chore!: remove deprecated cooldown workflows (v2 → v3) #69
Merged
The legacy workflow-owned cooldown/rescan model is superseded by Dependabot's native `cooldown.default-days` plus the deterministic verifier in dependency-safety.yml. Sibling repos (dep-rank, nexus-mcp, cross-agent-reviews) have migrated on default branches; precondition gate (11 assertions) confirmed external-consumer-free.

BREAKING CHANGE: The legacy workflow paths

- j7an/shared-workflows/.github/workflows/dependency-cooldown.yml
- j7an/shared-workflows/.github/workflows/cooldown-rescan.yml

are absent from v3. Consumers on these paths should remain on frozen @v2 (last cooldown-bearing release, no further updates) or migrate their callers to dependency-safety.yml before moving to @v3. See README.md "v2 → v3 migration" section for full caller changes.

Refs #60.
Six INLINE_PAIRS entries for the now-deleted workflow are removed; the eight surviving pairs (dependency-safety.yml + tag-release.yml) continue to be verified. The residual-runtime-fetch safety-net loop needs no edit — it iterates `.github/workflows/*.yml` glob, so the deleted files naturally fall out of scope. Refs #60.
Removes the four `cooldown:` @tests from guard-runtime.bats and the two `dependency-cooldown.yml:` @tests from guard-shape.bats. The paired `safety:` and `dependency-safety.yml:` counterparts already cover all invariants for the surviving workflow. WORKFLOWS array collapses to a single entry; header comment singularized. Also scrubs a stale comment in tests/classify-touched-paths.bats. Refs #60.
…orkflow-specific)

Three edits in workflow-specific areas (outside inline-script blocks):

- line 70: env-name comment no longer mentions sharing with the deleted legacy workflow.
- line 1235: user-visible scan-comment text `cooldown/safety gate` becomes `dependency-safety gate`.
- lines 1659-1660: `cooldown-pending`-not-managed comment loses its legacy-workflow framing and Phase 2 reference.

Paired script/inline-copy scrubs (lines 98, 213, 329) land in the next commit to keep inline-sync green per commit.

Refs #60.
…opies

Three script header comments and their three embedded copies in dependency-safety.yml are edited together so check-inline-sync.sh stays green per commit. Source files and inline locations:

- scripts/diff-touches-lockfile.sh:4 ↔ dep-safety.yml:213
- scripts/extract-deps.sh:22 ↔ dep-safety.yml:98
- scripts/pyproject-bump-extract.sh:4 ↔ dep-safety.yml:329

No behavior change. All edits are header/inline comments that referenced the now-deleted dependency-cooldown.yml; references now point at the surviving dependency-safety.yml.

Refs #60.
README.md:

- Delete "Migration From Legacy Cooldown" and "Legacy Workflows" sections.
- Add focused "v2 → v3 migration" section with 8-step caller migration guide.
- Bump @v2 example pins to @v3 across quick-start and release-caller sections (8 occurrences).
- Rewrite "On the @v2 pin" section as "On the @v3 pin" with a paragraph documenting v2's frozen-historical status.

.github/workflows/README.md:

- Bump 3 @v2 example pins to @v3.
- Add frozen-v2 note explaining @v2 still works for surviving workflows but receives no further updates.

.claude/CLAUDE.md:

- Drop dependency-cooldown.yml from inline-script-sync list.
- Remove legacy workflow bullets from consumer-facing reusable workflows enumeration.

Refs #60.
Review caught three doc-sync misses from the previous commit:

- .github/workflows/README.md:3 — intro generic pattern bumped @v2 → @v3
- .github/workflows/README.md:201 — PyPI trusted-publisher onboarding step bumped ref `v2` → `v3` (would have caused OIDC publish failures for consumers configuring trusted publishing against the example).
- .claude/CLAUDE.md:7 — repo-overview generic pattern bumped @v2 → @v3.

Also fixes a comment-block typo in tests/classify-touched-paths.bats ("The the dependency-safety workflow" → "The dependency-safety workflow") introduced when "dependency-cooldown/safety workflows" was singularized.

Refs #60.
j7an added a commit to j7an/cross-agent-reviews that referenced this pull request May 24, 2026
Picks up upstream fix for pyproject.toml parser support (j7an/shared-workflows#67), unblocking uv/poetry Dependabot PRs at the dependency-safety / gate.

v3.0.0 migration checklist (j7an/shared-workflows#69 removed legacy cooldown.yml paths) — already satisfied here:

- Native cooldown.default-days in .github/dependabot.yml: yes (5)
- Caller uses dependency-safety.yml: yes
- Input minimum_release_age_days: yes
- No fail_on_cooldown / cooldown-rescan usage: confirmed
- Required status check name dependency-safety / gate: unchanged

Refs #38.
Summary
Removes the deprecated `dependency-cooldown.yml` and `cooldown-rescan.yml` workflows as a `v3.0.0` breaking release. Native Dependabot `cooldown:` plus `dependency-safety.yml` fully supersede the legacy workflow-owned waiting model.

All three sibling consumer repos (dep-rank, nexus-mcp, cross-agent-reviews) already migrated on default branches; precondition gate (11 assertions) confirmed external-consumer-free.
Breaking changes
The legacy workflow paths `j7an/shared-workflows/.github/workflows/dependency-cooldown.yml` and `.../cooldown-rescan.yml` are absent from `v3`. Consumers still on those paths should remain on frozen `@v2` (last cooldown-bearing release, no further updates) or migrate their callers to `dependency-safety.yml` before moving to `@v3`.

To migrate from `v2` to `v3`:

- `.github/dependabot.yml`:
- `uses:` line:
- `cooldown_days` → `minimum_release_age_days`.
- `fail_on_cooldown`; use `fail_on_age_violation` instead.
- `cooldown-rescan.yml` — no rescan companion.
- `dependency-cooldown / gate` → `dependency-safety / gate`.
- `cooldown-pending` labels manually.

See README "v2 → v3 migration" for full details.
Verification
Precondition gate output (all 11 assertions passed before deletion):
Test plan
- `bats tests/` — passes (test count drops by 6: 4 cooldown @tests in guard-runtime + 2 in guard-shape; 210 → 204)
- `./scripts/check-inline-sync.sh` — passes (8 remaining pairs OK)
- `./scripts/lint-workflow-call.sh` — passes
- `ci-scripts.yml` — green
- `ci-safety.yml` — green (non-Dependabot PR short-circuits at actor check)
- `security.yml` — green
- `v3.0.0` tag created, `v2` SHA unchanged

Fixes #60.
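
The migration checklist in the PR description and in the cross-agent-reviews commit message can be run as a pre-flight check on a consumer checkout before its pin moves to `@v3`. The script below is an added example, not code from this PR or from shared-workflows; `check_v3_ready`, `make_sample` and the sample files are constructed, and the `default-days` test is a line match rather than a YAML parse.

```shell
#!/usr/bin/env bash
# Added example: flag v2-era leftovers in a consumer repo before pinning @v3.
# Checked names come from the PR text; check_v3_ready, make_sample and the
# sample files are constructed for illustration, not complete callers.
check_v3_ready() {
  repo="$1"; findings=0; wf_dir="$repo/.github/workflows"
  # Workflow paths and inputs that are absent from v3.
  for legacy in dependency-cooldown.yml cooldown-rescan.yml cooldown_days fail_on_cooldown; do
    if grep -rqs -- "$legacy" "$wf_dir"; then
      echo "legacy reference: $legacy"; findings=$((findings + 1))
    fi
  done
  # The caller must reference the surviving workflow.
  if ! grep -rqs -- 'dependency-safety.yml' "$wf_dir"; then
    echo "no caller for dependency-safety.yml"; findings=$((findings + 1))
  fi
  # Native Dependabot cooldown must be set (line match, not a YAML parse).
  if ! grep -qsE '^[[:space:]]*default-days:[[:space:]]*[0-9]+' "$repo/.github/dependabot.yml"; then
    echo "no cooldown.default-days in dependabot.yml"; findings=$((findings + 1))
  fi
  return "$findings"
}

# Write a constructed sample repo: $1 = target dir, $2 = v2 or v3.
make_sample() {
  mkdir -p "$1/.github/workflows"
  base='    uses: j7an/shared-workflows/.github/workflows'
  if [ "$2" = v2 ]; then
    printf '%s\n' 'jobs:' '  gate:' "$base/dependency-cooldown.yml@v2" \
      '    with:' '      cooldown_days: 5' '      fail_on_cooldown: true' \
      > "$1/.github/workflows/deps.yml"
    printf '%s\n' 'version: 2' 'updates: []' > "$1/.github/dependabot.yml"
  else
    printf '%s\n' 'jobs:' '  gate:' "$base/dependency-safety.yml@v3" \
      '    with:' '      minimum_release_age_days: 5' '      fail_on_age_violation: true' \
      > "$1/.github/workflows/deps.yml"
    printf '%s\n' 'version: 2' 'updates:' '  - package-ecosystem: pip' '    directory: /' \
      '    schedule:' '      interval: weekly' '    cooldown:' '      default-days: 5' \
      > "$1/.github/dependabot.yml"
  fi
}

tmp="$(mktemp -d)"
make_sample "$tmp/old" v2; make_sample "$tmp/new" v3
for r in old new; do
  echo "== $r"; check_v3_ready "$tmp/$r" && echo "ready for @v3"
done
rm -rf "$tmp"
```

The function's exit status is the number of findings, so it can gate a CI step directly. The required status check rename (`dependency-cooldown / gate` → `dependency-safety / gate`) lives in branch protection settings and is not visible to a file scan.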