| Age | Commit message (Collapse) | Author |
|
vyos/vyos-github-actions and VyOS-Networks/vyos-github-actions are
independent sibling repos, not a mirror source/target pair. Removing the
mirror caller workflow stops this repo from participating in the
vyos -> VyOS-Networks PR-mirror pipeline. The consumers.yaml entry is
removed in a companion central-config PR.
Related: VD-4257
๐ค Generated by [robots](https://vyos.io)
|
|
wrapper (#17)
PR #16 (canonical stub) succeeded source-side but failed mirror auto-merge
with GraphQL: Pull Request has merge conflicts (mergePullRequest). Root
cause: source/target divergence from Rollout 1c โ vyos/vyos-github-actions
has commit cc9d5ac (1c rename), VyOS-Networks/vyos-github-actions has its
own commit cefaa8a (1c rename applied separately). When mirror tried to
create a mirror PR and auto-merge it on target, the divergent histories
produced a wrapper-file conflict.
Reverting to roll source-side back to the post-1b wrapper. vyos-github-actions
is excluded from the current canonical-stub rollout (Task 8 fan-out doesn't
include it โ it was the 2nd pilot only). A separate ticket will reconcile
the source/target divergence + retry the canonical-stub migration.
Plan reference: /Users/syncer/.claude/plans/2026-05-30-canonical-stub-permissions-fix.md
Task 7 failure handling (operator chose option A: revert + exclude).
๐ค Generated by [robots](https://vyos.io)
|
|
Second pilot of the canonical stub per the canonical-stub permissions
fix plan. This is the only consumer with sync_branches=[production]
(per consumers.yaml). Pre-checks per spec Sequencing ยง6 verified
before this PR opened.
๐ค Generated by [robots](https://vyos.io)
|
|
Tracking: T8943
|
|
Rewrites uses: pins to the three HIGH-fanout producers (vyos/.github,
vyos/vyos-cla-signatures, VyOS-Networks/vyos-reusable-workflows) from their
old default branch to the new production compat branch staged in Task 1.
No functional change; pin-ref rewrite only.
Tracking: T8943
|
|
Replaces 5 caller workflows now superseded by central Mergify rules.
See https://vyos.dev/T8937 for the design + spec + plan.
Advances: T8937
๐ค Generated by [robots](https://vyos.io)
|
|
(#12)
Replaces PAT-based secrets passthrough with secrets:inherit and
MIRROR_ENABLED opt-out guard per rollout 1b uniform stub spec.
Plan: ~/.claude/plans/2026-05-26-mirror-rollout-1b-revised.md Task 5
๐ค Generated by [robots](https://vyos.io)
|
|
Addresses CodeRabbit finding on PR #10 (merged) โ pin all three
movable refs in the pull_request_target workflow to immutable commit
SHAs. Defense in depth: the assign_reviewer job mints a vyos-bot[bot]
App-installation token from secrets.APP_PRIVATE_KEY; movable refs in a
secrets-handling pull_request_target workflow are an RCE vector if any
of the referenced repos (or any user with push access to them) is
compromised.
Pinned refs:
- toshimaru/auto-author-assign@2daaeb2 (was @v1.6.2)
- vyos/.github/.github/actions/get-token@8a437c7 (was @current โ vyos
org-local but elevated trust workflow, so pin even our own action;
trade-off: must manually bump SHA on central-action updates)
- shufo/auto-assign-reviewer-by-files@f5f3db9 (was @v1.1.4)
CR thread: https://github.com/vyos/vyos-github-actions/pull/10#discussion_r3316105021
Phase 0 CR: 0 finding(s).
