diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 7d3d40b..23c6dfc 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -48,33 +48,8 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - # Self-checkout at github.workflow_sha keeps the composite version-coherent - # without a literal pin. GHA forbids expressions in `uses:` action refs. - - id: self-ref - shell: bash - env: - WORKFLOW_REF: ${{ github.workflow_ref }} - FALLBACK_REPOSITORY: ${{ github.repository }} - run: | - set -euo pipefail - REPO="" - if [[ -n "${WORKFLOW_REF}" && "${WORKFLOW_REF}" == */.github/* ]]; then - REPO="${WORKFLOW_REF%%/.github/*}" - fi - if [[ -z "${REPO}" ]]; then - REPO="${FALLBACK_REPOSITORY}" - fi - echo "repo=${REPO}" >> "$GITHUB_OUTPUT" - - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: - repository: ${{ steps.self-ref.outputs.repo }} - ref: ${{ github.workflow_sha }} - path: .pruner-action - persist-credentials: false - - id: scan - uses: ./.pruner-action + uses: ob-aion/pruner@0.2.14 with: fail-on: ${{ inputs.fail-on }} skill-pattern: ${{ inputs.skill-pattern }} diff --git a/.github/workflows/test-scan-yml.yml b/.github/workflows/test-scan-yml.yml deleted file mode 100644 index 401270a..0000000 --- a/.github/workflows/test-scan-yml.yml +++ /dev/null @@ -1,20 +0,0 @@ -name: test-scan-yml -on: - pull_request: - -permissions: - contents: read - security-events: write - id-token: write - attestations: write - -# Exercises scan.yml end-to-end on every PR. self-scan.yml uses `./` directly and skips it. -jobs: - benign-target: - name: scan.yml against examples/benign-skill - uses: ./.github/workflows/scan.yml - with: - fail-on: critical - target-path: examples/benign-skill - skill-pattern: SKILL.md - report-output: ./.pruner-test diff --git a/CHANGELOG.md b/CHANGELOG.md index 4d5cc79..cc09ea0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,5 +1,15 @@ # Changelog +## v0.2.14 - 12/05/2026 + +Hotfix that reverts the 0.2.13 `scan.yml` structural fix. The new pattern parsed `github.workflow_ref` and `github.workflow_sha` to derive the Pruner repo + SHA, then `actions/checkout`'d that into `.pruner-action` and invoked the composite via `uses: ./.pruner-action`. The pattern passed Pruner's own PR-only `test-scan-yml.yml` validator because both context variables resolve to the workflow's hosting repo when the reusable workflow is called locally (`uses: ./.github/workflows/scan.yml`). It failed on the first real cross-repo consumer call (`coroboros/agent-skills@scan.yml@0.2.13`) because under remote invocation, **the entire `github.*` context refers to the caller's workflow, not the called reusable workflow** — `WORKFLOW_REF=coroboros/agent-skills/.github/workflows/ci.yml@refs/pull/29/merge`, `FALLBACK_REPOSITORY=coroboros/agent-skills`. The second checkout therefore cloned `agent-skills` (no `action.yml`) and `uses: ./.pruner-action` errored. GHA docs are explicit on this: *"The `github` context, with the exception of `github.token`, references the calling workflow."* No documented context exposes the called reusable workflow's own repo/ref/sha; expressions in `uses:` action refs are not supported (`actions/runner#1493`). The pattern is structurally unfixable. Scorecard documents the same chicken-and-egg in its `RELEASE.md` and lives with the manual two-step. Pruner does the same starting here. + +- **`.github/workflows/scan.yml` reverted.** `uses: ob-aion/pruner@0.2.14` literal restored at the composite-invocation step. The lockstep contract codified in 0.2.7 is back; one line bumps every release. +- **`.github/workflows/test-scan-yml.yml` deleted.** It validated a same-repo-local-call against the broken cross-repo-remote-call pattern — false confidence. 
`self-scan.yml` remains the load-bearing self-validation; it has the documented limitation of running against a target with zero `SKILL.md` files (the 0.2.8 blind spot). +- **`` placeholders survive.** `README.md`, `docs/consumer-integration.md` (three refs), `templates/workflow-{minimal,full}.yml` keep the placeholder + latest-release-URL pattern. That convention is independent of the `scan.yml` lockstep and was never the source of the cross-repo bug. + +Net effect against the pre-0.2.13 baseline: per-release file bumps drop from seven to two (`CHANGELOG.md` plus `scan.yml`'s one-line literal). Not the one-file shrink 0.2.13 promised, but a real five-file improvement. The post-mortem lesson: same-repo-local-call CI tests do not validate cross-repo behaviour of reusable workflows; a real consumer PR is the only honest validation surface. + ## v0.2.13 - 12/05/2026 Phase γ headline reposition plus a structural fix that retires the per-release manual version-pin bump. Pre-0.2.13, every release hand-edited seven files: one functional self-reference inside the reusable workflow plus six consumer-facing examples across `README.md`, `docs/consumer-integration.md`, and `templates/`. 0.2.7 codified the lockstep contract after a four-release skip bug. 0.2.11 codified the per-release example-pin sync. Both were workarounds for a manual process. Both retire here. Per-release file bumps shrink from seven to one. Phase β closed 2026-05-11 on `coroboros/agent-skills` 1.18.0 and 1.18.1, both `pruner / pruner` green. The README headline travels in link previews — load-bearing for Phase γ outreach on HackerNews, Lobste.rs, OpenSSF, and `coroboros.com`.
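Review bot: the `actions/checkout@de0fac2e…` step that survives at the top of the step list has no `persist-credentials: false`, while the checkout this hunk deletes did; with the default, the job's `GITHUB_TOKEN` is stored in the workspace's git config and is then readable by the `ob-aion/pruner@0.2.14` composite that runs next. Unless the composite needs push access, add `with: persist-credentials: false` to the remaining checkout so the revert does not also widen what the scanner can reach. Separately, `uses: ob-aion/pruner@0.2.14` is a mutable tag next to a checkout pinned to a full SHA with a `# v6.0.2` comment; a SHA pin cannot work for a self-reference whose commit does not exist yet, so the release procedure should state that the `0.2.14` tag is created once after this line lands and never moved, and a short comment on this step (replacing the deleted one about `github.workflow_sha`) should say why a tag, not a SHA, is used here.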
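Review bot: deleting `test-scan-yml.yml` removes the only PR-time job that invoked `scan.yml` through `uses:`; the file's own comment says `self-scan.yml uses `./` directly and skips it`, so after this change nothing in CI exercises `scan.yml` as a reusable workflow at all. The job was misleading because `uses: ./.github/workflows/scan.yml` is a same-repo call in which the `github.*` context happens to match the called workflow's repo, and the new changelog text says a caller in a different repository is the only surface that shows the bug; a replacement that lives in a consumer repository (or is triggered there from this repo) would keep coverage instead of dropping it. If a replacement is added, do not copy the top-level `id-token: write` and `attestations: write` grants from this file; scope them to the job that needs them.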
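Review bot: the bullet `+- **`` placeholders survive.**` carries an empty inline code span, so the placeholder token it refers to (the one `README.md`, `docs/consumer-integration.md` and `templates/workflow-{minimal,full}.yml` keep) is missing from the text and the reader cannot tell which convention survives; restore the literal. The sentence "No documented context exposes the called reusable workflow's own repo/ref/sha" is stated as absolute and should be checked against the `github.job_workflow_sha` property (the commit SHA of the reusable workflow file for jobs using a reusable workflow) before being recorded in a post-mortem; if it yields only the SHA and not the repository, and so still does not rescue the `.pruner-action` pattern, say that explicitly rather than "no context". The entry dates `12/05/2026` are ambiguous beside the `2026-05-11` ISO form used further down in the same file; pick one format. Finally, the v0.2.13 entry below still reads "Both retire here. Per-release file bumps shrink from seven to one", which this hunk reverts; a one-line "superseded by v0.2.14" pointer on that entry would stop readers of 0.2.13 from adopting the retired pattern.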