Skip to content

πŸ”§ chore(ci): publish L6 + L5+L6 workflow files to main#115

Merged
ZaxShen merged 1 commit into
mainfrom
chore/publish-test-workflows-to-main
Apr 26, 2026
Merged

πŸ”§ chore(ci): publish L6 + L5+L6 workflow files to main#115
ZaxShen merged 1 commit into
mainfrom
chore/publish-test-workflows-to-main

Conversation

@ZaxShen
Copy link
Copy Markdown
Contributor

@ZaxShen ZaxShen commented Apr 26, 2026

Summary

Cherry-picks two workflow YAML files only from dev to main. The actual test infrastructure (Dockerfile, runner, fixtures, scorers, MCP server changes) lives on dev and is NOT in this PR.

Why target main directly (not dev)

GitHub's gh workflow run requires the workflow YAML file to exist on the default branch (main) to be triggerable from any other branch. New workflows added on feature branches can't be triggered until the YAML lands on main. Standard GitHub gotcha.

After this lands:

gh workflow run l6-dogfood.yml --ref dev          # light L6 (~$0.20, ~3 min)
gh workflow run l5-l6-combined.yml --ref dev      # heavy L5+L6 (~$1-3, ~10 min)

Per the lightest-to-heaviest doctrine.

Security audit (pr-reviewer ran 2026-04-26)

Verdict: APPROVE. Specifically verified:

  1. No workflow injection: only ${{ ... }} expansions are repo secrets routed via env:, the trusted github.event.label.name used in an if: comparison, and steps.version.outputs.version derived from in-repo .claude-plugin/plugin.json via jq.

  2. OAuth token security: CLAUDE_CODE_OAUTH_TOKEN delivered to Docker via BuildKit --secret rather than ARG/ENV β€” won't end up in image layers (l5-l6-combined.yml lines 60-61).

  3. Trigger surface respects cost policy:

    • l5-l6-combined.yml: dispatch + tag only (no PR runs)
    • l6-dogfood.yml: requires explicit L6 label gating on PRs

  4. Soft-fail on missing secret:

    • l6-dogfood.yml exits 0 cleanly when secret absent (line 41) β†’ forks won't break red
    • l5-l6-combined.yml only warns; Dockerfile on dev handles the actual skip

  5. Diff scope: exactly the two YAML files, no stray changes.

Test plan

  • CI on this PR (lint should pass; doesn't touch any tested surface)
  • After merge: gh workflow run l6-dogfood.yml --ref dev (light L6)
  • If green: gh workflow run l5-l6-combined.yml --ref dev (heavy L5+L6)

Why this PR exists at all

The system permission layer correctly defended against pushing to a feature branch targeting main without explicit doctrine cover. We have the cover now (pr-reviewer audit attached above), so the push went through.

πŸ€– Generated with Claude Code

@ZaxShen ZaxShen merged commit f7020a2 into main Apr 26, 2026
2 checks passed
@ZaxShen ZaxShen deleted the chore/publish-test-workflows-to-main branch April 26, 2026 18:28
This was referenced Apr 26, 2026
Closed
Merged
ZaxShen added a commit that referenced this pull request Apr 27, 2026
@ZaxShen
πŸ”§ chore(ci): publish L6 + L5+L6 workflow files to main (#115) (#145)
5029615 
Co-authored-by: Zax Shen <ZaxShen@users.noreply.github.com>
@ZaxShen ZaxShen mentioned this pull request Apr 27, 2026
Merged
ZaxShen added a commit that referenced this pull request May 20, 2026
@ZaxShen
πŸ› οΈ feat(scripts): glab-retry-merge.sh β€” retry-on-405 wrapper for glab…
a5246ba 
… mr merge (#115)
ZaxShen added a commit that referenced this pull request May 20, 2026
@ZaxShen
Merge branch 'fix/115-glab-retry-merge-on-405' into 'dev'
cee9a36 
πŸ› οΈ feat(scripts): glab-retry-merge.sh β€” retry-on-405 wrapper for glab mr merge (#115)

See merge request trustmybot/plugin!28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ZaxShen