
chore: update fullsend shim workflow#3

Open
fullsend-ai-fullsend[bot] wants to merge 1 commit into main from fullsend/onboard

@fullsend-ai-fullsend
Contributor

This PR updates the fullsend shim workflow to match the current template in the .fullsend config repo.

The shim content has drifted from the template — this brings it back in sync.

@fullsend-ai-review

fullsend-ai-review Bot commented May 19, 2026

Review

Findings

High

  • [protected-path] .github/workflows/fullsend.yaml — This PR modifies a file under the .github/ protected path. The PR has no linked issue providing authorization for changes to governance/infrastructure files. Human approval is required for all protected-path changes.
    Remediation: Link an authorizing issue that explains the need for this workflow change, or have a human reviewer approve directly.

Info

  • [code-analysis] .github/workflows/fullsend.yaml:47 — The removal of secrets: {} from the dispatch job's reusable workflow invocation is a no-op change. In GitHub Actions, omitting the secrets key and passing secrets: {} are functionally equivalent — both forward zero secrets to the called workflow. The workflow header comment confirms agents use OIDC tokens, not forwarded secrets. No correctness, security, or behavioral impact.
Previous run

Review — approve

Outcome: approve

Summary

Re-review of the same logical change (prior review at 1cfd588b, provenance: app-verified). The PR removes the explicit secrets: {} line from the dispatch job's reusable workflow invocation in .github/workflows/fullsend.yaml. In GitHub Actions, omitting the secrets key and passing secrets: {} are functionally equivalent — both result in no secrets being forwarded to the called reusable workflow. The workflow header comment confirms: "No secrets are needed in the enrolled repo — agents fetch scoped tokens from the centralized token mint using GitHub OIDC."

The change is a 1-line deletion that syncs the shim with the upstream template. No behavioral change, no security impact, no documentation staleness.

Dimensions

Dimension Result
Correctness ✅ No behavioral change — secrets: {} and omitting secrets both forward zero secrets
Intent alignment ✅ Scoped to template sync as described
Platform security ✅ No secrets exposure change; OIDC token flow unaffected
Content security ✅ N/A — no user content handling
Injection defense ✅ No suspicious patterns in PR body or diff
Style/conventions ✅ Consistent with workflow conventions
Documentation currency ✅ No in-repo docs reference the secrets key in the dispatch job

Protected paths detected — this PR modifies files under one or more
protected paths. The review agent cannot approve PRs that touch these paths.
A human reviewer must approve this PR.

Protected files in this PR:

  • .github/workflows/fullsend.yaml

Previous run (2)

Review — approve

Outcome: approve

Summary

Re-review of the same logical change (prior review at e096e666, provenance: app-verified). The PR removes the explicit secrets: {} line from the dispatch job's workflow_call invocation in .github/workflows/fullsend.yaml. In GitHub Actions, omitting the secrets key and passing an empty secrets: {} are functionally equivalent — both result in no secrets being forwarded to the called reusable workflow. The workflow's own header comment confirms "No secrets are needed in the enrolled repo."

The change is a 1-line deletion that syncs the shim with the upstream template. No behavioral change, no security impact, no documentation staleness.

Dimensions

Dimension Result
Correctness ✅ No behavioral change — both forms pass zero secrets
Intent alignment ✅ Scoped to template sync as described
Platform security ✅ No secrets exposure change
Content security ✅ N/A — no user content handling
Injection defense ✅ No suspicious patterns in PR content
Style/conventions ✅ Consistent with workflow conventions
Documentation currency ✅ No docs reference this line

Protected paths detected — this PR modifies files under one or more
protected paths. The review agent cannot approve PRs that touch these paths.
A human reviewer must approve this PR.

Protected files in this PR:

  • .github/workflows/fullsend.yaml

Previous run (3)

Review — approve

Outcome: approve

Summary

Re-review of the same logical change (prior review at 8a0f1126, provenance: app-verified). The PR removes the explicit secrets: {} line from the dispatch job's workflow_call invocation in .github/workflows/fullsend.yaml. In GitHub Actions, omitting the secrets key and passing an empty secrets: {} are functionally equivalent — both result in no secrets being forwarded to the called reusable workflow. The workflow's own header comment confirms "No secrets are needed in the enrolled repo."

The change is a 1-line deletion that syncs the shim with the upstream template. No behavioral change, no security impact, no documentation staleness.

Dimensions

Dimension Result
Correctness ✅ No behavioral change — both forms pass zero secrets
Intent alignment ✅ Scoped to template sync as described
Platform security ✅ No secrets exposure change
Content security ✅ N/A — no user content handling
Injection defense ✅ No suspicious patterns in PR content
Style/conventions ✅ Consistent with workflow conventions
Documentation currency ✅ No docs reference this line

Protected paths detected — this PR modifies files under one or more
protected paths. The review agent cannot approve PRs that touch these paths.
A human reviewer must approve this PR.

Protected files in this PR:

  • .github/workflows/fullsend.yaml

Previous run (4)

Review — approve

Outcome: approve

Summary

Re-review of the same logical change (prior review at a7c40afd, provenance: app-verified). The PR removes the explicit secrets: {} line from the dispatch job's workflow_call invocation in .github/workflows/fullsend.yaml. In GitHub Actions, omitting the secrets key and passing an empty secrets: {} are functionally equivalent — both result in no secrets being forwarded to the called reusable workflow. The workflow's own header comment confirms "No secrets are needed in the enrolled repo."

The change is a 1-line deletion that syncs the shim with the upstream template. No behavioral change, no security impact, no documentation staleness.

Dimensions

Dimension Result
Correctness ✅ No behavioral change — both forms pass zero secrets
Intent alignment ✅ Scoped to template sync as described
Platform security ✅ No secrets exposure change
Content security ✅ N/A — no user content handling
Injection defense ✅ No suspicious patterns in PR content
Style/conventions ✅ Consistent with workflow conventions
Documentation currency ✅ No docs reference this line

Protected paths detected — this PR modifies files under one or more
protected paths. The review agent cannot approve PRs that touch these paths.
A human reviewer must approve this PR.

Protected files in this PR:

  • .github/workflows/fullsend.yaml

Previous run (5)

Review — approve

Outcome: approve

Summary

Re-review of the same logical change (prior review at 5b554814, provenance: app-verified). The PR removes the explicit secrets: {} line from the dispatch job's workflow_call invocation in .github/workflows/fullsend.yaml. In GitHub Actions, omitting the secrets key and passing an empty secrets: {} are functionally equivalent — both result in no secrets being forwarded to the called reusable workflow. The workflow's own header comment confirms "No secrets are needed in the enrolled repo."

The change is a 1-line deletion that syncs the shim with the upstream template. No behavioral change, no security impact, no documentation staleness.

Dimensions

Dimension Result
Correctness ✅ No behavioral change — both forms pass zero secrets
Intent alignment ✅ Scoped to template sync as described
Platform security ✅ No secrets exposure change
Content security ✅ N/A — no user content handling
Injection defense ✅ No suspicious patterns in PR content
Style/conventions ✅ Consistent with workflow conventions
Documentation currency ✅ No docs reference this line

Protected paths detected — this PR modifies files under one or more
protected paths. The review agent cannot approve PRs that touch these paths.
A human reviewer must approve this PR.

Protected files in this PR:

  • .github/workflows/fullsend.yaml

Previous run (6)

Review — approve

Outcome: approve

Summary

Re-review of the same logical change (prior review at c4135208, provenance: app-verified). The PR removes the explicit secrets: {} line from the dispatch job's workflow_call invocation in .github/workflows/fullsend.yaml. In GitHub Actions, omitting the secrets key and passing an empty secrets: {} are functionally equivalent — both result in no secrets being forwarded to the called reusable workflow. The workflow's own header comment confirms "No secrets are needed in the enrolled repo."

The change is a 1-line deletion that syncs the shim with the upstream template. No behavioral change, no security impact, no documentation staleness.

Dimensions

Dimension Result
Correctness ✅ No behavioral change — both forms pass zero secrets
Intent alignment ✅ Scoped to template sync as described
Platform security ✅ No secrets exposure change
Content security ✅ N/A — no user content handling
Injection defense ✅ No suspicious patterns in PR content
Style/conventions ✅ Consistent with workflow conventions
Documentation currency ✅ No docs reference this line

Protected paths detected — this PR modifies files under one or more
protected paths. The review agent cannot approve PRs that touch these paths.
A human reviewer must approve this PR.

Protected files in this PR:

  • .github/workflows/fullsend.yaml
Previous run (7)

Review — approve

Outcome: approve

Summary

Re-review of the same logical change (prior review at c4135208, provenance: app-verified). The PR removes the explicit secrets: {} line from the dispatch job's workflow_call invocation in .github/workflows/fullsend.yaml. In GitHub Actions, omitting the secrets key and passing an empty secrets: {} are functionally equivalent — both result in no secrets being forwarded to the called reusable workflow. The workflow's own header comment confirms "No secrets are needed in the enrolled repo."

The change is a 1-line deletion that syncs the shim with the upstream template. No behavioral change, no security impact, no documentation staleness.

Dimensions

Dimension Result
Correctness ✅ No behavioral change — both forms pass zero secrets
Intent alignment ✅ Scoped to template sync as described
Platform security ✅ No secrets exposure change
Content security ✅ N/A — no user content handling
Injection defense ✅ No suspicious patterns in PR content
Style/conventions ✅ Consistent with workflow conventions
Documentation currency ✅ No docs reference this line

Protected paths detected — this PR modifies files under one or more
protected paths. The review agent cannot approve PRs that touch these paths.
A human reviewer must approve this PR.

Protected files in this PR:

  • .github/workflows/fullsend.yaml

Previous run (8)

Review — approve

Outcome: approve

Summary

This PR removes the explicit secrets: {} line from the dispatch job's workflow_call invocation in .github/workflows/fullsend.yaml. In GitHub Actions, omitting the secrets key and passing an empty secrets: {} are functionally equivalent — both result in no secrets being forwarded to the called reusable workflow. The workflow's own header comment confirms "No secrets are needed in the enrolled repo."

The change is a 1-line deletion that syncs the shim with the upstream template. No behavioral change, no security impact, no documentation staleness.

Dimensions

Dimension Result
Correctness ✅ No behavioral change — both forms pass zero secrets
Intent alignment ✅ Scoped to template sync as described
Platform security ✅ No secrets exposure change
Content security ✅ N/A — no user content handling
Injection defense ✅ No suspicious patterns in PR content
Style/conventions ✅ Consistent with workflow conventions
Documentation currency ✅ No docs reference this line

Protected paths detected — this PR modifies files under one or more
protected paths. The review agent cannot approve PRs that touch these paths.
A human reviewer must approve this PR.

Protected files in this PR:

  • .github/workflows/fullsend.yaml

@fullsend-ai-review fullsend-ai-review Bot added the requires-manual-review Review requires human judgment label May 19, 2026
@fullsend-ai-review fullsend-ai-review Bot added requires-manual-review Review requires human judgment and removed requires-manual-review Review requires human judgment labels May 19, 2026
@fullsend-ai-review fullsend-ai-review Bot added requires-manual-review Review requires human judgment and removed requires-manual-review Review requires human judgment labels May 19, 2026
@fullsend-ai-review fullsend-ai-review Bot added requires-manual-review Review requires human judgment and removed requires-manual-review Review requires human judgment labels May 19, 2026
@fullsend-ai-review fullsend-ai-review Bot added requires-manual-review Review requires human judgment and removed requires-manual-review Review requires human judgment labels May 19, 2026
@fullsend-ai-fullsend fullsend-ai-fullsend Bot force-pushed the fullsend/onboard branch 2 times, most recently from 93e7415 to 1cfd588 Compare May 20, 2026 08:11
@fullsend-ai-review fullsend-ai-review Bot added requires-manual-review Review requires human judgment and removed requires-manual-review Review requires human judgment labels May 20, 2026
@fullsend-ai-review fullsend-ai-review Bot added requires-manual-review Review requires human judgment and removed requires-manual-review Review requires human judgment labels May 20, 2026
@fullsend-ai-fullsend fullsend-ai-fullsend Bot force-pushed the fullsend/onboard branch 2 times, most recently from bdc6b08 to 9b3886d Compare May 21, 2026 12:06

@fullsend-ai-review fullsend-ai-review Bot left a comment


See the review comment for full details.

with:
event_action: ${{ github.event.action }}
secrets: {}
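
Review bot: At the `secrets: {}` line after `event_action`, dropping the key leaves nothing at this call site that records the call is meant to forward no secrets. A short comment beside `with:` saying the omission is deliberate would make a later `secrets: inherit` or a named secret added here stand out as a change of intent rather than a fill-in of something missing.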


[info] code-analysis

The removal of secrets: {} from the dispatch job reusable workflow invocation is a no-op change. In GitHub Actions, omitting the secrets key and passing secrets: {} are functionally equivalent. No correctness, security, or behavioral impact.

@fullsend-ai-review fullsend-ai-review Bot removed the requires-manual-review Review requires human judgment label May 21, 2026