fix(safety): rename dependency-safety.yml to dep-safety.yml#75
Merged
Conversation
Force a fresh GitHub Actions workflow registration to recover from the stuck path-as-name fallback that's been blocking ci-safety dogfood since 2026-05-28. PRs #72-#74 confirmed that GitHub's registry won't refresh the existing workflow's name field on any combination of file edit, API disable/enable, or `name:` value change. A new file path forces registration as a new workflow_id with fresh name resolution. Internal-only change. Public `@v3` consumers continue to pin to `uses: j7an/shared-workflows/.github/workflows/dependency-safety.yml@v3`, which resolves against the existing v3.x.y tag where the file still exists under the old name. No release is cut from this commit; main diverges from the v3 floating tag until/unless we decide to release. Files updated: - .github/workflows/dependency-safety.yml → dep-safety.yml (git mv) - .github/workflows/ci-safety.yml: local `uses:` path - scripts/check-inline-sync.sh: INLINE_PAIRS entries - .claude/CLAUDE.md: file-path references in repo docs Not touched (per scope discipline): - Status check context `dependency-safety / gate` - Label names `dependency-safety-error` - HTML scan-comment marker - Public README examples (still document v3 with old filename) - In-file prose comments inside the workflow Refs phantom runs: 26556546736, 26556959117, 26557110156, 26557123379, 26557302648, 26557436258, 26557436258. Verification post-merge: gh api repos/j7an/shared-workflows/actions/workflows --jq \ '.workflows[] | select(.path | endswith("dep-safety.yml")) | {id, name}'
j7an
force-pushed
the
feat/dep-safety-rename-file
branch
from
2966491 to
7fd0191
Compare
j7an
added a commit
that referenced
this pull request
May 28, 2026
…ger (#76) Background: ci-safety.yml's dogfood (`safety / scan` job) has been silently broken since 2026-05-28 05:21 — every PR produces a 0-job phantom startup_failure. The complete file-level diff between the last working state (HEAD a8655fe at 2026-05-26 06:19) and the first broken state (HEAD 01d9280 at 2026-05-28 05:21) is exactly these 9 lines: three `-f target_url=...` arguments added to three `gh api .../statuses/${HEAD_SHA}` calls inside dep-safety.yml's run-blocks. This PR reverts those 3 lines (plus the 3 backslash-continuation modifications they required on the preceding `-f description=` lines) to test whether they are causally involved in the phantom-failure behavior. Possible outcomes when this lands on a PR: 1. Phantom failures STOP and ci-safety's `safety / scan` job runs again → the target_url expressions are causally involved. We then need to either find another way to make the gate clickable or accept the unclickable status. 2. Phantoms persist → the target_url changes are NOT involved; the regression must be a coincident GitHub-side platform change. Support ticket is the only path remaining. Refs phantom runs: - 26556360487 (first phantom, our feature branch push 2026-05-28 05:21) - 26556546736 (PR #71 merge) - 26556922328 (PR #72 feature branch) - 26557123379 (PR #73 feature branch) - 26557436258 (PR #74 merge) - 26558104480 (PR #75 merge — new workflow_id 284671829, still broken) The diagnostic itself reverts to the working file-content state for just this file; everything else (file rename to dep-safety.yml, doc header from #73, name="Dependency Safety (reusable)" from #74) is left intact since we want to test the target_url-specific hypothesis in isolation.
4 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Rename
.github/workflows/dependency-safety.yml→.github/workflows/dep-safety.ymlto force a fresh GitHub Actions workflow registration. The file'sname:field staysDependency Safety (reusable)(from PR #74) — the rename is about getting a clean workflow_id, not about the display label.Internal-only change. No public-facing version bump. Consumers using
@v3continue to work because the v3 floating tag still points at a commit where the file exists under its original name. This PR does not trigger a release.Why
The existing workflow ID
281959865has a stale registered display name (".github/workflows/dependency-safety.yml", the file-path fallback set during the original collision withci-safety.yml). Four prior attempts to refresh it failed:ci-safety.ymlto break the original name collisionci-safety.yml's record, not this onedisable/enablecyclestateadvanced;namefield unchangedupdated_atadvanced;namefield unchangedname:value fromDependency Safety→Dependency Safety (reusable)updated_atadvanced;namefield STILL unchangedThis rules out file-touch, value-change, and admin-state-cycle as triggers. The conclusion is that GitHub's name resolver runs once at initial workflow registration and never re-evaluates the same workflow_id. The only path left is to register a NEW workflow_id by changing the file path.
What this PR changes
.github/workflows/dependency-safety.yml→dep-safety.ymlgit mv(rename detected by git).github/workflows/ci-safety.ymluses:path updated to new filenamescripts/check-inline-sync.shINLINE_PAIRSentries updated to new filename.claude/CLAUDE.mdWhat this PR does NOT change (scope discipline)
dependency-safety / gate— consumer branch-protection rules requiring this exact name keep working.dependency-safety-error(and thesecurity-review-needed/dependency-age-violationsiblings) — existing labels on consumer Dependabot PRs are not orphaned.<!-- dependency-safety-${PR_NUMBER} -->— existing scan comments on consumer PRs continue to be found and updated rather than duplicated.README.mdexamples — still showuses: j7an/shared-workflows/.github/workflows/dependency-safety.yml@v3since@v3is the current public release..github/workflows/README.mdhistorical v2 note — still accurate; v2 is frozen.Test plan
dep-safety.ymlwith a properly resolved name field:gh api repos/j7an/shared-workflows/actions/workflows --jq \ '.workflows[] | select(.path | endswith("dep-safety.yml")) | {id, name, path, state}'name: "Dependency Safety (reusable)", NEWid(not281959865).ci-safety.ymlactually launches itssafety / scanjob again — the dogfood that's been dead since 2026-05-28.dep-safety.yml.281959865registration may persist as a zombie. Decide later whether to leave it as-is (no-op since no file matches its path) or attempt API deletion.Release implications
This PR is not intended to ship as a release. If we cut a v3.x.y from this commit,
@v3would move to a tree wheredependency-safety.ymlno longer exists at the original path — breaking every consumer using the publicuses: j7an/shared-workflows/.github/workflows/dependency-safety.yml@v3line. Decision deferred until:Until then,
maindeliberately diverges from the@v3floating tag. The release-self.yml workflow is dispatch-only, so this divergence is naturally safe.