ci: report blocked QPK pin PR creation #166
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 8824933922
| - name: Create PR for pin update | ||
| id: create_pin_pr | ||
| if: steps.update.outputs.changed == 'true' | ||
| continue-on-error: true |
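Review bot: continue-on-error: true on the create_pin_pr step is unconditional, so every failure of this step ends with a passing conclusion, not only the one the change is meant to tolerate. Any later step that reports on it has to read steps.create_pin_pr.outcome (the result before continue-on-error is applied), because steps.create_pin_pr.conclusion will be success, and it should exit non-zero unless it can positively identify the failure it intends to accept. A one-line YAML comment above continue-on-error naming the expected failure would also document why the step is allowed to fail.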
Do not mask non-policy PR creation failures
In runs where the verified pin update exists but peter-evans/create-pull-request fails for a transient GitHub/API issue, branch conflict, or action regression rather than the known repository-policy denial, this unconditional continue-on-error still makes the job pass and the follow-up step reports the failure as policy-blocked. That can leave QPK_PIN/constraints.txt stale without a failing check; only tolerate the specific permission-denied case or re-fail other PR creation errors.
Summary
- update-qpk-pin from falling back to PAT-based PR creation.
- GITHUB_TOKEN from creating PRs.
Problems found
- Update QPK Pin passed verification after PR ci: fix QPK pin downstream ref check #165, but failed at PR creation because repository policy disallows GitHub Actions from creating pull requests.
Fixes applied
- id and continue-on-error: true to the peter-evans/create-pull-request step.
Security impact
Architecture impact
Tests run
- actionlint .github/workflows/update-qpk-pin.yml — passed
- git diff --check — passed
Failed or skipped checks with reasons
Deployment notes
Rollback plan
Manual follow-up checklist