ci: report blocked QPK pin PR creation #166

Merged: Pigbibi merged 1 commit into main from codex/fix-qpk-pin-pr-policy-20260702-0136 (Jul 1, 2026)

@Pigbibi (Contributor) commented Jul 1, 2026

Summary

  • Keeps update-qpk-pin from falling back to PAT-based PR creation.
  • Allows the workflow to complete when repository policy blocks GITHUB_TOKEN from creating PRs.
  • Emits a clear warning and step summary with manual follow-up options.

Problems found

  • Main Update QPK Pin passed verification after PR ci: fix QPK pin downstream ref check #165, but failed at PR creation because repository policy disallows GitHub Actions from creating pull requests.
  • Restoring PAT fallback would bypass that policy, so this PR keeps the secure behavior and reports the blocked automation instead.

Fixes applied

  • Adds id and continue-on-error: true to the peter-evans/create-pull-request step.
  • Adds a follow-up reporting step when PR creation is blocked.

Security impact

  • Avoids PAT fallback/bypass.
  • No secrets or permissions changed.

Architecture impact

  • CI-only behavior change; no runtime impact.

Tests run

  • actionlint .github/workflows/update-qpk-pin.yml — passed
  • git diff --check — passed

Failed or skipped checks with reasons

  • End-to-end PR creation from Actions remains blocked by repository settings and must be enabled explicitly or performed manually.

Deployment notes

  • No deployment.

Rollback plan

  • Revert this PR to restore failing-fast behavior when Actions PR creation is blocked.

Manual follow-up checklist

  • Decide whether to enable GitHub Actions PR creation for this repository.
  • If not enabled, run the generated QPK pin update manually from a reviewed maintainer branch when needed.

@Pigbibi added the codex, automated-audit, ci, and tests labels Jul 1, 2026

@chatgpt-codex-connector (bot) left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 8824933922

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

- name: Create PR for pin update
id: create_pin_pr
if: steps.update.outputs.changed == 'true'
continue-on-error: true
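
Review bot: `continue-on-error: true` on the `create_pin_pr` step makes the step's `conclusion` read as success even when the action fails, so any later step that reports blocked PR creation has to test `steps.create_pin_pr.outcome == 'failure'` rather than `conclusion`. A short comment above `continue-on-error` naming the one failure it is meant to tolerate would also help future readers of this step.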

P2: Do not mask non-policy PR creation failures

In runs where the verified pin update exists but peter-evans/create-pull-request fails for a transient GitHub/API issue, branch conflict, or action regression rather than the known repository-policy denial, this unconditional continue-on-error still makes the job pass and the follow-up step reports the failure as policy-blocked. That can leave QPK_PIN/constraints.txt stale without a failing check; only tolerate the specific permission-denied case or re-fail other PR creation errors.

Useful? React with 👍 / 👎.
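
The review suggestion above (tolerate only the policy denial, re-fail every other PR creation error), sketched as an added example; it is not code from this PR or repository. It assumes the PR-creation error text was captured to a file by an earlier step; the function names and log file are hypothetical, and the matched string is the message GitHub returns when Actions is not allowed to create pull requests.

```shell
#!/bin/sh
# Added example (not from the PR): tolerate only the policy denial.
# Assumption: the PR-creation error text was saved to a file by an earlier step.

# Error GitHub returns when the repository setting blocks Actions from opening PRs.
POLICY_DENIED='GitHub Actions is not permitted to create or approve pull requests'

# classify_pr_failure OUTCOME LOG_FILE  (hypothetical helper)
# OUTCOME is the step's `outcome`: success, failure or skipped.
classify_pr_failure() {
  case "$1" in
    success) echo ok ;;
    skipped) echo skipped ;;
    failure)
      # A missing or unreadable log is treated as unexpected, never as tolerated.
      if [ -r "$2" ] && grep -qF -- "$POLICY_DENIED" "$2"; then
        echo policy_blocked
      else
        echo unexpected_failure
      fi ;;
    *) echo unexpected_failure ;;
  esac
}

# gate_pr_step OUTCOME LOG_FILE  (hypothetical helper)
# Returns 0 when the job may pass, 1 when it must fail.
gate_pr_step() {
  case "$(classify_pr_failure "$1" "$2")" in
    ok|skipped) return 0 ;;
    policy_blocked)
      echo "::warning::PR creation blocked by repository policy; manual follow-up needed"
      return 0 ;;
    *)
      echo "::error::PR creation failed for a reason other than the policy denial"
      return 1 ;;
  esac
}

# Constructed sample logs (not real run output).
demo_dir="$(mktemp -d)"
printf 'Error: %s.\n' "$POLICY_DENIED" > "$demo_dir/policy.log"
printf 'Error: connect ETIMEDOUT\n' > "$demo_dir/transient.log"
for name in policy transient; do
  printf '%s: %s\n' "$name" "$(classify_pr_failure failure "$demo_dir/$name.log")"
done
rm -rf "$demo_dir"
```

In a workflow, the first argument would come from `steps.create_pin_pr.outcome`, which keeps the real result even when `continue-on-error` is set.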

@Pigbibi merged commit 5573d40 into main Jul 1, 2026 (4 of 5 checks passed)
@Pigbibi deleted the codex/fix-qpk-pin-pr-policy-20260702-0136 branch July 1, 2026 17:41