fix(ci): ceo-audit.yml — set CEO_AUDIT_OUTPUT to workspace path #26
Merged
3 consecutive workflow failures on Bundle: 'Path does not exist:
/home/runner/work/.../ceo-audit-output/report.sarif'.
audit.sh defaulted to $HOME/ceo-audits/<repo>-ceo-audit-<id>/, but
workflow expected ./ceo-audit-output/. Fix: override CEO_AUDIT_OUTPUT
env var in the env block to ${{ github.workspace }}/ceo-audit-output
so all output lands in one predictable place.
After this PR, ceo-audit.yml should:
- Write score.json to ceo-audit-output/score.json
- Write report.sarif to ceo-audit-output/report.sarif
- Upload SARIF successfully to Code Scanning
- Post sticky PR comment with grade A+
Also updates the App commenter step to use SIN_GITHUB_INSTALLATION_TOKEN
(org secret, public repos only) — gracefully falls back to Action
comment if not set.
🏆 CEO Audit — A+ (100.0/100)
added 6 commits
June 4, 2026 13:16
pip install 'sin-code-bundle[ceo-audit,dev]' fails on Bundle runs because the bundle has not been published to PyPI. Falls back to installing from GitHub at the v0.4.4 tag (the last 100.0/100 A+ release). After publishing to PyPI, this can be simplified back to a single pip install command.
#egg=sin-code-bundle[ceo-audit,dev] is invalid egg syntax (brackets not allowed in egg fragment). Newer pip uses 'pkg[extras] @ URL' form which supports extras with git URLs. Reference: https://pip.pypa.io/en/stable/topics/vcs-support/
The skill is shipped via pip, but the workflow assumed ~/.config/opencode/skills/ceo-audit/scripts/audit.sh — which doesn't exist on GitHub-hosted runners. Fix: locate audit.sh in either the pip site-packages (preferred) or the opencode skill dir (fallback). After this, audit.sh should run, score.json should be written to ceo-audit-output/, and the PR comment should post.
sin-code-bundle[ceo-audit] extra does not yet package the skill scripts (only python lib). Clone the SSOT directly to get audit.sh + axis scripts. After bundle v0.5.0 ships the scripts as a package_data resource, this step can be removed.
Bug
3 consecutive ceo-audit.yml failures on SIN-Code-Bundle (2026-06-03, runs 26908050630 + 26911171755):
Root Cause
Workflow created `ceo-audit-output/` and `find`d score.json there, but `audit.sh` defaulted to `$HOME/ceo-audits/<repo>-ceo-audit-<id>/`. Two different output dirs → score.json never found → SARIF upload fails.
Fix
Override `CEO_AUDIT_OUTPUT=${{ github.workspace }}/ceo-audit-output` in env block so output lands where the workflow expects it.
Verification
After merge, the next push to main should:
ceo-audit-output/score.json
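
The path mismatch described in this PR, reproduced offline as an added example (not the project's audit.sh or workflow). `fake_audit` is a constructed stand-in that mimics only the output-directory default stated above, and `check_artifacts` is a hypothetical guard a workflow could run before the SARIF upload step.

```shell
#!/usr/bin/env bash
# Added example with constructed stand-ins; not the project's audit.sh.

# Mirrors the default the PR describes: $HOME/ceo-audits/<repo>-ceo-audit-<id>
# unless CEO_AUDIT_OUTPUT is set. The repo/id arguments are assumptions.
resolve_audit_output() {
  local repo="$1" id="$2"
  printf '%s\n' "${CEO_AUDIT_OUTPUT:-$HOME/ceo-audits/${repo}-ceo-audit-${id}}"
}

# Stand-in producer: writes placeholder artifacts where audit.sh would.
fake_audit() {
  local out
  out="$(resolve_audit_output "$1" "$2")"
  mkdir -p "$out"
  printf '{}\n' > "$out/score.json"
  printf '{}\n' > "$out/report.sarif"
}

# Consumer-side guard: names every missing or empty artifact so a path
# mismatch fails here, before the upload step, with a readable message.
check_artifacts() {
  local dir="$1" missing=0 f
  for f in score.json report.sarif; do
    if [ ! -s "$dir/$f" ]; then
      echo "missing or empty: $dir/$f" >&2
      missing=1
    fi
  done
  return "$missing"
}

# Runs producer and guard in a throwaway HOME and workspace.
# mode=default reproduces the failure; mode=override applies the fix.
demo() {
  local mode="$1" tmp ws rc=0
  tmp="$(mktemp -d)"
  ws="$tmp/workspace"
  mkdir -p "$ws"
  (
    export HOME="$tmp/home"
    unset CEO_AUDIT_OUTPUT
    [ "$mode" = override ] && export CEO_AUDIT_OUTPUT="$ws/ceo-audit-output"
    fake_audit SIN-Code-Bundle 1
    check_artifacts "$ws/ceo-audit-output"
  ) 2>/dev/null || rc=$?
  rm -rf "$tmp"
  return "$rc"
}
```

`demo default` returns non-zero because the artifacts land under the temporary HOME, while `demo override` returns zero.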