feat(staged): add daily scheduled workflow to bump ACP tool pins#878
Conversation
Add .github/workflows/staged-bump-acp-tools.yml, a daily (06:30 UTC, plus workflow_dispatch) job that regenerates apps/staged/acp-tools.lock.json via 'just bump-acp-tools' and manages a PR with the result: - resets the bot-owned automation/update-acp-pins branch from main each run, so it stays single-commit and never diverges - exits successfully when the lockfile diff is clean (no upstream releases) - smoke-checks new pins with scripts/ensure-acp-tools.sh before pushing, since PR CI does not consume the lockfile - force-pushes the branch and creates a PR only when none is already open (refresh-in-place, no duplicates) - sets npm_config_registry to Block Artifactory so tarball URLs match dev-machine runs instead of churning to registry.npmjs.org Matches house workflow style: SHA-pinned actions, cashapp/activate-hermit for node/just, least-privilege permissions (contents + pull-requests write), and a concurrency group to prevent overlapping runs. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Signed-off-by: Matt Toohey <contact@matttoohey.com>
…kflow The workflow pinned npm_config_registry to Block Artifactory so the regenerated lockfile would keep the same tarball URLs as dev-machine runs. But GitHub-hosted runners have no Artifactory credentials, so both the bump (npm view) and the smoke check (npm install) would fail against that registry. Remove the override and let CI use the default registry; the first scheduled run will rewrite the lockfile tarball URLs to registry.npmjs.org once and they stay stable after that. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Signed-off-by: Matt Toohey <contact@matttoohey.com>
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: bffb97d5d0
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
| # this job otherwise does not use. | ||
| - name: Smoke-check new pins | ||
| if: steps.bump.outputs.changed == 'true' | ||
| run: apps/staged/scripts/ensure-acp-tools.sh --target x86_64-unknown-linux-gnu |
There was a problem hiding this comment.
Smoke-check the target used by release
For this scheduled PR workflow, the smoke check only installs the x86_64-unknown-linux-gnu entries, but the Staged release workflow bundles ACP tools for aarch64-apple-darwin (TAURI_TARGET is set to that value and passed to prepare-acp-tools-resource.sh). Since update-acp-tools-lock.mjs writes target-specific native package, executable, and integrity fields, a bad macOS arm64 pin can still be opened and merged by this automation and then fail only during the release build; please validate the release target as well before pushing the PR branch.
Useful? React with 👍 / 👎.
GitHub Advanced Security (zizmor) flagged the actions/checkout and cashapp/activate-hermit pins because their '# v6' / '# v1' comments reference floating major tags that upstream has since moved past the pinned SHAs. The pins themselves were valid release commits (v6.0.2 and v01.1.2), just stale. Bump both pins to the current releases across all seven workflows: - actions/checkout df4cb1c0 (v6.0.3, verified against upstream tags) - cashapp/activate-hermit cea9af79 (v1.1.5, verified against upstream) Comments now name the exact release (# v6.0.3, # v1.1.5) instead of a floating major, so they stay accurate to the pinned SHA and the zizmor check stays green across future upstream patch releases. No generator or template produces these workflows — the stale pins spread by copy-paste — so editing the seven YAML files is the complete change. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Signed-off-by: Matt Toohey <contact@matttoohey.com>
The bump workflow smoke-checked only x86_64-unknown-linux-gnu — the runner's native triple and arguably the least-consumed target: releases build for aarch64-apple-darwin, and dev machines install the darwin and linux entries via `just dev`/`just install`. Since PR CI does not consume the lockfile, a target-specific bad pin (partial publish, darwin-only packaging change, broken tarball) would merge unattended and surface only at release time or on a dev's next `just dev`. Install the new pins for every target in the lockfile instead. The target list is derived from acp-tools.lock.json rather than hardcoded, so it cannot drift when targets are added or removed, and every derived target is guaranteed to have lock entries. ensure-acp-tools.sh already passes --os/--cpu/--libc to npm on every install and never executes the tools, so the Linux runner validates the darwin entries the same way (verified: all four targets install and pass integrity/executable validation cross-platform). Prompted by a Codex review comment asking to smoke-check the release target; extended to all four targets since dev machines consume the rest. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Signed-off-by: Matt Toohey <contact@matttoohey.com>
Adds
.github/workflows/staged-bump-acp-tools.yml, a scheduled workflow (daily at 06:30 UTC, plus manualworkflow_dispatch) that keeps the bundled ACP bridge tool pins inapps/staged/acp-tools.lock.jsonup to date:automation/update-acp-pinsbranch frommainon every run so it never diverges.just -f apps/staged/justfile bump-acp-toolsand exits early when the lockfile is unchanged.apps/staged/scripts/ensure-acp-tools.sh(with integrity validation) before pushing, since PR CI does not consume the lockfile.chore(staged)PR when none is open; while one is open, each run refreshes it in place.Follows up on #876, which bundled the ACP bridge tools.