docs(routine): add weekly action-SHA bump prompt #142
@codex review
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 4aeca01b31
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
```
EXISTING="$(gh pr list \
--base develop \
--state open \
--search "author:${ROUTINE_GH_LOGIN} chore/actions-bump in:title created:>=${WEEK_START}" \
```
Search existing bump PRs by head branch, not title text
The idempotency check searches for chore/actions-bump in:title, but this prompt creates PRs titled chore: bump pinned action SHAs (...), so the searched token is in the branch name, not the title. GitHub issue/PR search treats in:title as title-only (branch filters use head:), so weekly reruns can miss an already-open bump PR and open duplicates instead of exiting cleanly.
```
- the script's own `tagToCommitSha` helper (load the module and
  call it directly), or
```
Remove impossible direct-call path for tagToCommitSha
This instruction says the routine can load scripts/bump-actions.mjs and call tagToCommitSha directly, but that file is a CLI script with no exports and a top-level process.exit(...). If the routine follows this path, importing/calling the helper is not actually possible and can terminate execution before bumps are applied. The prompt should only point to a callable helper path (or require exporting the function first).
…ort path Codex P1: idempotency search used 'chore/actions-bump in:title' but PR titles are 'chore: bump pinned action SHAs (...)'. Switch to headRefName-startswith jq filter so the branch-prefix identifier is matched, not the title text. Codex P2: scripts/bump-actions.mjs is a CLI entry with no exports and a top-level process.exit(...). Drop the 'load module and call tagToCommitSha directly' bullet — that path would terminate execution before any bump is applied. Point at the umbrella's resolve_action_sha Bash helper as the single supported callable, with a note that scripted access must shell out to the script and parse stdout. Refs Codex review on #142.
@codex review
💡 Codex Review
Reviewed commit: bec480c49b
````
6. **Push and open one PR per run** with every applied bump in a
   single diff:

   ```bash
   git push -u origin "chore/actions-bump-$(date -u +%F)"
````
Commit bump edits before pushing the branch
In docs/actions-bump-bot/PROMPT.md the run flow jumps from editing workflow files to git push without any git add/git commit step. Following this prompt literally can push a branch with no bump commit, which then makes gh pr create fail with no diff (or open an empty PR) instead of publishing the intended SHA updates.
```
gh pr create --base develop \
--title "chore: bump pinned action SHAs ($(date -u +%F))" \
--body-file .actions-bump-cache/pr-body-$(date -u +%F).md
```
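Review bot: the `--body-file` argument on the last line rebuilds the date with a second `$(date -u +%F)` and is left unquoted, so the title and the body path are computed independently and can disagree if the run crosses UTC midnight between the two expansions. Capture the run date once into a variable that the branch name, title and body path all reuse, and quote the path: `--body-file "${BODY_FILE}"`.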
Codex P1 #1 (line 160): the run flow jumped from edit-workflow-files (step 3) → actionlint (4) → verify (5) → push (was 6). No git add / git commit between them. Following literally would push the bump branch with no commit, and 'gh pr create' would fail with no diff. Insert an explicit step 6 'commit every applied bump in a single commit' between verify and push. Codex P1 #2 (line 163): step 6 used '--body-file .actions-bump-cache/pr-body-$(date).md' but no prior step wrote that file. Add a step 7 that materialises the in-memory ${BODY} into ${BODY_FILE} via 'mkdir -p .actions-bump-cache && printf' before push. The cache file doubles as the re-submit-by-hand artifact already referenced in Failure handling. Push + PR-open is now step 8 (renumbered). Refs Codex re-review on #142.
@codex review
💡 Codex Review
Reviewed commit: 3ff22f8528
```
- **Title:** `Action SHA bumps YYYY-MM-DD — <sha7>`
  where `<sha7>` is the seven-char prefix of the bump branch's
  HEAD SHA (the commit that contained the bump edits, even though
  it never reached `develop`).
```
Drop unattainable <sha7> requirement for failure issues
The failure-issue spec requires <sha7> from “the commit that contained the bump edits,” but this prompt runs actionlint/npm run verify before any bump commit is created, so on verify/actionlint failure there is no such commit to reference. That makes the required title/body field impossible to populate consistently and can break the failure-report path; either move commit creation before verification or define the identifier from an always-available value (for example branch date or pre-bump HEAD).
```
`Action SHA bumps YYYY-MM-DD — script error` with the script's
full stderr in the body, and exit 1. The owner triages the
```
Capture bump script stdout for ERROR issue diagnostics
This section says to file script-error issues with the script’s stderr, but scripts/bump-actions.mjs reports per-action ERROR diagnostics in its stdout status table and can emit empty stderr for these cases. Following this instruction can produce near-empty failure issues that omit the actionable error messages; the prompt should require capturing stdout (or merged stdout/stderr) from the bump-script run.
```
mkdir -p .actions-bump-cache
BODY_FILE=".actions-bump-cache/pr-body-$(date -u +%F).md"
printf '%s\n' "${BODY}" > "${BODY_FILE}"
```
Skip cache-file writes when DRY_RUN is enabled
Step 7 unconditionally writes .actions-bump-cache/pr-body-<date>.md, but the Dry-run contract later requires zero filesystem side effects and explicitly forbids cache-file writes. If the routine follows the process steps as written, dry runs still modify the working tree, violating the documented behavior and making dry-run output non-idempotent.
…A for failure issues Codex P1 (line 450): the failure-issue title required <sha7> from 'the commit that contained the bump edits' but actionlint/verify run BEFORE the bump commit (step 6 was committed after step 4 actionlint + step 5 verify). On verify failure no bump commit existed — making <sha7> unattainable. Capture BASE_SHA at branch-cut (step 2) — the develop-tip SHA when the branch was created. Always available, distinguishes runs. Update failure-issue spec + body template to reference BASE_SHA. Codex P2 (line 406): script-error issues were spec'd with the bump script's stderr in the body, but scripts/bump-actions.mjs reports per-action ERROR rows in its stdout status table; stderr can be empty. Switch to merged stdout + stderr (capture via 2>&1) so the actionable diagnostics aren't lost. Codex P2 (line 177): step 7 unconditionally wrote .actions-bump-cache/pr-body-<date>.md but the dry-run contract requires zero filesystem side effects from cache writes. Gate step 7 behind DRY_RUN — print '[DRY_RUN] would write ...' instead of actually writing. Same gate added to step 8 (push + gh pr create) so dry runs never trigger remote artifact creation. Both match the dep-triage-bot / plan-recon-bot dry-run pattern. Refs Codex round-2 review on #142.
@codex review
💡 Codex Review
Reviewed commit: ffacb50cc3
```
git add .github/workflows/*.yml
git commit -m "chore: bump pinned action SHAs ($(date -u +%F))"
```
Guard commit step when no bumps were actually applied
The flow always executes git add .github/workflows/*.yml and git commit even when every PENDING row was skipped by policy (for example, all pending updates are majors that must be escalated via issue only). In that case there is no workflow diff, so this step fails (pathspec/nothing to commit) and the run errors instead of exiting cleanly after opening the required major-bump issue(s). Add an explicit "no applied bumps" branch before commit/push/PR creation.
```
EXISTING="$(gh pr list \
--base develop \
--state open \
--search "author:${ROUTINE_GH_LOGIN} created:>=${WEEK_START}" \
```
Remove week-only filter from open bump PR dedupe check
The idempotency query restricts candidates to created:>=${WEEK_START}, so an older still-open chore/actions-bump-* PR is ignored and a new bump PR can be opened on top of it. That conflicts with the prompt’s own requirement to skip when a previous week’s bump PR is still open, and can create multiple concurrent bump PRs for the same backlog.
…ncy check Codex P1 (#142 round 4 line 168): step 6 always ran 'git add ...workflows/*.yml && git commit' even when every PENDING row was skipped by policy (e.g. all updates are majors that escalate via the actions-bump-bot label). With no workflow diff the step errors out on 'pathspec'/'nothing to commit', polluting the run after major-bump issues already opened. Add an explicit guard: 'git diff --quiet -- .github/workflows/' → exit 0 cleanly if nothing changed. Major-bump issues become the run's only artifact in that case, which is correct. Codex P2 (#142 round 4 line 332): the idempotency PR-search filter included 'created:>=${WEEK_START}'. An older still-open chore/actions-bump-* PR (e.g. owner hasn't merged last week's queue yet) was IGNORED, so a new bump PR could land on top of it and stack duplicates. Drop the week filter — the routine now blocks on ANY open chore/actions-bump-* PR by ROUTINE_GH_LOGIN. The owner merges the queued PR first; the next run picks up whatever's still pending. Refs Codex round-4 review on #142.
@codex review
💡 Codex Review
Reviewed commit: e1390b0010
```
re-create idempotently if missing — `gh label create` no-ops on
conflict).
```
Add --force for idempotent label creation
This instruction says gh label create is a no-op on conflicts, but GitHub CLI only updates an existing label when --force is passed (otherwise it returns an error). In the normal steady state where actions-bump-bot already exists, following this guidance in the failure-issue path can cause the run to fail before creating the issue, which drops the intended failure artifact. Please either gate creation behind an existence check or include --force in the idempotent-create guidance.
Codex P2 (#142 round 5 line 496): the failure-issue spec said 'gh label create no-ops on conflict' but bare 'gh label create' returns non-zero when the label already exists. --force would update (clobber description/color), which is not what we want for an idempotent 'create-only-if-missing' guard. In the steady state where actions-bump-bot already exists, following the prior guidance literally would fail the run before opening the failure issue, dropping the intended artifact. Replace with an explicit existence check via gh label list + jq + grep, run gh label create only if the label is absent. Same pattern the dep-triage-bot prompt should follow. Refs Codex round-5 review on #142.
@codex review
💡 Codex Review
Reviewed commit: 83741dae96
```
Run weekly. For each `PENDING` row in scope (skipping `DIVERGENT` and
`ERROR` per [Hard rules](#hard-rules)):
```
Abort run when scripts/bump-actions reports ERROR rows
This step says to process each PENDING row while “skipping ... ERROR”, which conflicts with the later failure policy that any ERROR row must stop the run and open a failure issue. If the routine follows this section literally during a partial GitHub API/auth outage, it can open a PR with only a subset of bumps and hide the tooling failure signal that should block the run.
```
echo "No bumps applied (all PENDING rows skipped by policy). Exiting cleanly."
exit 0
fi
git add .github/workflows/*.yml
```
Stage .yaml workflow edits in bump commit
The commit command only stages *.yml, but the bump scanner covers both *.yml and *.yaml workflow files. If any pending bump is in a .yaml workflow, the routine will edit it but not include it in the commit/PR, leaving an incomplete bump batch and a dirty worktree.
```
> 3. After opening the bump PR (or recognizing a no-op run with
> zero `PENDING` rows from `scripts/bump-actions.mjs` and
> exiting cleanly without opening anything), exit cleanly. Do
```
Treat no-op as exit code 0, not “zero PENDING rows”
The wrapper text defines no-op as “zero PENDING rows,” but the script also exits non-zero for DIVERGENT and ERROR states even when PENDING is zero. Following this wording can cause the routine to exit quietly instead of filing the required issue for divergent pins or script/tooling errors.
…0 is no-op Codex P1 (#142 round 5 line 99): step 'For each PENDING row in scope (skipping DIVERGENT and ERROR per Hard rules)' conflicted with the later failure policy that ERROR rows must abort the run. Following literally during a partial GitHub API/auth outage would open a PR with a subset of bumps and hide the tooling failure signal. Add an explicit pre-flight: ERROR rows abort + open failure issue; DIVERGENT rows file their own issue but processing of PENDING continues alongside. Codex P2 (#142 round 5 line 181): commit staged only .github/workflows/*.yml but the bump scanner covers both *.yml AND *.yaml. Any pending bump in a .yaml workflow would be edited but excluded from the commit, producing a partial bump PR + dirty worktree. Stage the whole .github/workflows/ directory so both extensions land in the commit. Codex P2 (#142 round 5 README line 146): wrapper described no-op as 'zero PENDING rows from the script', but the script also exits non-zero for DIVERGENT and ERROR even when PENDING is zero. Reword to 'when scripts/bump-actions.mjs exits 0' so DIVERGENT/ERROR still trigger the failure-issue path. Also update the 'edit nothing outside' clause to cover both *.yml and *.yaml. Refs Codex round-5 review on #142.
@codex review
💡 Codex Review
Reviewed commit: 748b317d12
```
git switch develop
git pull --ff-only origin develop
git switch -c "chore/actions-bump-$(date -u +%F)"
BASE_SHA="$(git rev-parse HEAD)"
```
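Review bot: `git switch -c "chore/actions-bump-$(date -u +%F)"` on the third line exits non-zero when a branch of that name already exists, which is exactly the situation on a same-day rerun in a persistent clone, so the step aborts before `BASE_SHA` is captured. Since the preceding `git pull --ff-only origin develop` already guarantees HEAD is the develop tip, use `git switch -C` (force-create) or delete a stale local branch first so reruns are idempotent, and put the branch name in a variable that the later push and PR steps reuse instead of recomputing the date.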
Gate branch creation when DRY_RUN is enabled
These commands unconditionally create and switch to chore/actions-bump-<date>, but later in the same prompt the dry-run contract says runs must have zero filesystem side effects and that git switch -c should be printed instead of executed. In a shared or persistent runner, a dry run following this snippet verbatim will still mutate local git state (new branch + HEAD move), which can contaminate subsequent runs and violates the documented dry-run guarantee.
```
(The label was added in the same increment that landed this
routine; re-creating it is a safe no-op if it's already there.)
```
Remove the incorrect no-op claim for label creation
The parenthetical says rerunning gh label create is a safe no-op when the label already exists, but gh label create only updates existing labels when --force is supplied (per the GitHub CLI manual). This makes the checklist misleading: users rerunning setup can hit a non-zero failure even though the docs imply it is harmless.
Codex P2 (#142 round 6 line 142): step 2 unconditionally ran 'git switch -c chore/actions-bump-<date>'. The dry-run contract requires zero filesystem side effects, but on a shared / persistent runner this leaves a stray bump branch behind that contaminates subsequent runs. Gate the 'git switch -c' invocation behind DRY_RUN — print '[DRY_RUN] would call: git switch -c ...' instead. BASE_SHA still resolves to develop tip in both modes (HEAD stays on develop in dry-run; new branch was just cut from it in non-dry). Codex P3 (#142 round 6 README line 76): setup checklist said 're-creating the label is a safe no-op if it's already there', but bare 'gh label create' returns non-zero when the label exists (only --force updates, which would clobber description/color). Replace with the same existence-check pattern the prompt's failure-handling path uses: 'gh label list --search ... --jq | grep -q . || gh label create ...'. Setup users no longer hit a misleading non-zero on rerun. Refs Codex round-6 review on #142.
@codex review
💡 Codex Review
Reviewed commit: 60899b8b8d
```
# extensions; staging only *.yml would leave .yaml edits in the
# worktree and produce a partial bump PR + dirty tree.
git add .github/workflows/
git commit -m "chore: bump pinned action SHAs ($(date -u +%F))"
```
The process still calls git commit unconditionally even though dry-run mode explicitly skips branch creation earlier and promises zero filesystem side effects. In a DRY_RUN=1 execution, this can commit bump edits directly onto develop in the local clone (because no topic branch was created), contaminating subsequent runs and violating the dry-run contract.
```
- **Never** edit anything outside `.github/workflows/*.yml` in the
  bump PR. No README updates, no plan flips, no version bumps. Just
```
Permit .yaml workflow files in hard-rule scope
The hard rule restricts edits to .github/workflows/*.yml, but this prompt elsewhere says the scanner/staging logic handles both *.yml and *.yaml. If a workflow is stored as .yaml, the bot is simultaneously told to bump it and told that editing it is forbidden, which can cause skipped bumps and persistent PENDING rows.
```
the body, and exit 0 (or proceed with the non-divergent `PENDING`
rows in the same run — the divergent issue is filed regardless).
```
Resolve contradictory DIVERGENT control flow
This instruction says to open a divergent issue and then "exit 0 (or proceed with non-divergent PENDING rows)", which conflicts with the earlier process section that says DIVERGENT does not abort pending bumps. Because the routine is LLM-driven, this ambiguity can cause full-run exits that skip valid non-divergent updates whenever both states appear.
…ERGENT control flow Codex P1 (#142 round 7 line 212): step 6 commit step ran 'git add' + 'git commit' unconditionally even though step 2 had skipped 'git switch -c' under DRY_RUN. In dry-run mode HEAD is still on develop, so the unconditional commit would land bump edits directly on the local develop clone — contaminating subsequent runs and violating the zero-side-effects contract. Gate the commit behind DRY_RUN — print '[DRY_RUN] would call: git add ...' / 'git commit -m ...' instead. Codex P2 (#142 round 7 line 319): hard rule restricted bump edits to '.github/workflows/*.yml' but the bump scanner accepts both *.yml AND *.yaml. A workflow stored as .yaml would be told to bump (by the process) AND told that editing it is forbidden (by the hard rule), producing skipped bumps + persistent PENDING rows. Broaden hard rule to '.github/workflows/' covering both extensions. Same fix on the 'never weaken workflows' bullet. Codex P2 (#142 round 7 line 484): failure-handling DIVERGENT path said 'exit 0 (or proceed with non-divergent PENDING rows)'. The 'exit 0' OR conflicts with the new pre-flight in Process which says only ERROR aborts; DIVERGENT continues alongside PENDING. Tighten the language: DIVERGENT files its own issue, run continues processing PENDING — no early exit. The divergent issue is filed regardless of whether the run also opens a bump PR. Refs Codex round-7 review on #142.
@codex review
💡 Codex Review
Reviewed commit: 61ad07079b
```
- Any `git commit` / `git switch -c` that mutates branch state — in
  dry-run mode, prepare the diff in-tree but do NOT commit; print
  the would-be commit message and the `git diff --stat` output
```
Revert in-tree edits before exiting dry-run
The dry-run section says to "prepare the diff in-tree" while skipping branch creation/commit, but it never instructs a final cleanup. In DRY_RUN, step 2 keeps HEAD on develop, so applying bumps leaves tracked workflow files modified locally; exiting without git restore violates the stated zero-side-effects contract and can contaminate later runs on shared/persistent runners. Add an explicit restore/reset of .github/workflows/ before dry-run exit.
```
  bump PR.
- Open a PR for `DIVERGENT` rows. Divergent pins are a consistency
  fixup, not a routine bump.
- Edit any file outside `.github/workflows/*.yml` in the bump PR.
```
Allow .yaml files in the final file-scope rule
This Do NOT bullet limits allowed edits to .github/workflows/*.yml, but the same prompt and scripts/bump-actions.mjs handle both *.yml and *.yaml. That contradiction can cause the routine to skip legitimate .yaml bump targets and leave pending updates unresolved. Update this rule to match the rest of the document’s scope (.github/workflows/ or both extensions).
- DRY_RUN restores .github/workflows/ after diff-stat dump so the
zero-filesystem-side-effects contract holds when the dry-run
branches through the commit step.
- Top-of-doc + Do NOT scope refs say *.{yml,yaml} to match the
hard-rule scope and bump-actions.mjs which already handles both
extensions.
@codex review

@codex review
💡 Codex Review
Reviewed commit: f25d238b1b
```
git push -u origin "chore/actions-bump-$(date -u +%F)"
gh pr create --base develop \
--title "chore: bump pinned action SHAs ($(date -u +%F))" \
```
Reuse one run date for branch push and PR title
The branch name is captured once in step 2 (BRANCH="chore/actions-bump-$(date -u +%F)"), but step 8 recomputes $(date -u +%F) for git push and the PR title. If the run crosses UTC midnight (for example during npm ci && npm run verify), the push targets a different branch name than the one created, so git push can fail and the run aborts. Use a single captured run-date/branch variable throughout branch creation, push, and PR metadata.
```
**Failure issue, secondary sink (only on verify / actionlint
failure):** if applying the bumps surfaces a verify failure, the
```
Document all failure issue paths in README
This README section says failure issues are created only for verify/actionlint failures, but the same routine docs require issues for scripts/bump-actions.mjs ERROR rows and DIVERGENT rows as well. That mismatch can cause operators to treat non-verify failures as expected no-issue cases, which weakens the documented observability contract for the actions-bump-bot label.
💡 Codex Review
Reviewed commit: f25d238b1b
```
4. **Exit code.** `0` if every pin is `up-to-date`. `1` if any
   `PENDING` / `DIVERGENT` / `ERROR` row exists. The exit code is the
   no-op signal: exit 0 from the script means there is nothing to do
   this run.
```
Treat unresolved scan states as non-no-op
The prompt currently defines exit code 0 from scripts/bump-actions.mjs as “every pin is up-to-date” and uses that as the no-op gate, but the script exits 0 whenever there are no PENDING, DIVERGENT, or ERROR rows—even if rows are no-releases or unresolved (scripts/bump-actions.mjs computes status separately and only gates on those three). This means the routine can silently skip runs where some actions cannot be resolved to a latest SHA, leaving actionable drift/triage hidden behind a false no-op. Please explicitly handle no-releases/unresolved rows before exiting cleanly.
Round-13 Codex finding: `scripts/bump-actions.mjs` exits 0 whenever no PENDING / DIVERGENT / ERROR rows exist — but the script also emits two other statuses, `no-releases` (action repo has no GitHub releases) and `unresolved` (latest tag couldn't be peeled to a SHA), and neither gates the exit code. The prompt previously trusted exit 0 alone as the no-op signal, so silent drift of those two states could hide actionable triage state behind a false quiet-run.

Verified against scripts/bump-actions.mjs:280-374:
- Status enum (line 286-289): up-to-date / PENDING / no-releases / unresolved (DIVERGENT and ERROR set elsewhere).
- Per-status stdout sections (line 338-365): only pending, divergent, errored — no-releases and unresolved get NO dedicated section, only the column-6 entry in the status table.
- Exit gate (line 374): zero unless PENDING / DIVERGENT / ERROR.

Updates to PROMPT.md:
1. Output shape — note that `no-releases` / `unresolved` lack a per-status section; the routine must scan the status table's 6th column directly to detect them.
2. Exit code — clarify that exit 0 is *not* sufficient for no-op: `no-releases` / `unresolved` rows can coexist with exit 0.
3. No-op detection — replace the bare exit-code check with an awk-based scan of the status table; only treat the run as no-op when exit code is 0 AND no `no-releases` / `unresolved` row exists.
4. Failure handling — new bullet for the `Unresolved action pins YYYY-MM-DD` triage issue (same shape as the existing DIVERGENT bullet: file alongside any bump PR, do not abort the run).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@codex review
💡 Codex Review
Reviewed commit: 0862526756
```
**No-op runs leave no trace.** If `scripts/bump-actions.mjs` exits 0,
exit cleanly without opening a PR or issue. An empty
```
Gate no-op on unresolved statuses before exiting silently
This line makes scripts/bump-actions.mjs exit code 0 an unconditional no-op, but the script also returns 0 when rows are no-releases or unresolved (only PENDING/DIVERGENT/ERROR force non-zero). If the routine follows this instruction, it will skip the triage issue path and silently hide unresolved action pins (for example deleted/renamed repos or peel failures), which contradicts the earlier No-op detection/Failure handling rules and drops required backlog visibility.
💡 Codex Review
Reviewed commit: 0862526756
| The local `npm ci && npm run verify` SHOULD still run in dry-run mode | ||
| so the run produces realistic verify-pass / verify-fail signals — but | ||
| under no circumstances trigger `git push`, `gh pr create`, or | ||
| `gh issue create` from that path. |
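Review bot: `npm ci` in this dry-run path still executes the lifecycle scripts (`preinstall`/`postinstall`) of every package in the lockfile, so a run that is supposed to leave nothing behind runs third-party install code on the runner with whatever credentials the routine holds. If the verify signal is all that is wanted here, run `npm ci --ignore-scripts` and check that `npm run verify` still passes without them; if some dependency needs its install script, say so next to this sentence rather than leaving the exposure implicit.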
Stop running npm ci in DRY_RUN mode
The dry-run contract here says runs must leave zero filesystem side effects, but this section still instructs running npm ci in dry runs; npm ci materially rewrites the workspace (for example node_modules/) on every run. On persistent runners this contaminates later jobs and violates the stated dry-run guarantee, so either gate npm ci behind non-dry mode or relax the contract wording.
| **No-op runs leave no trace.** If `scripts/bump-actions.mjs` exits 0, | ||
| exit cleanly without opening a PR or issue. An empty | ||
| `actions-bump-bot` label view AND no recent | ||
| `chore/actions-bump-<date>` PR mean nothing happened recently — |
Align exit-0 no-op rule with unresolved-row handling
This rule says to exit cleanly without opening artifacts whenever scripts/bump-actions.mjs exits 0, but the same prompt now explicitly treats no-releases/unresolved rows (which also return exit 0) as triage-worthy and requires opening an issue. If the agent follows this section, unresolved drift can be silently skipped and never reach the actions-bump-bot backlog.
Round-14 Codex finding: the prompt's dry-run section asserted "zero filesystem side effects" but also told the routine to run `npm ci && npm run verify` for realistic verify signals. `npm ci` rewrites `node_modules/` and `npm run verify` populates `dist/` and `docs/api/` — gitignored build artifacts, but materially filesystem side effects under the literal wording.

Resolution: keep `npm ci` + `npm run verify` (they are load-bearing for the dry-run's "would the bumps actually verify?" signal) and relax the contract wording to scope it to what actually matters:

1. No commits or branches left behind.
2. No remote-side writes (`git push`, `gh pr create`, `gh issue create`, `gh label create` all stay stubbed).
3. No `.actions-bump-cache/FAILED-*.md` cache files written.

Gitignored workspace artifacts (`node_modules/`, `dist/`, `docs/api/`, vitest caches) are explicitly out of scope — any subsequent run re-derives them idempotently, so they don't contaminate later jobs the way a leftover branch or cache file would.

The wrapped-writes list and the "Reads MAY still run" / "verify SHOULD still run" paragraphs unchanged.

Added a new "Dry-run contract" subheading to spell out the exit invariants explicitly, and updated the cross-reference at the `git commit` / `git switch -c` bullet to point at it.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@codex review
💡 Codex Review
Reviewed commit: 0bade72729
| **No-op runs leave no trace.** If `scripts/bump-actions.mjs` exits 0, | ||
| exit cleanly without opening a PR or issue. An empty |
Align no-op rule with unresolved-status triage
This no-op instruction conflicts with the same prompt’s earlier No-op detection and Failure handling sections, which require filing a triage issue when scripts/bump-actions.mjs returns no-releases/unresolved rows (the script can still exit 0 in that case). If the agent follows this clause literally, it will suppress required issues and hide unresolved action pins as silent no-ops.
| > `scripts/bump-actions.mjs` exits 0 and exiting cleanly without | ||
| > opening anything), exit cleanly. The script's exit code — NOT | ||
| > "zero `PENDING` rows" — is the no-op signal: the script also |
Require status parsing in wrapper no-op logic
The wrapper says the script exit code alone is the no-op signal, but scripts/bump-actions.mjs exits 0 even when rows are no-releases/unresolved; those states still require a triage issue per the prompt. Using this wrapper as written can cause runs to report clean no-op behavior while unresolved pins are never surfaced.
💡 Codex Review
Reviewed commit: 0bade72729
| locally (`git switch develop && git branch -D | ||
| chore/actions-bump-<date>`), open a failure issue per the spec |
Guard branch cleanup when dry-run skipped branch creation
In the PROMPT.md failure path for actionlint errors, this cleanup always runs git branch -D chore/actions-bump-<date>, but step 2 explicitly skips git switch -C when DRY_RUN is set. In a dry-run that hits actionlint/verify failure, the delete command can fail with "branch not found" and short-circuit the intended failure handling (issue/report path), so cleanup should be conditional on non-dry mode or on branch existence.
# Conflicts: # docs/plans/2026-04-26-quality-automation-routines.md
Round-16 fixes after a fresh review surfaced architectural gaps the prior 15 round-by-round Codex passes missed.

- Process pre-flight now scans column 6 for `no-releases`/`unresolved` rows and files a triage issue before processing PENDING. Without this, mixed runs (PENDING + unresolved) opened the bump PR but silently swallowed the unresolved drift — the No-op detection branch only fires when SCRIPT_EXIT==0.
- Output section enumerates the four distinct failure-issue title shapes (script-error, divergent, unresolved-triage, verify-fail) instead of the prior "secondary sink" prose that omitted the unresolved-triage path. README mirror updated.
- Awk pipeline scoped to data rows only — start after the header match, stop at the first blank line — so per-status detail blocks cannot leak status-shaped tokens into `\$NF`. Header regex uses `[[:space:]]+` to handle the script's variable column padding.
- "zero filesystem side effects" wording swept across PROMPT.md to "no commits, no remote-side writes, no cache files" — the Dry-run contract heading already used the new wording, but inline references kept the old phrasing and made the contract read like two different rules.
- Divergent failure-handling bullet now spells out the per-action cardinality: three divergent actions in one scan = three issues, not a single combined one.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
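The no-op decision described in the round-13 and round-16 commit messages (exit code AND a status-table scan scoped to the data rows), written out as an added example. This is not the project's PROMPT.md awk and not code from scripts/bump-actions.mjs; it assumes the table has a header line starting with `action` and ending with `status`, whitespace-separated columns with the status in the last column, and a blank line after the last data row. Both sample outputs are constructed.

```shell
#!/bin/sh
# Added example: decide what a bump-actions run means from its exit code plus
# the status table, instead of trusting exit 0 alone. The table layout and the
# sample outputs below are assumptions for illustration, not copied from
# scripts/bump-actions.mjs.

# Constructed sample stdout. Two rows need a triage issue even though the
# script would exit 0 for them. The detail block after the blank line ends a
# line with a status-shaped token on purpose: an unscoped scan of $NF would
# count it as a third row.
SAMPLE_OUTPUT='Pinned actions
action              file                       pinned   latest   sha      status
example/checkout    .github/workflows/ci.yml   v1.1.0   v1.1.0   aaaaaaa  up-to-date
example/setup-node  .github/workflows/ci.yml   v4.0.0   v4.0.0   ccccccc  up-to-date
example/gone        .github/workflows/ci.yml   v1.0.0   -        -        unresolved
example/no-tags     .github/workflows/ci.yml   v2.0.0   -        -        no-releases

Details
  example/gone: latest tag could not be peeled, status unresolved
'

# Constructed sample for a genuinely quiet run.
CLEAN_OUTPUT='Pinned actions
action              file                       pinned   latest   sha      status
example/checkout    .github/workflows/ci.yml   v1.1.0   v1.1.0   aaaaaaa  up-to-date

'

# Statuses of the data rows only: start after the header line, stop at the
# first blank line, so per-status detail blocks cannot leak tokens into $NF.
table_statuses() {
  printf '%s' "$1" | awk '
    /^action[ \t]+file[ \t]+.*[ \t]status$/ { in_table = 1; next }
    in_table && NF == 0                     { exit }
    in_table                                { print $NF }
  '
}

# Rows that an exit code of 0 hides: no-releases and unresolved.
count_triage_rows() {
  table_statuses "$1" | grep -c -E '^(no-releases|unresolved)$' || true
}

# classify_run EXIT_CODE SCRIPT_STDOUT
#   needs-action : non-zero exit, i.e. PENDING / DIVERGENT / ERROR rows exist
#   triage       : exit 0 but no-releases / unresolved rows are present
#   no-op        : exit 0 and no triage rows; only then is a quiet exit correct
classify_run() {
  if [ "$1" -ne 0 ]; then
    echo needs-action
  elif [ "$(count_triage_rows "$2")" -gt 0 ]; then
    echo triage
  else
    echo no-op
  fi
}

# Stand-alone demo.
echo "sample: $(classify_run 0 "$SAMPLE_OUTPUT")"   # triage
echo "clean:  $(classify_run 0 "$CLEAN_OUTPUT")"    # no-op
```

In the routine, `SCRIPT_STDOUT` would be the captured output of `node scripts/bump-actions.mjs` and `EXIT_CODE` its `$?`; the `triage` branch is where the `Unresolved action pins YYYY-MM-DD` issue gets filed before the run is allowed to end quietly.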
@codex review Round 16 amendments landed in 39ae626 — fresh review surfaced an architectural gap that 15 rounds of incremental review missed. Five fixes:
Verified the new awk against a real
💡 Codex Review
Reviewed commit: 39ae626ba0
| 3. **Apply each bump.** For every pending row, edit the matching | ||
| workflow file: replace the 40-char SHA with the freshly-resolved | ||
| one and update the trailing `# vX.Y.Z` comment to match the new |
Apply each pending bump across all matching workflow files
A PENDING row from scripts/bump-actions.mjs is keyed by action/version tuple, not by file, so the same row can represent multiple workflow files; however this step instructs editing a single "matching workflow file". In repos like this one where actions such as actions/checkout appear in many workflows, following this literally can update only one file, leave the rest stale, and create a self-inflicted DIVERGENT state on the next run that blocks normal bump flow.
| **No-op runs leave no trace.** If `scripts/bump-actions.mjs` exits 0, | ||
| exit cleanly without opening a PR or issue. An empty |
Do not treat every script exit-0 run as no-op
This no-op rule conflicts with the prompt’s own output contract: scripts/bump-actions.mjs can exit 0 while still emitting no-releases/unresolved rows, which are supposed to trigger an Unresolved action pins YYYY-MM-DD issue. Keeping this unconditional exit 0 => no PR/issue guidance can cause unresolved drift to be silently dropped whenever there are no PENDING/DIVERGENT/ERROR rows.
Six P1/P2 findings from Codex review of 39ae626. Five real fixes, one false positive (gh pr list --limit 200 already present from round 11) noted in the PR comment thread.

- F1 (P1): Output section's "No-op runs leave no trace" paragraph unconditionally said "exit 0 = no PR/issue", contradicting the Process pre-flight unresolved-triage path added in round 16. Reworded to require BOTH `SCRIPT_EXIT == 0` AND zero `no-releases`/`unresolved` rows.
- F2 (P1): Step 3 said "edit the matching workflow file" (singular). The script aggregates same-action+SHA into one variant with `.sources = [file1, file2, …]` but its PENDING summary only prints `sources[0]` — following the printout literally would leave N-1 files stale and self-inflict a `DIVERGENT` row on the next run. Added a grep one-liner to find every matching workflow file.
- F3 (P1): README wrapper said "exit code is the no-op signal" with the carve-out only for DIVERGENT/ERROR. Added the unresolved / no-releases case (script also exits 0 there but still requires a triage issue).
- F6 (P2): `$(date -u +%F)` was recomputed in steps 6, 7, and 8 after step 2 captured `BRANCH`. A run crossing UTC midnight during `npm verify` would push to a different branch name than the one created. Capture `RUN_DATE` once at branch-cut and reuse for commit message, BODY_FILE, push, and PR title.
- F7 (P2): Failure-handling `git branch -D chore/actions-bump-<date>` cleanups in the actionlint and verify-fail bullets weren't gated on non-DRY_RUN. In dry-run, step 2 skips the branch creation, so this delete errors out and short-circuits the rest of the failure path. Added the gate + explanation.
- F4 (P2): Clarifying comment that the `git fetch / switch develop / pull --ff-only` preamble is intentionally NOT DRY_RUN-gated — none of those commands violate the dry-run contract (no commits, no remote-side writes, no cache files), they are idempotent setup.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
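The multi-file concern behind F2 above, as an added example: one function that rewrites every workflow file pinning the action, not only `sources[0]`. This is not the project's script and not the grep one-liner the commit added; the action names, SHAs and the workflow files written by `make_sample_workflows` are constructed, and the 40-hex check on the new SHA is an added safeguard.

```shell
#!/bin/sh
# Added example: apply one PENDING bump to every workflow file that pins the
# action, not only the first file the script's summary prints. Action names,
# SHAs and the workflow files written by make_sample_workflows are constructed
# for illustration.

OLD_SHA=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa   # 40 chars, constructed
NEW_SHA=bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb   # 40 chars, constructed
OTHER_SHA=cccccccccccccccccccccccccccccccccccccccc # pin of an unrelated action

# bump_action_pin DIR ACTION OLD_SHA NEW_SHA NEW_TAG
# Rewrites every "uses: ACTION@OLD_SHA" line under DIR (with or without a
# trailing "# vX.Y.Z" comment) to "uses: ACTION@NEW_SHA # NEW_TAG" and prints
# each file it changed. Returns 2 without touching anything if NEW_SHA is not
# a full 40-hex commit SHA, so a tag name or short SHA can never weaken a pin.
bump_action_pin() {
  case "$4" in *[!0-9a-f]*) echo "refusing non-hex sha: $4" >&2; return 2 ;; esac
  [ "${#4}" -eq 40 ] || { echo "refusing ${#4}-char sha: $4" >&2; return 2; }
  find "$1" -type f \( -name '*.yml' -o -name '*.yaml' \) | while IFS= read -r f; do
    grep -q -- "uses: $2@$3" "$f" || continue
    # Write to a temp file and rename, so a failed sed never truncates the workflow.
    sed "s|uses: $2@$3"'\( *#.*\)\{0,1\}$|'"uses: $2@$4 # $5|" "$f" > "$f.bump" \
      && mv "$f.bump" "$f"
    echo "$f"
  done
}

# Constructed repo: the same action pinned in two steps of one workflow and
# once (without a version comment) in a second workflow, plus an unrelated
# pin that must stay untouched.
make_sample_workflows() {
  mkdir -p "$1/.github/workflows"
  cat > "$1/.github/workflows/ci.yml" <<EOF
name: ci
jobs:
  test:
    steps:
      - uses: example/checkout@$OLD_SHA # v1.1.0
      - uses: example/setup-node@$OTHER_SHA # v4.0.0
  lint:
    steps:
      - uses: example/checkout@$OLD_SHA # v1.1.0
EOF
  cat > "$1/.github/workflows/release.yml" <<EOF
name: release
jobs:
  publish:
    steps:
      - uses: example/checkout@$OLD_SHA
EOF
}

# Stand-alone demo: sh bump_pin.sh demo
if [ "${1:-}" = demo ]; then
  d=$(mktemp -d)
  make_sample_workflows "$d"
  bump_action_pin "$d" example/checkout "$OLD_SHA" "$NEW_SHA" v1.2.0
fi
```

The printed file list is what the routine should stage, rather than a blanket `git add .github/workflows/`, so an unrelated leftover edit on a persistent runner cannot ride along in the bump commit.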
@codex review Round 17 — addressing the 10 findings from your review of 39ae626 in commit f6da3b9. Five real fixes, one false positive flagged: Fixed (5):
Clarified, no behavior change (1):
False positive — no change (1):
💡 Codex Review
Reviewed commit: f6da3b969c
| If a run finds no `PENDING` rows (`scripts/bump-actions.mjs` exits | ||
| 0), the routine does NOT open a PR or an issue. Quiet runs leave | ||
| no trace — same convention as the daily `review-bot` and the |
Correct no-op rule for unresolved statuses
This section says a run with no PENDING rows (scripts/bump-actions.mjs exit 0) should open neither PR nor issue, but the script also exits 0 when rows are no-releases/unresolved. The prompt now treats those statuses as triage-required and mandates opening Unresolved action pins YYYY-MM-DD; following this README text would suppress that issue path and hide unresolved drift.
Two real fixes from Codex review of f6da3b9. Third finding (G1) is a misread — the branch creation IS dry-run-gated at lines 206-219; Codex anchored on the post-gate `BASE_SHA` line. Will dismiss in the PR comment.

- G3 (P2, README): Round-17 fixed PROMPT.md's "No-op runs leave no trace" paragraph but missed the parallel paragraph in README. Now the README also requires both `SCRIPT_EXIT == 0` AND zero `no-releases`/`unresolved` rows before claiming a true no-op, with the unresolved-triage carve-out spelled out.
- G2 (P2, PROMPT.md): Bumped `gh pr list --limit 200 → 1000` (gh's hard cap per page) plus a comment on why the limit is sufficient. The prior `200` was already enough in practice (the `--search "author:..."` clause scopes to one login's open PRs in this repo, in practice well below 200), but `1000` removes the defensive concern about high-volume accounts.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@codex review Round 18 (82838c2) addressing the 3 findings on f6da3b9. Fixed (2):
Misread — no change (1):
💡 Codex Review
Reviewed commit: 82838c2222
| The routine no-ops cleanly when `scripts/bump-actions.mjs` exits 0: | ||
| no PR is opened, no issue is opened, no branch is pushed. If every |
Handle exit-0 unresolved rows before declaring no-op
This statement says any scripts/bump-actions.mjs exit code 0 means “no PR, no issue,” but the script also exits 0 for no-releases/unresolved statuses, which still require filing an Unresolved action pins YYYY-MM-DD issue per the prompt. If an operator follows this cadence section literally (e.g., a run with only unresolved rows), the required triage issue will be skipped and drift will be silently hidden.
…ve-out

Three findings on 82838c2. One real fix, two structural rewrites to defeat Codex's recurring misreads of the same code.

- H3 (P2, README:211): Real fix. The README's Cadence section had a third stale "exit 0 = no-op" paragraph (line 210-214) that rounds 16-18 missed. Now requires both `SCRIPT_EXIT == 0` AND zero `no-releases`/`unresolved` rows, with the triage-issue carve-out spelled out.
- H1 (P2, PROMPT.md:220): Restructure for visual clarity. Codex flagged the post-gate `BASE_SHA="$(git rev-parse HEAD)"` line as if branch creation were ungated (it's gated at lines 206-219). Moved BASE_SHA into both branches of the if/else: dry-run path uses `git rev-parse develop` (HEAD never moved), non-dry-run path uses `git rev-parse HEAD` (which equals develop's tip after the fresh `-C` from develop). Both yield the same SHA but the gating is now syntactically explicit per branch instead of relying on a read-after-fi.
- H2 (P2, PROMPT.md:509): Codex re-flagged "without --limit" despite `--limit 1000` being three lines above. The continuation-line layout was visually splitting the limit from the search filter. Collapsed `--base / --state` onto one line and `--limit / --search` onto the next so the limit is visually adjacent to the filter that defines the candidate set. Comment moved above the call so the rationale leads.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@codex review Round 19 (3c9c059) on the 3 findings from 82838c2. Real fix (1):
Structural rewrites to defeat recurring misreads (2):
If H1/H2 still flag in the next round, the underlying signal is your reviewer pattern-matching on visual structure rather than semantics — happy to discuss alternative layouts.
💡 Codex Review
Reviewed commit: 3c9c059bc2
| git fetch origin | ||
| git switch develop | ||
| git pull --ff-only origin develop |
Require a clean worktree before starting bump flow
This preflight only refreshes refs (fetch/switch/pull) and does not clear tracked local edits from prior interrupted runs on a persistent runner. Later in step 6 the routine stages the entire workflows directory (git add .github/workflows/), so stale leftover edits can be silently committed into a new bump PR. Please add an explicit clean-tree check (and abort) or reset/clean before applying bumps to prevent cross-run contamination.
One P2 finding on 3c9c059. Real fix.

I1 (P2, PROMPT.md:199): On a persistent runner, a prior interrupted run can leave tracked edits or untracked files under .github/workflows/. Step 6's `git add .github/workflows/` would silently stage those leftovers into the bump PR, polluting the diff with unrelated changes.

Added a three-part cleanliness check right after `git pull --ff-only` — staged + unstaged tracked edits + untracked files in the workflows dir. Aborts loudly with a git-status pointer for the operator. Deliberately does NOT auto-clean (`git restore` / `git clean -f`) because the leftover edits might be intentional in-progress work the operator wants to preserve.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@codex review Round 20 (94fb361) on the 1 finding from 3c9c059. I1 (P2, PROMPT.md:199) — Real fix. Added a three-part worktree-cleanliness assertion immediately after
Any of the three present aborts the run with a
Tracks: #130
Tracks: #131
Adds the weekly action-SHA-bump cloud-routine prompt + README scaffold
under docs/actions-bump-bot/. The routine wraps the existing
scripts/bump-actions.mjs (which already peels annotated tags via
tagToCommitSha) into a weekly PR-opening workflow. Failure issues land
under the actions-bump-bot label per the umbrella's cloud-routine
output convention.
Ticks row 3 of the umbrella tracker.