Run Strix from central workflow source#82
Conversation
There was a problem hiding this comment.
Pull request overview
This PR updates the Strix required workflow so that the Strix gate and self-test scripts are executed from a centrally checked-out ContextualWisdomLab/.github source, while the target repository is fetched separately into a runner temp workspace and passed to the gate via STRIX_REPO_ROOT.
Changes:
- Add a dedicated checkout of
ContextualWisdomLab/.github(trusted Strix source) and execute gate/self-test/install steps from that checkout. - Materialize the target repository into
${{ runner.temp }}/trusted-workspaceas scan data and pass it throughSTRIX_REPO_ROOT. - Update the Strix gate self-test assertions to reflect the new “central scripts, target as data” invariant.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
scripts/ci/test_strix_quick_gate.sh |
Updates workflow invariant assertions to validate central Strix checkout and target workspace separation. |
scripts/ci/strix_quick_gate.sh |
Adds STRIX_REPO_ROOT override support for running the gate against a materialized target workspace. |
.github/workflows/strix.yml |
Checks out central Strix source and wires STRIX_REPO_ROOT so scans operate on the target repo data rather than repo-local scripts. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
OpenCode Review Overview
Pull request overviewOpenCode reviewed the current-head bounded evidence and found no blocking issues. FindingsNo blocking findings. SummaryInspected the PR changes and found no actionable blockers. Verification posture: Linter/static: Not applicable (no source code changes), TDD/regression: Not applicable (no test changes), Coverage: Not applicable, Docstring coverage: Not applicable, DAG: Not applicable, PoC/execution: Not applicable, DDD/domain: Not applicable, CDD/context: Not applicable, Similar issues: Not applicable, Claim/concept check: Not applicable, Standards search: Not applicable, Compatibility/convention: Not applicable, Breaking-change/backcompat: Not applicable, Performance: Not applicable, Developer experience: Helps maintainers with CI scripts, User experience: No impact, Security/privacy: Not applicable. Verification posture: CodeGraph evidence was initialized and bounded current-head evidence reviewed for changed-file evidence including .github/workflows/strix.yml, scripts/ci/strix_quick_gate.sh, scripts/ci/test_strix_quick_gate.sh.
Change Flow DAGflowchart LR
PR["PR changed files"] --> Evidence["OpenCode bounded evidence"]
Evidence --> S1["Workflow: strix.yml"]
S1 --> I1["GitHub Actions review job"]
I1 --> R1["Review risk: Workflow: strix.yml"]
R1 --> V1["actionlint plus required checks"]
Evidence --> S2["CI script (2 files)"]
S2 --> I2["review and security gate shell path"]
I2 --> R2["Review risk: CI script (2 files)"]
R2 --> V2["bash -n plus Strix self-test"]
|
There was a problem hiding this comment.
Pull request overview
OpenCode reviewed the current-head bounded evidence and found no blocking issues.
Findings
No blocking findings.
Summary
Inspected the PR changes and found no actionable blockers. Verification posture: Linter/static: Not applicable (no source code changes), TDD/regression: Not applicable (no test changes), Coverage: Not applicable, Docstring coverage: Not applicable, DAG: Not applicable, PoC/execution: Not applicable, DDD/domain: Not applicable, CDD/context: Not applicable, Similar issues: Not applicable, Claim/concept check: Not applicable, Standards search: Not applicable, Compatibility/convention: Not applicable, Breaking-change/backcompat: Not applicable, Performance: Not applicable, Developer experience: Helps maintainers with CI scripts, User experience: No impact, Security/privacy: Not applicable.
Verification posture: CodeGraph evidence was initialized and bounded current-head evidence reviewed for changed-file evidence including .github/workflows/strix.yml, scripts/ci/strix_quick_gate.sh, scripts/ci/test_strix_quick_gate.sh.
Linter/static: workflow/static review evidence is bounded by the current-head GitHub Checks gate and changed-file evidence.
TDD/regression: coverage execution evidence and focused changed hunks were reviewed from bounded-review-evidence.md.
Coverage: coverage execution evidence proves 100% test coverage.
Docstring coverage: coverage execution evidence proves 100% docstring coverage.
DAG: Change Flow DAG maps .github/workflows/strix.yml through bounded evidence, review risk, and required checks.
PoC/execution: coverage-evidence job executed on the current head and reported PASS.
DDD/domain: workflow and repository-governance invariants were reviewed against changed files in bounded evidence.
CDD/context: CodeGraph evidence, changed-file history, and focused hunks were reviewed from bounded-review-evidence.md.
Similar issues: changed-file history evidence was reviewed for comparable local precedents.
Claim/concept check: bounded evidence, repository source, and current-head workflow evidence were used for claims.
Standards search: standards and external-source checks are delegated to configured OpenCode web_search/Context7/DeepWiki sources when applicable; no evidence-backed standards blocker is present in bounded evidence.
Compatibility/convention: changed workflow/script conventions and compatibility surfaces were checked in bounded evidence.
Breaking-change/backcompat: deployment evidence and changed-file history were checked for backward-compatibility risk.
Performance: changed surfaces were checked for performance risk in bounded evidence.
Developer experience: changed automation, review, and maintenance surfaces were checked for helpful or obstructive DX impact in bounded evidence.
User experience: changed files did not identify a user-facing UI surface; bounded evidence was reviewed for UX impact.
Security/privacy: workflow-token, review-gate, and repository-automation security/privacy boundaries were checked in bounded evidence.
- Result: APPROVE
- Reason: No blockers found in the PR changes.
- Head SHA:
4872a88b4f9d51208dde91032de3d5a0f230889e - Workflow run: 28230653364
- Workflow attempt: 1
Summary
ContextualWisdomLab/.githubinstead of the target repository checkout.$RUNNER_TEMP/trusted-workspaceand passing that path throughSTRIX_REPO_ROOT..githubcheckout is allowed, target repository checkout throughactions/checkoutis not.Why
The organization ruleset now requires Strix centrally, but the previous workflow still executed
scripts/ci/strix_quick_gate.shfrom the target repository's trusted workspace. That means repositories could not safely remove repo-local Strix helper copies. This PR makes Strix a real central execution contract and unblocks later cleanup PRs such asappguardrailremoving local Strix/OpenCode/scheduler copies.Verification
bash -n scripts/ci/strix_quick_gate.sh scripts/ci/test_strix_quick_gate.shgit diff --checkactionlint -shellcheck= .github/workflows/strix.yml .github/workflows/opencode-review.yml .github/workflows/pr-review-merge-scheduler.ymlshellcheck -S warning scripts/ci/strix_quick_gate.sh scripts/ci/test_strix_quick_gate.shactions/checkout, target workspace separation,STRIX_REPO_ROOT, and gate override.Note: full
timeout 240 bash scripts/ci/test_strix_quick_gate.shtimed out in existing long-running Strix harness paths. The required workflow run on this PR should provide the stronger integrated evidence.