ci: harden OfficeCLI bump PR creation #735

Open
Astro-Han wants to merge 2 commits into dev from codex/fix-officecli-bump-pr-token

Conversation


@Astro-Han Astro-Han commented May 18, 2026

Summary

  • Route the OfficeCLI bump branch and PR write path through a dedicated OFFICECLI_BUMP_TOKEN secret instead of github.token.
  • Reduce the workflow GITHUB_TOKEN permissions to read-only.
  • Make the bump PR path idempotent by updating an existing bump branch and editing an existing open PR instead of creating duplicates.

Why

The scheduled OfficeCLI bump run could verify assets and push ci/officecli-bump-v1.0.93, but failed at PR creation with "GitHub Actions is not permitted to create or approve pull requests". This keeps repository-wide Actions PR creation disabled while giving this one maintenance workflow a scoped bot-token path.

Related Issue

No separate issue. Follow-up to #730 and the OfficeCLI automation from #330.

Human Review Status

Pending. A human should make the final merge decision after reviewing the final diff and verification evidence.

Review Focus

  • Confirm OFFICECLI_BUMP_TOKEN is the right repository secret name and will be provisioned after merge.
  • Confirm the workflow token boundary is narrow: default GITHUB_TOKEN is read-only, and write operations export the dedicated secret as GH_TOKEN only after dry-run exits.
  • Confirm the ci/officecli-bump-* branch update behavior is acceptable: existing bump branches are updated with --force-with-lease, then existing PRs are edited instead of duplicated.

Risk Notes

  • The next non-dry OfficeCLI bump requires repository secret OFFICECLI_BUMP_TOKEN; without it, the workflow now fails early with a clear error before pushing a branch.
  • The workflow can update only the generated ci/officecli-bump-* branch path it creates for a target OfficeCLI version.
  • No product runtime code changed.

How To Verify

Workflow test: bun --cwd packages/opencode test test/github/officecli-bump-workflow.test.ts test/github/pr-routing-triage.test.ts
Result: 10 pass, 0 fail

actionlint: actionlint .github/workflows/officecli-bump.yml
Result: passed

Diff check: git diff --check
Result: passed

Screenshots or Recordings

Not needed. This is a CI workflow change with no visible UI change.

Checklist

  • Human review status is stated above as pending, approved, or not required
  • I linked the related issue, or stated why there is no issue
  • This PR has exactly one type label (bug, enhancement, task, or documentation), at least one primary routing label (app, ui, platform, harness, or ci), and exactly one priority label (P0 to P3), or I requested maintainer labeling
  • I described the review focus and any meaningful risks
  • I listed the relevant verification steps and the key result for each
  • I did not introduce unrelated refactors, dependencies, generated files, or file changes beyond the stated scope
  • I manually checked visible UI or copy changes when needed, with screenshots or recordings
  • I considered macOS and Windows impact for platform, packaging, updater, signing, paths, shell, or permissions changes
  • I called out docs, release notes, dependencies, permissions, credentials, deletion behavior, generated content, or local file changes when relevant
  • I reviewed the final diff for unrelated changes and suspicious dependency changes
  • I am targeting dev, and my PR title and commit messages use Conventional Commits in English

Summary by CodeRabbit

  • Chores

    • Tightened GitHub Actions workflow permissions to reduce write scope, added fail-fast behavior when the bump token is missing, improved token-based authentication for bump PR creation, updated branch push behavior to force-update or create the target branch, and changed bump PR wording to "Follow-up to #330." Duplicate bump handling now updates existing PRs (title/body/labels) instead of skipping.
  • Tests

    • Strengthened workflow tests to assert stricter step behavior, token usage, permissions, git/gh commands, and updated PR phrasing.


@Astro-Han Astro-Han added bug Something isn't working ci Continuous integration / GitHub Actions upstream Tracked upstream or vendor behavior labels May 18, 2026
@github-actions github-actions Bot added harness Model harness, prompts, tool descriptions, and session mechanics task Narrow execution, audit, spike, migration, tracking, or upstream follow-up work P3 Low priority labels May 18, 2026

coderabbitai Bot commented May 18, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 9afc27b4-cee8-4140-a7a7-1ec9b5dfec03

📥 Commits

Reviewing files that changed from the base of the PR and between 0cacabb and 18fb2f5.

📒 Files selected for processing (2)
  • .github/workflows/officecli-bump.yml
  • packages/opencode/test/github/officecli-bump-workflow.test.ts
🚧 Files skipped from review as they are similar to previous changes (1)
  • packages/opencode/test/github/officecli-bump-workflow.test.ts

📝 Walkthrough

Walkthrough

The officecli-bump workflow and its test are updated to require and validate OFFICECLI_BUMP_TOKEN, restrict contents permission to read, authenticate git/gh operations with the provided token (exported as GH_TOKEN at runtime), force-update existing bump branches or push new ones, edit existing bump PRs instead of exiting, and adjust test assertions and PR body wording.

Changes

Workflow security hardening and duplicate PR handling

Permission reduction and token validation
  Files: .github/workflows/officecli-bump.yml, packages/opencode/test/github/officecli-bump-workflow.test.ts
  Summary: Workflow contents permission changed to read. New validation step fails with an explicit ::error when OFFICECLI_BUMP_TOKEN is missing for non-dry runs. Tests assert reduced permissions and presence/behavior of the validation step.

Token-based authentication and force-push
  Files: .github/workflows/officecli-bump.yml
  Summary: OFFICECLI_BUMP_TOKEN is wired into the PR-creation runtime, exported as GH_TOKEN for gh/git authentication at runtime, and branch publishing now force-updates existing ci/officecli-bump-* branches (or pushes a new branch) before PR creation. Non-dry runs still enforce dev branch gating; dry-run exits before publishing.

Duplicate PR editing and description update
  Files: .github/workflows/officecli-bump.yml
  Summary: When an open bump PR exists for the branch, the workflow edits that PR's title/body and applies labels instead of creating a duplicate or exiting. The PR body "Related Issue" line changed to "Follow-up to #330." (removed "Closes #330").

Test validation of workflow changes
  Files: packages/opencode/test/github/officecli-bump-workflow.test.ts
  Summary: Tests add step lookups for new steps, validate if conditions and OFFICECLI_BUMP_TOKEN env wiring, expect contents: "read", check for added git/gh command fragments (e.g., gh auth setup-git, fetch/push patterns, PR lookup/edit), and assert updated PR text ("Follow-up to #330.").

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • Astro-Han/pawwork#571: Introduced the officecli-bump workflow and its baseline tests, touching the same workflow and test areas updated here.

Suggested labels

github_actions, P2

Poem

🐰 A secret token snug and tight,
Permissions trimmed to keep it right,
When bumps collide,
We edit with pride —
No noisy exits in the night!

🚥 Pre-merge checks | ✅ 5 passed
  • Title check: Passed. The title 'ci: harden OfficeCLI bump PR creation' is concise and clearly describes the main change: improving security and reliability of the OfficeCLI bump workflow's PR creation process.
  • Description check: Passed. The PR description is comprehensive and follows the template well. It includes a clear summary of changes, explains the rationale, links related issues, describes review focus and risks, provides verification steps with results, and completes the required checklist.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.


Warning

Review ran into problems

🔥 Problems

Git: Failed to clone repository. Please run the @coderabbitai full review command to re-trigger a full review. If the issue persists, set path_filters to include or exclude specific files.



@github-actions github-actions Bot left a comment


Suggested priority: P3 (only low-risk paths changed (.github/workflows/officecli-bump.yml, packages/opencode/test/github/officecli-bump-workflow.test.ts)).

P1/P0 are reserved for maintainer confirmation. Please relabel manually if this is a release blocker, security issue, data-loss risk, or updater/runtime failure.

@Astro-Han Astro-Han removed harness Model harness, prompts, tool descriptions, and session mechanics task Narrow execution, audit, spike, migration, tracking, or upstream follow-up work labels May 18, 2026
@github-actions github-actions Bot added harness Model harness, prompts, tool descriptions, and session mechanics task Narrow execution, audit, spike, migration, tracking, or upstream follow-up work labels May 18, 2026

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request updates the officecli-bump-workflow tests to include assertions for a new token validation step, specific environment variables, and refined git operations such as force-with-lease. It also restricts the workflow's default permissions to contents: read. A critical issue was identified regarding the use of the --label flag with the gh pr edit command; the reviewer noted that gh pr edit requires --add-label instead, suggesting a likely bug in the underlying workflow implementation.

@Astro-Han Astro-Han removed harness Model harness, prompts, tool descriptions, and session mechanics task Narrow execution, audit, spike, migration, tracking, or upstream follow-up work labels May 18, 2026
@github-actions github-actions Bot added harness Model harness, prompts, tool descriptions, and session mechanics task Narrow execution, audit, spike, migration, tracking, or upstream follow-up work labels May 18, 2026

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.

Inline comments:

In @.github/workflows/officecli-bump.yml:
  • Around line 260-272: The current code hides failures because `gh pr list` is run inside an `if` assignment; instead run the command on its own line so `set -euo pipefail` will cause the script to exit on transient failures: assign `existing_pr="$(gh pr list --state open --base dev --head "$branch" --json url --jq '.[0].url // empty')"` on its own line, then use `if [ -n "$existing_pr" ]` to decide whether to call `gh pr edit` (the block that uses --title/--body-file/--add-label and exits 0); do not rely on command-substitution-in-if to suppress errors so `gh pr create` is not reached when `gh pr list` fails.
  • Around line 193-196: The fetch + push sequence can fail because `git fetch origin "$branch"` doesn't create refs/remotes/origin/$branch under the repo's custom fetch config, so `--force-with-lease=refs/heads/"$branch"` has no tracking ref to compare; update the fetch step to fetch an explicit refspec for the branch (e.g. fetch `refs/heads/"$branch":refs/remotes/origin/"$branch"`) before running `git push --force-with-lease=refs/heads/"$branch" --set-upstream origin "$branch"` so the remote-tracking ref exists for the lease check.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 0fe1e065-8c96-43f0-a7ad-c4d2c3215256

📥 Commits

Reviewing files that changed from the base of the PR and between d96b73e and 0cacabb.

📒 Files selected for processing (2)
  • .github/workflows/officecli-bump.yml
  • packages/opencode/test/github/officecli-bump-workflow.test.ts

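A hardened version of the bump step, added here as an illustration of the token boundary described in the PR summary and of the two CodeRabbit findings above (own-line `gh pr list`, explicit fetch refspec); this is constructed for this page, not the PR's actual diff. It assumes an earlier step has already committed the bump on $BRANCH, and the cron, version, label, and PR title values are placeholders.

```yaml
name: officecli-bump
on:
  schedule:
    - cron: "0 6 * * 1"        # constructed schedule, not the repository's
  workflow_dispatch:
    inputs:
      dry_run:
        type: boolean
        default: true
# The default GITHUB_TOKEN stays read-only for the whole workflow;
# the write step below gets the dedicated bot secret as GH_TOKEN instead.
permissions:
  contents: read
jobs:
  bump:
    runs-on: ubuntu-latest
    env:
      VERSION: v1.0.93                     # placeholder target version
      BRANCH: ci/officecli-bump-v1.0.93    # placeholder bump branch
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # pushes must use GH_TOKEN, not the read-only default token
      - name: Require bump token for non-dry runs
        if: ${{ !inputs.dry_run }}
        env:
          OFFICECLI_BUMP_TOKEN: ${{ secrets.OFFICECLI_BUMP_TOKEN }}
        run: |
          if [ -z "$OFFICECLI_BUMP_TOKEN" ]; then
            echo "::error::OFFICECLI_BUMP_TOKEN is not set; refusing to push a bump branch"
            exit 1
          fi
      - name: Create or update bump pull request
        if: ${{ !inputs.dry_run }}
        env:
          GH_TOKEN: ${{ secrets.OFFICECLI_BUMP_TOKEN }}   # scoped to this write step only
        run: |
          set -euo pipefail
          gh auth setup-git
          printf 'Bump OfficeCLI to %s.\n\nFollow-up to #330.\n' "$VERSION" > pr-body.md
          # Explicit refspec so refs/remotes/origin/$BRANCH exists for the lease check;
          # for a branch that is not on the remote yet the fetch fails harmlessly.
          git fetch origin "refs/heads/$BRANCH:refs/remotes/origin/$BRANCH" || true
          git push --force-with-lease="refs/heads/$BRANCH" --set-upstream origin "$BRANCH"
          # Assign on its own line: under set -e a failing gh pr list aborts here
          # instead of being masked by an if-assignment and falling through to create.
          existing_pr="$(gh pr list --state open --base dev --head "$BRANCH" --json url --jq '.[0].url // empty')"
          if [ -n "$existing_pr" ]; then
            gh pr edit "$existing_pr" --title "ci: bump OfficeCLI to $VERSION" --body-file pr-body.md --add-label ci
            exit 0
          fi
          gh pr create --base dev --head "$BRANCH" --title "ci: bump OfficeCLI to $VERSION" --body-file pr-body.md --label ci
```

On a scheduled run `inputs.dry_run` is unset, so both gated steps execute; a manual dispatch keeps the dry-run default and skips them.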
@Astro-Han Astro-Han removed the bug Something isn't working label May 18, 2026
@Astro-Han Astro-Han (Owner, Author) commented:

@coderabbitai review


coderabbitai Bot commented May 18, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

Astro-Han added a commit that referenced this pull request May 18, 2026
Root cause / goal:
- Prepare PawWork stable release v2026.5.19 from current dev.
- Keep PR #735 out of this release, per release boundary.

Change boundary:
- Bump only packages/desktop-electron/package.json from 2026.5.18 to 2026.5.19.

Verification:
- Local: bun --cwd packages/desktop-electron typecheck:release
- Local: git diff --check
- PR #742 checks passed: ci, desktop-smoke, e2e-artifacts, CodeQL, dependency-review, lint/title/commit checks, and pr-triage.
- Review threads checked before merge: none unresolved.

Release follow-up:
- Build macOS arm64/x64 prod artifacts through submit/finalize.
- Build Windows x64 prod artifact through full release workflow.
- Publish v2026.5.19 as latest stable only after assets and updater metadata verify.
Astro-Han added a commit that referenced this pull request Jun 2, 2026
Bump packages/desktop-electron/bundled-tools.json officecli.version from
v1.0.93 to v1.0.102, refresh skillsTarballSha256
(933f63e5a73d3c136bacfd10f435af775355cc170ab69f4a42dbcf5648b9cb6a), and
re-sync vendored skills/ with PawWork override blockquote re-injected
after upstream frontmatter. Upstream skill content change this cycle is
limited to switching the install URLs from raw.githubusercontent.com to
the new d.officecli.ai CDN; same 10 skills, no add/remove.

Why: Upstream OfficeCLI published v1.0.94 through v1.0.102 (latest on
2026-05-28). The scheduled officecli-bump workflow keeps failing at the
"Create bump pull request" step (runs 26744544092 schedule, 26806907135
manual dispatch); #735 is the in-flight automation fix. This PR completes
the bump handoff manually using the same script path the workflow runs,
so the next release can ship a current OfficeCLI bundle without waiting
on the workflow repair.

Verification (local, run from a fresh worktree with bun install
--frozen-lockfile):
- prepare-officecli.ts: pass for darwin-arm64, darwin-x64, win32-x64,
  win32-arm64 ("Prepared OfficeCLI v1.0.102 for <target>")
- sync-officecli-skills.ts --compute-sha: computed
  933f63e5...8b9cb6a, wrote skillsTarballSha256
- sync-officecli-skills.ts: wrote 120 files across 10 skills (10
  SKILL.md with override + 110 companion files), pruned 0 stale dirs
- CI on PR: 31/31 checks green including Windows unit jobs

Review: gemini-code-assist reviewed with no feedback; coderabbitai was
rate-limited and skipped (Review skipped status); pr-priority-triage
suggested P2 which was applied.

Risk: No product code, release workflow, or updater behavior changes.
Only the pinned OfficeCLI version and vendored skills content consumed
by desktop packaging move. SHA verification gates the four bundled
desktop assets.

Follow-up:
- #735 still tracks repairing the scheduled bump workflow's PR-creation
  step so future bumps land automatically.
- Gemini consumer review bot officially ceases on 2026-07-17; a
  replacement reviewer or accepting fewer bot reviews is a separate
  decision.