fix(ci): always notify ciam-core on push to main#159
Merged
Conversation
The dispatch was previously gated on `steps.diff.outputs.changed == 'true'`, but the PR-side "Verify no drift" check enforces that snippets.json / snippet-manifest.yaml are regenerated and committed before merge. The post-merge diff is therefore almost always clean — meaning the dispatch to ciam-core was effectively never firing. Fire the dispatch unconditionally. The downstream sync workflow uses peter-evans/create-pull-request, which is idempotent: it opens or updates a PR only when the destination actually differs from the source. The committing-of-regenerated-artifacts step keeps its diff gate so we don't pollute history with empty commits. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Previously only @SecureAuthCorp/devops could approve PRs touching .github/ (Actions workflows, dependabot config, this CODEOWNERS file). Add @SecureAuthCorp/team-eng-ciam-ui-write to the same rule so either team can sign off — the UI team owns most of the workflow files that support the quickstart samples anyway. GitHub treats multiple owners on a single CODEOWNERS rule as OR semantics: any one of the listed teams' approvals satisfies the requirement. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
ksroda-sa
marked this pull request as ready for review
May 12, 2026 11:13
ksroda-sa
requested review from
artursmolarek,
Copilot,
dfranco-sa,
jgutikonda-sa,
jkotiuk,
justintvnguyen,
lgonczarik and
rharasani-sa
May 12, 2026 11:13
There was a problem hiding this comment.
Pull request overview
This PR fixes the CI auto-sync signal to ciam-core by ensuring the repository_dispatch notification is sent on every push to main, avoiding the previous contradiction where “no drift” enforcement prevented the post-merge dispatch from ever firing. It also updates CODEOWNERS to allow an additional team to approve .github/ changes.
Changes:
- Remove the drift-based condition so the
quickstart-snippets-updatedrepository_dispatchalways fires on pushes tomain. - Keep the “commit updated artifacts” step gated on actual diffs to avoid empty commits.
- Update
.github/CODEOWNERSto allow approvals for.github/changes from either@SecureAuthCorp/devopsor@SecureAuthCorp/team-eng-ciam-ui-write.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
.github/workflows/extract.yml |
Makes the ciam-core notification dispatch unconditional on main pushes. |
.github/CODEOWNERS |
Expands ownership for .github/ to include an additional approving team. |
Comments suppressed due to low confidence (1)
.github/workflows/extract.yml:97
- The dispatched
client_payload[sha]uses${{ github.sha }}, which is the SHA that triggered the workflow, not necessarily the commit currently checked out after the optional "Commit updated artifacts" step runs and pushes a new commit. If the workflow ever creates a new commit, this payload can point ciam-core at the wrong revision. Consider computing the SHA from the workspace (e.g.,git rev-parse HEADafter the commit step) and sending that instead, or store the new SHA as a step output and use it here.
- name: Notify ciam-core of snippet changes
run: |
gh api repos/SecureAuthCorp/ciam-core/dispatches \
-f event_type=quickstart-snippets-updated \
-f 'client_payload[sha]=${{ github.sha }}'
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
jkotiuk
approved these changes
May 12, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The auto-sync to ciam-core hasn't actually fired since the PR-side "Verify no drift" check was added to .github/workflows/extract.yml. The two gates contradict each other:
validate.Verify no drift (PR only)yarn allwas run + committedcommit.Notify ciam-core of snippet changesCombined: a merged PR has no drift (validation enforced it), so the post-merge diff is clean, so the dispatch never fires, so ciam-core never gets the
quickstart-snippets-updatedevent, so no auto-PR ever opens against ciam-core'sdevbranch.Fix
Drop the
if: steps.diff.outputs.changed == 'true'from the dispatch step. Fire therepository_dispatchunconditionally on every push to main. The downstream sync workflow usespeter-evans/create-pull-request, which is idempotent — it opens or updates a PR only when the destination genuinely differs.The "commit updated artifacts" step keeps its diff gate (we don't want to pollute history with empty commits).
Additional change - CODEOWNERS
@SecureAuthCorp/team-eng-ciam-ui-writeto approve.github/changes alongside@SecureAuthCorp/devops.🤖 Generated with Claude Code