Skip to content

fix(ci): always notify ciam-core on push to main#159

Merged
ksroda-sa merged 4 commits into
mainfrom
fix/extract-always-dispatch-on-main
May 13, 2026
Merged

fix(ci): always notify ciam-core on push to main#159
ksroda-sa merged 4 commits into
mainfrom
fix/extract-always-dispatch-on-main

Conversation

@ksroda-sa

@ksroda-sa ksroda-sa commented May 12, 2026

Copy link
Copy Markdown
Collaborator

Summary

The auto-sync to ciam-core hasn't actually fired since the PR-side "Verify no drift" check was added to .github/workflows/extract.yml. The two gates contradict each other:

Step Gate Effect
validate.Verify no drift (PR only) Requires yarn all was run + committed PR can't merge if there IS drift
commit.Notify ciam-core of snippet changes Only fires if there IS drift Dispatch only fires when the PR didn't pre-regenerate

Combined: a merged PR has no drift (validation enforced it), so the post-merge diff is clean, so the dispatch never fires, so ciam-core never gets the quickstart-snippets-updated event, so no auto-PR ever opens against ciam-core's dev branch.

Fix

Drop the if: steps.diff.outputs.changed == 'true' from the dispatch step. Fire the repository_dispatch unconditionally on every push to main. The downstream sync workflow uses peter-evans/create-pull-request, which is idempotent — it opens or updates a PR only when the destination genuinely differs.

The "commit updated artifacts" step keeps its diff gate (we don't want to pollute history with empty commits).

Additional change - CODEOWNERS

  • Allow @SecureAuthCorp/team-eng-ciam-ui-write to approve .github/ changes alongside @SecureAuthCorp/devops.

🤖 Generated with Claude Code

ksroda-sa and others added 4 commits May 12, 2026 13:02
The dispatch was previously gated on `steps.diff.outputs.changed == 'true'`,
but the PR-side "Verify no drift" check enforces that snippets.json /
snippet-manifest.yaml are regenerated and committed before merge. The
post-merge diff is therefore almost always clean — meaning the dispatch
to ciam-core was effectively never firing.

Fire the dispatch unconditionally. The downstream sync workflow uses
peter-evans/create-pull-request, which is idempotent: it opens or
updates a PR only when the destination actually differs from the source.
The committing-of-regenerated-artifacts step keeps its diff gate so we
don't pollute history with empty commits.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Previously only @SecureAuthCorp/devops could approve PRs touching
.github/ (Actions workflows, dependabot config, this CODEOWNERS file).
Add @SecureAuthCorp/team-eng-ciam-ui-write to the same rule so either
team can sign off — the UI team owns most of the workflow files that
support the quickstart samples anyway.

GitHub treats multiple owners on a single CODEOWNERS rule as OR
semantics: any one of the listed teams' approvals satisfies the
requirement.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes the CI auto-sync signal to ciam-core by ensuring the repository_dispatch notification is sent on every push to main, avoiding the previous contradiction where “no drift” enforcement prevented the post-merge dispatch from ever firing. It also updates CODEOWNERS to allow an additional team to approve .github/ changes.

Changes:

  • Remove the drift-based condition so the quickstart-snippets-updated repository_dispatch always fires on pushes to main.
  • Keep the “commit updated artifacts” step gated on actual diffs to avoid empty commits.
  • Update .github/CODEOWNERS to allow approvals for .github/ changes from either @SecureAuthCorp/devops or @SecureAuthCorp/team-eng-ciam-ui-write.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
.github/workflows/extract.yml Makes the ciam-core notification dispatch unconditional on main pushes.
.github/CODEOWNERS Expands ownership for .github/ to include an additional approving team.
Comments suppressed due to low confidence (1)

.github/workflows/extract.yml:97

  • The dispatched client_payload[sha] uses ${{ github.sha }}, which is the SHA that triggered the workflow, not necessarily the commit currently checked out after the optional "Commit updated artifacts" step runs and pushes a new commit. If the workflow ever creates a new commit, this payload can point ciam-core at the wrong revision. Consider computing the SHA from the workspace (e.g., git rev-parse HEAD after the commit step) and sending that instead, or store the new SHA as a step output and use it here.
      - name: Notify ciam-core of snippet changes
        run: |
          gh api repos/SecureAuthCorp/ciam-core/dispatches \
            -f event_type=quickstart-snippets-updated \
            -f 'client_payload[sha]=${{ github.sha }}'

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@ksroda-sa
ksroda-sa merged commit bf8a2e0 into main May 13, 2026
5 checks passed
@ksroda-sa
ksroda-sa deleted the fix/extract-always-dispatch-on-main branch May 13, 2026 07:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants