Merged
23 changes: 23 additions & 0 deletions .github/workflows/grug.pr-gate.yml
@@ -0,0 +1,23 @@
name: Grug · PR DoR check

# Calls the reusable Grug workflow at githumps/grug (public). Static
# checks are advisory by default for fresh rollout (strict: false). Flip
# to strict: true once the repo's PR template aligns with DoR.

on:
pull_request:
types: [opened, edited, synchronize, ready_for_review]

permissions:
contents: read
pull-requests: write
issues: write

jobs:
grug:
name: Grug · DoR check
uses: githumps/grug/.github/workflows/_reusable.grug-pr-gate.yml@main
with:
strict: false
secrets:
poolside_api_key: ${{ secrets.POOLSIDE_API_KEY }}
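
Review bot: on `pull_request` runs that come from a fork, GitHub by default withholds repository secrets and issues a read-only `GITHUB_TOKEN`, so in the `grug` job `poolside_api_key` arrives empty and the `pull-requests: write` / `issues: write` grants do not take effect. Confirm the reusable workflow skips or degrades cleanly in that case (an `if:` on the job that compares `github.event.pull_request.head.repo.full_name` with `github.repository` is one way), and keep the trigger as `pull_request` rather than moving to `pull_request_target` to get the secret back.
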
Comment on lines +17 to +23

Bug: The workflow is missing the environment: grug-bot declaration, causing the environment-scoped POOLSIDE_API_KEY secret to be an empty string and breaking API authentication.
Severity: HIGH

Suggested Fix

Add environment: grug-bot to the job definition within .github/workflows/grug.pr-gate.yml to grant it access to the environment-scoped POOLSIDE_API_KEY secret.

Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent. Verify if this is a real issue. If it is, propose a fix; if not, explain why it's
not valid.

Location: .github/workflows/grug.pr-gate.yml#L17-L23

Potential issue: The `grug.pr-gate.yml` workflow attempts to use
`secrets.POOLSIDE_API_KEY`, which is an environment-scoped secret tied to the `grug-bot`
environment. However, the workflow job fails to declare `environment: grug-bot`.
Consequently, `secrets.POOLSIDE_API_KEY` resolves to an empty string, which is then
passed to reusable workflows. This causes all API calls requiring this key to fail with
authentication errors, rendering the workflow's core functionality inoperative.

Also affects:

  • .github/workflows/grug.pulse.yml

Did we get this right? 👍 / 👎 to inform future reviews.

24 changes: 24 additions & 0 deletions .github/workflows/grug.pulse.yml
@@ -0,0 +1,24 @@
name: Grug · weekly pulse

# Mondays 13:00 UTC — opens an issue summarizing iteration health.
# Filterable later via label `grug-pulse`.

on:
schedule:
- cron: '0 13 * * 1'
workflow_dispatch:

permissions:
contents: read
issues: write
pull-requests: read

jobs:
pulse:
name: Grug · pulse
uses: githumps/grug/.github/workflows/_reusable.grug-pulse.yml@main
with:
issue_label: "grug-pulse"
mode: "weekly"
secrets:
poolside_api_key: ${{ secrets.POOLSIDE_API_KEY }}
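
Review bot: `uses: githumps/grug/.github/workflows/_reusable.grug-pulse.yml@main` tracks a mutable branch in another repository, and the `pulse` job hands it `POOLSIDE_API_KEY` plus `issues: write` on an unattended weekly schedule, so any commit pushed to that branch runs here with those privileges without a PR in this repo. Pin the reference to a full commit SHA (with the tag or date in a trailing comment) and bump it deliberately. The `uses:` line in `.github/workflows/grug.pr-gate.yml` has the same `@main` ref and additionally grants `pull-requests: write`.
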