This repository was archived by the owner on May 12, 2026. It is now read-only.
Merged
27 changes: 1 addition & 26 deletions .github/workflows/scan.yml
Expand Up @@ -48,33 +48,8 @@ jobs:
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

# Self-checkout at github.workflow_sha keeps the composite version-coherent
# without a literal pin. GHA forbids expressions in `uses:` action refs.
- id: self-ref
shell: bash
env:
WORKFLOW_REF: ${{ github.workflow_ref }}
FALLBACK_REPOSITORY: ${{ github.repository }}
run: |
set -euo pipefail
REPO=""
if [[ -n "${WORKFLOW_REF}" && "${WORKFLOW_REF}" == */.github/* ]]; then
REPO="${WORKFLOW_REF%%/.github/*}"
fi
if [[ -z "${REPO}" ]]; then
REPO="${FALLBACK_REPOSITORY}"
fi
echo "repo=${REPO}" >> "$GITHUB_OUTPUT"

- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
repository: ${{ steps.self-ref.outputs.repo }}
ref: ${{ github.workflow_sha }}
path: .pruner-action
persist-credentials: false

- id: scan
uses: ./.pruner-action
uses: ob-aion/pruner@0.2.14
with:
fail-on: ${{ inputs.fail-on }}
skill-pattern: ${{ inputs.skill-pattern }}
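
Review bot: the restored `uses: ob-aion/pruner@0.2.14` at the `scan` step pins the composite by tag and carries no comment, while the `actions/checkout` step above it is pinned to a full commit SHA with a `# v6.0.2` annotation. A tag can be re-pointed after release, so a caller that pins this reusable workflow by SHA still resolves the composite through a mutable ref. A commit cannot name its own SHA, so a SHA pin here would need the manual two-step release that the changelog entry in this PR mentions. At minimum, add a comment on this line saying that the literal must be bumped to the release tag on every release and that expressions are not allowed in `uses:`, which is the context the deleted comment block used to give. A release-time check that this literal equals the tag being cut would catch a skipped bump.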
20 changes: 0 additions & 20 deletions .github/workflows/test-scan-yml.yml

This file was deleted.
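
Review bot: with this validator removed, nothing in the PR exercises `scan.yml` through a `uses:` call from another repository, and the diff adds no replacement. The changelog entry in this same PR concludes that a real consumer PR is the only honest validation surface for cross-repo behaviour, so state where that check now lives (for example, a required run in a consumer repository before tagging) rather than leaving it implicit.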

10 changes: 10 additions & 0 deletions CHANGELOG.md
@@ -1,5 +1,15 @@
# Changelog

## v0.2.14 - 12/05/2026

Hotfix that reverts the 0.2.13 `scan.yml` structural fix. The new pattern parsed `github.workflow_ref` and `github.workflow_sha` to derive the Pruner repo + SHA, then `actions/checkout`'d that into `.pruner-action` and invoked the composite via `uses: ./.pruner-action`. The pattern passed Pruner's own PR-only `test-scan-yml.yml` validator because both context variables resolve to the workflow's hosting repo when the reusable workflow is called locally (`uses: ./.github/workflows/scan.yml`). It failed on the first real cross-repo consumer call (`coroboros/agent-skills@scan.yml@0.2.13`) because under remote invocation, **the entire `github.*` context refers to the caller's workflow, not the called reusable workflow** — `WORKFLOW_REF=coroboros/agent-skills/.github/workflows/ci.yml@refs/pull/29/merge`, `FALLBACK_REPOSITORY=coroboros/agent-skills`. The second checkout therefore cloned `agent-skills` (no `action.yml`) and `uses: ./.pruner-action` errored. GHA docs are explicit on this: *"The `github` context, with the exception of `github.token`, references the calling workflow."* No documented context exposes the called reusable workflow's own repo/ref/sha; expressions in `uses:` action refs are not supported (`actions/runner#1493`). The pattern is structurally unfixable. Scorecard documents the same chicken-and-egg in its `RELEASE.md` and lives with the manual two-step. Pruner does the same starting here.

- **`.github/workflows/scan.yml` reverted.** `uses: ob-aion/pruner@0.2.14` literal restored at the composite-invocation step. The lockstep contract codified in 0.2.7 is back; one line bumps every release.
- **`.github/workflows/test-scan-yml.yml` deleted.** It validated a same-repo-local-call against the broken cross-repo-remote-call pattern — false confidence. `self-scan.yml` remains the load-bearing self-validation; it has the documented limitation of running against a target with zero `SKILL.md` files (the 0.2.8 blind spot).
- **`<VERSION>` placeholders survive.** `README.md`, `docs/consumer-integration.md` (three refs), `templates/workflow-{minimal,full}.yml` keep the placeholder + latest-release-URL pattern. That convention is independent of the `scan.yml` lockstep and was never the source of the cross-repo bug.

Net effect against the pre-0.2.13 baseline: per-release file bumps drop from seven to two (`CHANGELOG.md` plus `scan.yml`'s one-line literal). Not the one-file shrink 0.2.13 promised, but a real five-file improvement. The post-mortem lesson: same-repo-local-call CI tests do not validate cross-repo behaviour of reusable workflows; a real consumer PR is the only honest validation surface.

## v0.2.13 - 12/05/2026

Phase γ headline reposition plus a structural fix that retires the per-release manual version-pin bump. Pre-0.2.13, every release hand-edited seven files: one functional self-reference inside the reusable workflow plus six consumer-facing examples across `README.md`, `docs/consumer-integration.md`, and `templates/`. 0.2.7 codified the lockstep contract after a four-release skip bug. 0.2.11 codified the per-release example-pin sync. Both were workarounds for a manual process. Both retire here. Per-release file bumps shrink from seven to one. Phase β closed 2026-05-11 on `coroboros/agent-skills` 1.18.0 and 1.18.1, both `pruner / pruner` green. The README headline travels in link previews — load-bearing for Phase γ outreach on HackerNews, Lobste.rs, OpenSSF, and `coroboros.com`.
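
Review bot: in the first paragraph of the v0.2.14 entry, `coroboros/agent-skills@scan.yml@0.2.13` is not a valid workflow reference and reads as if `scan.yml` lived in `agent-skills`. Name the caller and the called ref separately: the caller is `coroboros/agent-skills`, and the called workflow is presumably `ob-aion/pruner/.github/workflows/scan.yml@0.2.13`. The quoted GitHub documentation sentence has no link, so add the URL to make the claim checkable. The heading date `12/05/2026` is ambiguous between day-first and month-first, while the v0.2.13 body already writes `2026-05-11`; using that ISO form in the headings would remove the ambiguity.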