From 5a88a306205140752b6c6725083530c449f5601d Mon Sep 17 00:00:00 2001
From: heznpc <heznpc@gmail.com>
Date: Fri, 29 May 2026 08:15:50 +0900
Subject: [PATCH] =?UTF-8?q?chore(eddy):=20fix=20code-review=20findings=20?=
 =?UTF-8?q?=E2=80=94=20workflow=20split,=20et=20al.=20truncation?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Addresses all 8 findings from /code-review on PR #2.

[CONFIRMED, HIGH]
1. build-pdf.yml: drop pull_request paths filter so the required status
   check fires on every PR (not only paper/** PRs). Avoids future
   non-paper PRs being blocked by missing required check.

2. paper/main.bib: replace full author lists in faraone2021 and
   cortese2025 with `and others` (BibTeX `et al.` idiom honored by
   ACM-Reference-Format). Restores the truncation the original inline
   thebibliography had, prevents 8-page sigconf limit overrun for
   ASSETS 2026.

[PLAUSIBLE]
3. UTF-8 / LaTeX-escape mix in main.bib resolved as side effect of
   fix #2 — the only previous UTF-8 entries (Bölte, Søren, César,
   Døpfner, etc.) lived inside faraone2021's expanded author list,
   which is now `and others`. Remaining diacritic `Dah{\`o}` is the
   sole LaTeX-escape entry; consistent.

4. build-pdf.yml: split into two jobs. `build` (contents:read +
   attestations:write + id-token:write) runs on all triggers. New
   `publish-pdf` job (needs: build, contents:write) gated to push to
   main does the auto-commit. SLSA attestation stays in `build`.
   contents:write no longer leaks into compile/attest/upload steps.

5. .zenodo.json: verified against current Zenodo InvenioRDM vocabulary
   (https://zenodo.org/api/vocabularies/resourcetypes). Legacy field
   `publication_type: workingpaper` maps to canonical
   `publication-workingpaper`. No code change required — finding
   downgraded to verified-correct.

6. gitleaks.yml: add `branches: [main]` to the pull_request trigger so
   it is symmetric with the push trigger. Prevents double-scanning if
   feature branches with their own PR cycles appear later.

7. CITATION.cff: change preferred-citation.type from `article` to
   `preprint`; add `repository` and `institution.name: Zenodo`.
   Citation managers (Zotero/Mendeley) now classify correctly.

8. .gitignore: add `*.bcf` and `*.run.xml` for biber/biblatex
   artifacts. Covers a future migration without leaking aux files.

Branch-protection note: required check context renamed from
`Compile and (on main push) publish PDF` → `build` (updated via
gh api before this PR was opened).
---
 .github/workflows/build-pdf.yml | 38 +++++++++++++++++++++++++--------
 .github/workflows/gitleaks.yml  |  1 +
 .gitignore                      |  3 +++
 CITATION.cff                    |  6 +++++-
 paper/main.bib                  |  4 ++--
 5 files changed, 40 insertions(+), 12 deletions(-)

diff --git a/.github/workflows/build-pdf.yml b/.github/workflows/build-pdf.yml
index bdd4148..c50f1aa 100644
--- a/.github/workflows/build-pdf.yml
+++ b/.github/workflows/build-pdf.yml
@@ -1,29 +1,31 @@
 name: Build LaTeX PDF
 
 on:
+  # Build on every PR so the required status check always reports, even when
+  # a PR touches only governance files (README, SECURITY.md, dependabot.yml).
+  # Build is ~1m30s; cheap enough to run as a universal merge gate.
   push:
     branches: [main]
     paths:
       - 'paper/**'
       - '.github/workflows/build-pdf.yml'
   pull_request:
-    paths:
-      - 'paper/**'
-      - '.github/workflows/build-pdf.yml'
   workflow_dispatch:
 
-# Workflow-level default is read-only; jobs/steps opt-in to writes explicitly.
+# Workflow-level default is read-only; jobs opt-in to writes explicitly.
 permissions:
   contents: read
 
 jobs:
   build:
-    name: Compile and (on main push) publish PDF
+    name: build
     runs-on: ubuntu-latest
+    # Build/upload/attest do NOT need contents:write. The auto-commit lives in
+    # a separate downstream job with its own narrowed write scope.
     permissions:
-      contents: write           # required only for the auto-commit step below
-      attestations: write       # required for SLSA build provenance
-      id-token: write           # required for attestation OIDC signing
+      contents: read
+      attestations: write       # SLSA build provenance
+      id-token: write           # OIDC signing for attestations
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
@@ -47,8 +49,26 @@ jobs:
         with:
           subject-path: paper/main.pdf
 
+  publish-pdf:
+    name: publish-pdf
+    needs: build
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    runs-on: ubuntu-latest
+    # contents:write scoped to this job alone — the only step that uses it
+    # is the git commit/push at the bottom.
+    permissions:
+      contents: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+
+      - name: Download built PDF
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c  # v8.0.1
+        with:
+          name: eddy-paper
+          path: paper
+
       - name: Commit PDF
-        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
         run: |
           git config user.name "github-actions[bot]"
           git config user.email "github-actions[bot]@users.noreply.github.com"
diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml
index d172a4f..0bf9602 100644
--- a/.github/workflows/gitleaks.yml
+++ b/.github/workflows/gitleaks.yml
@@ -4,6 +4,7 @@ on:
   push:
     branches: [main]
   pull_request:
+    branches: [main]
   workflow_dispatch:
   schedule:
     # Sunday 04:17 UTC weekly sweep — catches secrets that slipped past push-time scanning.
diff --git a/.gitignore b/.gitignore
index c4f6a90..175dbc4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -18,6 +18,9 @@ TODO.md
 *.fls
 *.fdb_latexmk
 *.synctex.gz
+# biber / biblatex (in case of future migration from BibTeX)
+*.bcf
+*.run.xml
 
