ci: automatic advisory Quality Keeper runs on same-repo PRs (#146)#127
Open
sophiecarreras wants to merge 2 commits into
Open
ci: automatic advisory Quality Keeper runs on same-repo PRs (#146)#127sophiecarreras wants to merge 2 commits into
sophiecarreras wants to merge 2 commits into
Conversation
…blocking) Enable the SDK pilot (#146): Quality Keeper now runs automatically when a same-repo pull request to main is opened/updated, staying advisory and non-blocking. Manual workflow_dispatch is retained for demo/debug. - Trigger: pull_request (NOT pull_request_target) on branches [main], types opened/synchronize/reopened/ready_for_review. - Same-repo only: both jobs carry an `if:` guard (event is workflow_dispatch, or head.repo.full_name == github.repository), so fork PRs skip entirely — untrusted fork code never runs in a job that can reach secrets or PR-write authority. - Two-job split preserved: quality-run (contents: read, runs target code, QK_INSTALL_TOKEN only, no App key) → comment (pull-requests: write + actions: read, runs no target code, mints App token downscoped to pull-requests: write). - Advisory/non-blocking: run-found-checks exits non-zero on a failing safe check; that exit code is captured as advisory evidence (execution.json is written first) so findings don't turn QK into a red/blocking check, while genuine QK errors (assess/post-execute) still fail. Not a required check. - Comment target derives from inputs.issue_url on manual runs and github.event.pull_request.html_url on auto runs; passed via env and quoted (no PR-controlled text expanded inline). --expect-repo + Repository Activation + idempotent one-comment upsert preserved. - Concurrency grouped per PR with cancel-in-progress so rapid pushes never stack or double-comment. All actions remain SHA-pinned with version comments. Verified: YAML valid; zizmor clean (regular + pedantic); no pull_request_target trigger; SHA pins intact. No seeds/branches/issues/PRs/auto-fixes. Refs backblaze-labs/quality-keeper#146 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Quality Keeper — Quality RunSource: Quality Keeper assessed the source, executed checks, and collected results. This is a read-only run overview; it changes no Evidence State, and seeded scaffolds are next actions, not evidence, until applied and re-evaluated. 10 of 14 expectations verified or exercised. Remaining outcomes are listed below — executed-but-not-exercised, pending, missing, and review are separate from verified/exercised and are not counted as passing.
Gaps and next actions
New to these terms? See the Quality Keeper glossary. |
Review follow-ups on PR #127: - Skip draft PRs: the same-repo guard now also requires `github.event.pull_request.draft == false`, so the advisory comment appears only once the author marks the PR ready (`ready_for_review` re-triggers with draft == false). Manual dispatch is unaffected. - Correct the inline rationale: check FINDINGS do not fail the job, but a genuine QK error (no execution.json written) still fails step 3 — replaces the inaccurate "execution.json is always written first" claim. - Note the concurrency trade-off: a superseded intermediate commit may not get its own comment (latest SHA wins) — intended for an advisory signal. - Kept the mirrored guard on the write-capable `comment` job deliberately (defense in depth), with a comment explaining why it is not removed despite being redundant with `needs: quality-run` today. Verified: YAML valid; both job guards carry the same-repo + non-draft condition; zizmor clean (regular + pedantic). Refs backblaze-labs/quality-keeper#146 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Contributor
Author
Review findings addressed (commit a9556c7)
Verified: YAML valid; both guards carry same-repo + non-draft; zizmor clean (regular + pedantic). This push re-triggers the advisory run on this (non-draft) PR, confirming the draft gate doesn't affect normal same-repo PRs. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What this changes
Implements the SDK pilot in backblaze-labs/quality-keeper#146: Quality Keeper now runs automatically on same-repo pull requests to
main, and stays advisory / non-blocking. Extends the existing.github/workflows/quality-run-demo.yml(no new file).pull_request(NOTpull_request_target) onbranches: [main], typesopened/synchronize/reopened/ready_for_review.workflow_dispatchretained for manual demo/debug.if: event == workflow_dispatch || head.repo.full_name == github.repository, so fork PRs skip entirely — untrusted fork code never runs in a job that can reach secrets or PR-write authority. (GitHub also withholds secrets / forces a read-only token on forkpull_requestruns — defense in depth.)quality-run(contents: read, runs the target's own code,QK_INSTALL_TOKENonly, no App key) →comment(pull-requests: write+actions: read, runs no target code, mints the App token downscoped topull-requests: write).run-found-checksexits non-zero when a safe check fails; that exit code is captured as advisory evidence (execution.json is written first), so a failing SDK check does not turn QK into a red/blocking check — while genuine QK errors (assess / post-execute) still fail. This workflow is not a required check and does not gate merge.inputs.issue_url(manual) orgithub.event.pull_request.html_url(auto), passed viaenv:and quoted — no PR-controlled text expanded inline.--expect-repo, and Repository Activation preserved. Per-PR concurrency withcancel-in-progress. All actions SHA-pinned with version comments.No seeds, branches, issues, PRs, or auto-fixes are created.
Security / verification
zizmorclean at regular and pedantic personas.pull_request+workflow_dispatch(nopull_request_target); alluses:SHA-pinned.security.yml→gha-security) runs on this PR and should pass.quality-keeper[bot]. The run + comment will be linked back to quality-keeper#146.Residual risk (documented, follow-up proposed)
QK_INSTALL_TOKENis reachable by same-repo (trusted-collaborator) PR code inquality-run, because quality-keeper is private and must be pip-installed there. It must remain a read-only, repo-scoped credential. Safer follow-up: eliminate the install secret from the code-running job by publishing quality-keeper to an internal registry / prebuilt image / making it public.Refs backblaze-labs/quality-keeper#146
🤖 Generated with Claude Code