Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@
// BLOCKS an Edit/Write that changes a SocketDev/socket-registry shared
// workflow/action SHA pin by hand:
//
// uses: SocketDev/socket-registry/.github/workflows/ci.yml@<40-hex>
// uses: SocketDev/socket-registry/.github/workflows/weekly-update.yml@<40-hex>
// uses: SocketDev/socket-registry/.github/actions/setup-and-install@<40-hex>
//
// Those pins are OWNED by the cascade: `cascade-workflows.mts` (in
Expand Down
16 changes: 10 additions & 6 deletions .claude/hooks/repo/shared-workflow-cascade/index.mts
Original file line number Diff line number Diff line change
Expand Up @@ -2,8 +2,10 @@
// Claude Code PostToolUse hook — shared-workflow-cascade (repo-specific).
//
// TRIGGER: After any Bash tool call that commits or pushes a change to
// a shared workflow file in socket-registry (.github/workflows/ci.yml,
// .github/workflows/provenance.yml, or any _local-not-for-reuse-*.yml).
// a shared workflow file in socket-registry (.github/workflows/
// weekly-update.yml / publish-npm.yml / get-green.yml, or any
// _local-not-for-reuse-*.yml). ci.yml is NOT shared anymore — it is the
// fleet-canonical INLINED workflow cascaded from socket-wheelhouse.
//
// WHAT IT DOES: When a shared workflow file changes on main, the
// consuming fleet repos have stale SHA pins. This hook emits a REMINDER
Expand All @@ -19,8 +21,9 @@
//
// DETECTION: inspects the latest commit on the current branch for
// changes to the canonical shared-workflow paths:
// - .github/workflows/ci.yml (Layer 3 reusable workflow)
// - .github/workflows/provenance.yml (Layer 3 reusable workflow)
// - .github/workflows/weekly-update.yml (Layer 3 reusable workflow)
// - .github/workflows/publish-npm.yml (Layer 3 reusable workflow)
// - .github/workflows/get-green.yml (Layer 3 reusable workflow)
// - .github/workflows/_local-not-for-reuse-*.yml (Layer 4 — signals cascade complete)
//
// EXIT 2 = block (with error message to stderr).
Expand All @@ -42,8 +45,9 @@ const BYPASS_PHRASE = 'Allow workflow-cascade bypass'

// Shared workflow files whose change triggers the cascade obligation.
const SHARED_WORKFLOW_PATTERNS: readonly RegExp[] = [
/\.github\/workflows\/ci\.yml$/,
/\.github\/workflows\/provenance\.yml$/,
/\.github\/workflows\/weekly-update\.yml$/,
/\.github\/workflows\/publish-npm\.yml$/,
/\.github\/workflows\/get-green\.yml$/,
/\.github\/workflows\/_local-not-for-reuse-.*\.yml$/,
]

Expand Down
2 changes: 1 addition & 1 deletion .claude/skills/fleet/agent-ci/reference.md
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,7 @@ When stdout is not a TTY (piped, redirected, captured by a parent process), the
## Requirements rationale

