diff --git a/.github/workflows/proof-pr.yml b/.github/workflows/proof-pr.yml
index ee83252..346953f 100644
--- a/.github/workflows/proof-pr.yml
+++ b/.github/workflows/proof-pr.yml
@@ -9,10 +9,10 @@ permissions:
 jobs:
   proof:
-    uses: saagpatel/proof-pr/.github/workflows/proof-pr-receipt.yml@v0.2.7
+    uses: saagpatel/proof-pr/.github/workflows/proof-pr-receipt.yml@v0.2.8
     with:
       receipt_path: proof-pr.json
-      proof_pr_ref: v0.2.7
+      proof_pr_ref: v0.2.8
       check_public_git_metadata: true
       public_git_metadata_mode: introduced
       artifact_name: github-repo-auditor-proof-pr
diff --git a/docs/proof-pr-dogfood.md b/docs/proof-pr-dogfood.md
index 6450145..3901c2c 100644
--- a/docs/proof-pr-dogfood.md
+++ b/docs/proof-pr-dogfood.md
@@ -12,7 +12,7 @@ environment and render the proof block from a generated receipt:
 ```bash
 python3 -m venv /tmp/gra-proof-pr-venv
 /tmp/gra-proof-pr-venv/bin/python -m pip install \
-  git+https://github.com/saagpatel/proof-pr.git@v0.2.7
+  git+https://github.com/saagpatel/proof-pr.git@v0.2.8
 /tmp/gra-proof-pr-venv/bin/proof-pr init \
   --cwd . \
   --tier T1 \
@@ -25,13 +25,14 @@ python3 -m venv /tmp/gra-proof-pr-venv
   /tmp/gra-proof-pr.json
 /tmp/gra-proof-pr-venv/bin/proof-pr receipt-hygiene \
   /tmp/gra-proof-pr.json \
-  --explain
+  --explain \
+  --check public-git-metadata \
+  --fix-only
 ```
 `receipt-hygiene --explain` is the author-facing nudge for incomplete receipts.
-It keeps hygiene read-only, but adds copyable commands and compact receipt patch
-examples for missing evidence such as public git metadata, secrets posture,
-permission posture, or rollback specificity.
+Add `--check --fix-only` when you want just one copyable command and compact
+receipt patch, instead of the full hygiene report. It keeps hygiene read-only.
 For GithubRepoAuditor, keep the risk tier honest: