fix(safety): make dependency-safety/gate status clickable via env vars #77
Merged
Restore the clickable gate-status feature originally attempted in #71, this time using shell environment variables instead of GitHub Actions template-expression syntax.

#71's form (now removed from history):

    -f target_url="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"

caused GitHub Actions' scheduler to abort caller invocations of this reusable workflow before any job launched — a 0-job startup_failure with no logs. The dogfood (ci-safety.yml → dependency-safety.yml) was silently broken for ~24 hours until the cause was localized to those three expressions.

This commit uses the shell-env-var form instead:

    -f target_url="${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}"

Identical runtime values — GitHub Actions exports these as standard env vars to the runner — but GitHub's template-expression analyzer sees no ${{ }} substitution in the target_url area. Hypothesis: the scheduler's expression analyzer specifically tripped on the previous form; bypassing template substitution should sidestep it.

If this PR's ci-safety dogfood produces a real `safety / scan` job AND the resulting `dependency-safety / gate` row in the PR check rollup becomes clickable, the workaround is confirmed. If the dogfood breaks again (0-job phantom), revert this PR; the bug is about target_url presence regardless of substitution form, and we live with an unclickable gate.
This was referenced May 28, 2026
j7an added a commit to j7an/cross-agent-reviews that referenced this pull request May 28, 2026
Picks up the clickable-gate fix (j7an/shared-workflows#77): the dependency-safety/gate status row now sets target_url, so the row links to the safety/scan job page from the PR checks panel.
j7an added a commit to j7an/nexus-mcp that referenced this pull request May 28, 2026
Crosses the v2 → v3 boundary. v3.0.0 was a breaking change that removed the deprecated dependency-cooldown.yml and cooldown-rescan.yml workflows; this repo's only consumer of shared-workflows is dependency-safety.yml (verified: no cooldown refs), so the migration is mechanical. Also picks up the clickable-gate fix (j7an/shared-workflows#77): the dependency-safety/gate status row now sets target_url and is clickable from the PR checks panel.
j7an added a commit to j7an/dep-rank that referenced this pull request May 28, 2026
Crosses the v2 → v3 boundary. v3.0.0 was a breaking change that removed the deprecated dependency-cooldown.yml and cooldown-rescan.yml workflows; this repo's only consumer of shared-workflows is dependency-safety.yml (verified: no cooldown refs), so the migration is mechanical. Also picks up the clickable-gate fix (j7an/shared-workflows#77): the dependency-safety/gate status row now sets target_url and is clickable from the PR checks panel.
Summary

Restore the clickable PR-gate-status feature originally attempted in the now-removed PR #71, this time using shell environment variables (`${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}`) instead of GitHub Actions template-expression syntax (`${{ github.server_url }}/...`).

Three `gh api .../statuses/${HEAD_SHA}` calls in `dependency-safety.yml` gain a `-f target_url=...` argument. Otherwise no behavior change.

Why this form, not the previous one

The previous form (`${{ }}` template expressions) caused GitHub Actions' scheduler to abort `ci-safety.yml`'s `workflow_call` invocation of `dependency-safety.yml` before any job launched — a 0-job startup_failure with no logs. The dogfood was silently broken from 2026-05-28 05:21 until main was reset to pre-#71 state earlier today.

After a chain of unsuccessful workarounds (renaming the dogfood workflow, API disable/enable, file-touch, `name:` value change, file rename), a clean diagnostic (the reverted PR #76) localized the breakage to exactly those three `target_url` expressions. Reverting them restored the dogfood within minutes.

Hypothesis under test in this PR: the scheduler's quirk is specifically about `${{ }}` template substitution in `run:` blocks, not about the presence of `target_url` itself. GitHub Actions exports `GITHUB_SERVER_URL`, `GITHUB_REPOSITORY`, and `GITHUB_RUN_ID` as standard environment variables — same values, but bypass the template-expression analyzer entirely. If the analyzer was the trip wire, the env-var form should be safe.

Test plan

- `Dependency Safety` (`ci-safety.yml`) check on this PR launches a real `safety / scan` job and reports success — NOT a 0-job phantom. (If it's a phantom, this PR must be reverted immediately and the env-var hypothesis is falsified.)
- `dependency-safety / gate` row on this PR's check rollup has a non-empty target URL; clicking it lands on this PR's `Dependency Safety` workflow run page.
- `pending→success/failure/error` state transitions (the third call site).

If the dogfood breaks

The diagnostic is binary. If `ci-safety.yml` on this PR phantom-fails again:

- `target_url` presence is the trip wire regardless of substitution form.
- `target_url` to status API calls from a `workflow_call` workflow's `run:` block.

Refs

Investigation thread leading here: PRs #71 (target_url, broke dogfood), #72-#75 (failed workarounds), #76 (diagnostic revert, confirmed cause). All squashed out of main's history via the reset earlier today; PR records remain in GitHub UI as historical reference.
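
The env-var form described in this PR, as an added example that is not the repository's workflow code: a POSIX shell helper that builds `target_url` from the runner's environment and refuses to post a status when a variable is unset or malformed, since the shell would otherwise expand it to an empty string. The `repos/.../statuses/` endpoint path, the context string, the function names and the validation rules are assumptions of this example.

```shell
#!/bin/sh
# Added example. The runner exports GITHUB_SERVER_URL, GITHUB_REPOSITORY and
# GITHUB_RUN_ID; the validation rules here are this example's assumptions.

build_run_url() {
    # ${VAR:-} keeps this safe under `set -u`. Without the checks below an
    # unset variable expands to "" and yields a link like "//actions/runs/".
    server="${GITHUB_SERVER_URL:-}"
    repo="${GITHUB_REPOSITORY:-}"
    run_id="${GITHUB_RUN_ID:-}"

    case "$server" in
        https://?*) ;;
        *) echo "GITHUB_SERVER_URL missing or not https" >&2; return 1 ;;
    esac
    # Reject extra slashes and characters outside a conservative allow-list.
    case "$repo" in
        */*/*|/*|*/|*[!A-Za-z0-9._/-]*) repo="" ;;
    esac
    case "$repo" in
        */*) ;;
        *) echo "GITHUB_REPOSITORY missing or not owner/name" >&2; return 1 ;;
    esac
    case "$run_id" in
        ''|*[!0-9]*) echo "GITHUB_RUN_ID missing or not numeric" >&2; return 1 ;;
    esac
    printf '%s/%s/actions/runs/%s\n' "${server%/}" "$repo" "$run_id"
}

post_gate_status() {
    # $1 = state (pending, success, failure or error), $2 = commit SHA.
    # Endpoint path and context string are assumptions, not the workflow's text.
    url="$(build_run_url)" || return 1
    gh api "repos/${GITHUB_REPOSITORY}/statuses/$2" \
        -f state="$1" \
        -f context="dependency-safety / gate" \
        -f target_url="$url"
}
```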