Keep audit-only Agent Law provisioner runs green #48
Constraint: Scheduled Agent Law provisioner runs without AGENT_LAW_ADMIN_TOKEN intentionally run audit-only with the repo-scoped token.
Rejected: Treat expected missing admin scope as a hard failure in audit-only mode | it creates noisy default-branch failures while no write was attempted.
Confidence: high
Scope-risk: narrow
Directive: Continue treating admin-scope failures as blocking when --apply is used; audit-only should report skipped scope, not fail.
Tested: python3 -m py_compile scripts/provision-agent-law.py; git diff --check; python3 scripts/provision-agent-law.py --owner KyaniteLabs --ensure-org-ruleset --ensure-repo-rulesets --repair-files exited 0
Not-tested: Scheduled GitHub Actions run after merge.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: cc56ce0935
```python
if not apply:
    return "skipped:admin-org-scope-required"
```
Only skip dry-run when permission failure is confirmed
In scripts/provision-agent-law.py (checked alongside .github/workflows/agent-law-provisioner.yml), this dry-run branch now converts any gh api failure into skipped:admin-org-scope-required; because main() only exits non-zero for blocked:* statuses, transient API/network/auth failures in scheduled audits will be silently reported as success instead of surfacing a broken audit. This should only downgrade known permission-denied cases (and keep other non-zero outcomes blocked), and the same broad downgrade pattern appears in ensure_repo_ruleset as well.
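One way to implement the distinction the review asks for, shown here as an added example and not code from scripts/provision-agent-law.py or the KyaniteLabs repository: only a confirmed permission-denied response is downgraded to `skipped:admin-org-scope-required` in audit-only mode, the same response stays `blocked:` under `--apply`, and every other non-zero `gh api` outcome (network error, bad credentials, rate limit) stays `blocked:` so a broken audit still fails the job. The status strings follow the `skipped:`/`blocked:` convention described in the thread; the function names, the `blocked:gh-api-error` status, the exit code, and the stderr patterns treated as permission-denied are assumptions. The sample stderr lines are constructed for the demo.

```python
import re
import subprocess
from typing import Iterable, List

# Status strings follow the skipped:/blocked: convention from the PR thread.
SKIPPED_SCOPE = "skipped:admin-org-scope-required"
BLOCKED_SCOPE = "blocked:admin-org-scope-required"
# Assumed status for any other gh api failure (network, 401, 5xx, rate limit).
BLOCKED_API = "blocked:gh-api-error"

# Assumption: these fragments identify a permission-denied answer from gh api.
# Anything that does not match is NOT a scope problem and must stay blocked.
_PERMISSION_DENIED = re.compile(
    r"HTTP 403|Resource not accessible|Must have admin rights",
    re.IGNORECASE,
)


def classify_gh_failure(returncode: int, stderr: str, apply: bool) -> str:
    """Map a gh api result to an ok/skipped/blocked status.

    Only a confirmed permission failure is downgraded, and only when no
    write was going to be attempted (apply=False)."""
    if returncode == 0:
        return "ok"
    if _PERMISSION_DENIED.search(stderr):
        return BLOCKED_SCOPE if apply else SKIPPED_SCOPE
    # Transient or unrelated failure: the audit itself is broken, so block.
    return BLOCKED_API


def exit_code_for(statuses: Iterable[str]) -> int:
    """Mirror of the main() rule described in the review: any blocked:* status
    makes the run fail (assumed exit code 2); skipped:* is a green run."""
    return 2 if any(s.startswith("blocked:") for s in statuses) else 0


def run_gh_api(args: List[str], apply: bool) -> str:
    """Real call site (hypothetical wrapper): run gh api and classify it.
    Not invoked by the demo so the example runs offline."""
    proc = subprocess.run(
        ["gh", "api", *args], capture_output=True, text=True, check=False
    )
    return classify_gh_failure(proc.returncode, proc.stderr, apply)


def demo() -> dict:
    """Constructed gh stderr samples exercising each branch."""
    samples = {
        "perm_audit": (1, "gh: Resource not accessible by integration (HTTP 403)", False),
        "perm_apply": (1, "gh: Resource not accessible by integration (HTTP 403)", True),
        "bad_creds": (1, "gh: Bad credentials (HTTP 401)", False),
        "network": (1, "error connecting to api.github.com", False),
        "success": (0, "", False),
    }
    return {name: classify_gh_failure(*args) for name, args in samples.items()}


if __name__ == "__main__":
    results = demo()
    for name, status in results.items():
        print(f"{name:>10}: {status}")
    print("audit-only exit code:", exit_code_for([results["success"], results["perm_audit"]]))
    print("network-failure exit code:", exit_code_for([results["success"], results["network"]]))
```

With this split, the scheduled audit still exits 0 when the only problem is the missing admin-org scope, but a network outage or a revoked token is reported as `blocked:gh-api-error` and fails the run instead of being mistaken for a clean audit.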
Summary

Fix the Agent Law provisioner so scheduled audit-only runs report missing admin-org scope as skipped:* instead of failing the default branch.

Why

The workflow already downgrades to audit-only when AGENT_LAW_ADMIN_TOKEN is absent. The script still returned exit 2 for the expected org-ruleset admin-scope check, creating noisy default-branch failures even though no write operation was attempted.

Verification

- python3 -m py_compile scripts/provision-agent-law.py
- git diff --check
- python3 scripts/provision-agent-law.py --owner KyaniteLabs --ensure-org-ruleset --ensure-repo-rulesets --repair-files exited 0 and reported KyaniteLabs org-ruleset skipped:admin-org-scope-required

Constraint: scheduled audit-only runs use a repo-scoped token when AGENT_LAW_ADMIN_TOKEN is not configured.
Rejected: keep failing audit-only runs for expected missing admin scope | it burns attention without representing a failed write.
Confidence: high
Scope-risk: narrow
Directive: admin-scope failures must remain blocking when --apply is used.
Tested: py_compile; git diff --check; exact audit-only provisioner command exited 0.
Not-tested: scheduled GitHub Actions run after merge.