[docs-agent] Rename Alchemy Rollups overview page title to "Alchemy Rollups" #1263

Closed
JackReacher0807 wants to merge 1 commit into main from docs/rename-rollups-overview-title

@JackReacher0807
Collaborator

Summary

Renames the rollups landing page title from Alchemy Rollups Overview to Alchemy Rollups.

Requested by

@SahilAujla (via Slack thread)

Linear

DOCS-65 — https://linear.app/alchemyapi/issue/DOCS-65/rename-alchemy-rollups-overview-page-title-to-alchemy-rollups

Drop trailing 'Overview' from the rollups landing page (/docs/rollups)
title so it reads simply 'Alchemy Rollups'. Frontmatter only; no slug,
description, or body changes.
@JackReacher0807 JackReacher0807 requested a review from a team as a code owner April 24, 2026 23:39
@github-actions

github-actions Bot commented Apr 24, 2026

🔗 Preview Mode

| Name | Status | Preview | Updated (UTC) |
| --- | --- | --- | --- |
| Alchemy Docs | ✅ Ready | 🔗 Visit Preview | Apr 24, 2026, 11:40 PM |

@github-actions

🔍 Link Check

Status: ❌ Failed

Summary

| Status | Count |
| --- | --- |
| 🔍 Total | 8008 |
| ✅ Successful | 6853 |
| ⏳ Timeouts | 0 |
| 🔀 Redirected | 458 |
| 👻 Excluded | 676 |
| ❓ Unknown | 0 |
| 🚫 Errors | 20 |
| ⛔ Unsupported | 1 |
Broken links (20)

Errors per input

Errors in ./content/wallets/wallet-integrations/privy/react-migration.mdx

Errors in ./content/wallets/wallet-integrations/privy/jwt-auth-migration.mdx

Errors in ./content/wallets/wallet-integrations/privy/signer-migration-overview.mdx

Errors in ./content/api-reference/arbitrum-nova/arbitrum-nova-deprecation-notice.mdx

@SahilAujla
Collaborator

closing as it was a test!

@SahilAujla SahilAujla closed this Apr 25, 2026
SahilAujla added a commit that referenced this pull request Apr 25, 2026
…n approvals on day one

Three bugs caught before any workflow run hit production. Two flagged
by codex review (P1 #3141497645, P1 #3141497647); the third I caught
during local end-to-end testing of the fixes.

1. gh api needs --method GET (codex #3141497645)

   `gh api -F per_page=100 ...` defaults to POST per the gh manual
   ("If the request is not GET, automatically uses POST when -f/-F
   are given"). The pull-request commits endpoint is GET-only; the
   POST request hit a non-existent endpoint and returned 404,
   sending every approval through the fail-closed dismissal path.
   Net effect would have been: every approval on every docs-agent PR
   silently dismissed, blocking all merges.

   Fix: explicit --method GET.

2. VALIDSIG fingerprint match was on signing subkey, not primary
   (codex #3141497647)

   GPG's status-line format:
     [GNUPG:] VALIDSIG <signing_key_fpr> <date> ... <primary_key_fpr>

   When a key has signing subkeys (the default for keys generated
   with `gpg --full-generate-key`), the FIRST fingerprint after
   VALIDSIG is the signing subkey and the LAST field is the primary
   key. Our pinned EXPECTED_FPR is the primary fingerprint, so
   matching against the first field never matched. Every signed
   commit was filtered out as untrusted; ALL_REQUESTED_BY ended
   up empty; missing-attribution path fired on every PR; rule
   never enforced.

   Fix: extract the LAST field of the VALIDSIG line via awk and
   compare against EXPECTED_FPR.

3. Payload needed trailing newline before gpg verification (caught
   in local testing — not flagged by codex)

   Git signs the commit object as raw bytes with a trailing \n.
   GitHub's verification.payload preserves those bytes, but jq -r
   decodes them as a string, and writing back via printf '%s' drops
   the trailing newline. Without it, gpg outputs BADSIG on every
   commit. Same downstream effect as #2.

   Fix: write payload with printf '%s\n'.

End-to-end tested locally against PR #1263's docs-agent commit:
fetch returns the commit, gpg verifies, primary fpr matches
expected. Trailer extraction would proceed.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
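
The VALIDSIG field mix-up and the dropped payload newline described in the commit message above, as an added shell example (not the repository's workflow code). The fingerprints, status lines, payload and function names are constructed, and it assumes the payload passes through a shell variable on its way to disk.

```shell
#!/bin/sh
# Added illustration; fingerprints, status lines and payload are constructed.

EXPECTED_FPR="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"   # pinned PRIMARY key
SUBKEY_FPR="BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"     # its signing subkey

# Shape of `gpg --status-fd 1 --verify` output for a commit signed by the subkey.
STATUS_SUBKEY="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG BBBBBBBBBBBBBBBB docs-agent <agent@example.invalid>
[GNUPG:] VALIDSIG $SUBKEY_FPR 2026-04-24 1777074000 0 4 0 1 10 00 $EXPECTED_FPR"

# A bad signature produces no VALIDSIG line at all.
STATUS_BAD="[GNUPG:] NEWSIG
[GNUPG:] BADSIG BBBBBBBBBBBBBBBB docs-agent <agent@example.invalid>"

# First field after VALIDSIG: the key that made the signature (here the subkey).
signing_fpr() { printf '%s\n' "$1" | awk '$2 == "VALIDSIG" { print $3; exit }'; }

# Last field of VALIDSIG: the primary key that owns the signing key.
primary_fpr() { printf '%s\n' "$1" | awk '$2 == "VALIDSIG" { print $NF; exit }'; }

# Trusted only if a VALIDSIG line exists and its primary fingerprint is the pinned one.
is_trusted() {
  [ -n "$EXPECTED_FPR" ] && [ "$(primary_fpr "$1")" = "$EXPECTED_FPR" ]
}

# Signed commit payload: the bytes end with a newline.
ORIGINAL='tree 0000
author docs-agent

message
'
# Command substitution strips trailing newlines, so the decoded copy is one byte short.
DECODED="$(printf '%s' "$ORIGINAL")"

# Bytes that reach the file for a given printf format.
written_len() { printf "$1" "$2" | wc -c | tr -d ' '; }

printf 'signing=%s\nprimary=%s\n' "$(signing_fpr "$STATUS_SUBKEY")" "$(primary_fpr "$STATUS_SUBKEY")"
printf 'signed=%s bytes, without newline=%s, restored=%s\n' \
  "$(written_len '%s' "$ORIGINAL")" "$(written_len '%s' "$DECODED")" "$(written_len '%s\n' "$DECODED")"
```
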
SahilAujla added a commit that referenced this pull request Apr 25, 2026
Codex P1 (id 3141513483) plus three additional gaps caught in a full
audit before pushing this commit. End-to-end tested locally against
PRs #1261 (no trailer), #1263 (no trailer), and #1264 (trailer present)
across 6 cases: originator dismissal (canonical + case-variant),
non-originator allow, missing-attribution warn for various approvers.
All 6 cases produce the expected outcome.

1. Add `contents: read` permission (codex P1)

   Setting `permissions:` explicitly removes any unlisted permission
   (sets to `none`). Without `contents: read`, `actions/checkout`
   fails on private/internal repos before the dismissal logic runs,
   so the self-approval rule is never enforced. Adds the read-only
   permission needed for sparse checkout of the pubkey file.

2. Verify pubkey loaded after gpg --import (audit gap)

   If the pubkey import silently succeeded-but-loaded-no-keys
   (corrupted file, empty file, etc.), every commit's signature
   verification would fail the trust filter, ALL_REQUESTED_BY would
   end up empty, and the workflow would silently degrade to the
   missing-attribution warn-only path on EVERY PR — never enforcing.
   Now: `gpg --list-keys $EXPECTED_FPR` after import; if absent,
   dismiss the approval and exit 1.

3. Paginate the comments-list call used for duplicate-warning
   suppression (audit gap)

   PRs that accumulate >30 comments (over weeks) could push the
   existing warning comment off the first page; without pagination
   the duplicate-suppression check would miss it and post a
   duplicate every approval. Adds `--paginate -F per_page=100` +
   `jq -s 'add'`.

4. Explicit `event=DISMISS` on dismissals API calls (audit gap)

   The PUT /dismissals endpoint defaults `event` per most-recent
   docs but historical behavior has varied. Setting it explicitly
   avoids relying on an undocumented default for a security-critical
   call.

Test matrix run locally before this commit:

  PR #1264 approver=SahilAujla    expected=dismiss actual=dismiss OK
  PR #1264 approver=danielcoyle   expected=allow   actual=allow   OK
  PR #1264 approver=SAHILAUJLA    expected=dismiss actual=dismiss OK
  PR #1263 approver=SahilAujla    expected=warn    actual=warn    OK
  PR #1263 approver=anyone        expected=warn    actual=warn    OK
  PR #1261 approver=SahilAujla    expected=warn    actual=warn    OK

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
SahilAujla added a commit that referenced this pull request Apr 25, 2026
Codex flagged a P1 where `gpg --verify` returning non-zero (BADSIG on a
tampered payload, NO_PUBKEY for an unrelated signer, malformed signature
data) would abort the step under `set -euo pipefail` before the else
branch could run — turning "skip an untrusted commit" into a hard
workflow failure that prevented the dismissal logic from running for
legitimately verified commits later in the loop.

Wrap the verify in `if gpg_status="$(...)"; then ...` so a non-zero
exit just falls through to the SKIP path with primary_fpr="".

Pre-push audit also caught four init-path gaps where a transient or
silent failure could have left an approval intact:

1. gpg --import itself can fail (corrupted .asc, wrong format) — now
   wrapped in `if !` and fail-closed.
2. .github/workflows/docs-agent-pubkey.asc could be deleted from main —
   added existence check before --import, fail-closed if missing.
3. Dismissal API calls were single-attempt — added dismiss_with_retry()
   with 3 attempts and exponential backoff; used everywhere we dismiss.
4. Originator-match dismissal previously appended `|| true` — now
   exit 1 if all 3 retries fail, so a transient API hiccup surfaces
   instead of silently leaving the approval intact.

Local test matrix (PR #1264 with Requested-by: @SahilAujla, PR #1263
with no trailer, PR #1261 likewise, plus PR #1262 which has only
human-authored commits): all 7 cases produce the expected outcome
(dismiss / allow / warn-only). Tampered-payload BADSIG test confirms
the step survives instead of aborting.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
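
The `if gpg_status="$(...)"` wrapper and a three-attempt retry of the kind described in the commit message above, as an added shell example (not the repository's workflow code). `fake_verify`, `dismiss_once`, `classify_commits`, `BACKOFF_BASE` and the status lines are hypothetical stand-ins; only the name `dismiss_with_retry` comes from the page, and its body here is an assumption.

```shell
#!/bin/sh
# Added illustration: fake_verify and dismiss_once are hypothetical stand-ins for
# `gpg --verify` and the dismissals API call. The commit message names
# `set -euo pipefail`; the abort shown here comes from -e alone.
set -eu

# Stand-in verifier: exits non-zero on a bad signature, as gpg does.
fake_verify() {
  case "$1" in
    good) echo "[GNUPG:] VALIDSIG SUBKEYFPR 2026-04-24 0 0 4 0 1 10 00 PRIMARYFPR" ;;
    *)    echo "[GNUPG:] BADSIG 0000000000000000 constructed"; return 1 ;;
  esac
}

# Classify each commit; a failed verification must not abort the loop.
# A command substitution used as an `if` condition is exempt from `set -e`.
classify_commits() {
  result=""
  for c in "$@"; do
    if gpg_status="$(fake_verify "$c")"; then
      primary_fpr="$(printf '%s\n' "$gpg_status" | awk '$2 == "VALIDSIG" { print $NF; exit }')"
    else
      primary_fpr=""   # SKIP path: untrusted commit, later commits still run
    fi
    result="$result${primary_fpr:-SKIP} "
  done
  printf '%s\n' "${result% }"
}

FAILS_LEFT=0   # how many times the stand-in API call fails before succeeding
dismiss_once() {
  if [ "$FAILS_LEFT" -gt 0 ]; then FAILS_LEFT=$((FAILS_LEFT - 1)); return 1; fi
}

# Three attempts with exponential backoff. Returns non-zero when all fail so the
# caller can `exit 1` rather than leave the approval intact.
BACKOFF_BASE="${BACKOFF_BASE:-0}"   # seconds before the first retry; 0 keeps the demo instant
dismiss_with_retry() {
  attempt=1
  delay="$BACKOFF_BASE"
  while [ "$attempt" -le 3 ]; do
    if dismiss_once; then return 0; fi
    if [ "$attempt" -lt 3 ]; then sleep "$delay"; delay=$((delay * 2)); fi
    attempt=$((attempt + 1))
  done
  return 1
}

classify_commits good bad good   # prints: PRIMARYFPR SKIP PRIMARYFPR
```
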