From b1ec42ff566216b657465678fe48b673b3a90976 Mon Sep 17 00:00:00 2001 From: Nathan Gillett Date: Thu, 7 May 2026 23:55:31 -0500 Subject: [PATCH] chore: tighten CI token scope and tidy conformance docs - Use workflow permissions contents: read; root conformance commits use the cert app token. - Single job env gates mint/publish steps instead of duplicating long if expressions. - Shorten push trigger and dependency-submission (Java) comments; keep paths lists aligned. - README: correct spec-repo wording (drop Vitest mislabel on Python/Java), shorter repo-root cert bullet. Co-authored-by: Cursor --- .github/workflows/ci.yml | 12 ++++++------ README.md | 4 ++-- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9204e60..8386dd3 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -3,8 +3,7 @@ name: CI on: push: branches: [main, master] - # Cert-bot follow-up commits only touch these files; skip full CI so `main` does not - # churn behind open PRs (and avoid re-entering publish when actor guards drift). + # Skip when only repo-root conformance JSON changes (artifact refresh commits). paths-ignore: - "conformance-certificate.json" - "conformance-report.json" @@ -15,7 +14,7 @@ concurrency: cancel-in-progress: true permissions: - contents: write + contents: read jobs: no-handwritten-model-types: @@ -87,6 +86,8 @@ jobs: intentproof-spec: runs-on: ubuntu-latest timeout-minutes: 15 + env: + PUBLISH_CONFORMANCE_ROOT: ${{ github.event_name == 'push' && (github.ref_name == 'main' || github.ref_name == 'master') && github.actor != 'github-actions[bot]' && github.actor != 'intentproof-cert-bot[bot]' }} steps: - uses: actions/checkout@v6 with: @@ -144,15 +145,14 @@ jobs: - name: Mint cert-bot installation token id: cert_bot_token - # Skip when the cert bot pushed: its commit would re-run conformance and loop (new issuedAt/generatedAt each run). - if: ${{ github.event_name == 'push' && (github.ref_name == 'main' || github.ref_name == 'master') && github.actor != 'github-actions[bot]' && github.actor != 'intentproof-cert-bot[bot]' }} + if: ${{ env.PUBLISH_CONFORMANCE_ROOT == 'true' }} uses: actions/create-github-app-token@v1 with: app-id: ${{ vars.INTENTPROOF_CERT_BOT_ID }} private-key: ${{ secrets.INTENTPROOF_CERT_BOT_PRIVATE_KEY }} - name: Publish conformance certificate and report at repo root - if: ${{ github.event_name == 'push' && (github.ref_name == 'main' || github.ref_name == 'master') && github.actor != 'github-actions[bot]' && github.actor != 'intentproof-cert-bot[bot]' }} + if: ${{ env.PUBLISH_CONFORMANCE_ROOT == 'true' }} env: INTENTPROOF_CERT_BOT_TOKEN: ${{ steps.cert_bot_token.outputs.token }} run: | diff --git a/README.md b/README.md index 496c2a4..11e29b9 100644 --- a/README.md +++ b/README.md @@ -343,12 +343,12 @@ Custom **`body`** serializers: if **`body(event)`** raises, **`HttpExporter`** n **Shared pins and terminology** (`INTENTPROOF_SPEC_ROOT`, **`spec-commit`**, script names) are documented in the **`intentproof-spec`** repository (`CONTRIBUTING.md`, Terminology). -Schemas, golden oracles, and the **Vitest conformance oracle** live in the **`intentproof-spec`** repository. +**`intentproof-spec`** holds normative schemas, golden **`execution_event_cases.jsonl`**, and the canonical **`spec-conformance.sh`** toolchain. - **Version pin:** **`[tool.intentproof].spec-version`** and **`spec-commit`** in **`pyproject.toml`** match **`spec.json`** and the spec **`HEAD`** checkout; **`scripts/check-sdk-spec-pin.sh`** enforces this before conformance. - **CI:** every push/PR checks out this SDK plus **`intentproof-spec`** and runs **`scripts/spec-conformance.sh`** (pin check + full oracle; see `.github/workflows/ci.yml`). The **`spec-golden-parity`** job runs **`tests/unit/test_spec_golden_conformance.py`** against the same **`golden/execution_event_cases.jsonl`** using **`jsonschema`** + semantics mirrored from the spec (`tests/spec_semantics.py`). -- **Conformance certificate and report:** CI uploads workflow artifacts for each run and, on trusted pushes to the default branch, commits **`conformance-certificate.json`** and **`conformance-report.json`** at this repository root so they stay inspectable on every revision (including before and after spec adoption bumps). +- **Repo-root certificates:** each run uploads **`conformance-report.json`** and **`conformance-certificate.json`** as workflow artifacts; after a green default-branch push, the conformance GitHub App commits the same files at the repo root when they differ from **`main`**. - **Local:** clone `intentproof-spec` **next to** this repository (`../intentproof-spec`), then: ```bash