ci: repin x402 pins via a release-time PR, not a push to main #662

Open

bussyjd wants to merge 1 commit into

Conversation
The push-time repin-embedded-pins job in docker-publish-x402.yml committed the pin bump directly to protected main and was rejected on every run (BRANCH_PROTECTION_RULE_VIOLATION: changes must go through a PR + lint-test), so embedded pins drifted and releasing off latest main needed a manual repin. Replace it with release-prep.yml (workflow_dispatch): build the four x402 images for the release commit, then open an auto-merging, GitHub-verified repin PR (createCommitOnBranch onto a feature branch -> PR review, no ruleset bypass). An optional minimal no-bypass GitHub App (REPIN_APP_ID / REPIN_APP_PRIVATE_KEY) makes the PR's CI run so it auto-merges; without it a maintainer reopens the PR to fire CI. See docs/release-x402-pins.md.
What

Replace the push-time `repin-embedded-pins` job (removed from `docker-publish-x402.yml`) with a release-time `release-prep.yml` that opens an auto-merging, GitHub-verified repin PR.

Why

The old job committed the pin bump directly to protected `main` and was rejected on every run:

So the embedded x402 pins drifted from `main`, and releasing off latest `main` required a manual repin (just hit while cutting v0.11.0 — see #661).

How

- `release-prep.yml` (`workflow_dispatch`, `ref` = release commit): `createCommitOnBranch` (GitHub-verified) onto a feature branch → normal PR review. No ruleset bypass; no privileged push to `main`.
- Repinning is a release-time concern (so is `release.yml`'s `verify-image-pins` gate), so it now runs at release time instead of fighting branch protection on every push.
- CI on the generated PR: GitHub doesn't trigger CI for `GITHUB_TOKEN`-authored PRs. Optional minimal, no-bypass GitHub App (`REPIN_APP_ID` / `REPIN_APP_PRIVATE_KEY`; `contents:write` + `pull-requests:write`, never added to a ruleset bypass list) makes the PR's checks run so it auto-merges after one approval; without it a maintainer closes & reopens the PR to fire CI. Details in `docs/release-x402-pins.md`.

Security posture

No bypass of `main`, commits stay verified, the pin bump still lands through review. Strictly safer than adding the github-actions bot (or the app) to the ruleset bypass list, which would let any `contents:write` workflow push to `main`.
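The `createCommitOnBranch` flow described above, as an added example that is not the project's own code: it rewrites `@sha256:` image pins in a file, builds the mutation input for a feature branch (refusing the protected branch outright), and POSTs it with whatever token the workflow holds. The repository, branch and image names are constructed placeholders, and the protected-branch set is an assumption.

```python
"""Repin commit via GitHub's createCommitOnBranch mutation: the commit is
GitHub-signed and lands on a feature branch, never directly on main."""
import base64
import json
import re
import urllib.request

GRAPHQL_URL = "https://api.github.com/graphql"
PROTECTED_BRANCHES = {"main"}          # assumption: branches never committed to
DIGEST_RE = re.compile(r"(?P<image>[\w./-]+)@sha256:[0-9a-f]{64}")

MUTATION = """
mutation($input: CreateCommitOnBranchInput!) {
  createCommitOnBranch(input: $input) { commit { oid url } }
}"""


def bump_pins(text: str, new_digests: dict[str, str]) -> str:
    """Replace the digest of every image@sha256:... reference listed in new_digests."""
    def swap(m: re.Match) -> str:
        new = new_digests.get(m.group("image"))
        return f"{m.group('image')}@sha256:{new}" if new else m.group(0)
    return DIGEST_RE.sub(swap, text)


def build_commit_input(repo: str, branch: str, head_oid: str,
                       files: dict[str, str], headline: str) -> dict:
    """Build a CreateCommitOnBranchInput; files maps path -> new text content."""
    if branch in PROTECTED_BRANCHES:
        raise ValueError(f"refusing to commit to protected branch {branch!r}")
    additions = [{"path": p, "contents": base64.b64encode(c.encode()).decode()}
                 for p, c in sorted(files.items())]
    return {
        "branch": {"repositoryNameWithOwner": repo, "branchName": branch},
        "message": {"headline": headline},
        "fileChanges": {"additions": additions},
        # The API rejects the commit instead of clobbering if the branch moved.
        "expectedHeadOid": head_oid,
    }


def send_commit(commit_input: dict, token: str) -> dict:
    """POST the mutation; token is GITHUB_TOKEN or an app installation token."""
    body = json.dumps({"query": MUTATION,
                       "variables": {"input": commit_input}}).encode()
    req = urllib.request.Request(
        GRAPHQL_URL, data=body, method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

The feature branch must already exist at `head_oid` (created by the workflow before this runs); the PR itself is then opened against `main` and goes through the normal review and CI path.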