feat(ci): reusable nox-remediate workflow (kills per-repo version churn) #29

Merged
felixgeelhaar merged 1 commit into main from feat/nox-remediate-reusable on Jul 3, 2026
Conversation

@felixgeelhaar
Contributor

The nox-remediate.yml that replaced dependabot was rolled out as a byte-identical copy in every repo. That means every nox release requires editing ~39 files. This centralizes it into a reusable workflow — same pattern as go-ci.yml/js-ci.yml.

What

  • .github/workflows/nox-remediate.yml — reusable (workflow_call); pins nox 1.4.1 + sha256, inputs for nox-version/nox-sha256/include-major, NOX_TOKEN secret.
  • workflow-templates/nox-remediate.yml (+ properties) — thin caller stub repos drop in.

Why 1.4.1

nox 1.4.1 makes nox fix --actions SHA-pin mutable tag refs (@v7 -> @<sha> # v7), not just outdated ones — so remediation PRs stop tripping 'still using a mutable tag' review comments that were blocking auto-merge under required conversation resolution.

Rollout after merge

Each repo's nox-remediate.yml becomes the caller stub. Future nox bumps = one edit here.

https://claude.ai/code/session_01Cr6YdzphmFF3NJqm7kSJom

Centralizes the per-repo nox-remediate.yml (previously duplicated byte-for-byte
across every repo) into one reusable workflow, mirroring go-ci.yml/js-ci.yml.
Callers become a ~15-line stub; the pinned nox version + sha256 live here, so a
nox release is a one-file bump instead of 39. Defaults to nox 1.4.1 (SHA-pins
mutable action tag refs). Adds a starter template + properties.

Claude-Session: https://claude.ai/code/session_01Cr6YdzphmFF3NJqm7kSJom
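The property the description leans on (mutable `@vN` tag refs rewritten to `@<sha> # vN`) is easy to check for independently in review or in a pre-commit hook. The following is an added example, not nox's code and not part of this PR: a small Python checker that scans workflow text for `uses:` references and flags any ref that is not a full 40-hex commit SHA, distinguishing version-like tags from branch names. The regexes, the constructed sample workflow and the `pinned_ref` helper are illustrative assumptions; resolving a tag to its commit is a network step (for example `git ls-remote`) deliberately left out.

```python
"""Flag GitHub Actions `uses:` references that are not pinned to a full commit SHA.

Added example, not nox's code. It mirrors the invariant the PR description
attributes to `nox fix --actions`: a `uses:` ref counts as pinned only when it is
a 40-hex commit SHA, optionally followed by a `# vN` comment that records the
human-readable version. Tags (@v7) and branches (@main) are mutable and can be
repointed by whoever controls the action repository, so they are reported.
"""
import re
from typing import Dict, List

# Matches:  - uses: owner/repo[/subpath]@ref   [# optional comment]
# Local actions (./path) and docker:// images carry no Git ref and do not match.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*"
    r"(?P<action>[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(?:/[^@\s]+)?)"
    r"@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>.*))?\s*$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
TAG_RE = re.compile(r"^v?\d+(?:\.\d+)*$")


def classify_ref(ref: str) -> str:
    """Return 'sha' for a full commit SHA, 'tag' for a version-like tag, else 'branch'."""
    if SHA_RE.fullmatch(ref):
        return "sha"
    if TAG_RE.fullmatch(ref):
        return "tag"
    return "branch"


def find_mutable_refs(workflow_text: str) -> List[Dict[str, object]]:
    """Return one finding per `uses:` line whose ref is not a full commit SHA."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        kind = classify_ref(ref)
        if kind == "sha":
            continue
        findings.append(
            {"line": lineno, "action": m.group("action"), "ref": ref, "kind": kind}
        )
    return findings


def pinned_ref(action: str, sha: str, tag: str) -> str:
    """Render the pinned form `owner/repo@<sha> # <tag>` once the tag has been resolved.

    Hypothetical helper: the caller must resolve `tag` to `sha` out of band.
    """
    if not SHA_RE.fullmatch(sha):
        raise ValueError(f"not a full commit SHA: {sha!r}")
    return f"{action}@{sha} # {tag}"


# Constructed sample workflow: two mutable refs, one SHA pin, two non-Git refs.
SAMPLE_WORKFLOW = """\
# constructed sample workflow for the checker
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567 # v5
      - uses: some-org/some-action@main
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
"""

if __name__ == "__main__":
    for f in find_mutable_refs(SAMPLE_WORKFLOW):
        print(f"line {f['line']}: {f['action']}@{f['ref']} is a mutable {f['kind']} ref")
```

Run stand-alone it reports the `@v4` tag on line 8 and the `@main` branch on line 10; the SHA-pinned `setup-go` step, the local action and the docker image pass. A `kind == "branch"` finding is the one worth treating as a hard failure in review, since a branch ref moves on every push to the action repository, while a tag ref is the case `nox fix --actions` is described as rewriting automatically.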
Copilot AI review requested due to automatic review settings July 3, 2026 13:24

Copilot AI left a comment

Pull request overview

This PR centralizes the org’s previously duplicated nox-remediate.yml into a reusable GitHub Actions workflow and provides a workflow-template “thin caller” stub so individual repositories can call the shared implementation and avoid per-repo version churn.

Changes:

  • Adds a reusable workflow (workflow_call) that installs a pinned nox binary and runs scan/fix remediation, then opens an auto-merge PR when changes are made.
  • Adds a workflow template stub (workflow-templates/nox-remediate.yml) and template metadata (.properties.json) for easy rollout to other repos.
  • Exposes inputs for nox-version, nox-sha256, and include-major, and supports an optional NOX_TOKEN secret for workflow-file remediation.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

Reviewed files:

  • workflow-templates/nox-remediate.yml: Adds a thin scheduled/manual caller that invokes the reusable remediation workflow.
  • workflow-templates/nox-remediate.properties.json: Adds template metadata (name/description/icon/categories) for GitHub workflow templates.
  • .github/workflows/nox-remediate.yml: Introduces the reusable workflow implementing scan/fix + PR creation/auto-merge behavior.

Comment on lines +103 to +106
if git diff --quiet && git diff --cached --quiet; then
echo "nox: nothing to remediate."
exit 0
fi
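Review bot: the no-op check only sees tracked files. `git diff --quiet` and `git diff --cached --quiet` both ignore untracked paths, so a remediation that creates a new file would be reported as "nothing to remediate" and the job would exit 0 without opening a PR; the later `git commit -am` has the same blind spot. Either run `git add -A` before this test or replace the two conditions with `[ -z "$(git status --porcelain)" ]`, which covers new files as well.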
Comment on lines +110 to +112
git switch -c "$branch"
git commit -am "chore(security): nox remediation (deps + actions)"
git push -u origin "$branch"
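Review bot: `git switch -c "$branch"` and `git push -u origin "$branch"` assume the branch does not already exist. On a scheduled run while a previous remediation PR on the same branch name is still open, the push is rejected and the job fails before `gh pr create` runs, leaving the stale PR in place. Suggest checking for an existing open PR or remote branch first and either updating it or pushing with `--force-with-lease`. Since the description says `NOX_TOKEN` is optional and only needed for workflow-file remediation, a comment here stating that a push touching `.github/workflows/` will be refused under the default token would save the next reader a debugging session.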
Comment on lines +113 to +116
url="$(gh pr create \
--title "chore(security): nox remediation" \
--body "Automated remediation by \`nox fix --actions\`: OSV-vulnerable dependency upgrades plus outdated and mutable GitHub Actions pins bumped to their SHA-pinned latest release. Replaces dependabot." \
--label dependencies)"
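Review bot: `gh pr create --label dependencies` fails when the label does not exist in the calling repository, which a reusable workflow meant for ~39 repos cannot assume; `gh` exits non-zero, `url` stays empty, and whatever consumes `$url` afterwards (the auto-merge step the description refers to) never runs. Either ensure the label first (`gh label create dependencies --force`) or drop the flag and add the label in a tolerant follow-up step. Worth a comment as well: a PR opened with the default `GITHUB_TOKEN` does not trigger other workflows, so required checks may never report and auto-merge would wait indefinitely; state which token this step is expected to run with.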
@felixgeelhaar felixgeelhaar merged commit 1862e2b into main Jul 3, 2026
1 check passed
@felixgeelhaar felixgeelhaar deleted the feat/nox-remediate-reusable branch July 3, 2026 13:35