Skip to content

feat(staged): add daily scheduled workflow to bump ACP tool pins#878

Merged
matt2e merged 4 commits into
mainfrom
update-acps
Jul 14, 2026
Merged

feat(staged): add daily scheduled workflow to bump ACP tool pins#878
matt2e merged 4 commits into
mainfrom
update-acps

Conversation

@matt2e

@matt2e matt2e commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Adds .github/workflows/staged-bump-acp-tools.yml, a scheduled workflow (daily at 06:30 UTC, plus manual workflow_dispatch) that keeps the bundled ACP bridge tool pins in apps/staged/acp-tools.lock.json up to date:

  • Recreates the bot-owned automation/update-acp-pins branch from main on every run so it never diverges.
  • Runs just -f apps/staged/justfile bump-acp-tools and exits early when the lockfile is unchanged.
  • Smoke-checks new pins by installing them with apps/staged/scripts/ensure-acp-tools.sh (with integrity validation) before pushing, since PR CI does not consume the lockfile.
  • Force-pushes the branch and opens a chore(staged) PR when none is open; while one is open, each run refreshes it in place.

Follows up on #876, which bundled the ACP bridge tools.

Add .github/workflows/staged-bump-acp-tools.yml, a daily (06:30 UTC,
plus workflow_dispatch) job that regenerates apps/staged/acp-tools.lock.json
via 'just bump-acp-tools' and manages a PR with the result:

- resets the bot-owned automation/update-acp-pins branch from main each
  run, so it stays single-commit and never diverges
- exits successfully when the lockfile diff is clean (no upstream releases)
- smoke-checks new pins with scripts/ensure-acp-tools.sh before pushing,
  since PR CI does not consume the lockfile
- force-pushes the branch and creates a PR only when none is already open
  (refresh-in-place, no duplicates)
- sets npm_config_registry to Block Artifactory so tarball URLs match
  dev-machine runs instead of churning to registry.npmjs.org

Matches house workflow style: SHA-pinned actions, cashapp/activate-hermit
for node/just, least-privilege permissions (contents + pull-requests
write), and a concurrency group to prevent overlapping runs.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Signed-off-by: Matt Toohey <contact@matttoohey.com>
Comment thread .github/workflows/staged-bump-acp-tools.yml Fixed
Comment thread .github/workflows/staged-bump-acp-tools.yml Fixed
…kflow

The workflow pinned npm_config_registry to Block Artifactory so the
regenerated lockfile would keep the same tarball URLs as dev-machine
runs. But GitHub-hosted runners have no Artifactory credentials, so
both the bump (npm view) and the smoke check (npm install) would fail
against that registry. Remove the override and let CI use the default
registry; the first scheduled run will rewrite the lockfile tarball
URLs to registry.npmjs.org once and they stay stable after that.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Signed-off-by: Matt Toohey <contact@matttoohey.com>
@matt2e matt2e marked this pull request as ready for review July 14, 2026 00:47
@matt2e matt2e requested review from baxen and wesbillman as code owners July 14, 2026 00:47

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: bffb97d5d0

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

# this job otherwise does not use.
- name: Smoke-check new pins
if: steps.bump.outputs.changed == 'true'
run: apps/staged/scripts/ensure-acp-tools.sh --target x86_64-unknown-linux-gnu

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Smoke-check the target used by release

For this scheduled PR workflow, the smoke check only installs the x86_64-unknown-linux-gnu entries, but the Staged release workflow bundles ACP tools for aarch64-apple-darwin (TAURI_TARGET is set to that value and passed to prepare-acp-tools-resource.sh). Since update-acp-tools-lock.mjs writes target-specific native package, executable, and integrity fields, a bad macOS arm64 pin can still be opened and merged by this automation and then fail only during the release build; please validate the release target as well before pushing the PR branch.

Useful? React with 👍 / 👎.

matt2e and others added 2 commits July 14, 2026 11:50
GitHub Advanced Security (zizmor) flagged the actions/checkout and
cashapp/activate-hermit pins because their '# v6' / '# v1' comments
reference floating major tags that upstream has since moved past the
pinned SHAs. The pins themselves were valid release commits (v6.0.2
and v01.1.2), just stale.

Bump both pins to the current releases across all seven workflows:

- actions/checkout df4cb1c0 (v6.0.3, verified against upstream tags)
- cashapp/activate-hermit cea9af79 (v1.1.5, verified against upstream)

Comments now name the exact release (# v6.0.3, # v1.1.5) instead of a
floating major, so they stay accurate to the pinned SHA and the zizmor
check stays green across future upstream patch releases.

No generator or template produces these workflows — the stale pins
spread by copy-paste — so editing the seven YAML files is the complete
change.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Signed-off-by: Matt Toohey <contact@matttoohey.com>
The bump workflow smoke-checked only x86_64-unknown-linux-gnu — the
runner's native triple and arguably the least-consumed target: releases
build for aarch64-apple-darwin, and dev machines install the darwin and
linux entries via `just dev`/`just install`. Since PR CI does not
consume the lockfile, a target-specific bad pin (partial publish,
darwin-only packaging change, broken tarball) would merge unattended
and surface only at release time or on a dev's next `just dev`.

Install the new pins for every target in the lockfile instead. The
target list is derived from acp-tools.lock.json rather than hardcoded,
so it cannot drift when targets are added or removed, and every derived
target is guaranteed to have lock entries. ensure-acp-tools.sh already
passes --os/--cpu/--libc to npm on every install and never executes the
tools, so the Linux runner validates the darwin entries the same way
(verified: all four targets install and pass integrity/executable
validation cross-platform).

Prompted by a Codex review comment asking to smoke-check the release
target; extended to all four targets since dev machines consume the
rest.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Signed-off-by: Matt Toohey <contact@matttoohey.com>
@matt2e matt2e merged commit 0533e31 into main Jul 14, 2026
7 checks passed
@matt2e matt2e deleted the update-acps branch July 14, 2026 02:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants