ci(workflows): add tailor baste step to builder workflow #49
Merged
flexiondotorg merged 6 commits into main on Mar 12, 2026
- Add `pull-requests: write` permission to test job for baste step
- Build tailor binary before running baste
- Run `tailor baste` with GitHub token to preview changes
- Improve job naming consistency (rename Code Linter to Lint Code, Workflow Linter to Lint Action)

Signed-off-by: Martin Wimpress <code@wimpress.io>
No issues found across 1 file
Confidence score: 5/5
- Automated review surfaced no issues in the provided summaries.
- No files require special attention.
Requires human review: Modifications to CI/CD workflows and GitHub Action permissions are considered high-impact and require human review.
In GitHub Actions, the GITHUB_TOKEN (installation token) cannot call user-scoped endpoints like GET /user. Implement adaptive resolution: check GITHUB_ACTIONS=true and use GITHUB_REPOSITORY_OWNER directly, falling back to the API call for local and non-Actions environments.

- Add CI detection in FetchUsername() with Actions env var fallback
- Add three test cases: with Actions owner, without Actions owner, and non-Actions
- Update SPECIFICATION.md behaviour for .github/FUNDING.yml and docket command
- Document the pattern in AGENTS.md for future maintainers

Signed-off-by: Martin Wimpress <code@wimpress.io>
- Clear GITHUB_ACTIONS in alter and docket test setup to prevent the shortcut path in FetchUsername from interfering with mock tests
- Isolate GITHUB_REPOSITORY_OWNER in FetchUsernameGitHubActionsNoOwner with explicit t.Setenv call for clarity
- Fixes flaky test behaviour when tests run in GitHub Actions

Signed-off-by: Martin Wimpress <code@wimpress.io>
…ions

Add graceful degradation when tailor runs in GitHub Actions with GITHUB_TOKEN. The installation token returns zero values for certain repository settings (merge strategies, branch settings), causing false-positive diffs. When GITHUB_ACTIONS=true is detected, nil out these fields and emit a synthetic insufficient-scope warning instead of producing WouldSet results in dry-run.

- Detect GitHub Actions environment via GITHUB_ACTIONS env var
- Identify unreliable fields: allow_auto_merge, allow_rebase_merge, allow_squash_merge, allow_update_branch, delete_branch_on_merge, squash_merge_commit_title, squash_merge_commit_message
- Skip these fields in alter without error; report as insufficient scope in baste
- Update builder.yml to use TAILOR_TOKEN secret for baste step
- Document PAT requirements in README: classic (repo scope) or fine-grained (Administration permission) needed for actions/permissions/workflow endpoint
- Update SPECIFICATION.md with graceful degradation behaviour

Fixes two repository settings (default_workflow_permissions, can_approve_pull_request_reviews) that cannot be managed via GITHUB_TOKEN due to platform constraints. Users must provide a PAT as GH_TOKEN to manage these fields from CI.

Signed-off-by: Martin Wimpress <code@wimpress.io>
2 issues found across 6 files (changes from recent commits).
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name=".github/workflows/builder.yml">
<violation number="1" location=".github/workflows/builder.yml:103">
P2: Using a custom secret for `GH_TOKEN` in a `pull_request` workflow can break fork PR CI runs because that secret is unavailable there. Use `secrets.GITHUB_TOKEN` (or gate this step) so `baste` has a token consistently.</violation>
</file>
<file name="internal/gh/settings.go">
<violation number="1" location="internal/gh/settings.go:103">
P2: `GITHUB_ACTIONS=true` is not a reliable proxy for installation-token behavior. This will incorrectly suppress merge/branch setting diffs when CI is using a PAT.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
- Add token.go with IsInstallationToken() that probes GET /user to distinguish installation tokens (403) from PATs (200)
- Cache token type detection per process via sync.Once to avoid repeated probes
- Update FetchUsername to always try GET /user first, falling back to GITHUB_REPOSITORY_OWNER only on 403 (installation token)
- Replace GITHUB_ACTIONS environment check in ReadRepoSettings with IsInstallationToken() for accurate field nilification
- Add ResetTokenProbe() for test isolation to prevent cross-test pollution
- Update all tests to reset token probe state before assertions

Signed-off-by: Martin Wimpress <code@wimpress.io>
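The token-type probe described in the commit message above, sketched as an added Go example; it is not tailor's own code. `newTokenProbe`, `classify`, the fake API server and the token string are constructed for illustration, `sync.OnceValues` (Go 1.21+) stands in for the `sync.Once` caching the commit mentions, and treating any status other than 200 or 403 as an error is this example's assumption.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
	"sync/atomic"
)

// newTokenProbe returns a func that probes GET /user once and caches the answer:
// 403 means installation token, 200 a PAT, anything else is an error, not a guess.
func newTokenProbe(apiBase, token string) func() (bool, error) {
	return sync.OnceValues(func() (bool, error) {
		req, err := http.NewRequest(http.MethodGet, apiBase+"/user", nil)
		if err != nil {
			return false, err
		}
		req.Header.Set("Authorization", "Bearer "+token)
		resp, err := http.DefaultClient.Do(req)
		if err != nil {
			return false, err
		}
		resp.Body.Close()
		if c := resp.StatusCode; c != http.StatusOK && c != http.StatusForbidden {
			return false, fmt.Errorf("GET /user: unexpected status %d", c)
		}
		return resp.StatusCode == http.StatusForbidden, nil
	})
}

// classify probes twice against a constructed fake API that always answers with status.
func classify(status int) (inst bool, hits int32, err error) {
	var n atomic.Int32
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		n.Add(1) // count requests that actually reach the API
		w.WriteHeader(status)
	}))
	defer srv.Close()
	isInst := newTokenProbe(srv.URL, "constructed-token") // fresh probe per call, for isolation
	isInst()                                              // first call sends the request
	inst, err = isInst()                                  // second call is served from the cache
	return inst, n.Load(), err
}

func main() { fmt.Println(classify(http.StatusForbidden)) }
```

Because the decision comes from the token's own response rather than from `GITHUB_ACTIONS`, a PAT used inside CI is classified as a PAT, which is the case the review comment on `internal/gh/settings.go` raised.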
Allow workflows to use a GitHub-scoped Personal Access Token (TAILOR_TOKEN) when available for full repository settings management, falling back to GITHUB_TOKEN (with graceful skips for admin-scoped fields) in scenarios without a dedicated PAT.

- builder.yml: Add fallback token selection to baste step
- tailor.yml: Use conditional token selection in alter step

This enables workflows to succeed in both personal repositories and forks without configuration changes or unexpected failures.

Signed-off-by: Martin Wimpress <code@wimpress.io>