Tags: geolonia/.github
feat: route-issue reusable workflow + template (public dispatch leg) (#57)

* feat: add route-issue reusable workflow + template

  Public dispatch leg for org-wide issue auto-routing. A thin caller in any participating repo forwards issues:[field_added,field_removed] events to the reusable workflow, which mints the low-priv OPS_DISPATCH app token and sends a repository_dispatch to the private geolonia-operations repo. No project IDs, routing logic, or privileged credentials live here.

  Mirrors the reusable-sync-team-access.yml dispatch-to-central pattern.

  Refs #56

* feat: add optional remove_on_field_removed input

  Per-repo opt-in: when a repo sets remove_on_field_removed: true, a cleared Department field also removes the issue from its board. Default false (keep on board). The flag is forwarded in the dispatch payload; the central receiver in geolonia-operations performs the removal.

  Refs #56

* feat: exclusive routing by default (replaces remove_on_field_removed)

  Default behavior is now: an issue lives on only the board for its current Department. Changing the department removes the issue from the other department boards; clearing it removes from all of them. This fixes accidental double-add when a mis-set department is corrected (field_added on update no longer leaves the stale board item behind).

  Renames the per-repo input remove_on_field_removed -> exclusive_routing (default true; set false for additive routing). Only department boards listed in routing.yml are ever touched -- never a master board or unrelated project.

  Refs #56

* docs: drop master board references

  No master/all-work board exists or is planned. Reword the exclusive_routing docs to say only department boards are ever removed from (any other project is left alone), without referencing a master board.

  Refs #56

* fix: scope dispatch token to least privilege (CodeRabbit)

  repository_dispatch needs only Metadata: read + Contents: write, so request exactly those on the minted token instead of inheriting the OPS_DISPATCH app's full installation permissions.

  Refs #56

fix(pinact): canonical .pinact.yml needs version 3 + geolonia exemption (#49)

The canonical pinact/.pinact.yml shipped in v1.15.0 was missing the required `version: 3` schema field, so pinact v4 errors on it ("schema version is required"). Add it, plus two refinements proven in the geolonia-infra-cdk pilot:

- `separator: " # "` so pins match the org's two-space comment style.
- A `rules` entry exempting `geolonia/*` from the 7-day cooldown: the cooldown guards against hijacked third-party releases, but a brand-new geolonia/.github reusable would otherwise be un-adoptable for a week (no older release contains it). Still SHA-pinned; Dependabot maintains.

Docs updated to note the exemption.

Add reusable Action Pinning Check (pinact) + canonical config (#48)

* Add reusable Action Pinning Check (pinact) + canonical config

  Establishes the org GitHub Actions pinning standard primitive:

  - reusable-pinact-check.yml: per-PR gate running pinact in validation-only mode (fix: false, verify-comment, verify-min-age). SHA-pins its own actions (checkout v6.0.2, pinact-action v3.0.0).
  - workflow-template pinact-check.yml + .properties.json so repos opt in from the Actions picker.
  - pinact/.pinact.yml: canonical min_age (7 days, always) config repos copy.
  - pinact/.pre-commit-config.example.yaml: local auto-pin hook.
  - docs/workflows.md: usage, prerequisites, local pre-commit, adoption.

  pinact-action v3.0.0 bundles pinact CLI v4.0.0, so CI and local runs use the same engine.

* Address CodeRabbit: $default-branch, nested action.yml, unique headings

  - pinact-check.yml template: use $default-branch instead of hardcoded main (matches the bumblebee-scan template convention).
  - .pre-commit-config.example.yaml: broaden files regex to match action.yml/action.yaml at any depth (composite actions in subdirs).
  - docs/workflows.md: rename new subsections (Required files / Check inputs / Enabling the check) to avoid MD024 duplicate-heading collisions.