- **Docker.** agent-ci executes each workflow job inside a container, the same way GitHub's runners do. It connects via `AGENT_CI_DOCKER_HOST` (default `unix:///var/run/docker.sock`) — **not** the standard `DOCKER_HOST` (setting `DOCKER_HOST` makes agent-ci exit with a rename error; use `AGENT_CI_DOCKER_HOST` for a remote `ssh://`/`tcp://` daemon). Without a running daemon the run cannot start; it fails fast with a dangling-socket message and exit 1. On macOS the fleet provider is **OrbStack** (`open -a OrbStack`, then `docker info` to confirm). There is no degraded mode; if you can't start a daemon, use `greening-ci` (push and watch remote CI) instead.
- **Remote reusable workflows.** A fleet `ci.yml` doesn't contain the jobs — it `uses:` a `SocketDev/socket-registry/.github/workflows/ci.yml@<sha>` reusable workflow. agent-ci fetches that over the network, which needs `--github-token` (bare flag → `gh auth token`, or `AGENT_CI_GITHUB_TOKEN`). Without it the reusable workflow can't resolve and the run can't assemble the job graph.
- **Remote reusable workflows.** A fleet `ci.yml` is INLINED (fleet-canonical block cascaded from socket-wheelhouse) — no remote fetch needed for it. But other workflows still `uses:` remote reusables (e.g. the `SocketDev/socket-registry` `weekly-update.yml` / `publish-npm.yml` delegators); running those needs `--github-token` (bare flag → `gh auth token`, or `AGENT_CI_GITHUB_TOKEN`) or the run can't assemble the job graph.
- **macOS jobs.** `runs-on: macos-*` jobs run in a real throwaway macOS VM via `tart` (Apple Silicon only) with `sshpass`. Missing either tool, or on Linux/Intel, those jobs **skip with a reason** rather than failing the run; the Linux/container jobs still execute. VM concurrency caps at `AGENT_CI_MACOS_VM_CONCURRENCY` (default 2 — tart's free tier). Windows jobs (`runs-on: windows-*`) always skip (unsupported).
- **Missing tools in the runner image.** Jobs run in `ghcr.io/actions/actions-runner:latest`, which ships node/git/curl/jq/unzip but **not** build toolchains, `python3`, or `xz`. A job failing on a missing tool isn't your code — add a `.github/agent-ci.Dockerfile` (`FROM ghcr.io/actions/actions-runner:latest` + `apt-get install`); agent-ci picks it up automatically and caches by content hash.
- **Install.** `@redwoodjs/agent-ci` is a fleet devDependency declared as `catalog:` in every repo's `package.json`, pinned in the wheelhouse `pnpm-workspace.yaml` catalog. `pnpm install` provisions it. The published package is a self-contained Node CLI (`dist/cli.js`) — it has no platform-binary dependencies and its `ssh2` native build scripts are declined in the fleet's `allowBuilds`/`allowScripts` (the CLI runs without them).
Expand Down
2 changes: 1 addition & 1 deletion .claude/skills/fleet/cleaning-ci/SKILL.md
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ context: fork
Audit + clean redundant CI surface on a Socket fleet repo. Three
target classes:

1. **Orphan workflow YAML files**: `lint.yml`, `check.yml`, `type.yml`, `test.yml`. The fleet consolidated those into the shared `ci.yml` (via `SocketDev/socket-registry/.github/workflows/ci.yml`) long ago. Any per-repo file with those names is a leftover from pre-consolidation days. Delete them.
1. **Orphan workflow YAML files**: `lint.yml`, `check.yml`, `type.yml`, `test.yml`. The fleet consolidated those into `ci.yml` long ago (today the fleet-canonical INLINED ci.yml cascaded from socket-wheelhouse; historically the `SocketDev/socket-registry` reusable). Any per-repo file with those names is a leftover from pre-consolidation days. Delete them.

2. **GitHub-Dependabot automated security PRs**: the fleet pattern is to handle vulnerability fixes via `/updating-security` (pnpm `overrides:` for transitive deps), not via auto-PRs from Dependabot. The `dependabot.yml` no-op file (`open-pull-requests-limit: 0`) suppresses version-update PRs but does NOT suppress security PRs. Those flow from a separate repo-settings toggle (`automated-security-fixes`). Disable via `gh api -X DELETE /repos/{owner}/{repo}/automated-security-fixes`.

Expand Down
21 changes: 11 additions & 10 deletions .claude/skills/repo/updating-workflows/reference.md
Original file line number Diff line number Diff line change
Expand Up @@ -30,8 +30,9 @@ Layer 2b — setup-and-install (references Layer 1 + 2a):
setup-and-install -> refs: checkout, setup, install

Layer 3 — Shared reusable workflows (reference Layer 2):
ci.yml -> refs: setup-and-install, run-script
provenance.yml -> refs: setup-and-install
(ci.yml LEFT this layer: it is now the fleet-canonical INLINED workflow
cascaded from socket-wheelhouse — no consumers pin it anymore.)
publish-npm.yml -> refs: setup-and-install
weekly-update.yml -> thin delegator consumers pin; refs (uses:)
weekly-update.lock.yml. Hand-authored, cascaded.
weekly-update.lock.yml -> gh-aw compiled from weekly-update.md; runs the
Expand All @@ -45,8 +46,7 @@ Layer 3 — Shared reusable workflows (reference Layer 2):
escalation worker); same gh-aw-owned rules.

