This repository was archived by the owner on May 12, 2026. It is now read-only.
fix: revert 0.2.13 scan.yml structural pattern (0.2.14)#27
Merged
Conversation
…ocation The 0.2.13 self-checkout pattern in `scan.yml` parsed `github.workflow_ref` and `github.workflow_sha` to derive the Pruner repo + SHA, then `actions/checkout`'d that into `.pruner-action` and invoked the composite via `uses: ./.pruner-action`. Pruner's own PR-only `test-scan-yml.yml` validated this pattern green — but it called `scan.yml` locally (`uses: ./.github/workflows/scan.yml`), in which case both context variables happen to point at the workflow's hosting repo. The first real cross-repo consumer call (`coroboros/agent-skills@scan.yml@0.2.13`) failed because under remote invocation **the entire `github.*` context refers to the caller's workflow, not the called reusable workflow**. Logged values from the failing run: `WORKFLOW_REF=coroboros/agent-skills/.github/workflows/ci.yml@refs/pull/29/merge`, `FALLBACK_REPOSITORY=coroboros/agent-skills`. The second checkout cloned `agent-skills` (which has no `action.yml`) and `uses: ./.pruner-action` errored. GHA docs are explicit: *"The `github` context, with the exception of `github.token`, references the calling workflow."* No documented context exposes the called reusable workflow's own repo/ref/sha; expressions in `uses:` action refs are not supported (`actions/runner#1493`). The pattern is structurally unfixable. `ossf/scorecard-action` documents the same chicken-and-egg in its `RELEASE.md` and lives with the manual two-step. Restores `uses: ob-aion/pruner@0.2.14` literal at `scan.yml:52`. Deletes `test-scan-yml.yml` — it tested a pattern that does not apply to the cross-repo case it was meant to protect; false confidence. `<VERSION>` placeholders in `README.md`, `docs/consumer-integration.md`, and `templates/workflow-{minimal,full}.yml` survive — that convention is independent of the lockstep. Net effect against the pre-0.2.13 baseline: per-release file bumps drop from seven to two (`CHANGELOG.md` plus `scan.yml`'s one-line literal). 
The five-file improvement on consumer-facing example pins is preserved; the structural shrink on `scan.yml` is not.
Summary

Hotfix that reverts the 0.2.13 `scan.yml` structural pattern. It broke on the first real cross-repo consumer call.

What broke

The 0.2.13 self-checkout pattern parsed `github.workflow_ref` and `github.workflow_sha` to clone the Pruner repo into `.pruner-action` and invoked the composite via `uses: ./.pruner-action`. Pruner's PR-only `test-scan-yml.yml` validator passed the pattern. That test called `scan.yml` locally (`uses: ./.github/workflows/scan.yml`); under local invocation both context variables resolve to the workflow's hosting repo.

The first remote invocation, `coroboros/agent-skills/.github/workflows/ci.yml` pinning `ob-aion/pruner/.github/workflows/scan.yml@0.2.13`, failed. Logged values from the failing run:

```
WORKFLOW_REF=coroboros/agent-skills/.github/workflows/ci.yml@refs/pull/29/merge
FALLBACK_REPOSITORY=coroboros/agent-skills
```

The second checkout cloned `agent-skills` (no `action.yml` at root). `uses: ./.pruner-action` errored: "Can't find 'action.yml' under '.pruner-action'".

Why the pattern is structurally unfixable

GHA docs: "The `github` context, with the exception of `github.token`, references the calling workflow." No documented context exposes the called reusable workflow's own repo/ref/sha. Expressions in `uses:` action refs are not supported (actions/runner#1493, closed without implementation). The same chicken-and-egg is documented in `ossf/scorecard-action/RELEASE.md`. They hand-edit the manual two-step.

The `test-scan-yml.yml` validator carried a blind spot: a same-repo local call does not validate cross-repo remote-call behaviour. The consumer PR was the only real validation surface.

Changes

- `.github/workflows/scan.yml`: `uses: ob-aion/pruner@0.2.14` literal restored. The 0.2.7 lockstep contract is back; one line bumps every release.
- `.github/workflows/test-scan-yml.yml`: deleted. Tested a pattern that does not apply to the cross-repo case it was meant to protect.
- `<VERSION>` placeholders in `README.md`, `docs/consumer-integration.md` (three refs), `templates/workflow-{minimal,full}.yml`: kept. Independent of the `scan.yml` lockstep. Never the source of the cross-repo bug.
- `CHANGELOG.md`: v0.2.14 entry with the post-mortem.

Net effect against the pre-0.2.13 baseline

Per-release file bumps drop from seven to two: `CHANGELOG.md` plus the one-line literal at `scan.yml:52`. Five-file improvement on example pins preserved. The structural shrink on `scan.yml` reverted.

Test plan

- `0.2.14` cut. Release published with the signed bundle.
- `coroboros/agent-skills` PR #29 rebumped to `@0.2.14`. Merged as `405bd0a` with `pruner / pruner` green.
- `scripts/verify-action-pins.sh` to flag `scan.yml`'s `@X` ≠ tag-being-cut. Catches the lockstep-skip bug class pre-tag.
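The test plan only names `scripts/verify-action-pins.sh`, so what follows is an added illustration of that kind of pre-tag guard, written for this page and not the project's own script. It assumes the pin is a single `uses: OWNER/REPO@TAG` line in `scan.yml`. It additionally rejects any local-path `uses: ./...` in that file; this extra check is my assumption, drawn from the point above that the `github` context belongs to the caller, so a local path in a remotely called reusable workflow can only resolve in a checkout the workflow cannot correctly derive. The two YAML fragments and the `steps.locate` output names in the "broken" variant are constructed for the example.

```shell
#!/bin/sh
# Added example for this PR page; not Pruner's own scripts/verify-action-pins.sh.
# Guard for the lockstep-skip bug class: refuse to cut tag T while scan.yml still
# carries `uses: ob-aion/pruner@<something other than T>`.
# Assumptions (mine, not the project's): the pin is one line of the form
# `uses: OWNER/REPO@TAG`, and scan.yml is called cross-repo, so any `uses: ./...`
# local path in it resolves in the caller's checkout rather than Pruner's.

# pinned_tag FILE OWNER/REPO: print the tag pinned for OWNER/REPO (first match).
pinned_tag() {
    sed -n "s#^[[:space:]]*-*[[:space:]]*uses:[[:space:]]*$2@\([^[:space:]]*\).*#\1#p" "$1" | head -n 1
}

# local_uses FILE: print every `uses: ./...` line (with line number); such a path
# depends on a checkout the reusable workflow cannot derive for a remote caller.
local_uses() {
    grep -n '^[[:space:]]*-*[[:space:]]*uses:[[:space:]]*\./' "$1" || true
}

# verify_pin FILE OWNER/REPO TAG: 0 when no local-path `uses:` is present and the
# pin equals TAG; 3 on a local path, 2 when no pin line exists, 1 on mismatch.
verify_pin() {
    file=$1 repo=$2 tag=$3
    bad=$(local_uses "$file")
    if [ -n "$bad" ]; then
        echo "verify-action-pins: $file uses a local action path; it resolves in the caller's checkout:" >&2
        echo "$bad" >&2
        return 3
    fi
    pin=$(pinned_tag "$file" "$repo")
    if [ -z "$pin" ]; then
        echo "verify-action-pins: no 'uses: $repo@...' literal in $file" >&2
        return 2
    fi
    if [ "$pin" != "$tag" ]; then
        echo "verify-action-pins: $file pins $repo@$pin but the tag being cut is $tag" >&2
        return 1
    fi
    return 0
}

# write_sample FILE VARIANT: constructed scan.yml fragments (not the project's
# file). "fixed" carries the 0.2.14 literal this PR restores; "broken" sketches
# the reverted 0.2.13 self-checkout shape (step/output names are invented).
write_sample() {
    case $2 in
        fixed) cat > "$1" <<'EOF'
jobs:
  prune:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ob-aion/pruner@0.2.14
EOF
        ;;
        broken) cat > "$1" <<'EOF'
jobs:
  prune:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          repository: ${{ steps.locate.outputs.repo }}
          ref: ${{ steps.locate.outputs.sha }}
          path: .pruner-action
      - uses: ./.pruner-action
EOF
        ;;
    esac
}

# demo: run the guard against both fragments for the tags discussed on the page.
demo() {
    f=$(mktemp)
    write_sample "$f" fixed
    verify_pin "$f" ob-aion/pruner 0.2.14 && echo "0.2.14: pin ok, safe to tag"
    verify_pin "$f" ob-aion/pruner 0.2.15 || echo "0.2.15: lockstep skipped, refuse to tag"
    write_sample "$f" broken
    verify_pin "$f" ob-aion/pruner 0.2.13 || echo "0.2.13 shape: local action path rejected"
    rm -f "$f"
}

demo
```

Wire `verify_pin .github/workflows/scan.yml ob-aion/pruner "$TAG"` into the release script ahead of `git tag`; a non-zero return blocks the tag and prints which of the three conditions failed.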