<feed xmlns='http://www.w3.org/2005/Atom'>
<title>vyos-documentation.git/.github/workflows, branch current</title>
<subtitle>VyOS readthedocs (mirror of https://github.com/vyos/vyos-documentation.git)
</subtitle>
<id>https://git.amelek.net/vyos/vyos-documentation.git/atom?h=current</id>
<link rel='self' href='https://git.amelek.net/vyos/vyos-documentation.git/atom?h=current'/>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-documentation.git/'/>
<updated>2026-05-30T13:05:48+00:00</updated>
<entry>
<title>ci: T8943: sweep HIGH-producer pins to renamed branches (rollout 1c) (#2071)</title>
<updated>2026-05-30T13:05:48+00:00</updated>
<author>
<name>Yuriy Andamasov</name>
<email>yuriy@vyos.io</email>
</author>
<published>2026-05-30T13:05:48+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-documentation.git/commit/?id=1d27b404815049815b0e9327e7ec3482ec2ecbfa'/>
<id>urn:sha1:1d27b404815049815b0e9327e7ec3482ec2ecbfa</id>
<content type='text'>
Rewrites uses: pins to the three HIGH-fanout producers (vyos/.github,
vyos/vyos-cla-signatures, VyOS-Networks/vyos-reusable-workflows) from their
old default branch to the new production compat branch staged in Task 1.
No functional change; pin-ref rewrite only.

Tracking: T8943</content>
</entry>
<entry>
<title>chore: T8937: retire Mergify-replaceable GHA caller workflows</title>
<updated>2026-05-30T07:44:58+00:00</updated>
<author>
<name>Yuriy Andamasov</name>
<email>yuriy@vyos.io</email>
</author>
<published>2026-05-30T07:44:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-documentation.git/commit/?id=38a1a0b9db56be8c251ea07764385c376fd899a7'/>
<id>urn:sha1:38a1a0b9db56be8c251ea07764385c376fd899a7</id>
<content type='text'>
Replaces 5 caller workflows now superseded by central Mergify rules.
See https://vyos.dev/T8937 for the design + spec + plan.

Advances: T8937

🤖 Generated by [robots](https://vyos.io)
</content>
</entry>
<entry>
<title>ci(ai-validation): allow Pass 2 review on external-contributor PRs</title>
<updated>2026-05-29T09:15:36+00:00</updated>
<author>
<name>Yuriy Andamasov</name>
<email>yuriy@vyos.io</email>
</author>
<published>2026-05-29T09:15:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-documentation.git/commit/?id=1fa39bd7ac64898f7a21922bc0f195d115d3cdeb'/>
<id>urn:sha1:1fa39bd7ac64898f7a21922bc0f195d115d3cdeb</id>
<content type='text'>
The upstream `anthropics/claude-code-action` performs a write-permission
check on `github.actor` before our skip logic runs. On `pull_request_target`
the actor is the PR author; external contributors resolve to `read` and the
action exits 1 with `Actor does not have write permissions to the repository`.

Net effect: AI validation has been failing on every external-contributor PR
(LiudmylaNad, teslazonda, scottlaird in the last 4 weeks) while succeeding
on maintainer PRs. Failure reproduced on run 26541079685 (PR #2061).

Fix: set `allowed_non_write_users: '*'` on the Pass 2 step. The action
bypasses the actor check when this input is set and `github_token` is
provided (already the case). The action also auto-scrubs Anthropic / cloud
/ GHA secrets from subprocess envs when this input is set.

Safe in THIS workflow because the existing defense-in-depth bounds what
Pass 2 can do with untrusted PR content:
- `allowedTools` restricted to inline-comment + read-only surfaces
- `github_token` is the PR-scoped default (not the broader VYOS_APP_ID)
- prompt marks PR content as untrusted via `&lt;UNTRUSTED-PR-CONTENT&gt;`
- workspace-wipe removes `CLAUDE.md` / `.claude/` before Pass 2
- prepare bundles MD via `git show HEAD:&lt;path&gt;` (blob, not `cp`)

Full rationale inlined as a comment block above the new input.

🤖 Generated by [robots](https://vyos.io)
</content>
</entry>
<entry>
<title>ci: remove PR mirror workflow</title>
<updated>2026-05-28T23:10:58+00:00</updated>
<author>
<name>Yuriy Andamasov</name>
<email>yuriy@vyos.io</email>
</author>
<published>2026-05-28T23:10:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-documentation.git/commit/?id=8ae90cd77e60e3863e044de16a1ca8fa2355922e'/>
<id>urn:sha1:8ae90cd77e60e3863e044de16a1ca8fa2355922e</id>
<content type='text'>
The mirror caller has been disabled and the target mirror repo at
VyOS-Networks/vyos-documentation has been removed. Drop the workflow
file so the repo state reflects "this repo does not mirror" without
relying on a dangling disabled workflow.
</content>
</entry>
<entry>
<title>ci(ai-validation): skip prepare on Mergify-authored PRs</title>
<updated>2026-05-14T06:27:19+00:00</updated>
<author>
<name>Yuriy Andamasov</name>
<email>yuriy@vyos.io</email>
</author>
<published>2026-05-14T06:27:19+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-documentation.git/commit/?id=7d94d6116be1a4776b7317cb5190a83dd065e571'/>
<id>urn:sha1:7d94d6116be1a4776b7317cb5190a83dd065e571</id>
<content type='text'>
Lifts the existing Mergify-author short-circuit (today inside validate's
`secrets-check` step) to a job-level `if:` on `prepare`, so the whole
pipeline skips for backport/queue PRs.

