Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion standards/workflows/agent-shield.yml
Original file line number Diff line number Diff line change
Expand Up @@ -30,4 +30,4 @@ permissions:

jobs:
agent-shield:
uses: petry-projects/.github/.github/workflows/agent-shield-reusable.yml@208ec2d69b75227d375edf8745d84fbac05a76b2 # v1
uses: petry-projects/.github/.github/workflows/agent-shield-reusable.yml@agent-shield/stable
10 changes: 6 additions & 4 deletions standards/workflows/auto-rebase.yml
Original file line number Diff line number Diff line change
Expand Up @@ -6,9 +6,11 @@
# AGENTS — READ BEFORE EDITING:
# • This file is a THIN CALLER STUB. All branch-update logic lives in the
# reusable workflow above.
# • You MAY change: the SHA in the `uses:` line when upgrading the reusable
# workflow version (bump SHA to latest main of petry-projects/.github).
# • You MUST NOT change: trigger event, the concurrency group name,
# • You MUST NOT change: the `uses:` ref — it is pinned to the
# `auto-rebase/stable` channel, a moving tag advanced centrally. Never
# repoint it to `@main`, a SHA, or a frozen `@vX` (see ci-standards.md →
# Reusable workflow versioning). Also do not change the trigger event,
# the concurrency group name,
# or the job-level `permissions:` block — reusable workflows can be
# granted no more permissions than the calling job has, so removing
# the stanza breaks the reusable's gh API calls.
Expand Down Expand Up @@ -48,5 +50,5 @@ jobs:
permissions:
contents: write # update-branch via GITHUB_TOKEN (may touch .github/workflows/)
pull-requests: write # post comments on PRs
uses: petry-projects/.github/.github/workflows/auto-rebase-reusable.yml@v1
uses: petry-projects/.github/.github/workflows/auto-rebase-reusable.yml@auto-rebase/stable
secrets: inherit
2 changes: 1 addition & 1 deletion standards/workflows/dependabot-automerge.yml
Original file line number Diff line number Diff line change
Expand Up @@ -35,5 +35,5 @@ jobs:
permissions:
contents: read
pull-requests: read
uses: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml@v1
uses: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml@dependabot-automerge/stable
secrets: inherit
14 changes: 6 additions & 8 deletions standards/workflows/dependabot-rebase.yml
Original file line number Diff line number Diff line change
Expand Up @@ -6,13 +6,11 @@
# AGENTS — READ BEFORE EDITING:
# • This file is a THIN CALLER STUB. All rebase/merge serialization logic
# lives in the reusable workflow above.
# • You MAY change: the SHA in the `uses:` line when upgrading the reusable
# workflow version (bump SHA to latest main of petry-projects/.github).
# • SHA-pinned intentionally (not @v1): no semver tags are maintained for
# this internal reusable workflow. Downstream repos pin to a specific
# commit SHA and bump deliberately. To look up the current SHA:
# gh api repos/petry-projects/.github/branches/main --jq '.commit.sha'
# • You MUST NOT change: the concurrency group name, the explicit secrets
# • You MUST NOT change: the `uses:` ref — it is pinned to the
# `dependabot-rebase/stable` channel, a moving tag advanced centrally.
# Never repoint it to `@main`, a SHA, or a frozen `@vX` (see
# ci-standards.md → Reusable workflow versioning). Also do not change the
# concurrency group name, the explicit secrets
# block, or the job-level `permissions:` block — reusable workflows can be
# granted no more permissions than the calling job has, so removing the
# stanza breaks the reusable's gh API calls. Do not remove any trigger
Expand Down Expand Up @@ -52,7 +50,7 @@ jobs:
permissions:
contents: write # update-branch via GITHUB_TOKEN (may touch .github/workflows/)
pull-requests: write # re-approve PRs after branch update
uses: petry-projects/.github/.github/workflows/dependabot-rebase-reusable.yml@9a694e5798ebb596476e6eda80f11e832d8fd0a9 # main
uses: petry-projects/.github/.github/workflows/dependabot-rebase-reusable.yml@dependabot-rebase/stable
secrets:
APP_ID: ${{ secrets.APP_ID }}
APP_PRIVATE_KEY: ${{ secrets.APP_PRIVATE_KEY }}
2 changes: 1 addition & 1 deletion standards/workflows/dependency-audit.yml
Original file line number Diff line number Diff line change
Expand Up @@ -30,4 +30,4 @@ permissions:

jobs:
dependency-audit:
uses: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml@v1
uses: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml@dependency-audit/stable
19 changes: 10 additions & 9 deletions standards/workflows/pr-review-mention.yml
Original file line number Diff line number Diff line change
Expand Up @@ -6,15 +6,16 @@
# AGENTS — READ BEFORE EDITING:
# • This file is a THIN CALLER STUB. All review-dispatch logic lives in the
# reusable workflow above.
# • You MAY change: the tag in the `uses:` line when upgrading the reusable
# workflow version (e.g. bump `@v1` → `@v2` when petry-projects/.github cuts a new release).
# • You MUST NOT change: trigger events or the job-level `permissions:` block —
# reusable workflows can be granted no more permissions than the calling job,
# so removing the stanza breaks the reusable's gh API calls.
# • You MUST NOT change: the `uses:` ref — it is pinned to the
# `pr-review-mention/stable` channel, a moving tag advanced centrally.
# Never repoint it to `@main`, a SHA, or a frozen `@vX` (see
# ci-standards.md → Reusable workflow versioning). Also do not change the
# trigger events or the job-level `permissions:` block — reusable workflows
# can be granted no more permissions than the calling job, so removing the
# stanza breaks the reusable's gh API calls.
# • If you need different behaviour, open a PR against the reusable in the
# central repo.
# • When publishing a new version of this reusable, also update this template and
# open a fanout PR across all caller repos.
# central repo. A new release is rolled out by moving the channel tag
# centrally — never by editing callers, so no fanout PR is needed.
# ─────────────────────────────────────────────────────────────────────────────
#
# PR Review Mention — thin caller for the org-level reusable.
Expand All @@ -36,5 +37,5 @@ jobs:
pr-review-mention:
permissions:
pull-requests: write
uses: petry-projects/.github/.github/workflows/pr-review-mention-reusable.yml@v2
uses: petry-projects/.github/.github/workflows/pr-review-mention-reusable.yml@pr-review-mention/stable
secrets: inherit
Loading