore/bump-dikw-core-` PR editing the harness pin and labels it `live-integration` so the full real-core verification runs on the PR. Upgrades are thus explicit and reviewed (green/red signal per PR), not silent. > **One-time setup:** the bump workflow needs a repo secret `DIKW_BUMP_TOKEN` — a -> fine-grained PAT with **contents: read/write** + **pull requests: read/write** + -> **workflows: read/write** on this repo (the bump commit edits -> `.github/workflows/live-integration.yml`, and GitHub rejects a push touching -> workflow files from a token without the workflows permission — observed in the -> 2026-06-29 scheduled run). The default `GITHUB_TOKEN` can't be used: a PR it -> opens does not trigger the required CI checks or the `labeled` event, so the -> bump PR would be unmergeable. Without the secret the workflow no-ops with a -> warning. Note the bump PR also edits a workflow file, so the `gate-integrity` -> check requires a maintainer to add the `gate-change` label before it can merge. - -To bump manually instead, edit `DIKW_CORE_VERSION` in those two files (or run any -`live:*` command with `DIKW_CORE_VERSION=` in the environment). +> fine-grained PAT with **contents: read/write** + **pull requests: read/write** +> on this repo. The default `GITHUB_TOKEN` can't be used: a PR it opens does not +> trigger the required CI checks or the `labeled` event, so the bump PR would be +> unmergeable. Without the secret the workflow no-ops with a warning. + +To bump manually instead, edit `DEFAULT_CORE_VERSION` in +`scripts/live-core/harness.mjs` (or run any `live:*` command with +`DIKW_CORE_VERSION=` in the environment). ## Configuration knobs | Env | Default | Purpose | | --- | --- | --- | -| `DIKW_CORE_VERSION` | `0.6.5` | GHCR image tag to verify against. | +| `DIKW_CORE_VERSION` | `DEFAULT_CORE_VERSION` in `scripts/live-core/harness.mjs` | GHCR image tag to verify against (override for a one-off run against a different core). | | `DIKW_CORE_LLM_MODEL` | `MiniMax-M3` | MiniMax model name in the core `dikw.yml` LLM leg. | | `DIKW_LIVE_PROJECT` | `dikw-web-live` | Compose project name; override to run parallel stacks. | diff --git a/package.json b/package.json index 1fa3449..e316662 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "dikw-web", - "version": "0.8.9", + "version": "0.8.10", "private": true, "type": "module", "engines": {