-
Notifications
You must be signed in to change notification settings - Fork 0
108 lines (103 loc) · 4.1 KB
/
Copy pathget-green.yml
File metadata and controls
108 lines (103 loc) · 4.1 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
# Layer 3 — reusable workflow (thin delegator). The stable entry point for the
# get-green test-fix worker; it delegates to the gh-aw-compiled get-green.lock.yml,
# which runs the sonnet-tier agent behind the gh-aw firewall + github-mcp-server
# and opens the PR via safe-outputs. The .lock.yml is gh-aw-owned (regenerated by
# `gh aw compile` from get-green.md) — never hand-edited, and excluded from the
# SHA-pin cascade (gh-aw files are skipped). When this file or the .lock.yml
# bumps, the merge SHA becomes the PROPAGATION SHA: Layer 4
# (`_local-not-for-reuse-get-green.yml`) pins to it, and weekly-update's
# dispatch-workflow targets the compiled lock directly.
#
# Dependencies:
# - ./.github/workflows/get-green.lock.yml
name: 🟢 Get Green
# Reusable get-green workflow for socket-* repos. Dispatched by weekly-update
# when a dependency update breaks the build/tests: the stronger (sonnet) model
# diagnoses + fixes the failure on the update branch, re-runs tests, and opens
# the PR once green. The fix logic lives in the consumer repo's get-green agent
# prompt (get-green.md), which the gh-aw agent runs.
on:
workflow_call:
inputs:
branch:
description: 'The update branch with the failing changes to fix'
required: true
type: string
build-log:
description: 'Last 100 lines of the failing build output'
required: false
type: string
default: ''
fix-model:
description: 'Claude model for the fix (the escalation tier)'
required: false
type: string
default: 'sonnet'
fix-timeout-minutes:
description: 'Timeout for the fix step'
required: false
type: number
default: 15
pr-base:
description: 'Base branch for the PR'
required: false
type: string
default: 'main'
pr-title-prefix:
description: 'PR title prefix (date suffix added automatically: "... (YYYY-MM-DD)")'
required: false
type: string
default: 'chore(deps): weekly dependency update'
test-log:
description: 'Last 100 lines of the failing test output'
required: false
type: string
default: ''
test-script:
description: 'Test command'
required: false
type: string
default: 'pnpm test'
test-setup-script:
description: 'Command to run before tests (e.g., "pnpm run build")'
required: false
type: string
default: 'pnpm run build'
validate-file-patterns:
description: 'Shell case-glob patterns (pipe-separated) of file paths allowed to change during the fix.'
required: false
type: string
default: 'package.json|*/package.json|pnpm-lock.yaml|*/pnpm-lock.yaml|.npmrc|pnpm-workspace.yaml|.gitmodules|.config/lockstep.json'
secrets:
ANTHROPIC_API_KEY:
description: 'Anthropic API key for Claude Code invocations'
required: true
SOCKET_API_TOKEN:
description: 'Socket API token — sfw-enterprise instead of sfw-free when provided'
required: false
permissions: {}
jobs:
get-green:
name: Get Green (gh-aw)
# The gh-aw impl runs the agent + opens the PR via safe-outputs — hence the
# write union. The token cannot exceed what the caller grants.
permissions:
contents: write
pull-requests: write
uses: ./.github/workflows/get-green.lock.yml
with:
branch: ${{ inputs.branch }}
build-log: ${{ inputs.build-log }}
fix-model: ${{ inputs.fix-model }}
fix-timeout-minutes: ${{ inputs.fix-timeout-minutes }}
pr-base: ${{ inputs.pr-base }}
pr-title-prefix: ${{ inputs.pr-title-prefix }}
test-log: ${{ inputs.test-log }}
test-script: ${{ inputs.test-script }}
test-setup-script: ${{ inputs.test-setup-script }}
validate-file-patterns: ${{ inputs.validate-file-patterns }}
# Explicit pass-through (not `inherit`) so only the secrets the gh-aw impl
# needs cross the boundary.
secrets:
ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
SOCKET_API_TOKEN: ${{ secrets.SOCKET_API_TOKEN }}