Skip to content

fix(ci): provision upstream policy parser#2

Merged
Eli Pinkerton (wallstop) merged 1 commit into
mainfrom
dev/wallstop/upstream-sync-acceptance
Jul 13, 2026
Merged

fix(ci): provision upstream policy parser#2
Eli Pinkerton (wallstop) merged 1 commit into
mainfrom
dev/wallstop/upstream-sync-acceptance

Conversation

@wallstop

@wallstop Eli Pinkerton (wallstop) commented Jul 13, 2026

Copy link
Copy Markdown

Summary

  • provision the verifier's exact YAML parser in isolated temporary directories for both discover and validate
  • disable dependency scripts and keep checkout credentials unavailable during parser installation
  • authenticate Git only immediately before the trusted sync-branch push

Root cause

The first post-merge acceptance dispatch ran the trusted verifier from a clean checkout without its yaml dependency. The repository also had Issues disabled; Issues are now enabled so fail-closed remediation can be recorded.

Verification

  • actionlint
  • RC001-RC014 verifier
  • git diff --check
  • isolated install/copy/run acceptance sequence
  • adversarial review: zero issues

Note

Low Risk
Workflow-only hardening for verifier dependencies and Git credential timing; no application runtime or auth logic changes.

Overview
Upstream sync now runs the RC001–RC014 lifecycle verifier from a dedicated /tmp/upstream-verifier install that pins yaml@2.8.4 with npm install --ignore-scripts, instead of invoking node scripts/verify-resource-cleanup-contract.mjs directly on a checkout that may lack that dependency.

On discover, a new verify_contract helper wipes that temp dir, installs the parser, copies the verifier script, and runs it when fork main already matches upstream. Discover checkout sets persist-credentials: false, and gh auth setup-git runs only immediately before git push to the sync branch.

On validate, a new step installs the same isolated parser and copies the verifier from _policy (trusted main), then checks _candidate via node /tmp/upstream-verifier/verify.mjs so policy script and YAML parser are not taken from the untrusted candidate tree.

Reviewed by Cursor Bugbot for commit c5161b1. Bugbot is set up for automated code reviews on this repo. Configure here.

@wallstop

Copy link
Copy Markdown
Author

Cursor (@cursor) review exact commit c5161b1. Please report every issue, including minor findings, or explicitly state zero issues.

@wallstop

Copy link
Copy Markdown
Author

copilot-pull-request-reviewer review exact commit c5161b1. Please report every issue, including minor findings, or explicitly state zero issues.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens the upstream-sync GitHub Actions workflow by provisioning a pinned YAML parser (yaml@2.8.4) into an isolated temp directory for lifecycle-contract verification, and by tightening when Git credentials are made available during the sync process.

Changes:

  • Switch discover checkout to persist-credentials: false and add an isolated /tmp/upstream-verifier install+copy+run flow for contract verification.
  • In validate, run the verifier script + pinned parser from /tmp/upstream-verifier, sourcing the verifier from trusted main (_policy) instead of the untrusted candidate tree.
  • Authenticate Git only immediately before pushing (via gh auth setup-git).

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment on lines +245 to +249
- name: Install trusted verifier parser
run: |
mkdir -p /tmp/upstream-verifier
npm install --prefix /tmp/upstream-verifier --ignore-scripts --no-save --package-lock=false --no-audit --no-fund yaml@2.8.4
cp _policy/scripts/verify-resource-cleanup-contract.mjs /tmp/upstream-verifier/verify.mjs
Comment on lines 214 to 216
git commit -m "chore: record upstream ${upstream_sha:0:12}"
gh auth setup-git
git push --force-with-lease origin "$SYNC_BRANCH"

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

Reviewed by Cursor Bugbot for commit c5161b1. Configure here.

@wallstop Eli Pinkerton (wallstop) merged commit 222fe0a into main Jul 13, 2026
7 checks passed
@wallstop Eli Pinkerton (wallstop) deleted the dev/wallstop/upstream-sync-acceptance branch July 13, 2026 00:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants