GithubRepoAuditor/proof-pr.json at 976ae751e2421f5c8a7be2bd3ee55a964ce8c5c7 · saagpatel/GithubRepoAuditor · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
{
  "schema_version": "proof-pr.v1",
  "receipt_id": "saagpatel-github-repo-auditor-proof-pr-dogfood",
  "generated_at": "2026-06-20T09:00:00Z",
  "subject": {
    "repo": "saagpatel/GithubRepoAuditor",
    "pr_number": null,
    "pr_url": null,
    "base_ref": "main",
    "base_sha": "b69bd828a240572594ed4a8afec159e546fccefa",
    "head_ref": "chore/proof-pr-dogfood",
    "head_sha": "pending-pr-head"
  },
  "producer": {
    "tool": "proof-pr",
    "version": "0.1.3",
    "agent": "codex",
    "mode": "local"
  },
  "risk": {
    "tier": "T3",
    "reasons": [
      "adds a GitHub Actions workflow",
      "introduces proof-pr as a reusable CI evidence consumer",
      "commits a machine-readable proof receipt"
    ],
    "changed_surfaces": [
      "github-actions",
      "proof-receipt",
      "public-repo-evidence"
    ]
  },
  "change": {
    "summary": "Adds an advisory proof-pr dogfood workflow and committed receipt for GitHub Repo Auditor.",
    "files_touched": [
      ".github/workflows/proof-pr.yml",
      "proof-pr.json"
    ],
    "diff_stats": {
      "files": 2,
      "additions": 175,
      "deletions": 0
    },
    "scope_notes": "No application code, package metadata, generated portfolio truth, or release workflow behavior changes."
  },
  "evidence": [
    {
      "id": "proof-pr-validate",
      "kind": "repo-native",
      "command": [
        "proof-pr validate proof-pr.json"
      ],
      "status": "passed",
      "required": true,
      "summary": "Committed receipt validates against proof-pr.v1 schema."
    },
    {
      "id": "proof-pr-render",
      "kind": "repo-native",
      "command": [
        "proof-pr render proof-pr.json"
      ],
      "status": "passed",
      "required": true,
      "summary": "Receipt renders into the standard Markdown PR block."
    },
    {
      "id": "workflow-yaml",
      "kind": "repo-native",
      "command": [
        "ruby -e \"require 'yaml'; YAML.load_file('.github/workflows/proof-pr.yml')\""
      ],
      "status": "passed",
      "required": true,
      "summary": "New workflow YAML parses."
    },
    {
      "id": "public-fixture-proof-package",
      "kind": "repo-native",
      "command": [
        "PYTHONDONTWRITEBYTECODE=1 python3 scripts/validate_proof_package.py docs/demo-proof/public-fixture/proof-package.json"
      ],
      "status": "passed",
      "required": true,
      "summary": "Existing public fixture proof package remains valid."
    },
    {
      "id": "secrets-scan",
      "kind": "security",
      "command": [
        "gitleaks detect --source . --no-banner --redact --verbose"
      ],
      "status": "passed",
      "required": true,
      "summary": "No leaks found in the dogfood worktree."
    },
    {
      "id": "public-boundary-scan",
      "kind": "security",
      "status": "passed",
      "required": true,
      "summary": "No private repo names, local paths, personal email, or token prefixes found in the new public dogfood files."
    },
    {
      "id": "full-test-suite",
      "kind": "test",
      "status": "skipped",
      "required": false,
      "summary": "No Python source, package metadata, or generated truth surface changed.",
      "reason": "The PR adds only an advisory workflow caller and proof receipt; normal CI still runs on pull_request."
    },
    {
      "id": "screenshots",
      "kind": "screenshot",
      "status": "not_applicable",
      "required": false,
      "summary": "No UI, workbook, dashboard, or visual artifact changed."
    }
  ],
  "security": {
    "secrets_scan": {
      "status": "passed",
      "summary": "Gitleaks scan found no leaks."
    },
    "permission_diff": {
      "status": "passed",
      "summary": "New workflow grants explicit read-only permissions: contents: read and actions: read."
    },
    "redaction": {
      "status": "not_applicable",
      "summary": "No screenshots or generated portfolio artifacts are included in this PR."
    }
  },
  "rollback": {
    "status": "documented",
    "path": "Revert this PR or remove .github/workflows/proof-pr.yml and proof-pr.json.",
    "notes": "The workflow is manual-only and advisory, so rollback does not require data migration or external cleanup."
  },
  "artifacts": [
    {
      "id": "proof-pr-json",
      "kind": "json",
      "path_or_url": "proof-pr.json",
      "description": "Committed proof-pr dogfood receipt.",
      "required": true,
      "external": false
    }
  ],
  "limitations": [
    "The committed receipt uses pending-pr-head because a receipt committed in the same change cannot know its final commit SHA before the commit exists.",
    "PR number and PR URL should be reflected in the pull request proof block after PR creation.",
    "The workflow is manual-only for dogfood; pull_request enforcement is intentionally deferred."
  ],
  "overall": {
    "status": "passed_with_warnings",
    "review_decision": "ready_with_operator_awareness"
  }
}