feat(ci): reusable nox-remediate workflow (kills per-repo version churn)#29
Merged
Centralizes the per-repo nox-remediate.yml (previously duplicated byte-for-byte across every repo) into one reusable workflow, mirroring go-ci.yml/js-ci.yml. Callers become a ~15-line stub; the pinned nox version + sha256 live here, so a nox release is a one-file bump instead of 39. Defaults to nox 1.4.1 (SHA-pins mutable action tag refs). Adds a starter template + properties. Claude-Session: https://claude.ai/code/session_01Cr6YdzphmFF3NJqm7kSJom
Pull request overview
This PR centralizes the org’s previously duplicated nox-remediate.yml into a reusable GitHub Actions workflow and provides a workflow-template “thin caller” stub so individual repositories can call the shared implementation and avoid per-repo version churn.
Changes:
- Adds a reusable workflow (`workflow_call`) that installs a pinned `nox` binary and runs scan/fix remediation, then opens an auto-merge PR when changes are made.
- Adds a workflow template stub (`workflow-templates/nox-remediate.yml`) and template metadata (`.properties.json`) for easy rollout to other repos.
- Exposes inputs for `nox-version`, `nox-sha256`, and `include-major`, and supports an optional `NOX_TOKEN` secret for workflow-file remediation.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| workflow-templates/nox-remediate.yml | Adds a thin scheduled/manual caller that invokes the reusable remediation workflow. |
| workflow-templates/nox-remediate.properties.json | Adds template metadata (name/description/icon/categories) for GitHub workflow templates. |
| .github/workflows/nox-remediate.yml | Introduces the reusable workflow implementing scan/fix + PR creation/auto-merge behavior. |
Comment on lines +103 to +106
| if git diff --quiet && git diff --cached --quiet; then | ||
| echo "nox: nothing to remediate." | ||
| exit 0 | ||
| fi |
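Review bot: `git diff --quiet && git diff --cached --quiet` never sees untracked files, so if remediation creates a file that did not exist before (a new lockfile, for instance) this check reports "nothing to remediate" and exits 0 while the change is silently dropped. Use `[ -z "$(git status --porcelain)" ]` as the no-op test, or run `git add -A` before the diff check, so new files count as changes.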
Comment on lines +110 to +112
| git switch -c "$branch" | ||
| git commit -am "chore(security): nox remediation (deps + actions)" | ||
| git push -u origin "$branch" |
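Review bot: `git commit -am` stages only modified tracked files, so any file `nox fix` creates is left out of the remediation commit; add `git add -A` (or stage the intended paths explicitly) before the commit. Separately, if `$branch` is a fixed name that a previous run already pushed, `git push -u origin "$branch"` fails and the job errors before the PR step; either include a unique component such as the run id in the branch name or handle the existing-branch case explicitly.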
Comment on lines +113 to +116
| url="$(gh pr create \ | ||
| --title "chore(security): nox remediation" \ | ||
| --body "Automated remediation by \`nox fix --actions\`: OSV-vulnerable dependency upgrades plus outdated and mutable GitHub Actions pins bumped to their SHA-pinned latest release. Replaces dependabot." \ | ||
| --label dependencies)" |
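Review bot: `gh pr create --label dependencies` fails when the calling repository has no `dependencies` label, and since this workflow is meant to be shared across many repos that will be true somewhere. Either create the label first (`gh label create dependencies --force`, which is a no-op when it exists) or drop `--label` here and let each caller apply labels.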
The `nox-remediate.yml` that replaced dependabot was rolled out as a byte-identical copy in every repo. That means every nox release requires editing ~39 files. This centralizes it into a reusable workflow — same pattern as `go-ci.yml`/`js-ci.yml`.

What

- `.github/workflows/nox-remediate.yml` — reusable (`workflow_call`); pins nox 1.4.1 + sha256, inputs for `nox-version`/`nox-sha256`/`include-major`, `NOX_TOKEN` secret.
- `workflow-templates/nox-remediate.yml` (+ properties) — thin caller stub repos drop in.

Why 1.4.1

nox 1.4.1 makes `nox fix --actions` SHA-pin mutable tag refs (`@v7` -> `@<sha> # v7`), not just outdated ones — so remediation PRs stop tripping 'still using a mutable tag' review comments that were blocking auto-merge under required conversation resolution.

Rollout after merge

Each repo's `nox-remediate.yml` becomes the caller stub. Future nox bumps = one edit here.

https://claude.ai/code/session_01Cr6YdzphmFF3NJqm7kSJom
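The "Why 1.4.1" section above turns on one property: every `uses:` reference in a workflow should point at a full commit SHA rather than a mutable tag or branch. The script below is an added example, not nox's code, that implements the detection half of that rule as a CI gate: it lists every `uses:` reference in a workflow file whose ref is not a 40-hex commit SHA, skipping local (`./`) and `docker://` references, which carry no git ref. The embedded workflow and its SHA are constructed sample input.

```shell
#!/bin/sh
# Added example, not nox's code: flag `uses:` references in a workflow file
# that point at a mutable tag or branch instead of a full commit SHA, the
# condition that `nox fix --actions` 1.4.1 rewrites.
set -eu

# Constructed sample workflow, embedded so the script runs offline. The SHA on
# the setup-go line is a made-up 40-hex value, not a real release commit.
SAMPLE_WORKFLOW='name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - uses: some-org/some-action@main
'

# list_mutable_uses FILE: print "line:ref" for every uses: ref whose part after
# "@" is not exactly 40 lowercase hex characters. Trailing "# v5.4.0" comments
# are stripped first; local and docker references are skipped.
list_mutable_uses() {
  awk '
    /^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*/ {
      ref = $0
      sub(/^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*/, "", ref)
      sub(/[[:space:]]*#.*$/, "", ref)
      if (ref ~ /^\.\// || ref ~ /^docker:\/\//) next
      n = split(ref, parts, "@")
      if (n < 2 || length(parts[2]) != 40 || parts[2] !~ /^[0-9a-f]+$/)
        print NR ":" ref
    }' "$1"
}

# count_mutable_uses FILE: number of findings, usable as a gate condition.
count_mutable_uses() {
  list_mutable_uses "$1" | wc -l | tr -d ' '
}

# report_mutable_uses FILE: print findings and return 1 if there are any, so a
# CI step can fail on unpinned actions before a mutable ref is merged.
report_mutable_uses() {
  list_mutable_uses "$1"
  [ "$(count_mutable_uses "$1")" -eq 0 ]
}
```

Run it on the sample with `f="$(mktemp)"; printf '%s' "$SAMPLE_WORKFLOW" > "$f"; report_mutable_uses "$f"`: it reports the `@v4` and `@main` references and returns 1, while the SHA-pinned setup-go line passes. Pointing `report_mutable_uses` at the real `.github/workflows/*.yml` files gives the same check a remediation PR would otherwise trip on in review.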