From 212597d3e3a958aea7befded81d4e97c910956c6 Mon Sep 17 00:00:00 2001
From: Justin
Date: Sat, 9 May 2026 16:56:19 -0500
Subject: [PATCH] ci: bump ops-routines-workflows shims to v0.6.1 + enable PR comments on age-check failures
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When dependabot bumps a recently-released action / Go module / docker base image / npm or pip package, our age-check correctly blocks merge until the pin clears the quarantine. Today, "how many more days until this can merge?" is buried two clicks deep in the run log. v0.6.1 makes the answer land as a sticky comment on the PR itself — one row per too-new pin (id, age, eligible date, days remaining). For each age-check shim: bumps pin to v0.6.1, sets `comment_on_failure: true`, and grants `pull-requests: write` at the calling job (Dependabot token defaults to read-only; without the grant the post-step soft-fails to a `::notice` and the comment is suppressed). For non-age-check shims (issue-priority, validate-issue-templates, dispatch-deploy): pin bump only. v0.6.1 dist for those reusables is byte-identical to earlier versions; the bump is purely version-alignment so this repo full ops-routines-workflows surface sits on a single tag.
---
 .github/workflows/dependency-age-check-actions.yml | 14 +++++++++++++-
 .github/workflows/dependency-age-check-pip.yml | 14 +++++++++++++-
 .github/workflows/issue-priority.yml | 2 +-
 .github/workflows/validate-issue-templates.yml | 2 +-
 4 files changed, 28 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/dependency-age-check-actions.yml b/.github/workflows/dependency-age-check-actions.yml
index a682ce7..d26a02a 100644
--- a/.github/workflows/dependency-age-check-actions.yml
+++ b/.github/workflows/dependency-age-check-actions.yml
@@ -35,8 +35,20 @@ jobs:
 # only if/name/needs/permissions/secrets/strategy/uses/with/concurrency
 # are valid on a job that calls a reusable workflow. The reusable
 # workflow itself sets `timeout-minutes: 5` internally.
- uses: layervai/ops-routines-workflows/.github/workflows/age-check-actions.yml@39fcb54fc36ea7b6032e138bd8b57647f2bb32f0 # v0.4.0
+ uses: layervai/ops-routines-workflows/.github/workflows/age-check-actions.yml@4edea7408d64f424780e08f68a54000308817a08 # v0.6.1
 with:
 min_age_days: 7
+ # Post a sticky PR comment when an age-check fails, listing each
+ # pin with its eligible-after date and days remaining. The PR
+ # author / reviewer sees the retry-after date inline on the PR
+ # instead of having to click into the run log to find it. Sticky
+ # comment is updated in place on re-runs and deleted on a clean
+ # pass; soft-fails to a `::notice` if the token can't write.
+ comment_on_failure: true
 permissions:
 contents: read
+ # Required for `comment_on_failure: true` to actually post.
+ # Dependabot PRs default to read-only and need this grant
+ # explicitly. Without it, the workflow still fails the age check
+ # correctly — only the inline comment is suppressed.
+ pull-requests: write
diff --git a/.github/workflows/dependency-age-check-pip.yml b/.github/workflows/dependency-age-check-pip.yml
index 7975d16..47fe9cb 100644
--- a/.github/workflows/dependency-age-check-pip.yml
+++ b/.github/workflows/dependency-age-check-pip.yml
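Review bot: The `pull-requests: write` grant added at the end of the dependency-age-check-actions.yml hunk hands a write-scoped token to the external reusable workflow named on the `uses:` line, but the workflow's `on:` trigger lies outside the hunk, so the diff alone does not show which event this job runs under. The added comment explains why the grant is needed; it should also state the condition that keeps it safe, for example `# Safe only under the pull_request trigger; re-review this grant before moving to pull_request_target.` Under `pull_request_target` the same grant would let PR-derived pin data reach a job holding a write token in the base repository's context. The job definition starts above the hunk, and the same applies to the matching hunk in dependency-age-check-pip.yml.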
@@ -34,8 +34,20 @@ jobs:
 # only if/name/needs/permissions/secrets/strategy/uses/with/concurrency
 # are valid on a job that calls a reusable workflow. The reusable
 # workflow itself sets `timeout-minutes: 5` internally.
- uses: layervai/ops-routines-workflows/.github/workflows/age-check-pip.yml@39fcb54fc36ea7b6032e138bd8b57647f2bb32f0 # v0.4.0
+ uses: layervai/ops-routines-workflows/.github/workflows/age-check-pip.yml@4edea7408d64f424780e08f68a54000308817a08 # v0.6.1
 with:
 min_age_days: 7
+ # Post a sticky PR comment when an age-check fails, listing each
+ # pin with its eligible-after date and days remaining. The PR
+ # author / reviewer sees the retry-after date inline on the PR
+ # instead of having to click into the run log to find it. Sticky
+ # comment is updated in place on re-runs and deleted on a clean
+ # pass; soft-fails to a `::notice` if the token can't write.
+ comment_on_failure: true
 permissions:
 contents: read
+ # Required for `comment_on_failure: true` to actually post.
+ # Dependabot PRs default to read-only and need this grant
+ # explicitly. Without it, the workflow still fails the age check
+ # correctly — only the inline comment is suppressed.
+ pull-requests: write
diff --git a/.github/workflows/issue-priority.yml b/.github/workflows/issue-priority.yml
index e24357a..7fe57b4 100644
--- a/.github/workflows/issue-priority.yml
+++ b/.github/workflows/issue-priority.yml
@@ -48,6 +48,6 @@ jobs:
 # reusable's own `sender.type != 'Bot'` check short-circuits them
 # before setFailed — net effect is a near-instant no-op run.
 if: ${{ github.actor != 'github-actions[bot]' }}
- uses: layervai/ops-routines-workflows/.github/workflows/issue-priority.yml@39fcb54fc36ea7b6032e138bd8b57647f2bb32f0 # v0.4.0
+ uses: layervai/ops-routines-workflows/.github/workflows/issue-priority.yml@4edea7408d64f424780e08f68a54000308817a08 # v0.6.1
 permissions:
 issues: write
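Review bot: Nothing visible in the dependency-age-check-pip.yml hunk ties the new pin `4edea7408d64f424780e08f68a54000308817a08` to the `# v0.6.1` label on its `uses:` line, and that label is a free comment which Actions never checks. Because this job now runs that commit with `pull-requests: write`, the SHA should be confirmed as the commit the upstream v0.6.1 tag points at, and the check recorded in the commit description, for example `Pin verified against the upstream v0.6.1 tag.` The same SHA and label appear on the `uses:` lines of the other three workflow files in this patch.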
diff --git a/.github/workflows/validate-issue-templates.yml b/.github/workflows/validate-issue-templates.yml
index eb54728..b0031f5 100644
--- a/.github/workflows/validate-issue-templates.yml
+++ b/.github/workflows/validate-issue-templates.yml
@@ -35,4 +35,4 @@ permissions:
 jobs:
 validate-templates:
- uses: layervai/ops-routines-workflows/.github/workflows/validate-issue-templates.yml@39fcb54fc36ea7b6032e138bd8b57647f2bb32f0 # v0.4.0
+ uses: layervai/ops-routines-workflows/.github/workflows/validate-issue-templates.yml@4edea7408d64f424780e08f68a54000308817a08 # v0.6.1