Refs: T8615 follow-up (the original CI-fix PR #10 was out-of-T8615-
scope but landed in the same sweep)
Generated by robots https://vyos.io
|
|
* T8615: add Mergify config (extends: mergify central template)
Adds the org-local central-config inheritance file per the T8615 sweep
(re-scoped 2026-05-28). 4-line minimum: extends: mergify resolves to
vyos/mergify which provides commands_restrictions (9 slash commands x
4-sender allowlist), conflict labeler, PR-title T-ID format check,
opt-in auto-update, and the backport-conflict merge protection.
merge_protections_settings: reporting_method: check-runs declared
explicitly per-repo because only defaults and commands_restrictions are
documented as merging across extends: -- pin to current behavior pre
the 2026-07-31 default flip per data/github.md Mergify gotchas table.
Phase 0 CR: 0 finding(s). Known false positive: CR flags
extends: mergify as 'not a documented built-in preset' but Mergify
documents the org-local form at https://docs.mergify.com/configuration/sharing/.
Refs: T8615 (re-scoped 2026-05-28), IS-421
Generated by robots https://vyos.io
* T8615: switch yaml-language-server schema URL to JSON-schema
Replaces the human-docs file-format URL (which serves HTML and cannot
drive editor validation) with the machine-readable JSON-schema URL
that yaml-language-server actually resolves for autocomplete and
schema validation.
Old: https://docs.mergify.com/configuration/file-format/
New: https://docs.mergify.com/mergify-configuration-schema.json
Phase 0 CR: 0 finding(s).
Refs: T8615 (re-scoped 2026-05-28), IS-421
Generated by robots https://vyos.io
|
|
Two CI workflows in this repo have been failing on every PR for an
extended period. Both surfaced during the T8615 Mergify central-config
sweep against vyos/vyos-github-actions#9.
unused-imports.yml
==================
Workflow invoked 'make unused-imports' but this repo has no Makefile
(grep across full git history confirms no Makefile ever existed). The
'unused-imports' target appears to have been copy-pasted from a sister
repo (vyos/vyos-1x defines it). Workflow has been broken since the
'T6310: add PR templates' commit (d327ae1) introduced it.
Fix: invoke pylint directly, enabling only W0611 (unused-import) per
the workflow's original intent. Use 'git ls-files -z' + 'xargs -0' so
any future Python file with whitespace in its path is handled safely.
auto-author-assign.yml / assign_reviewer
========================================
The 'assign_reviewer' job authenticated via secrets.PR_ACTION_ASSIGN_REVIEWERS,
a classic personal access token whose lifetime exceeds 90 days. The
VyOS-Networks enterprise rejects this with:
The 'VyOS Networks' enterprise forbids access via a personal access
tokens (classic) if the token's lifetime is greater than 90 days.
Please adjust your token's lifetime at the following URL:
https://github.com/settings/tokens/1583410548
Fix: swap to a vyos-bot[bot] App-installation token minted via the
central composite action at vyos/.github/.github/actions/get-token@current
(established 2026-05-26 under Mirror Pipeline Rollout 1a). The minted
token is scoped down to pull_requests:write only โ narrower than the
App's default permissions, defense in depth for the pull_request_target
trigger surface.
The 'assign-author' job is unchanged โ it uses the default GITHUB_TOKEN
and works correctly. Only the broken 'assign_reviewer' job is touched.
Follow-up: the now-orphaned secrets.PR_ACTION_ASSIGN_REVIEWERS classic
PAT (https://github.com/settings/tokens/1583410548) can be revoked at
operator's discretion after this PR lands.
Test plan
=========
- Local YAML parses (verified)
- Phase 0 CR clean (0 findings after applying the round-2 review
suggestions about NUL-delimited xargs + removing internal docs link)
- Post-merge: next PR opened against current should see both
'Check for unused imports using Pylint' and 'PR Triage / assign_reviewer'
pass instead of fail
Refs: T8615 (re-scoped 2026-05-28), IS-421
Caught while landing: https://github.com/vyos/vyos-github-actions/pull/9
Generated by robots https://vyos.io
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
T6310: updated codeql version for other calls
|
|
|