Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 8 additions & 6 deletions .github/workflows/bump-dikw-core.yml
Original file line number Diff line number Diff line change
@@ -1,10 +1,13 @@
name: Bump dikw-core version

# Watches dikw-core for a newer published release and, when found, opens a PR
# bumping the live-integration verification target (DIKW_CORE_VERSION) and labels
# it `live-integration` so the real-core verification runs on the PR. The pin
# bumping the live-integration verification target and labels it
# `live-integration` so the real-core verification runs on the PR. The pin
# stays explicit + reviewed (reproducible nightly), but upgrades are surfaced
# automatically. See docs/integration-verification.md.
# automatically. The pin is single-sourced in scripts/live-core/harness.mjs
# (DEFAULT_CORE_VERSION) — deliberately NOT in a workflow file, so the bump
# commit trips neither GitHub's Workflows-permission push check nor the
# gate-integrity machinery rule. See docs/integration-verification.md.
#
# Requires a fine-grained PAT secret DIKW_BUMP_TOKEN (contents: read/write +
# pull requests: read/write on this repo). The default GITHUB_TOKEN cannot be
Expand Down Expand Up @@ -57,7 +60,7 @@ jobs:
if ! printf '%s' "$latest" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$'; then
echo "::error::unexpected dikw-core version '$latest'"; exit 1
fi
current="$(grep -oE 'DIKW_CORE_VERSION: "[0-9.]+"' .github/workflows/live-integration.yml | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -1)"
current="$(grep -oE 'process\.env\.DIKW_CORE_VERSION \|\| "[0-9.]+"' scripts/live-core/harness.mjs | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -1)"
echo "pinned=$current latest=$latest"
newer="$(printf '%s\n%s\n' "$current" "$latest" | sort -V | tail -1)"
if [ "$latest" = "$current" ] || [ "$newer" != "$latest" ]; then
Expand Down Expand Up @@ -85,8 +88,7 @@ jobs:
git config user.name "github-actions[bot]"
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
git checkout -b "$branch"
# Bump the two functional pins (CI env + harness default).
sed -i "s/DIKW_CORE_VERSION: \"[0-9.]*\"/DIKW_CORE_VERSION: \"$LATEST\"/" .github/workflows/live-integration.yml
# Bump the single pin (harness default; CI/nightly reads the same value).
sed -i "s#process.env.DIKW_CORE_VERSION || \"[0-9.]*\"#process.env.DIKW_CORE_VERSION || \"$LATEST\"#" scripts/live-core/harness.mjs
git add -A
git commit -m "chore(live): bump dikw-core verification target to $LATEST"
Expand Down
5 changes: 4 additions & 1 deletion .github/workflows/live-integration.yml
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,10 @@ jobs:
timeout-minutes: 30
env:
CI: "true"
DIKW_CORE_VERSION: "0.6.5"
# DIKW_CORE_VERSION is deliberately NOT set here. The pin is single-sourced in
# scripts/live-core/harness.mjs (DEFAULT_CORE_VERSION), which the harness falls
# back to when the env override is absent — so the auto-bump PR edits no
# workflow file (no gate-integrity label, no Workflows PAT permission needed).
steps:
- uses: actions/checkout@v7

Expand Down
17 changes: 17 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,23 @@ file format introduced in `[0.0.1.0]` was dropped.

## [Unreleased]

## [0.8.10] - 2026-07-05

### Changed

- **dikw-core verification pin single-sourced in `scripts/live-core/harness.mjs`.**
`live-integration.yml` no longer sets a `DIKW_CORE_VERSION` env — CI/nightly falls
back to the harness's `DEFAULT_CORE_VERSION`, the same value local runs use — and
`bump-dikw-core.yml` now edits (and reads the current pin from) only the harness
file. This unjams the auto-bump loop discovered while bumping to core 0.6.5 (#150):
a bump commit that edited a workflow file was doubly blocked — GitHub rejects such
a push from a PAT without the Workflows permission, and the `gate-integrity`
required check flags any `.github/workflows/**` edit without a maintainer's
`gate-change` label. With the pin out of the workflow file, future auto-bump PRs
need neither. The `DIKW_CORE_VERSION` env override still works everywhere;
`docs/integration-verification.md` no longer hardcodes the pin value (one less
thing to drift per bump).

## [0.8.9] - 2026-06-29

### Added
Expand Down
37 changes: 18 additions & 19 deletions docs/integration-verification.md
Original file line number Diff line number Diff line change
Expand Up @@ -106,37 +106,36 @@ token and Postgres password per run, so those are not secrets.

## Tracking new dikw-core versions

The verification target is **pinned** (`DIKW_CORE_VERSION`, default `0.6.5`) — by
design: a fixed version keeps the nightly reproducible, so a red run means *your*
code regressed, not that core changed under you. The pin lives in two places:
`.github/workflows/live-integration.yml` (CI/nightly) and
`scripts/live-core/harness.mjs` (local default).
The verification target is **pinned** — by design: a fixed version keeps the
nightly reproducible, so a red run means *your* code regressed, not that core
changed under you. The pin is **single-sourced** in `scripts/live-core/harness.mjs`
(`DEFAULT_CORE_VERSION`); CI/nightly deliberately sets no `DIKW_CORE_VERSION` env,
so it reads the same default. Keeping the pin out of `.github/workflows/**` means
a bump PR touches no workflow file: GitHub accepts the push from a PAT without the
Workflows permission, and the `gate-integrity` check passes without a
`gate-change` label.

`.github/workflows/bump-dikw-core.yml` keeps the pin current automatically:
weekly (and on `workflow_dispatch`) it resolves dikw-core's latest GitHub release
(`vX.Y.Z` → image tag `X.Y.Z`), and if it's newer than the pin, opens a
`chore/bump-dikw-core-<version>` PR editing both pin sites and labels it
`chore/bump-dikw-core-<version>` PR editing the harness pin and labels it
`live-integration` so the full real-core verification runs on the PR. Upgrades
are thus explicit and reviewed (green/red signal per PR), not silent.

> **One-time setup:** the bump workflow needs a repo secret `DIKW_BUMP_TOKEN` — a
> fine-grained PAT with **contents: read/write** + **pull requests: read/write** +
> **workflows: read/write** on this repo (the bump commit edits
> `.github/workflows/live-integration.yml`, and GitHub rejects a push touching
> workflow files from a token without the workflows permission — observed in the
> 2026-06-29 scheduled run). The default `GITHUB_TOKEN` can't be used: a PR it
> opens does not trigger the required CI checks or the `labeled` event, so the
> bump PR would be unmergeable. Without the secret the workflow no-ops with a
> warning. Note the bump PR also edits a workflow file, so the `gate-integrity`
> check requires a maintainer to add the `gate-change` label before it can merge.

To bump manually instead, edit `DIKW_CORE_VERSION` in those two files (or run any
`live:*` command with `DIKW_CORE_VERSION=<x.y.z>` in the environment).
> fine-grained PAT with **contents: read/write** + **pull requests: read/write**
> on this repo. The default `GITHUB_TOKEN` can't be used: a PR it opens does not
> trigger the required CI checks or the `labeled` event, so the bump PR would be
> unmergeable. Without the secret the workflow no-ops with a warning.

To bump manually instead, edit `DEFAULT_CORE_VERSION` in
`scripts/live-core/harness.mjs` (or run any `live:*` command with
`DIKW_CORE_VERSION=<x.y.z>` in the environment).

## Configuration knobs

| Env | Default | Purpose |
| --- | --- | --- |
| `DIKW_CORE_VERSION` | `0.6.5` | GHCR image tag to verify against. |
| `DIKW_CORE_VERSION` | `DEFAULT_CORE_VERSION` in `scripts/live-core/harness.mjs` | GHCR image tag to verify against (override for a one-off run against a different core). |
| `DIKW_CORE_LLM_MODEL` | `MiniMax-M3` | MiniMax model name in the core `dikw.yml` LLM leg. |
| `DIKW_LIVE_PROJECT` | `dikw-web-live` | Compose project name; override to run parallel stacks. |
2 changes: 1 addition & 1 deletion package.json
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"name": "dikw-web",
"version": "0.8.9",
"version": "0.8.10",
"private": true,
"type": "module",
"engines": {
Expand Down
Loading