[TEST — DO NOT MERGE] Demo for #932 secret-coherence pipeline #935
Closed
jottakka wants to merge 1 commit into feat/toolkit-docs-secret-coherence from
jottakka added a commit that referenced this pull request Apr 18, 2026

… runs

Two workflow additions driven by PR #936 feedback:

1. Job-level `FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"` opts all JavaScript actions into Node 24 ahead of the 2026-06-02 deprecation. actions/checkout@v4, actions/setup-node@v4, peter-evans/create-pull-request@v7, and pnpm/action-setup@v4 all trigger the "Node.js 20 actions are deprecated" annotation today; the opt-in silences it and matches the runtime we'll be forced onto anyway.
2. New `workflow_dispatch` input `providers`. When set to a comma-separated provider list (e.g. "Github"), the run uses `--providers "$providers"` AND drops `--skip-unchanged` so the secret-coherence scan actually re-evaluates those toolkits — even when the Engine API reports no version change. Scheduled and porter_deploy_succeeded runs keep the previous `--all --skip-unchanged` behavior.

This is what lets the #935 demo PR actually exercise the pipeline end-to-end: trigger the workflow with `providers=Github` and the phantom secret gets surfaced + cleaned.

Tests added: workflow assertions for the new env var and the providers input fallback structure.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
5638ef3 to ac00598
jottakka added a commit that referenced this pull request Apr 18, 2026

The stale-secret scanner, coverage-gap detector, and summary-generation failures all push warnings onto `result.warnings`. Per-provider mode already echoes those to stdout (line 848 of cli/index.ts). The --all and regenerate-all paths did not — they only appended to the run log file on disk, which GitHub Actions runs don't expose.

Result: on the #935 demo, the workflow ran, the phantom secret was removed from the tool's .secrets array, but no cleanup was applied to the stale doc chunk that still referenced it AND there was no signal in the CI log explaining why. The warnings that would have explained "stale secret detected but edit failed" or "stale secret detected but no editor configured" were present in memory but discarded.

This commit prints every non-empty `mergeResult.warnings` to stdout right after `mergeAllToolkits()` returns, in both the `generate --all` and `regenerate --all` paths. Format matches existing spinner output:

    ⚠ Github: 2 warning(s)
      - Stale secret reference in toolkit_chunk #4: GITHUB_CLASSIC_...
      - Secret cleanup edit failed for Github (documentation_chunk): ...

551 tests pass, type-check clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…erence

Seeds a phantom secret (GITHUB_CLASSIC_PERSONAL_ACCESS_TOKEN) into Github.AssignPullRequestUser's secrets and secretsInfo so that a fresh workflow run against the live Engine API identifies the secret as "removed" when it compares the committed toolkit against the generator output.

The existing documentation chunk in github.json still references this same secret name (real-world residue from when the notification tools were dropped in #922), so the secret-coherence step from #932 should:

1. Detect `GITHUB_CLASSIC_PERSONAL_ACCESS_TOKEN` as removed on the `Github.AssignPullRequestUser` tool.
2. Scan chunks and find the matching text in the `custom_section` chunk.
3. Call the Claude Sonnet 4.6 editor to minimally edit that chunk — deleting the table row and note lines that reference the removed secret while preserving the rest of the setup documentation.

To test: trigger `Generate toolkit docs` workflow via workflow_dispatch on this branch. Confirm the resulting AUTO PR's diff on github.json:

- Removes the phantom secret from the tool's .secrets / .secretsInfo.
- Rewrites the Secrets Setup chunk to drop the stale rows.
- Leaves unrelated chunk content intact (no re-summarization).

Do not merge this commit. The phantom secret must not land on main.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
ad7b8c8 to c58424f
Base branch is #932, not `main`. Close this PR after testing; the phantom secret must not land on main.

What changed compared to the first test run

The first trigger on this branch (#936) produced no cleanup because `--skip-unchanged` short-circuits before `enforceSecretCoherence` runs when the Engine API's summary endpoint reports no version change for `github`. The phantom secret diff was never evaluated.

#932 now has a `workflow_dispatch.inputs.providers` input that bypasses `--skip-unchanged` and `--all` for manual runs. This branch is rebased on that change.

How to run it (updated)

- `ANTHROPIC_API_KEY` is set as a repo secret. Without it the scanner runs but the LLM edit is skipped.
- `test/secret-coherence-demo`.
- `providers` input, enter: `Github`.

The run now uses `--providers Github` without `--skip-unchanged`, so the generator processes `Github` end-to-end — the scanner diffs the committed JSON (with the phantom) against fresh Engine API data (without it), identifies `GITHUB_CLASSIC_PERSONAL_ACCESS_TOKEN` as removed, scans chunks, and (if the Anthropic key is present) drives Sonnet 4.6 to minimally edit the stale references out.

What you should see in the AUTO PR

In the resulting `[AUTO]` PR's diff on `toolkit-docs-generator/data/toolkits/github.json`:

- `Github.AssignPullRequestUser.secrets` / `.secretsInfo` (that happens automatically because Engine API doesn't return it).
- `custom_section` chunk (the Secrets Setup section) drops the row / note lines that reference `GITHUB_CLASSIC_PERSONAL_ACCESS_TOKEN`, leaving the `GITHUB_SERVER_URL` row intact.
- `Stale secret reference in toolkit_chunk #N: GITHUB_CLASSIC_PERSONAL_ACCESS_TOKEN`.

When done

Close this PR without merging. Delete the branch.

Refs #932
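
The check this PR exercises (diff the committed secrets against fresh generator output, scan chunks for the removed names, surface the warnings in the CI log) can be sketched as below. This is an added example, not code from the project: the types, function names and sample toolkit are hypothetical, and the 0-based chunk index and the `_V2` near-miss name are constructed for illustration.

```typescript
// Added example. Types and names are hypothetical, not the project's schema.
interface ToolEntry { name: string; secrets: string[] }
interface DocChunk { type: string; content: string }
interface ToolkitDoc { tools: ToolEntry[]; chunks: DocChunk[] }

// Secrets a committed tool declares that no tool in the fresh output declares.
function removedSecrets(committed: ToolkitDoc, fresh: ToolkitDoc): string[] {
  const live: string[] = [];
  for (const t of fresh.tools) for (const s of t.secrets) live.push(s);
  const removed: string[] = [];
  for (const t of committed.tools)
    for (const s of t.secrets)
      if (live.indexOf(s) < 0 && removed.indexOf(s) < 0) removed.push(s);
  return removed;
}

// Match the name as a whole identifier so FOO does not flag FOO_V2.
function mentions(text: string, secret: string): boolean {
  const esc = secret.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp("(^|[^A-Za-z0-9_])" + esc + "([^A-Za-z0-9_]|$)").test(text);
}

// One warning per (chunk, removed secret) pair, in the format quoted above.
function staleReferences(chunks: DocChunk[], removed: string[]): string[] {
  const warnings: string[] = [];
  chunks.forEach((c, i) => {
    for (const s of removed)
      if (mentions(c.content, s))
        warnings.push("Stale secret reference in toolkit_chunk #" + i + ": " + s);
  });
  return warnings;
}

// Lines for stdout, so a CI log shows them rather than only a file on disk.
function formatWarnings(provider: string, warnings: string[]): string[] {
  if (warnings.length === 0) return [];
  return ["⚠ " + provider + ": " + warnings.length + " warning(s)"]
    .concat(warnings.map((w) => "  - " + w));
}

// Constructed sample data (not the real github.json).
const sampleChunks: DocChunk[] = [
  { type: "custom_section", content: "| GITHUB_SERVER_URL | base URL |\n| GITHUB_CLASSIC_PERSONAL_ACCESS_TOKEN | classic PAT |" },
  { type: "documentation_chunk", content: "Set GITHUB_CLASSIC_PERSONAL_ACCESS_TOKEN_V2 first." },
];
const committedKit: ToolkitDoc = { chunks: sampleChunks, tools: [
  { name: "Github.AssignPullRequestUser", secrets: ["GITHUB_SERVER_URL", "GITHUB_CLASSIC_PERSONAL_ACCESS_TOKEN"] } ] };
const freshKit: ToolkitDoc = { chunks: sampleChunks, tools: [
  { name: "Github.AssignPullRequestUser", secrets: ["GITHUB_SERVER_URL"] } ] };
const ciLines = formatWarnings("Github",
  staleReferences(committedKit.chunks, removedSecrets(committedKit, freshKit)));
console.log(ciLines.join("\n"));
```
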