Why now: every Mergify backport whose merge ref shares no shallow
ancestor with the (advanced) base branch fails the prepare step at

  git diff "$BASE...HEAD" --name-only ...
  fatal: FETCH_HEAD...HEAD: no merge base

(because base is `git fetch --no-tags --depth=1` and the merge ref is
`fetch-depth: 2`). Proximate symptom: run 25842928620 on PR #2042
(sagitta backport of #2023). AI Validation isn't a required check so
the queue isn't blocked, but every Mergify backport is left with a red
"prepare" check that adds noise to PR review.

The validate-level skip in commit 0e8a2956 was correct for the
"claude-code-action rejects bot-initiated runs" failure mode but
fires too late — prepare has already run and crashed before validate's
`if: needs.prepare.outputs.has_md_changes == 'true'` even evaluates.

Implementation: single job-level `if:` on prepare. validate's
`needs: [prepare]` cascades the skip naturally (skipped needs make
the dependent's expression-based `if:` evaluate against empty outputs).
The in-step author check in validate stays as defense-in-depth.

🤖 Generated by [robots](https://vyos.io)
</content>
</entry>
<entry>
<title>Merge pull request #2023 from vyos/yuriy/doc-linter-cleanup-followups</title>
<updated>2026-05-14T05:06:07+00:00</updated>
<author>
<name>Yuriy Andamasov</name>
<email>yuriy@vyos.io</email>
</author>
<published>2026-05-14T05:06:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-documentation.git/commit/?id=1e42eb369e0663e2b68c934a76c9e4716d9ff280'/>
<id>urn:sha1:1e42eb369e0663e2b68c934a76c9e4716d9ff280</id>
<content type='text'>
ci(doc-linter): fix 12 accumulated bugs flagged across PR #2014/#2019/#2020 reviews</content>
</entry>
<entry>
<title>ci(ai-validation): skip validation on Mergify-authored PRs</title>
<updated>2026-05-13T22:16:59+00:00</updated>
<author>
<name>Yuriy Andamasov</name>
<email>yuriy@vyos.io</email>
</author>
<published>2026-05-13T22:16:59+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-documentation.git/commit/?id=d75de0c24b971a2d87e817ac3cb8e09cb816aac0'/>
<id>urn:sha1:d75de0c24b971a2d87e817ac3cb8e09cb816aac0</id>
<content type='text'>
The upstream anthropics/claude-code-action rejects bot-initiated
workflow runs with:

  Workflow initiated by non-human actor: mergify (type: Bot).
  Add bot to allowed_bots list or use '*' to allow all bots.

This leaves a failing required check on every Mergify backport PR
(#2025 today is the proximate symptom — circinus backport of #2016 is
blocked from auto-merging by this).

Per org policy, Mergify-authored PRs skip the bot-review flow entirely:
the underlying change was already reviewed on the source PR. Re-running
validation on the backport would also post duplicate findings.

Fix: extend the existing `secrets-check` step (kept the id for backwards
compat with the cascade of `if: steps.secrets-check.outputs.skip != 'true'`
gates) to also short-circuit when `github.event.pull_request.user.login`
equals `mergify[bot]`. Add a `skip_reason` output so the notify-on-PR
step can distinguish bot-skip (silent) from missing-secrets (post a
notice comment).

Implementation notes:
- PR author is bound through env: PR_AUTHOR (same pattern as secret
  bindings) so the template-expansion happens before bash sees the
  value as an already-quoted env variable.
- Uses `printf '...%s\n' "$PR_AUTHOR"` for the notice line so the
  shell — not the YAML template engine — interpolates the author into
  the workflow log output.
- Renamed step name to "Decide whether to skip validation" to reflect
  the broader scope; step id stays `secrets-check`.

🤖 Generated by [robots](https://vyos.io)
</content>
</entry>
<entry>
<title>ci(lint-doc): pin all GitHub Actions to commit SHAs</title>
<updated>2026-05-13T21:50:16+00:00</updated>
<author>
<name>Yuriy Andamasov</name>
<email>yuriy@vyos.io</email>
</author>
<published>2026-05-13T21:50:16+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-documentation.git/commit/?id=e99182b911dbe9d3a3f02e000426f7075cadc608'/>
<id>urn:sha1:e99182b911dbe9d3a3f02e000426f7075cadc608</id>
<content type='text'>
Each `uses:` line was pinned to a mutable version tag (`@v6`,
`@v0.8.4`, …). Tags can be rewritten to point to malicious code —
CVE-2025-30066 (reviewdog/action-setup) and the tj-actions/changed-files
incident in 2025 are the canonical real-world examples. GitHub's
hardening guide for Actions recommends pinning to full-length commit
SHAs and keeping the tag as a trailing comment for human readability.

