<feed xmlns='http://www.w3.org/2005/Atom'>
<title>vyos-documentation.git/.github/workflows, branch rolling</title>
<subtitle>VyOS readthedocs (mirror of https://github.com/vyos/vyos-documentation.git)
</subtitle>
<id>https://git.amelek.net/vyos/vyos-documentation.git/atom?h=rolling</id>
<link rel='self' href='https://git.amelek.net/vyos/vyos-documentation.git/atom?h=rolling'/>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-documentation.git/'/>
<updated>2026-06-13T04:05:27+00:00</updated>
<entry>
<title>chore: T8937: move conflict labeling+comment from eps1lon GHA to Mergify (#2103)</title>
<updated>2026-06-13T04:05:27+00:00</updated>
<author>
<name>Yuriy Andamasov</name>
<email>yuriy@vyos.io</email>
</author>
<published>2026-06-13T04:05:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-documentation.git/commit/?id=03abd003d2f9456c450c5e0068efeaf130b89f33'/>
<id>urn:sha1:03abd003d2f9456c450c5e0068efeaf130b89f33</id>
<content type='text'>
Removes the eps1lon `check-open-prs-conflict.yml` caller (which ran
`eps1lon/actions-label-merge-conflict` on push to base branches to label
conflicting PRs + comment) and replaces it with Mergify:

- Conflict LABEL (`conflicts`): already handled by the inherited central
  `Label conflicting pull requests` rule (predicate `conflict`, toggle).
  Mergify re-evaluates continuously, so the GHA's push-triggered re-scan
  is covered natively — no local rule needed for the label.
- Conflict COMMENT: a local additive rule `Comment on conflicting pull
  requests` (distinct name → does not replace the inherited label rule)
  posts the contributor-facing "please resolve" notice once when a PR
  enters conflict (Mergify dedupes the comment per rule+message).

The GHA's clean-side "conflicts resolved" comment is intentionally NOT
replicated — Mergify has no "was-conflicting-now-clean" predicate, and
keying on `-conflict` would match every non-conflicting PR.

This is the final piece of the T8937 Mergify-GHA retirement (the central
`check-pr-conflict.yml` reusable was preserved pending this consumer; it
is deleted in a follow-up vyos/.github PR once this merges).

Advances: T8937

🤖 Generated by [robots](https://vyos.io)</content>
</entry>
<entry>
<title>T8960: ai-validation — mint vyos-bot token via get-token@production</title>
<updated>2026-06-03T00:32:24+00:00</updated>
<author>
<name>Yuriy Andamasov</name>
<email>yuriy@vyos.io</email>
</author>
<published>2026-06-03T00:32:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-documentation.git/commit/?id=459109f13adf026d012c4e803f4a86a8f84e6ce3'/>
<id>urn:sha1:459109f13adf026d012c4e803f4a86a8f84e6ce3</id>
<content type='text'>
Swap the cross-repo-checkout token from the dedicated vyos-docs-reviewer
App (VYOS_APP_ID/_PRIVATE_KEY) to the shared vyos-bot App via the fleet
get-token composite, scoped contents:read. Skip-check now gates on
APP_CLIENT_ID + APP_PRIVATE_KEY + ANTHROPIC_API_KEY (org-level vyos-bot
creds); reword the stale token comment. PR-comment posting still uses
the default GITHUB_TOKEN. Byte-identical to the paired reference copy in
VyOS-Networks/vyos-docs-opus-reviewer (scripts/ai-validation.yml).

🤖 Generated by [robots](https://vyos.io)
</content>
</entry>
<entry>
<title>ci: T8943: sweep HIGH-producer pins to renamed branches (rollout 1c) (#2071)</title>
<updated>2026-05-30T13:05:48+00:00</updated>
<author>
<name>Yuriy Andamasov</name>
<email>yuriy@vyos.io</email>
</author>
<published>2026-05-30T13:05:48+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-documentation.git/commit/?id=1d27b404815049815b0e9327e7ec3482ec2ecbfa'/>
<id>urn:sha1:1d27b404815049815b0e9327e7ec3482ec2ecbfa</id>
<content type='text'>
Rewrites uses: pins to the three HIGH-fanout producers (vyos/.github,
vyos/vyos-cla-signatures, VyOS-Networks/vyos-reusable-workflows) from their
old default branch to the new production compat branch staged in Task 1.
No functional change; pin-ref rewrite only.

Tracking: T8943</content>
</entry>
<entry>
<title>chore: T8937: retire Mergify-replaceable GHA caller workflows</title>
<updated>2026-05-30T07:44:58+00:00</updated>
<author>
<name>Yuriy Andamasov</name>
<email>yuriy@vyos.io</email>
</author>
<published>2026-05-30T07:44:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-documentation.git/commit/?id=38a1a0b9db56be8c251ea07764385c376fd899a7'/>
<id>urn:sha1:38a1a0b9db56be8c251ea07764385c376fd899a7</id>
<content type='text'>
Replaces 5 caller workflows now superseded by central Mergify rules.
See https://vyos.dev/T8937 for the design + spec + plan.

