build: add artifact upload to github pages deploy #2
Merged
dslovinsky merged 1 commit into main on Jan 1, 2025
SahilAujla added a commit that referenced this pull request on Apr 25, 2026:
…n approvals on day one
Three bugs caught before any workflow run hit production. Two flagged
by codex review (P1 #3141497645, P1 #3141497647); the third I caught
during local end-to-end testing of the fixes.
1. gh api needs --method GET (codex #3141497645)
`gh api -F per_page=100 ...` defaults to POST per the gh manual
("If the request is not GET, automatically uses POST when -f/-F
are given"). The pull-request commits endpoint is GET-only; the
POST request hit a non-existent endpoint and returned 404,
sending every approval through the fail-closed dismissal path.
Net effect would have been: every approval on every docs-agent PR
silently dismissed, blocking all merges.
Fix: explicit --method GET.
2. VALIDSIG fingerprint match was on signing subkey, not primary
(codex #3141497647)
GPG's status-line format:
[GNUPG:] VALIDSIG <signing_key_fpr> <date> ... <primary_key_fpr>
When a key has signing subkeys (the default for keys generated
with `gpg --full-generate-key`), the FIRST fingerprint after
VALIDSIG is the signing subkey and the LAST field is the primary
key. Our pinned EXPECTED_FPR is the primary fingerprint, so
matching against the first field never matched. Every signed
commit was filtered out as untrusted; ALL_REQUESTED_BY ended
up empty; missing-attribution path fired on every PR; rule
never enforced.
Fix: extract the LAST field of the VALIDSIG line via awk and
compare against EXPECTED_FPR.
3. Payload needed trailing newline before gpg verification (caught
in local testing — not flagged by codex)
Git signs the commit object as raw bytes with a trailing \n.
GitHub's verification.payload preserves those bytes, but jq -r
decodes them as a string, and writing back via printf '%s' drops
the trailing newline. Without it, gpg outputs BADSIG on every
commit. Same downstream effect as #2.
Fix: write payload with printf '%s\n'.
End-to-end tested locally against PR #1263's docs-agent commit:
fetch returns the commit, gpg verifies, primary fpr matches
expected. Trailer extraction would proceed.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
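The VALIDSIG parsing and the fail-closed comparison that the commit message describes, as an added example that is not the PR's own workflow code. The gpg status lines, the fingerprints and the `EXPECTED_FPR` value are constructed placeholders, and the function names are hypothetical; the example only shows the field-selection logic (last field versus first field) and the trailing-newline rule for the payload, and does not call gpg or gh itself.

```sh
#!/bin/sh
# Added example (not from the PR): parse a `gpg --status-fd 1 --verify`
# stream the way the commit message describes. The LAST field of the
# VALIDSIG line is the primary-key fingerprint; the field right after
# VALIDSIG is the signing subkey. Fail closed when nothing verifies.
#
# The fetch side of the check, for reference (not executed here), is the
# GET-only endpoint the commit message mentions:
#   gh api --method GET -F per_page=100 "repos/$OWNER/$REPO/pulls/$PR/commits"

# Constructed sample status output: a signature made with a signing
# subkey whose primary key is the pinned one. Fingerprints are placeholders.
SAMPLE_STATUS_OK='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1111222233334444 Docs Agent <docs-agent@example.invalid>
[GNUPG:] VALIDSIG AAAA1111222233334444555566667777888899990000 2025-01-01 1735689600 0 4 0 1 10 00 BBBB0000999988887777666655554444333322221111'

# A failed signature (for example a payload written without its trailing
# newline) yields BADSIG and no VALIDSIG line at all.
SAMPLE_STATUS_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 1111222233334444 Docs Agent <docs-agent@example.invalid>'

# Pinned primary-key fingerprint (placeholder value).
EXPECTED_FPR='BBBB0000999988887777666655554444333322221111'

# Print the primary-key fingerprint from a status stream on stdin.
# Prints nothing when there is no VALIDSIG line. $1 is "[GNUPG:]",
# $2 the keyword, so $NF is the last field of the VALIDSIG line.
primary_fpr_from_status() {
    awk '$2 == "VALIDSIG" { print $NF; exit }'
}

# The field the buggy version compared: the signing subkey, not the primary.
subkey_fpr_from_status() {
    awk '$2 == "VALIDSIG" { print $3; exit }'
}

# Return 0 only when the stream carries a VALIDSIG whose primary
# fingerprint equals EXPECTED_FPR. BADSIG, a missing line, or a
# mismatching fingerprint all return 1 (fail closed).
signature_is_trusted() {
    fpr=$(printf '%s\n' "$1" | primary_fpr_from_status)
    [ -n "$fpr" ] && [ "$fpr" = "$EXPECTED_FPR" ]
}

# Bug 3 from the commit message: git signed the object bytes including a
# trailing newline, so the payload handed to gpg must be written with
# printf '%s\n', not printf '%s'. Returns the byte count of what gpg sees.
payload_bytes() {
    printf '%s\n' "$1" | wc -c | tr -d ' '
}

# Stand-alone run: report the two outcomes.
if signature_is_trusted "$SAMPLE_STATUS_OK"; then
    echo "sample OK: primary fingerprint matches pin"
fi
if ! signature_is_trusted "$SAMPLE_STATUS_BAD"; then
    echo "sample BAD: rejected (no VALIDSIG line)"
fi
```

Reading `$NF` rather than `$3` is the whole fix: on a key with a signing subkey the two fields differ, so a pin on the primary fingerprint compared against `$3` rejects every genuine signature, which is exactly the silent "nothing is ever trusted" failure the commit message reports.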