Resolved each action's tag to its commit SHA via `gh api
/repos/&lt;repo&gt;/git/refs/tags/&lt;tag&gt;` and verified the SHA is a commit
(not an annotated-tag object) via `gh api
/repos/&lt;repo&gt;/git/commits/&lt;sha&gt;`:

- actions/checkout v6 -&gt; de0fac2e4500dabe0009e67214ff5f5447ce83dd
- bullfrogsec/bullfrog v0.8.4 -&gt; 1831f79cce8ad602eef14d2163873f27081ebfb3
- trilom/file-changes-action v1.2.4 -&gt; a6ca26c14274c33b15e6499323aac178af06ad4b
- actions/setup-python v6 -&gt; a309ff8b426b58ec0e2a45f0f869d46889d02405

This change covers `lint-doc.yml` only. A fleet-wide sweep across
every workflow in `.github/workflows/` is a separate effort —
worth doing because the drift / supply-chain risk is the same in
every one. Tracked as a follow-up to this PR's review.

Tracked as item 11 of the rolling-side cleanup backlog from PR #2014
/ #2019 / #2020 reviews.

🤖 Generated by [robots](https://vyos.io)
</content>
</entry>
<entry>
<title>ci(doc-linter): lint added + renamed files, not only modified</title>
<updated>2026-05-13T21:49:50+00:00</updated>
<author>
<name>Yuriy Andamasov</name>
<email>yuriy@vyos.io</email>
</author>
<published>2026-05-13T21:49:50+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-documentation.git/commit/?id=1ef5684729646ca3a24aff83ab8edd0aa57914c7'/>
<id>urn:sha1:1ef5684729646ca3a24aff83ab8edd0aa57914c7</id>
<content type='text'>
Previous workflow:

    env:
      FILES_MODIFIED: ${{ steps.file_changes.outputs.files_modified }}
    run: python scripts/doc-linter.py "$FILES_MODIFIED"

`trilom/file-changes-action`'s `files_modified` output is
modifications-only. A PR adding a new `.md`/`.rst` doc page passed
`files_added`, never `files_modified`, so a brand-new page with long
lines or real public IPs slipped past the linter entirely.

Workflow: also pass `files_added` and `files_renamed` as separate
positional args. Each output is a JSON array (action v1.2.4) and is
passed via env to avoid shell-quoting issues.

Linter: `main()` now accepts one OR multiple positional argv entries,
each a JSON array of paths. Arrays are merged and deduplicated before
linting. Single-arg invocations remain backward-compatible. Switched
from `ast.literal_eval` to `json.loads` — the action's outputs are
JSON, and `json.loads` is the right tool (and dodges
literal_eval-via-`eval`-substring linter warnings).

Test coverage:
- Two JSON arrays merge -&gt; single linter run on union.
- Empty-string argv entry skipped (no `files_renamed` in many PRs).
- Malformed JSON -&gt; falls back to walking DOCS_ROOT.
- No argv -&gt; walks DOCS_ROOT.
- Single-arg invocation -&gt; backward-compat preserved.

Tracked as item 7 of the rolling-side cleanup backlog from PR #2014 /
#2019 / #2020 reviews.

🤖 Generated by [robots](https://vyos.io)
</content>
</entry>
<entry>
<title>ci(ai-validation): stop retargeting origin to fork URL</title>
<updated>2026-05-12T06:20:17+00:00</updated>
<author>
<name>Yuriy Andamasov</name>
<email>yuriy@vyos.io</email>
</author>
<published>2026-05-12T06:20:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-documentation.git/commit/?id=68f87deca228ad2b6b07c4eb64f201c0838e494f'/>
<id>urn:sha1:68f87deca228ad2b6b07c4eb64f201c0838e494f</id>
<content type='text'>
The previous CR-driven fix (7a7a8002) re-pointed origin to the PR's HEAD
fork on the assumption that claude-code-action calls
`git fetch origin &lt;head-branch&gt;`. That assumption is wrong for fork PRs:
the action detects a fork PR and fetches `pull/&lt;n&gt;/head` instead, and
those refs only exist on the base repo. Retargeting origin to the fork
therefore breaks the fork-PR fetch path with:

  PR #&lt;n&gt; is from a fork, fetching via refs/pull/&lt;n&gt;/head...
  fatal: couldn't find remote ref pull/&lt;n&gt;/head

Observed on run 25689321499 (PR #1891 from natali-rs1985/vyos-documentation).

Leave origin pointed at vyos/vyos-documentation (the base repo) — that's
where actions/checkout left it after the merge-ref checkout, and where
`pull/&lt;n&gt;/head` resolves. Replace the step with an explanatory comment.

🤖 Generated by [robots](https://vyos.io)
</content>
</entry>
</feed>
