
Dogfood proof-pr receipt workflow#87

Merged
saagpatel merged 1 commit into main from chore/proof-pr-dogfood on Jun 20, 2026

Conversation

@saagpatel saagpatel (Owner) commented Jun 20, 2026

What

Adds a manual proof-pr dogfood workflow plus a committed proof-pr.json receipt for GitHub Repo Auditor.

Why

This gives proof-pr its second public consumer repo and validates the v0.2 stable dogfood contract against a proof-adjacent project, not just bridge-db.

Review Of What Was Built

  • Added .github/workflows/proof-pr.yml using saagpatel/proof-pr/.github/workflows/proof-pr-receipt.yml@v0.1.3.
  • Added proof-pr.json as an advisory T3 receipt for this workflow/receipt-only change.
  • Kept the workflow manual-only with explicit read permissions.

Cleanup Review

No generated portfolio truth, application code, release config, or private proof package content was changed. The existing tracked .github/.DS_Store is intentionally untouched in this scoped dogfood lane.

Verification Summary

Proof Bundle

Risk: T3
Receipt: proof-pr.v1 for 976ae751e2421f5c8a7be2bd3ee55a964ce8c5c7
Decision: ready_with_operator_awareness

Evidence:

  • proof-pr-validate: PYTHONDONTWRITEBYTECODE=1 python3 /Users/d/Projects/proof-pr/scripts/proof_pr.py validate proof-pr.json -> passed (Committed receipt validates against proof-pr.v1 schema.)
  • proof-pr-render: PYTHONDONTWRITEBYTECODE=1 python3 /Users/d/Projects/proof-pr/scripts/proof_pr.py render proof-pr.json -> passed (Receipt renders into the standard Markdown PR block.)
  • workflow-yaml: ruby -e "require 'yaml'; YAML.load_file('.github/workflows/proof-pr.yml')" -> passed (New workflow YAML parses.)
  • public-fixture-proof-package: PYTHONDONTWRITEBYTECODE=1 python3 scripts/validate_proof_package.py docs/demo-proof/public-fixture/proof-package.json -> passed (Existing public fixture proof package remains valid.)
  • secrets-scan: gitleaks detect --source . --no-banner --redact --verbose -> passed (No leaks found.)
  • public-boundary-scan: targeted scan of the new workflow and receipt for private repo names, local paths, personal email, and token prefixes -> passed (no matches.)
  • github-pr-checks: gh pr checks 87 -R saagpatel/GithubRepoAuditor --watch --interval 10 -> passed (CodeQL and test (3.11) passed.)
  • full-test-suite: passed (GitHub PR CI ran the repository test/lint/typecheck lane.)
  • screenshots: not_applicable (No UI, workbook, dashboard, or visual artifact changed.)
  • rollback: documented (Revert this PR or remove .github/workflows/proof-pr.yml and proof-pr.json.)

Known gaps:

  • The committed receipt uses pending-pr-head; a receipt committed in the same change cannot know its final commit SHA before the commit exists. The PR proof block is anchored to the remote head SHA.
  • The workflow is manual-only for dogfood; pull_request enforcement is intentionally deferred.

Shipped Summary

If merged, GitHub Repo Auditor will have an advisory proof-pr receipt workflow that can be manually dispatched on main and upload the committed receipt as a proof artifact.

Next Phase

Run the manual proof-pr workflow from main after merge. If it passes, proof-pr has two consumer repos satisfying the v0.2 dogfood readiness criterion.

Remaining Roadmap

  • Update proof-pr to model committed-receipt head SHA anchoring more cleanly.
  • Decide whether v0.2.0 is ready to tag after the second consumer run.
  • Defer pull_request enforcement until manual dogfood has stayed boring.

@saagpatel saagpatel merged commit b07409d into main Jun 20, 2026
3 checks passed
@saagpatel saagpatel deleted the chore/proof-pr-dogfood branch June 20, 2026 09:00

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 976ae751e2


Comment on lines +12 to +15
uses: saagpatel/proof-pr/.github/workflows/proof-pr-receipt.yml@v0.1.3
with:
receipt_path: proof-pr.json
proof_pr_ref: v0.1.3
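Review bot: `proof_pr_ref: v0.1.3` on line +15 repeats the version already carried by the `uses:` reference on line +12, so the two values can silently diverge on the next bump and the receipt could be validated by a different proof-pr revision than the one the reusable workflow runs. If both inputs are needed, pin both to the same full-length commit SHA rather than the mutable tag, and add a YAML comment next to them naming the release that SHA corresponds to so the pair is always bumped together.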


P2: Pin the proof-pr workflow and installer to immutable SHAs

When this manual workflow is dispatched, both the reusable workflow reference and the proof_pr_ref input execute code from the mutable v0.1.3 tag. GitHub’s Actions hardening guidance notes that full-length commit SHAs are the only immutable action references and that tags can be moved or deleted, so a retagged or compromised proof-pr release would let this repo validate/upload evidence with code that was not reviewed here; this is especially risky for a proof receipt workflow where reproducibility is the point. Pin both references to the exact commit SHA for the intended release, matching the existing SHA-pinned style in the other workflows.

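As an added example in the spirit of the review above (not code from this repository or from proof-pr), a small checker that flags `uses:` references and `*_ref` inputs that are not pinned to a full 40-hex commit SHA, and reports when a `*_ref` input disagrees with the version on the job's `uses:` line. The sample workflow, its job names and the pinned SHA are constructed; the `*_ref` naming convention and the "input must match the uses: version" rule are assumptions.

```python
import re
from typing import List, Tuple

# Constructed caller workflow in the style of the PR hunk; the 40-hex SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: proof-pr
on: workflow_dispatch
permissions:
  contents: read
jobs:
  receipt:
    uses: saagpatel/proof-pr/.github/workflows/proof-pr-receipt.yml@v0.1.3
    with:
      receipt_path: proof-pr.json
      proof_pr_ref: v0.1.2
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: ./.github/actions/local-lint
      - uses: example/pinned-action@0123456789abcdef0123456789abcdef01234567  # v1.2.3
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)")
REF_INPUT_RE = re.compile(r"^\s*(?P<key>[\w-]*_ref):\s*(?P<val>\S+)")  # assumed *_ref input convention
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")


def is_immutable(version: str) -> bool:
    """Only a full-length 40-hex commit SHA is immutable; tags and branches can be moved or deleted."""
    return FULL_SHA_RE.fullmatch(version) is not None


def audit_workflow(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, severity, message) findings for mutable uses: refs and drifting *_ref inputs."""
    findings: List[Tuple[int, str, str]] = []
    current_version = None  # version of the most recent uses: line, for the drift check
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            ref = m.group("ref")
            if ref.startswith("./") or ref.startswith("docker://"):
                current_version = None  # local composite actions and images are out of scope here
                continue
            current_version = ref.rsplit("@", 1)[1] if "@" in ref else ""
            if not is_immutable(current_version):
                findings.append((line_no, "P2", f"uses: {ref} is not pinned to a full commit SHA"))
            continue
        m = REF_INPUT_RE.match(line)
        if m:
            key, val = m.group("key"), m.group("val")
            if not is_immutable(val):
                findings.append((line_no, "P2", f"{key}: {val} is a mutable ref"))
            if current_version is not None and val != current_version:
                findings.append((line_no, "P3", f"{key}: {val} differs from the uses: version {current_version}"))
    return findings
```

Run `audit_workflow(open(".github/workflows/proof-pr.yml").read())` against a real caller workflow to list its unpinned references; the sample yields three findings (the unpinned reusable workflow on line 7 and the mutable, drifted `proof_pr_ref` on line 10).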
