Surfaced by
Core-dump C-1 staging-PG cutover (PR #190 incoming). TC1.5 cascade dry-run against the wfctl-conformance@ DO account was blocked because the secret is not yet provisioned anywhere visible.
Behavior
`conformance-budget-check.yml` (W-7 of 12, merged in PR #535) detects an unset `DO_CONFORMANCE_API_TOKEN` and emits a notice + skips the balance check. The downstream smoke gate has `needs: [budget-check]` so it cascades to a no-op too. From the W-7 commit:
> On PRs from forks (and on the W-7 PR itself, before operators provision the wfctl-conformance@ token), the secret is unset. Treat that as "kill-switch not yet armed" and emit a notice instead of curl-401 failing the job.
Effect
- W-7 conformance smoke gate is currently a no-op on every PR (silent kill-switch).
- Ad-hoc cascade dry-runs (e.g. C-1 TC1.5) cannot run locally either — operator has no way to source the token.
- Downstream production-touch PRs (C-1 TC2) are pushed to skip TC1.5 and go straight to live cutover, losing the defence-in-depth dry-run.
Expected
- Operator (jon@langevin.me) provisions the wfctl-conformance@gocodealone.dev DO account token per docs/conformance-runbook.md § "Token rotation".
- Token added as a repository secret on:
  - `GoCodeAlone/workflow` (so W-7 smoke gates fire on every PR)
  - `GoCodeAlone/workflow-plugin-{aws,gcp,azure,digitalocean,tofu,ci-generator}` (per-plugin smoke gates)
  - Optionally: `GoCodeAlone/core-dump` and other downstream consumers that may want to dry-run cascade replaces (TC1.5 pattern).
- Document the local-operator workflow for retrieving the token (1Password? Bitwarden? team-lead-issued?) so future ad-hoc dry-runs can run.
Workaround for now
Skip TC1.5 dry-runs; rely on TC2's W-6 `--allow-replace=` semantics + post-cutover `/healthz` verification + git-revertible `infra.yaml`. Inferior to a real dry-run but it's what's available pre-token-provisioning.
References
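The silent no-op described under Behavior and Effect, sketched as an added example that is not the project's `conformance-budget-check.yml`: the gate still skips with a notice on fork PRs, but fails closed when the token is unset on a same-repo run. `IS_FORK_PR`, `gate_decision`, `budget_gate` and the `armed=` output are hypothetical names; the workflow is assumed to set `IS_FORK_PR` from `github.event.pull_request.head.repo.fork`.

```shell
#!/usr/bin/env bash
# Added example; names below are assumptions, not the project's workflow.
# IS_FORK_PR (hypothetical) is expected to carry "true" or "false".

# gate_decision TOKEN IS_FORK_PR
# Prints one of: run | skip | fail. The token value is never echoed.
gate_decision() {
  local token="$1" is_fork="$2"
  if [ -n "$token" ]; then
    echo run            # secret present: kill-switch is armed
  elif [ "$is_fork" = "true" ]; then
    echo skip           # fork PRs never receive secrets: notice only
  else
    echo fail           # same-repo run without the secret: fail closed
  fi
}

# budget_gate reads the environment and emits GitHub Actions workflow
# commands. In a real step the armed=... line would be appended to
# "$GITHUB_OUTPUT" so the smoke gate can tell "skipped" from "passed".
budget_gate() {
  local decision
  decision="$(gate_decision "${DO_CONFORMANCE_API_TOKEN:-}" "${IS_FORK_PR:-false}")"
  case "$decision" in
    run)
      echo "armed=true"
      ;;
    skip)
      echo "::notice::DO_CONFORMANCE_API_TOKEN unset on fork PR; budget check skipped"
      echo "armed=false"
      ;;
    fail)
      echo "::error::DO_CONFORMANCE_API_TOKEN unset on a same-repo run; conformance gate is not armed"
      return 1
      ;;
  esac
}
```

With this split, a missing secret on the main repository shows up as a red job instead of a green no-op, while fork PRs keep the notice-and-skip behaviour the W-7 commit describes.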