Advances: T8937

🤖 Generated by [robots](https://vyos.io)
</content>
</entry>
<entry>
<title>ci(ai-validation): allow Pass 2 review on external-contributor PRs</title>
<updated>2026-05-29T09:15:36+00:00</updated>
<author>
<name>Yuriy Andamasov</name>
<email>yuriy@vyos.io</email>
</author>
<published>2026-05-29T09:15:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-documentation.git/commit/?id=1fa39bd7ac64898f7a21922bc0f195d115d3cdeb'/>
<id>urn:sha1:1fa39bd7ac64898f7a21922bc0f195d115d3cdeb</id>
<content type='text'>
The upstream `anthropics/claude-code-action` performs a write-permission
check on `github.actor` before our skip logic runs. On `pull_request_target`
the actor is the PR author; external contributors resolve to `read` and the
action exits 1 with `Actor does not have write permissions to the repository`.

Net effect: AI validation has been failing on every external-contributor PR
(LiudmylaNad, teslazonda, scottlaird in the last 4 weeks) while succeeding
on maintainer PRs. Failure reproduced on run 26541079685 (PR #2061).

Fix: set `allowed_non_write_users: '*'` on the Pass 2 step. The action
bypasses the actor check when this input is set and `github_token` is
provided (already the case). The action also auto-scrubs Anthropic / cloud
/ GHA secrets from subprocess envs when this input is set.

Safe in THIS workflow because the existing defense-in-depth bounds what
Pass 2 can do with untrusted PR content:
- `allowedTools` restricted to inline-comment + read-only surfaces
- `github_token` is the PR-scoped default (not the broader VYOS_APP_ID)
- prompt marks PR content as untrusted via `&lt;UNTRUSTED-PR-CONTENT&gt;`
- workspace-wipe removes `CLAUDE.md` / `.claude/` before Pass 2
- prepare bundles MD via `git show HEAD:&lt;path&gt;` (blob, not `cp`)

Full rationale inlined as a comment block above the new input.

🤖 Generated by [robots](https://vyos.io)
</content>
</entry>
<entry>
<title>ci: remove PR mirror workflow</title>
<updated>2026-05-28T23:10:58+00:00</updated>
<author>
<name>Yuriy Andamasov</name>
<email>yuriy@vyos.io</email>
</author>
<published>2026-05-28T23:10:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-documentation.git/commit/?id=8ae90cd77e60e3863e044de16a1ca8fa2355922e'/>
<id>urn:sha1:8ae90cd77e60e3863e044de16a1ca8fa2355922e</id>
<content type='text'>
The mirror caller has been disabled and the target mirror repo at
VyOS-Networks/vyos-documentation has been removed. Drop the workflow
file so the repo state reflects "this repo does not mirror" without
relying on a dangling disabled workflow.
</content>
</entry>
<entry>
<title>ci(ai-validation): skip prepare on Mergify-authored PRs</title>
<updated>2026-05-14T06:27:19+00:00</updated>
<author>
<name>Yuriy Andamasov</name>
<email>yuriy@vyos.io</email>
</author>
<published>2026-05-14T06:27:19+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-documentation.git/commit/?id=7d94d6116be1a4776b7317cb5190a83dd065e571'/>
<id>urn:sha1:7d94d6116be1a4776b7317cb5190a83dd065e571</id>
<content type='text'>
Lifts the existing Mergify-author short-circuit (today inside validate's
`secrets-check` step) to a job-level `if:` on `prepare`, so the whole
pipeline skips for backport/queue PRs.

Why now: every Mergify backport whose merge ref shares no shallow
ancestor with the (advanced) base branch fails the prepare step at

  git diff "$BASE...HEAD" --name-only ...
  fatal: FETCH_HEAD...HEAD: no merge base

(because base is `git fetch --no-tags --depth=1` and the merge ref is
`fetch-depth: 2`). Proximate symptom: run 25842928620 on PR #2042
(sagitta backport of #2023). AI Validation isn't a required check so
the queue isn't blocked, but every Mergify backport is left with a red
"prepare" check that adds noise to PR review.

The validate-level skip in commit 0e8a2956 was correct for the
"claude-code-action rejects bot-initiated runs" failure mode but
fires too late — prepare has already run and crashed before validate's
`if: needs.prepare.outputs.has_md_changes == 'true'` even evaluates.

Implementation: single job-level `if:` on prepare. validate's
`needs: [prepare]` cascades the skip naturally (skipped needs make
the dependent's expression-based `if:` evaluate against empty outputs).
The in-step author check in validate stays as defense-in-depth.

