1010# sits "open" on the bus forever (there is no GitHub->bus merge sync) and
1111# joined harnesses keep getting offered already-merged work.
1212# Joined harnesses pick up open requests from the bus — this workflow does NOT poll or review.
13+ #
14+ # The bus is fail-open: a town-crier hiccup (cold start, transient 5xx) must never red a
15+ # PR's checks, so both jobs use continue-on-error + a curl --max-time. Neither job touches
16+ # the GITHUB_TOKEN (they auth to the bus with TOWN_CRIER_TOKEN), so permissions are dropped.
1317name : town-crier producer (announce + resolve)
1418
19+ permissions : {}
20+
1521on :
1622 pull_request :
1723 types : [labeled, closed]
2228 runs-on : ubuntu-latest
2329 steps :
2430 - name : Announce to the crier
31+ continue-on-error : true
2532 env :
2633 CRIER_URL : ${{ vars.TOWN_CRIER_URL }}
2734 CRIER_TOKEN : ${{ secrets.TOWN_CRIER_TOKEN }}
3138 REQUESTER : ${{ github.event.pull_request.user.login }}
3239 run : |
3340 # jq builds the JSON so a PR title with quotes can't break the payload.
34- curl -fsS -X POST "$CRIER_URL/announce" \
41+ curl -fsS --max-time 10 - X POST "$CRIER_URL/announce" \
3542 -H "Authorization: Bearer $CRIER_TOKEN" \
3643 -H "Content-Type: application/json" \
3744 -d "$(jq -n \
@@ -46,14 +53,15 @@ jobs:
4653 runs-on : ubuntu-latest
4754 steps :
4855 - name : Resolve on the crier
56+ continue-on-error : true
4957 env :
5058 CRIER_URL : ${{ vars.TOWN_CRIER_URL }}
5159 CRIER_TOKEN : ${{ secrets.TOWN_CRIER_TOKEN }}
5260 PR_URL : ${{ github.event.pull_request.html_url }}
5361 MERGED : ${{ github.event.pull_request.merged }}
5462 run : |
5563 NOTE=$([ "$MERGED" = "true" ] && echo "merged" || echo "closed without merge")
56- curl -fsS -X POST "$CRIER_URL/resolve" \
64+ curl -fsS --max-time 10 - X POST "$CRIER_URL/resolve" \
5765 -H "Authorization: Bearer $CRIER_TOKEN" \
5866 -H "Content-Type: application/json" \
5967 -d "$(jq -n --arg pr "$PR_URL" --arg note "$NOTE" '{pr_url:$pr, note:$note}')"
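Review bot: With `continue-on-error: true` on the Resolve step, a persistent failure (an expired TOWN_CRIER_TOKEN answered with 401, or an unset TOWN_CRIER_URL) is swallowed exactly like the transient hiccup the header comment describes, and a missed resolve is the stale-"open" case that comment warns about. Keep the fail-open behaviour but surface it, for example by ending the curl command with `|| echo "::warning::town-crier resolve failed (curl exit $?)"`, so the run carries an annotation that can be noticed or alerted on. Because the bearer token is sent to whatever the repository variable holds, adding `--proto '=https'` to the curl call would keep it off cleartext HTTP if that variable is ever set to an http:// URL. The same two points apply to the Announce step in the earlier hunk; both job definitions start outside the visible lines.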