
WIP Add after hooks step #218

Open
Resonance1584 wants to merge 7 commits into main from 2026-05-07_after-hooks


Resonance1584 commented May 7, 2026

Contributor

Summary by CodeRabbit

  • Chores
    • Added optional encryption-key support for reusable workflow calls to secure pipeline artifacts.
    • Threaded the optional key through pipeline steps to enable encrypted plan handling.
    • Added authentication setup and post-execution hooks during pipeline validation to run additional checks.
    • Tightened pipeline success criteria so a run only passes when core validation and post-hook checks both succeed.

Resonance1584 force-pushed the 2026-05-07_after-hooks branch from 6aad646 to dfa44fa on May 26, 2026 19:30

coderabbitai Bot commented Jun 5, 2026


Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


Walkthrough

Two workflow files—pipelines-root.yml and pipelines.yml—add an optional PIPELINES_PLAN_ENCRYPTION_KEY, pass it into preflight and comment-update steps, install Mise and run code-auth, execute pipelines-hooks-after in status checks, capture AFTER_HOOKS_OUTCOME, and require both pipeline success and hooks non-failure for final pass.

Changes

After-Hooks and Encryption Key Integration

| Layer / File(s) | Summary |
| --- | --- |
| Encryption Key Secret Interface: .github/workflows/pipelines-root.yml, .github/workflows/pipelines.yml | Both workflows add PIPELINES_PLAN_ENCRYPTION_KEY as an optional secret in their workflow_call interface. |
| Secret Threading into Action Steps: .github/workflows/pipelines-root.yml, .github/workflows/pipelines.yml | The encryption key secret is passed into pipelines-preflight-action and pipelines-comment-job-update steps in each workflow. |
| After-Hooks Execution and Status Gating: .github/workflows/pipelines-root.yml, .github/workflows/pipelines.yml | Status check installs Mise, runs pipelines-code-auth, executes pipelines-hooks-after (with the key), captures its outcome to AFTER_HOOKS_OUTCOME, and updates the final success condition to require pipeline_status == "success" AND AFTER_HOOKS_OUTCOME != "failure". |

Sequence Diagram

sequenceDiagram
  participant Caller as Workflow Caller
  participant Preflight as pipelines-preflight-action
  participant Pipeline as Pipeline Run
  participant Mise as Mise Installer
  participant CodeAuth as pipelines-code-auth
  participant Hooks as pipelines-hooks-after
  participant Status as pipelines_status_check

  Caller->>Preflight: provide PIPELINES_PLAN_ENCRYPTION_KEY
  Preflight-->>Caller: preflight complete
  Caller->>Pipeline: run pipeline
  Pipeline-->>Caller: pipeline_status (success/failure)
  Status->>Mise: install Mise
  Status->>CodeAuth: configure code auth
  Status->>Hooks: run pipelines-hooks-after (with key)
  Hooks-->>Status: outcome -> AFTER_HOOKS_OUTCOME
  Status-->>Caller: require pipeline_status=="success" AND AFTER_HOOKS_OUTCOME!="failure"

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🔐 A secret slips into the workflow's hands,
Preflight waves it through the lands,
Mise wakes, the hooks reply,
Both must pass for checks to fly,
Merge the change — the CI expands. 🎉

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Title check | ❓ Inconclusive | The title 'WIP Add after hooks step' is partially related to the changeset but lacks specificity and uses WIP designation, which indicates incomplete work rather than describing the actual functional change being introduced. | Consider clarifying the title to describe what the after hooks step actually does (e.g., 'Add post-pipeline validation via after hooks step') and remove WIP if the PR is ready for review. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

✏️ Tip: You can configure your own custom pre-merge checks in the settings.


Comment @coderabbitai help to get the list of available commands and usage tips.

coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/pipelines.yml:
- Line 382: The workflow references steps.hooks_after.output_file (assigned to
AFTER_HOOKS_OUTPUT_FILE) but that output doesn't exist in the
pipelines-hooks-after action; inspect the action's action.yml
(pipelines-actions/.github/actions/pipelines-hooks-after) and either add an
outputs.output_file definition (and make the action set that output) or change
the workflow to use an existing output (e.g., steps.hooks_after.outcome) or
remove the env var if not needed; also verify the CLI supports
--after-hooks-output-file (search repo for the flag in Go files) and if it
doesn't, remove/replace the flag usage where AFTER_HOOKS_OUTPUT_FILE is consumed
so you don't pass an empty value to the CLI.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 86df98ca-63c0-4381-9b44-1ff78ae192b7

📥 Commits

Reviewing files that changed from the base of the PR and between 5f0ccab and e9e8d19.

📒 Files selected for processing (1)
  • .github/workflows/pipelines.yml

Comment thread .github/workflows/pipelines.yml Outdated
API_BASE_URL: ${{ inputs.api_base_url }}
GH_TOKEN: ${{ fromJson(steps.pipelines-tokens.outputs.tokens_json).propose_infra_change }}
GH_ARTIFACT_TOKEN: ${{ fromJson(steps.pipelines-tokens.outputs.tokens_json).propose_infra_change }}
AFTER_HOOKS_OUTPUT_FILE: ${{ steps.hooks_after.output_file }}
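
Review bot: On the AFTER_HOOKS_OUTPUT_FILE line, steps.hooks_after.output_file reads a property directly off the step context, which carries only outputs, outcome and conclusion, so the expression resolves to an empty string. If pipelines-hooks-after declares an output named output_file, read it as steps.hooks_after.outputs.output_file; if it does not, drop this env var so that no empty path reaches whatever consumes it.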


⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

The output_file property doesn't exist on the step outputs.

Static analysis flags that steps.hooks_after.output_file isn't defined in the action's outputs schema. Cross-checking with pipelines-root.yml, I notice it only references steps.hooks_after.outcome and never uses output_file. This discrepancy suggests either:

  1. The action doesn't expose an output_file output
  2. There's a missing output definition in the action's action.yml

If the property is undefined, AFTER_HOOKS_OUTPUT_FILE will be empty, and line 387 will pass a blank value to the CLI.

Run this script to check the action definition:

#!/bin/bash
# Check if pipelines-hooks-after action defines output_file output

fd -t f 'action.ya?ml' pipelines-actions/.github/actions/pipelines-hooks-after --exec cat {} \; | rg -A 5 '^outputs:'

Also verify the CLI accepts this flag:

#!/bin/bash
# Check if pipelines CLI supports --after-hooks-output-file flag

rg -n 'after-hooks-output-file' -g '*.go' -C 3
🧰 Tools
🪛 actionlint (1.7.12)

[error] 382-382: property "output_file" is not defined in object type {conclusion: string; outcome: string; outputs: {string => string}}

(expression)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/pipelines.yml at line 382, The workflow references
steps.hooks_after.output_file (assigned to AFTER_HOOKS_OUTPUT_FILE) but that
output doesn't exist in the pipelines-hooks-after action; inspect the action's
action.yml (pipelines-actions/.github/actions/pipelines-hooks-after) and either
add an outputs.output_file definition (and make the action set that output) or
change the workflow to use an existing output (e.g., steps.hooks_after.outcome)
or remove the env var if not needed; also verify the CLI supports
--after-hooks-output-file (search repo for the flag in Go files) and if it
doesn't, remove/replace the flag usage where AFTER_HOOKS_OUTPUT_FILE is consumed
so you don't pass an empty value to the CLI.
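
A local check for the class of mistake flagged in this thread, as an added example that is not part of the PR or of CodeRabbit's review: it lists every `steps.<id>.<prop>` reference whose property is not `outputs`, `outcome` or `conclusion`, the three fields named in the actionlint error. The function names are hypothetical, and the sample workflow lines are constructed from the snippet in the comment thread plus an assumed `AFTER_HOOKS_OUTCOME` line.

```shell
#!/usr/bin/env bash
# Added example (not from the PR): flag step-context references that skip
# the `.outputs.` segment, e.g. steps.hooks_after.output_file.
# Limitation: bracket syntax such as steps['id'].prop is not inspected.

find_bad_step_refs() {
  # $1: path to a workflow file.
  # Prints "<line>:<reference>" for each reference whose second segment is
  # not one of the fields a step context exposes.
  grep -noE 'steps\.[A-Za-z_][A-Za-z0-9_-]*\.[A-Za-z_][A-Za-z0-9_-]*' "$1" \
    | grep -vE '\.(outputs|outcome|conclusion)$' || true
}

write_sample() {
  # $1: destination path. Constructed sample input, not the real workflow.
  cat > "$1" <<'EOF'
env:
  GH_TOKEN: ${{ fromJson(steps.pipelines-tokens.outputs.tokens_json).propose_infra_change }}
  AFTER_HOOKS_OUTCOME: ${{ steps.hooks_after.outcome }}
  AFTER_HOOKS_OUTPUT_FILE: ${{ steps.hooks_after.output_file }}
EOF
}

sample="$(mktemp)"
write_sample "$sample"
# Only the output_file reference on line 4 of the sample is reported.
find_bad_step_refs "$sample"
rm -f "$sample"
```

Run against `.github/workflows/*.yml` before pushing, an empty result means every step reference goes through `outputs`, `outcome` or `conclusion`; it does not prove the named output is actually declared by the action.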

Resonance1584 force-pushed the 2026-05-07_after-hooks branch from e9e8d19 to 7d8115c on June 11, 2026 22:50