 # Local acmart class (fetched for local builds)
 **/acmart.cls
diff --git a/CITATION.cff b/CITATION.cff
index b243b7f..a66844f 100644
--- a/CITATION.cff
+++ b/CITATION.cff
@@ -29,7 +29,8 @@ identifiers:
     value: "10.5281/zenodo.19074337"
     description: "Zenodo concept DOI (resolves to the latest version)"
 preferred-citation:
-  type: article
+  # type "preprint" matches the actual venue (Zenodo deposit), not a peer-reviewed journal article.
+  type: preprint
   title: "Position: Eddy --- ADHD as Competitive Advantage in AI-Augmented Multi-Project Orchestration"
   authors:
     - family-names: "Yoon"
@@ -38,3 +39,6 @@ preferred-citation:
   year: 2026
   doi: "10.5281/zenodo.19074337"
   url: "https://doi.org/10.5281/zenodo.19074337"
+  repository: "https://zenodo.org/records/19074337"
+  institution:
+    name: "Zenodo"
diff --git a/paper/main.bib b/paper/main.bib
index f06f18a..ee545f4 100644
--- a/paper/main.bib
+++ b/paper/main.bib
@@ -197,7 +197,7 @@ @article{macdonald2024
 }
 
 @article{faraone2021,
-  author  = {Faraone, Stephen V. and Banaschewski, Tobias and Coghill, David and Zheng, Yi and Biederman, Joseph and Bellgrove, Mark A. and Newcorn, Jeffrey H. and Gignac, Martin and Al Saud, Nouf M. and Manor, Iris and Rohde, Luis Augusto and Yang, Li and Cortese, Samuele and Almagor, Doron and Stein, Mark A. and Albatti, Turki H. and Aljoudi, Haya F. and Alqahtani, Mohammed M. J. and Asherson, Philip and Atwoli, Lukoye and Bölte, Sven and Buitelaar, Jan K. and Crunelle, Cleo L. and Daley, David and Dalsgaard, Søren and Döpfner, Manfred and Espinet, Stacey and Fitzgerald, Michael and Franke, Barbara and Gerlach, Manfred and Haavik, Jan and Hartman, Catharina A. and Hartung, Cynthia M. and Hinshaw, Stephen P. and Hoekstra, Pieter J. and Hollis, Chris and Kollins, Scott H. and Sandra Kooij, J. J. and Kuntsi, Jonna and Larsson, Henrik and Li, Tingyu and Liu, Jing and Merzon, Eugene and Mattingly, Gregory and Mattos, Paulo and McCarthy, Suzanne and Mikami, Amori Yee and Molina, Brooke S. G. and Nigg, Joel T. and Purper-Ouakil, Diane and Omigbodun, Olayinka O. and Polanczyk, Guilherme V. and Pollak, Yehuda and Poulton, Alison S. and Rajkumar, Ravi P. and Reding, Andrew and Reif, Andreas and Rubia, Katya and Rucklidge, Julia and Romanos, Marcel and Ramos-Quiroga, J. Antoni and Schellekens, Arnt and Scheres, Anouk and Schoeman, Renata and Schweitzer, Julie B. and Shah, Henal and Solanto, Mary V. and Sonuga-Barke, Edmund and Soutullo, César and Steinhausen, Hans-Christoph and Swanson, James M. and Thapar, Anita and Tripp, Gail and van de Glind, Geurt and van den Brink, Wim and Van der Oord, Saskia and Venter, Andre and Vitiello, Benedetto and Walitza, Susanne and Wang, Yufeng},
+  author  = {Faraone, Stephen V. and others},
   title   = {The World Federation of {ADHD} International Consensus Statement: 208 Evidence-Based Conclusions About the Disorder},
   journal = {Neuroscience and Biobehavioral Reviews},
   volume  = {128},
@@ -307,7 +307,7 @@ @misc{wolf2025
 }
 
 @article{cortese2025,
-  author  = {Cortese, Samuele and Song, Mengshi and Farhat, Luis C. and Yon, David K. and Lee, Seung Won and Kim, Min Seo and Park, Sunyoung and Oh, Jae Won and Lee, Sangil and Cheon, Keun-Ah and Smith, Lee and Gosling, Corentin J. and Polanczyk, Guilherme V. and Larsson, Henrik and Rohde, Luis A. and Faraone, Stephen V. and Koyanagi, Ai and Dragioti, Elena and Radua, Joaquim and Carvalho, Andre F. and Il Shin, Jae and Solmi, Marco},
+  author  = {Cortese, Samuele and others},
   title   = {Attention-Deficit/Hyperactivity Disorder ({ADHD}) in Adults: Evidence Base, Uncertainties and Controversies},
   journal = {World Psychiatry},
   volume  = {24},