Layer 4 — _local workflows (reference Layer 3, not reused externally):
_local-not-for-reuse-ci.yml -> refs: ci.yml, setup-and-install, cache-npm-packages
_local-not-for-reuse-provenance.yml -> refs: provenance.yml
_local-not-for-reuse-provenance.yml -> refs: publish-npm.yml
_local-not-for-reuse-weekly-update.yml -> refs: weekly-update.yml (the delegator, via uses)
```

Expand Down Expand Up @@ -74,9 +74,9 @@ substrate + testing story (`gh aw trial`, not Agent CI).

## Propagation SHA

The **propagation SHA** is the Layer 3 merge SHA — the one where `ci.yml`,
`provenance.yml`, `weekly-update.yml` (the delegator), or `weekly-update.lock.yml`
were updated.
The **propagation SHA** is the Layer 3 merge SHA — the one where
`publish-npm.yml`, `weekly-update.yml` (the delegator), or
`weekly-update.lock.yml` were updated.

- Layer 4 (`_local-not-for-reuse-*`) pins to the propagation SHA
- External repos pin to the propagation SHA
Expand All @@ -94,7 +94,7 @@ Starting from the layer **above** the change, create a PR for each layer.
```
1. PR: Update Layer 2a pins (setup) -> merge -> get SHA
2. PR: Update Layer 2b pins (setup-and-install) -> merge -> get SHA
3. PR: Update Layer 3 pins (ci.yml, provenance.yml) -> merge -> get SHA <-- PROPAGATION SHA
3. PR: Update Layer 3 pins (publish-npm, weekly-update) -> merge -> get SHA <-- PROPAGATION SHA
4. PR: Update Layer 4 pins (_local workflows) -> merge
5. Propagate the Layer 3 SHA to all consuming repos
```
Expand All @@ -113,8 +113,9 @@ pinning during the cascade:
line that delegates to a Layer 3 reusable workflow.
2. Inline `uses: SocketDev/socket-registry/.github/actions/<action>@<SHA>`
steps inside additional jobs the wrapper runs (e.g.
`_local-not-for-reuse-ci.yml`'s `test-npm-packages` job has its own
`setup-and-install` step on top of delegating to `ci.yml`).
a wrapper running extra jobs alongside its delegation — historically
`_local-not-for-reuse-ci.yml`'s `test-npm-packages`, whose jobs now live
below the inlined `ci.yml`'s fleet-canonical block).

Both go to the propagation SHA. Verify with:

Expand Down
5 changes: 5 additions & 0 deletions .github/aw/actions-lock.json
Original file line number Diff line number Diff line change
@@ -1,5 +1,10 @@
{
"entries": {
"actions/checkout@v5.0.0": {
"repo": "actions/checkout",
"version": "v5.0.0",
"sha": "08c6903cd8c0fde910a37f88322edcfb5dd907a8"
},
"actions/github-script@v9.0.0": {
"repo": "actions/github-script",
"version": "v9.0.0",
Expand Down
52 changes: 0 additions & 52 deletions .github/workflows/_local-not-for-reuse-ci.yml

This file was deleted.

2 changes: 1 addition & 1 deletion .github/workflows/_local-not-for-reuse-weekly-update.yml
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@ permissions:

jobs:
weekly-update:
uses: SocketDev/socket-registry/.github/workflows/weekly-update.yml@f686e4e3b7554d83a4597f1e60514ea70ce09ed8 # main (2026-07-10)
uses: SocketDev/socket-registry/.github/workflows/weekly-update.yml@121653d21199adf489fa222506e41b5aeb2b86d2 # main (2026-07-11)
with:
test-setup-script: ''
test-script: 'pnpm test'
Expand Down
8 changes: 6 additions & 2 deletions .github/workflows/agentics-maintenance.yml
Original file line number Diff line number Diff line change
Expand Up @@ -195,7 +195,9 @@ jobs:

- name: Record outputs
id: record
run: echo "operation=${{ inputs.operation }}" >> "$GITHUB_OUTPUT"
env:
OPERATION: ${{ inputs.operation }}
run: echo "operation=$OPERATION" >> "$GITHUB_OUTPUT"

update_pull_request_branches:
if: ${{ (github.event_name == 'workflow_dispatch' || github.event_name == 'workflow_call') && inputs.operation == 'update_pull_request_branches' && (!(github.event.repository.fork)) }}
Expand Down Expand Up @@ -280,7 +282,9 @@ jobs:

- name: Record outputs
id: record
run: echo "run_url=${{ inputs.run_url }}" >> "$GITHUB_OUTPUT"
env:
RUN_URL: ${{ inputs.run_url }}
run: echo "run_url=$RUN_URL" >> "$GITHUB_OUTPUT"

create_labels:
if: ${{ (github.event_name == 'workflow_dispatch' || github.event_name == 'workflow_call') && inputs.operation == 'create_labels' && (!(github.event.repository.fork)) }}
Expand Down
Loading
Loading