ci: auto-bump platform submodule on merge to main

[NiveditJain]

Summary

Adds .github/workflows/bump-platform-submodule.yml. On every push to main in this repo, it pushes a matching failproofai/oss gitlink bump to FailproofAI/platform main, so the monorepo's pinned submodule commit tracks upstream automatically. No PR in platform — direct push of a one-line gitlink update.

How it works

• Triggers on push to main (and workflow_dispatch for manual re-syncs).
• Checks out FailproofAI/platform main with a PAT (PLATFORM_BUMP_TOKEN).
• Rewrites the gitlink for failproofai/oss via git update-index --cacheinfo 160000,<sha>,failproofai/oss — no need to clone submodule contents.
• Commits as github-actions[bot] with the upstream commit subject in the body, then pushes.
• concurrency: bump-platform-submodule serializes back-to-back merges so we never lose a bump.
• A 3-attempt rebase-and-retry loop handles races where someone pushes to platform main between checkout and push.
• Skips cleanly if the gitlink is already at the new SHA (e.g. on a manual re-run).
• Pins actions/checkout to a commit SHA (v6.0.1, matching osv-scanner.yml) and sets persist-credentials: false so the cross-repo PAT isn't written into git config; the push/fetch in the retry loop authenticate inline via http.extraheader.

---

🚨 Required setup before this merges

This won't actually work until one repo secret exists and one PAT is provisioned. Do these in order.

1. Create a fine-grained Personal Access Token

GitHub → Settings → Developer settings → Personal access tokens → Fine-grained tokens → Generate new token

• Resource owner: FailproofAI
• Repository access: Only select repositories → FailproofAI/platform
• Repository permissions:
  • Contents: Read and write (required — needed to push the bump commit)
  • Metadata: Read-only (auto-selected)
• Expiration: whatever your security policy prefers (90d / 1y / custom). Note the expiry on a calendar so the workflow doesn't silently break later.

Copy the token — you only see it once.

⚠️ A classic PAT with repo scope also works but grants way more access than needed. Prefer fine-grained.

2. Add the token as a repo secret on this repo

FailproofAI/failproofai → Settings → Secrets and variables → Actions → New repository secret

• Name: PLATFORM_BUMP_TOKEN (must match exactly — the workflow references this name)
• Value: the token from step 1

3. (If applicable) Allow the bot to push to platform main

If FailproofAI/platform has branch protection on main that requires PRs or status checks, direct push from this workflow will fail. Pick one:

• Easiest: add the PAT owner (or a dedicated bot account that owns the PAT) to the bypass list on the main branch protection rule.
• Cleaner: switch the workflow to open a PR in platform instead of direct-pushing (use peter-evans/create-pull-request). Happy to follow up with that variant if preferred — just say the word.

If main has no protection, no action needed.

4. Smoke-test after merge

Once this PR merges:

1. Go to Actions in this repo → find the most recent Bump platform submodule pointer run.
2. Confirm it succeeded.
3. In FailproofAI/platform, git log --oneline main -3 should show a fresh Bump failproofai/oss to <short-sha> commit by github-actions[bot].
4. To re-test on demand without merging anything: Actions → Bump platform submodule pointer → Run workflow on main.

---

Test plan

• Step 1 — fine-grained PAT created with Contents: read & write on FailproofAI/platform
• Step 2 — PLATFORM_BUMP_TOKEN secret added to this repo
• Step 3 — platform main branch protection allows the PAT owner to push (or N/A)
• Step 4 — post-merge: first push-triggered run succeeds AND lands a bump commit in platform main
• Step 4 — manual workflow_dispatch from the Actions tab also succeeds and is a no-op when already in sync

Summary by CodeRabbit

Chores

• Added an automated workflow to continuously manage and synchronize platform dependency updates during main branch merges. Includes built-in retry mechanisms and automatic conflict resolution to ensure reliable deployments.

Documentation

• Updated changelog documenting the new automated platform dependency management workflow and its operational features.

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds a GitHub Actions workflow that, on pushes to main or manual dispatch, checks out FailproofAI/platform main, rewrites the failproofai/oss submodule gitlink to this repo SHA, commits a bump with upstream metadata, and pushes with a rebase-and-retry loop; CHANGELOG updated.

Changes

Automated submodule bump workflow

Layer / File(s)	Summary
Workflow triggers and concurrency .github/workflows/bump-platform-submodule.yml	Defines workflow name, triggers for push to main and workflow_dispatch, and a concurrency group to serialize runs.
Checkout and auth .github/workflows/bump-platform-submodule.yml	Checks out FailproofAI/platform@main with submodules disabled using PLATFORM_BUMP_TOKEN, avoiding persistent credentials.
Submodule gitlink rewrite, commit, and push with retries .github/workflows/bump-platform-submodule.yml	Reads existing failproofai/oss gitlink SHA, updates it to github.sha, creates a bump commit with shortened SHA and upstream metadata, and pushes to origin main with up to 3 attempts, fetching and rebasing on failure.
Changelog entry CHANGELOG.md	Adds a 0.0.11-beta.3 features bullet documenting the new bump workflow.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I hopped through YAML under moonlit code,
Poked a gitlink where the submodules go,
Wrote a short SHA, then tried thrice to shove,
Rebasing neat as a rabbit in love,
CI hums — automation steals the show.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely describes the main change: adding automated submodule bumping on merges to main via a GitHub Actions workflow.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description check	✅ Passed	PR description is comprehensive and well-structured, covering purpose, implementation details, required setup steps, and test plan.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/bump-platform-submodule.yml:
- Around line 23-30: The checkout step currently uses actions/checkout@v6
without pinning to a commit SHA and leaves credential persistence enabled;
update the step that references "uses: actions/checkout@v6" to pin the action to
a specific commit SHA (replace `@v6` with the full SHA for the release you want)
and add the input "persist-credentials: false" alongside the existing inputs
(token, ref, fetch-depth, submodules) so the cross-repo token is not written to
git config.

In `@CHANGELOG.md`:
- Line 6: The CHANGELOG entry for the bump-platform-submodule workflow is
missing the PR number; update the single-line entry describing the
`bump-platform-submodule.yml` workflow (the line that mentions
`PLATFORM_BUMP_TOKEN`, `failproofai/oss` gitlink bump and `FailproofAI/platform`
main) to append the PR reference in the format `(#<PR_NUMBER>)` so the line
becomes one sentence followed by the PR number per repo convention.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 3426775a-dcae-4b49-b0a1-c0cb1c263e7c

📥 Commits

Reviewing files that changed from the base of the PR and between 8d46a62 and 7952394.

📒 Files selected for processing (2)

• .github/workflows/bump-platform-submodule.yml
• CHANGELOG.md

[coderabbitai]

Actionable comments posted: 0