🤖 Generated by [robots](https://vyos.io)
</content>
</entry>
<entry>
<title>Merge pull request #2023 from vyos/yuriy/doc-linter-cleanup-followups</title>
<updated>2026-05-14T05:06:07+00:00</updated>
<author>
<name>Yuriy Andamasov</name>
<email>yuriy@vyos.io</email>
</author>
<published>2026-05-14T05:06:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-documentation.git/commit/?id=1e42eb369e0663e2b68c934a76c9e4716d9ff280'/>
<id>urn:sha1:1e42eb369e0663e2b68c934a76c9e4716d9ff280</id>
<content type='text'>
ci(doc-linter): fix 12 accumulated bugs flagged across PR #2014/#2019/#2020 reviews</content>
</entry>
<entry>
<title>ci(ai-validation): skip validation on Mergify-authored PRs</title>
<updated>2026-05-13T22:16:59+00:00</updated>
<author>
<name>Yuriy Andamasov</name>
<email>yuriy@vyos.io</email>
</author>
<published>2026-05-13T22:16:59+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-documentation.git/commit/?id=d75de0c24b971a2d87e817ac3cb8e09cb816aac0'/>
<id>urn:sha1:d75de0c24b971a2d87e817ac3cb8e09cb816aac0</id>
<content type='text'>
The upstream anthropics/claude-code-action rejects bot-initiated
workflow runs with:

  Workflow initiated by non-human actor: mergify (type: Bot).
  Add bot to allowed_bots list or use '*' to allow all bots.

This leaves a failing required check on every Mergify backport PR
(#2025 today is the proximate symptom — circinus backport of #2016 is
blocked from auto-merging by this).

Per org policy, Mergify-authored PRs skip the bot-review flow entirely:
the underlying change was already reviewed on the source PR. Re-running
validation on the backport would also post duplicate findings.

Fix: extend the existing `secrets-check` step (kept the id for backwards
compat with the cascade of `if: steps.secrets-check.outputs.skip != 'true'`
gates) to also short-circuit when `github.event.pull_request.user.login`
equals `mergify[bot]`. Add a `skip_reason` output so the notify-on-PR
step can distinguish bot-skip (silent) from missing-secrets (post a
notice comment).

Implementation notes:
- PR author is bound through env: PR_AUTHOR (same pattern as secret
  bindings) so the template-expansion happens before bash sees the
  value as an already-quoted env variable.
- Uses `printf '...%s\n' "$PR_AUTHOR"` for the notice line so the
  shell — not the YAML template engine — interpolates the author into
  the workflow log output.
- Renamed step name to "Decide whether to skip validation" to reflect
  the broader scope; step id stays `secrets-check`.

🤖 Generated by [robots](https://vyos.io)
</content>
</entry>
<entry>
<title>ci(lint-doc): pin all GitHub Actions to commit SHAs</title>
<updated>2026-05-13T21:50:16+00:00</updated>
<author>
<name>Yuriy Andamasov</name>
<email>yuriy@vyos.io</email>
</author>
<published>2026-05-13T21:50:16+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-documentation.git/commit/?id=e99182b911dbe9d3a3f02e000426f7075cadc608'/>
<id>urn:sha1:e99182b911dbe9d3a3f02e000426f7075cadc608</id>
<content type='text'>
Each `uses:` line was pinned to a mutable version tag (`@v6`,
`@v0.8.4`, …). Tags can be rewritten to point to malicious code —
CVE-2025-30066 (reviewdog/action-setup) and the tj-actions/changed-files
incident in 2025 are the canonical real-world examples. GitHub's
hardening guide for Actions recommends pinning to full-length commit
SHAs and keeping the tag as a trailing comment for human readability.

Resolved each action's tag to its commit SHA via `gh api
/repos/&lt;repo&gt;/git/refs/tags/&lt;tag&gt;` and verified the SHA is a commit
(not an annotated-tag object) via `gh api
/repos/&lt;repo&gt;/git/commits/&lt;sha&gt;`:

- actions/checkout v6 -&gt; de0fac2e4500dabe0009e67214ff5f5447ce83dd
- bullfrogsec/bullfrog v0.8.4 -&gt; 1831f79cce8ad602eef14d2163873f27081ebfb3
- trilom/file-changes-action v1.2.4 -&gt; a6ca26c14274c33b15e6499323aac178af06ad4b
- actions/setup-python v6 -&gt; a309ff8b426b58ec0e2a45f0f869d46889d02405

This change covers `lint-doc.yml` only. A fleet-wide sweep across
every workflow in `.github/workflows/` is a separate effort —
worth doing because the drift / supply-chain risk is the same in
every one. Tracked as a follow-up to this PR's review.

Tracked as item 11 of the rolling-side cleanup backlog from PR #2014
/ #2019 / #2020 reviews.

🤖 Generated by [robots](https://vyos.io)
</content>
</entry>
</feed>
