From 2c5f9da6c6065ee7db035dc644f9676128ea7fcd Mon Sep 17 00:00:00 2001
From: sebzhao
Date: Thu, 28 May 2026 17:26:48 -0700
Subject: [PATCH 1/3] fix: bump arch docs

---
 architecture-docs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/architecture-docs b/architecture-docs
index 6275a56..92c03f8 160000
--- a/architecture-docs
+++ b/architecture-docs
@@ -1 +1 @@
-Subproject commit 6275a56af588fd9c73c8657edafeae51ac7ace4a
+Subproject commit 92c03f8a0c337679d5bf8aaf354b0cccbacb3a09

From 4fe540597e79f812dba986309225936bea37832b Mon Sep 17 00:00:00 2001
From: sebzhao
Date: Thu, 28 May 2026 17:28:10 -0700
Subject: [PATCH 2/3] fix: freshness properly fails if stale

---
 .../workflows/architecture-docs-freshness.yml | 74 ++++--------------
 1 file changed, 13 insertions(+), 61 deletions(-)

diff --git a/.github/workflows/architecture-docs-freshness.yml b/.github/workflows/architecture-docs-freshness.yml
index f2d4e89..541eb79 100644
--- a/.github/workflows/architecture-docs-freshness.yml
+++ b/.github/workflows/architecture-docs-freshness.yml
@@ -20,34 +20,13 @@ jobs:
 - name: Compare pinned submodule SHA against architecture-docs/main
 env:
 GH_TOKEN: ${{ secrets.ARCHITECTURE_DOCS_READ_PAT || secrets.ALL_REPO_CHECKOUT_TOKEN }}
- EVENT_NAME: ${{ github.event_name }}
- ACTOR: ${{ github.actor }}
- REPOSITORY: ${{ github.repository }}
- PR_HEAD_REPOSITORY: ${{ github.event.pull_request.head.repo.full_name }}
- BASE_SHA: ${{ github.event.pull_request.base.sha }}
 run: |
 set -euo pipefail
- SKIP_REASON=""
- PR_HEAD_REPOSITORY="${PR_HEAD_REPOSITORY:-$REPOSITORY}"
-
- if [ "$EVENT_NAME" = "pull_request" ]; then
- if [ "$PR_HEAD_REPOSITORY" != "$REPOSITORY" ]; then
- SKIP_REASON="fork pull_request runs do not receive repository secrets"
- elif [ "$ACTOR" = "dependabot[bot]" ]; then
- SKIP_REASON="Dependabot pull_request runs do not receive normal Actions secrets"
- else
- SKIP_REASON="ARCHITECTURE_DOCS_READ_PAT or ALL_REPO_CHECKOUT_TOKEN is not configured for this repository yet"
- fi
- else
- SKIP_REASON="ARCHITECTURE_DOCS_READ_PAT or ALL_REPO_CHECKOUT_TOKEN is not configured for this repository yet"
- fi
-
 if [ -z "${GH_TOKEN:-}" ]; then
- echo "::warning::Skipping architecture-docs freshness check: $SKIP_REASON."
- echo "This workflow enforces freshness only in runs that receive ARCHITECTURE_DOCS_READ_PAT or ALL_REPO_CHECKOUT_TOKEN."
- echo "Configure one of those tokens with read access to NaradaAI/architecture-docs to enable enforcement."
- exit 0
+ echo "::error::Missing ARCHITECTURE_DOCS_READ_PAT or ALL_REPO_CHECKOUT_TOKEN."
+ echo "Cannot verify architecture-docs freshness without read access to NaradaAI/architecture-docs."
+ exit 1
 fi
 PINNED=$(git ls-tree HEAD architecture-docs | awk '{print $3}')
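Review bot: Replacing the `exit 0` skip with `exit 1` makes `GH_TOKEN` a mandatory input for every run that reaches this step, while its value still falls back to `secrets.ALL_REPO_CHECKOUT_TOKEN`, which by its name appears to grant far more than the single read of `architecture-docs` this step performs; making the check mandatory is exactly what will push an operator toward that broader token. Nothing in the hunk records the minimum privilege required, so I would add above `GH_TOKEN:`: `# Needs only read access to NaradaAI/architecture-docs (one refs lookup); prefer a fine-grained PAT scoped to that repository over the broad fallback token.` The `run:` block continues past the end of the hunk.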
@@ -59,48 +38,21 @@ jobs:
 REMOTE=$(gh api repos/NaradaAI/architecture-docs/git/refs/heads/main --jq '.object.sha' 2>/dev/null || true)
 if [ -z "$REMOTE" ]; then
 echo "::error::Failed to read architecture-docs/main with the configured token."
- echo "Check that ARCHITECTURE_DOCS_READ_PAT or ALL_REPO_CHECKOUT_TOKEN has read access to NaradaAI/architecture-docs."
 exit 1
 fi
 echo "Pinned: $PINNED"
 echo "Latest: $REMOTE"
- POINTER_CHANGED=false
- if [ "$EVENT_NAME" = "pull_request" ]; then
- if [ -n "${BASE_SHA:-}" ]; then
- if git cat-file -e "$BASE_SHA^{commit}" 2>/dev/null || git fetch --no-tags --depth=1 origin "$BASE_SHA"; then
- BASE_PINNED=$(git ls-tree "$BASE_SHA" architecture-docs | awk '{print $3}')
- echo "Base: ${BASE_PINNED:-none}"
- if [ "$PINNED" != "$BASE_PINNED" ]; then
- POINTER_CHANGED=true
- fi
- else
- echo "::warning::Unable to fetch pull request base commit; treating the architecture-docs pointer as changed."
- POINTER_CHANGED=true
- fi
- else
- echo "::warning::Unable to determine pull request base SHA; treating the architecture-docs pointer as changed."
- POINTER_CHANGED=true
- fi
- fi
-
- if [ "$PINNED" = "$REMOTE" ]; then
- echo "architecture-docs submodule is at main HEAD."
- exit 0
- fi
-
- if [ "$EVENT_NAME" = "pull_request" ] && [ "$POINTER_CHANGED" = "false" ]; then
- echo "::warning::architecture-docs submodule is stale, but this pull request does not change the pointer."
- echo "Freshness is enforced when a pull request changes architecture-docs and on pushes to main."
- exit 0
+ if [ "$PINNED" != "$REMOTE" ]; then
+ echo "::error::architecture-docs submodule is stale."
+ echo ""
+ echo "To bump the pointer:"
+ echo " git submodule update --remote architecture-docs"
+ echo " git add architecture-docs"
+ echo " git commit -m 'Bump architecture-docs'"
+ echo " git push"
+ exit 1
 fi
- echo "::error::architecture-docs submodule is stale."
- echo ""
- echo "To bump the pointer:"
- echo " git submodule update --remote architecture-docs"
- echo " git add architecture-docs"
- echo " git commit -m 'Bump architecture-docs'"
- echo " git push"
- exit 1
+ echo "architecture-docs submodule is at main HEAD."
\ No newline at end of file

From 6962279a10c43790f6ca1c3c40c33d8ea254c0bc Mon Sep 17 00:00:00 2001
From: sebzhao
Date: Thu, 28 May 2026 17:34:55 -0700
Subject: [PATCH 3/3] fix: comments

---
 .github/workflows/architecture-docs-freshness.yml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/architecture-docs-freshness.yml b/.github/workflows/architecture-docs-freshness.yml
index 541eb79..17bdd49 100644
--- a/.github/workflows/architecture-docs-freshness.yml
+++ b/.github/workflows/architecture-docs-freshness.yml
@@ -20,10 +20,16 @@ jobs:
 - name: Compare pinned submodule SHA against architecture-docs/main
 env:
 GH_TOKEN: ${{ secrets.ARCHITECTURE_DOCS_READ_PAT || secrets.ALL_REPO_CHECKOUT_TOKEN }}
+ IS_UNTRUSTED_PR: ${{ github.event_name == 'pull_request' && (github.actor == 'dependabot[bot]' || github.event.pull_request.head.repo.full_name != github.repository) }}
 run: |
 set -euo pipefail
 if [ -z "${GH_TOKEN:-}" ]; then
+ if [ "${IS_UNTRUSTED_PR:-false}" = "true" ]; then
+ echo "::notice::Skipping architecture-docs freshness check because this pull_request run cannot access repository secrets."
+ exit 0
+ fi
+
 echo "::error::Missing ARCHITECTURE_DOCS_READ_PAT or ALL_REPO_CHECKOUT_TOKEN."
 echo "Cannot verify architecture-docs freshness without read access to NaradaAI/architecture-docs."
 exit 1
@@ -55,4 +61,4 @@ jobs:
 exit 1
 fi
- echo "architecture-docs submodule is at main HEAD."
\ No newline at end of file
+ echo "architecture-docs submodule is at main HEAD."
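Review bot: The new `if [ "$PINNED" != "$REMOTE" ]` classifies every pointer that differs from `main` HEAD as stale, including one that is ahead of `main` (pinned to a not-yet-merged architecture-docs commit) or on another branch, and then prints bump instructions that would rewind it; the error should at least say what was compared, e.g. `echo "::error::architecture-docs submodule ($PINNED) is not at main HEAD ($REMOTE)."`, and if "behind main" is the real condition the step could query the repository compare endpoint for ahead/behind status instead of string equality. Dropping the pointer-changed gate also means any push to architecture-docs/main turns every open pull request red until it bumps the pointer; that matches the commit title, but it is worth a comment above the check so the gate is not reintroduced by accident. The `run:` block begins before the start of the hunk.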
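Review bot: The added skip path exits 0 for fork and Dependabot pull requests, so the step reports success without having verified anything; if this check is required for merge, a pull request from a fork can move `architecture-docs` to a stale commit and still show green, and the first point it is enforced is a later push to main. That is the only option while those runs have no token, but it should be an explicit, documented decision: either keep the check non-required, or surface the skip more visibly than a `::notice::`, and I would comment the new `IS_UNTRUSTED_PR` line with `# Fork and Dependabot pull_request runs receive no repository secrets; the check is skipped (fail-open) for them rather than failed.` Also, `github.actor` reflects whoever triggered the run, so a maintainer re-running a Dependabot workflow may not match `'dependabot[bot]'` and would then hit the hard `exit 1` if that rerun still lacks the normal secrets; also comparing `github.event.pull_request.user.login` would be more stable, which is worth confirming against an actual rerun.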