From f95036be97e5f63e6919a7f2671974988c9686d8 Mon Sep 17 00:00:00 2001
From: John Morrissey <544926+tachyon-beep@users.noreply.github.com>
Date: Mon, 8 Jun 2026 00:22:55 +1000
Subject: [PATCH] ci(release): drop fail-closed live-Loomweave conformance gate from publish

The release pipeline gated `publish` on a fail-closed Live Loomweave conformance job, but no CI-reachable Loomweave oracle is provisioned (LOOMWEAVE_URL / LOOMWEAVE_LIVE_ORACLE_LOCATOR vars + LEGIS_LOOMWEAVE_HMAC_KEY secret are unset), so the job errored before publish and the v1.0.0rc4 release never reached PyPI. Remove the conformance job from release.yml (`publish` now `needs: [build]`) and delete the now-orphaned loomweave-conformance.yml (its only consumer was this gate; its daily scheduled sweep failed for the same unset-secret reason). Conformance remains available as the opt-in per-PR oracle step in ci.yml (silently skipped when LOOMWEAVE_URL is unset). CHANGELOG updated to match.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .github/workflows/loomweave-conformance.yml | 64 ---------------------
 .github/workflows/release.yml | 10 +---
 CHANGELOG.md | 9 ++-
 3 files changed, 7 insertions(+), 76 deletions(-)
 delete mode 100644 .github/workflows/loomweave-conformance.yml

diff --git a/.github/workflows/loomweave-conformance.yml b/.github/workflows/loomweave-conformance.yml
deleted file mode 100644
index 7a28077..0000000
--- a/.github/workflows/loomweave-conformance.yml
+++ /dev/null
@@ -1,64 +0,0 @@
-name: loomweave-conformance
-
-# Live cross-repo Loomweave SEI conformance.
-#
-# Unlike the per-PR oracle step in ci.yml (opt-in, silently skipped when
-# LOOMWEAVE_URL is unset), this gate is FAIL-CLOSED: a missing endpoint, locator
-# fixture, or HMAC credential is an ERROR, not a pass. That closes the roadmap-12
-# hole where an absent var let Loomweave endpoint/header drift sail through CI.
-#
-# It runs on a schedule (catch drift between releases) and is callable as a
-# reusable workflow (`workflow_call`) so the release pipeline gates publish on it
-# — making conformance non-optional for releases.
-
-on:
- schedule:
- - cron: "0 7 * * *" # daily 07:00 UTC drift sweep
- workflow_dispatch:
- workflow_call:
-
-permissions:
- contents: read
-
-jobs:
- live-loomweave-oracle:
- name: Live Loomweave oracle (fail-closed)
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v4
- - uses: astral-sh/setup-uv@v5
- with:
- enable-cache: true
- - name: Install dependencies
- run: uv sync --dev
- - name: Require live Loomweave configuration
- env:
- LOOMWEAVE_URL: ${{ vars.LOOMWEAVE_URL }}
- LOOMWEAVE_LIVE_ORACLE_LOCATOR: ${{ vars.LOOMWEAVE_LIVE_ORACLE_LOCATOR }}
- LEGIS_LOOMWEAVE_HMAC_KEY: ${{ secrets.LEGIS_LOOMWEAVE_HMAC_KEY }}
- run: |
- missing=0
- if [ -z "${LOOMWEAVE_URL}" ]; then
- echo "::error::LOOMWEAVE_URL variable is not set — live Loomweave conformance cannot run. Configure it under Settings → Secrets and variables → Actions → Variables."
- missing=1
- fi
- if [ -z "${LOOMWEAVE_LIVE_ORACLE_LOCATOR}" ]; then
- echo "::error::LOOMWEAVE_LIVE_ORACLE_LOCATOR variable is not set — the round-trip locator fixture is required for conformance."
- missing=1
- fi
- if [ -z "${LEGIS_LOOMWEAVE_HMAC_KEY}" ]; then
- echo "::error::LEGIS_LOOMWEAVE_HMAC_KEY secret is not set — the signed Loomweave channel credential is required."
- missing=1
- fi
- if [ "${missing}" -ne 0 ]; then
- exit 1
- fi
- - name: Run live Loomweave conformance oracle
- env:
- LOOMWEAVE_URL: ${{ vars.LOOMWEAVE_URL }}
- LOOMWEAVE_LIVE_ORACLE_LOCATOR: ${{ vars.LOOMWEAVE_LIVE_ORACLE_LOCATOR }}
- LEGIS_LOOMWEAVE_HMAC_KEY: ${{ secrets.LEGIS_LOOMWEAVE_HMAC_KEY }}
- # -rs reports any skip in the log; the guard above makes the test file's
- # own skipif conditions (unset URL / locator) unreachable, so a skip here
- # would signal an unexpected gap rather than a benign opt-out.
- run: uv run pytest tests/conformance/test_live_loomweave_oracle.py -q -rs
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 09760d8..5db29f7 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -54,17 +54,9 @@ jobs:
 name: dist
 path: dist/
 
- conformance:
- # Live cross-repo Loomweave SEI conformance, required before publish. The
- # reusable workflow is fail-closed: a missing LOOMWEAVE_URL / locator / HMAC
- # credential fails the release rather than silently skipping (roadmap 12).
- name: Live Loomweave conformance
- uses: ./.github/workflows/loomweave-conformance.yml
- secrets: inherit
-
 publish:
 name: Publish to PyPI
- needs: [build, conformance]
+ needs: [build]
 runs-on: ubuntu-latest
 environment:
 name: pypi
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9b85bfc..df56699 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
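Review bot: The explanatory comment on the removed `conformance:` job is deleted with it, so `publish` in release.yml now carries no record that releases go out unverified against a live Loomweave oracle, nor of the condition under which the gate should return; that knowledge survives only in CHANGELOG.md and the commit message. A comment directly above `publish:` such as `# No live Loomweave conformance gate: no CI-reachable oracle is provisioned, and the ci.yml oracle step is opt-in (skipped when LOOMWEAVE_URL is unset). Reinstate a fail-closed gate here once the oracle exists.` keeps that visible at the point of release. Since the reusable workflow is deleted and the commit itself says the remaining ci.yml step silently skips when the var is unset, in the current configuration no Loomweave conformance runs anywhere before publish; if the gate is meant to come back, a job conditioned on `vars.LOOMWEAVE_URL != ''` may be preferable to outright deletion, though `publish`'s `needs` would then have to tolerate a skipped dependency. The remaining steps of the `publish` job continue past the end of the hunk.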
@@ -80,9 +80,12 @@ versions per [PEP 440](https://peps.python.org/pep-0440/) / write attribution is self-asserted, not cryptographically verified) as a known governance gap, acceptable for trust-local use and deferred for multi-principal. - **Release CI gates** — the coverage floor is raised to 88% with a `ruff` lint - gate added (Q-L7), live Loomweave conformance is now non-optional for releases - (no silent skip when the oracle is down), and the Filigree client's transport / - error branches are covered. + gate added (Q-L7), and the Filigree client's transport / error branches are + covered. (The live Loomweave conformance step is opt-in via the per-PR oracle + in `ci.yml`, skipped when `LOOMWEAVE_URL` is unset; it does **not** hard-gate + PyPI publish — the fail-closed release gate was removed because no + CI-reachable Loomweave oracle is provisioned, which would otherwise make every + release fail before publish.) ### Fixed - **Fingerprint reconciliation + RFC-8785 deferral (Q-L5 / Q-L4)** — the policy