From 25061d4d96ddd0622f3ef93ae12a9d8107d4f3b0 Mon Sep 17 00:00:00 2001 From: jdalton Date: Wed, 25 Mar 2026 09:45:19 -0400 Subject: [PATCH 1/3] fix(ci): repair broken weekly-update workflow YAML MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The workflow was invalid YAML since creation — the `gh pr create --body` multiline string had unindented continuation lines that broke the YAML block scalar. Also fixes exit code capture (PIPESTATUS instead of $?) after pipe to tee, and adds token-based auth for git push since persist-credentials is disabled. --- .github/workflows/weekly-update.yml | 38 +++++++++++++++++------------ 1 file changed, 22 insertions(+), 16 deletions(-) diff --git a/.github/workflows/weekly-update.yml b/.github/workflows/weekly-update.yml index 07a561a2..a9dda365 100644 --- a/.github/workflows/weekly-update.yml +++ b/.github/workflows/weekly-update.yml @@ -107,12 +107,15 @@ jobs: exit 0 fi + set +e claude --print --dangerously-skip-permissions \ --model sonnet \ "/updating - Run the updating skill to update all dependencies. Create atomic commits for each update. You are running in CI mode - skip builds and tests. Do not push or create a PR." \ 2>&1 | tee claude-output.log + CLAUDE_EXIT=${PIPESTATUS[0]} + set -e - if [ $? -eq 0 ]; then + if [ "$CLAUDE_EXIT" -eq 0 ]; then echo "success=true" >> $GITHUB_OUTPUT else echo "success=false" >> $GITHUB_OUTPUT @@ -130,8 +133,11 @@ jobs: - name: Push branch if: steps.claude.outputs.success == 'true' && steps.changes.outputs.has-changes == 'true' env: + GH_TOKEN: ${{ github.token }} BRANCH_NAME: ${{ steps.branch.outputs.branch }} - run: git push origin "$BRANCH_NAME" + run: | + git remote set-url origin "https://x-access-token:${GH_TOKEN}@github.com/${{ github.repository }}.git" + git push origin "$BRANCH_NAME" - name: Create Pull Request if: steps.claude.outputs.success == 'true' && steps.changes.outputs.has-changes == 'true' 
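Review bot: `CLAUDE_EXIT=${PIPESTATUS[0]}` records only the exit status of `claude`; a failure of `tee`, the only thing producing `claude-output.log`, is dropped, so the step can report `success=true` with a missing or truncated log, and that log is the sole record of what a `--dangerously-skip-permissions` run did. Capture the whole array before it is overwritten (an assignment is itself a command and resets `PIPESTATUS`): `STATUSES=("${PIPESTATUS[@]}")`, then `CLAUDE_EXIT=${STATUSES[0]}` and `[ "${STATUSES[1]}" -eq 0 ] || CLAUDE_EXIT=1`, all inside the existing `set +e` … `set -e` bracket. The enclosing `run:` block begins before and ends after this hunk.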
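Review bot: `git remote set-url origin "https://x-access-token:${GH_TOKEN}@…"` writes the token into `.git/config`, where it stays readable for every later step of the job and any tool those steps invoke — the same exposure that, per the commit message, `persist-credentials: false` was meant to avoid. Passing the URL to the push itself leaves the checkout's config untouched: `git push "https://x-access-token:${GH_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" "$BRANCH_NAME"`, which also replaces the `${{ github.repository }}` expression inside the script with the equivalent default environment variable. Supplying the token through `env:` as `GH_TOKEN` is the right place for it and should stay. Whether `persist-credentials` is actually disabled is not visible in this hunk.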
@@ -141,27 +147,27 @@ jobs: run: | COMMITS=$(git log --oneline origin/main..HEAD) COMMIT_COUNT=$(git rev-list --count origin/main..HEAD) + PR_BODY="## Weekly Dependency Update - gh pr create \ - --title "chore(deps): weekly dependency update ($(date +%Y-%m-%d))" \ - --body "## Weekly Dependency Update + Automated weekly update of npm packages. -Automated weekly update of npm packages. + ### Commits (${COMMIT_COUNT}) -### Commits (${COMMIT_COUNT}) +
+ View commit history -
-View commit history + \`\`\` + ${COMMITS} + \`\`\` -\`\`\` -${COMMITS} -\`\`\` +
-
+ --- ---- - -Generated by [weekly-update.yml](.github/workflows/weekly-update.yml)" \ + Generated by [weekly-update.yml](.github/workflows/weekly-update.yml)" + gh pr create \ + --title "chore(deps): weekly dependency update ($(date +%Y-%m-%d))" \ + --body "$PR_BODY" \ --draft \ --head "$BRANCH_NAME" \ --base main From d5ea05b3d0470c4f6e7f149fe19b92e07e9288bc Mon Sep 17 00:00:00 2001 From: jdalton Date: Wed, 25 Mar 2026 11:33:53 -0400 Subject: [PATCH 2/3] chore: add zizmor config to disable secrets-outside-env --- .github/zizmor.yml | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 .github/zizmor.yml diff --git a/.github/zizmor.yml b/.github/zizmor.yml new file mode 100644 index 00000000..944e1474 --- /dev/null +++ b/.github/zizmor.yml @@ -0,0 +1,2 @@ +secrets-outside-env: + disable: true From 6e39868a84e449e95118bf8a97f6b0d8a2c2e0d3 Mon Sep 17 00:00:00 2001 From: jdalton Date: Wed, 25 Mar 2026 11:39:39 -0400 Subject: [PATCH 3/3] fix: wrap zizmor config under rules key --- .github/zizmor.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/zizmor.yml b/.github/zizmor.yml index 944e1474..39d1b180 100644 --- a/.github/zizmor.yml +++ b/.github/zizmor.yml @@ -1,2 +1,3 @@ -secrets-outside-env: - disable: true +rules: + secrets-outside-env: + disable: true