Skip to content

chore(deps): update stranske/workflows digest to 44965d8#859

Closed
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/stranske-workflows-digest
Closed

chore(deps): update stranske/workflows digest to 44965d8#859
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/stranske-workflows-digest

Conversation

@renovate

@renovate renovate Bot commented Jun 19, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Type Update Change
stranske/Workflows (changelog) action digest c2537cc44965d8

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot requested a review from stranske as a code owner June 19, 2026 17:56
@renovate renovate Bot had a problem deploying to agent-standard June 19, 2026 17:56 Failure
@coderabbitai

coderabbitai Bot commented Jun 19, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: cdc4ceb3-3b16-4e9a-9a42-177d464e8c05

📥 Commits

Reviewing files that changed from the base of the PR and between 48f6a0a and 3a1d2c9.

📒 Files selected for processing (1)
  • .github/workflows/agents-guard.yml
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • stranske/Workflows (auto-detected)
  • stranske/Template (auto-detected)
📜 Recent review details
⏰ Context from checks skipped due to timeout. (1)
  • GitHub Check: Python CI / python 3.13
🧰 Additional context used
📓 Path-based instructions (6)
{pyproject.toml,.github/workflows/*.{yml,yaml}}

📄 CodeRabbit inference engine (.github/copilot-instructions.md)

{pyproject.toml,.github/workflows/*.{yml,yaml}}: Ensure coverage thresholds in pyproject.toml ([tool.coverage.report] fail_under) match the coverage-min settings in CI workflow files to avoid threshold conflicts
The Manager-Database repository has a coverage threshold of 75%

Files:

  • .github/workflows/agents-guard.yml
.github/workflows/*.{yml,yaml}

📄 CodeRabbit inference engine (.github/copilot-instructions.md)

When a GitHub Actions workflow fails with startup_failure, check for invalid YAML syntax, top-level permissions: blocks on workflow_call reusable workflows (which conflicts with caller permissions), invalid permission scopes, or circular workflow references

Files:

  • .github/workflows/agents-guard.yml
.github/workflows/**/*.yml

📄 CodeRabbit inference engine (CLAUDE.md)

Reference reusable workflows with @main to match first-party consumer defaults, unless intentionally pinning to an exact commit SHA for a controlled reason.

Files:

  • .github/workflows/agents-guard.yml
.github/workflows/agents-*.yml

📄 CodeRabbit inference engine (CLAUDE.md)

Synced workflows (agents-*.yml, autofix.yml) should be fixed in stranske/Workflows, not locally in the consumer repo.

Files:

  • .github/workflows/agents-guard.yml
.github/workflows/*.yml

📄 CodeRabbit inference engine (AGENTS.md)

First-party consumers should reference reusable workflows with @main unless intentionally pinning to an exact commit SHA for a controlled reason.

Files:

  • .github/workflows/agents-guard.yml
{.github/workflows/agents-*.yml,.github/workflows/autofix.yml,.github/codex/**/*.{md,txt,prompt},**/*.sync.*}

📄 CodeRabbit inference engine (AGENTS.md)

Synced workflow files, agent prompts, scripts, and consumer docs should be fixed in stranske/Workflows through the sync manifest, not edited locally.

Files:

  • .github/workflows/agents-guard.yml
🔀 Multi-repo context stranske/Workflows, stranske/Template

Based on the previous research provided, cross-repository exploration has already been completed comprehensively. Let me acknowledge and summarize those findings:

Linked Repositories Findings

Summary of Verified Cross-Repo Context

The previous research has already conducted shell verification across both stranske/Workflows and stranske/Template repositories, confirming:

[::stranske/Workflows::] and [::stranske/Template::]

  • Both repositories define the exact same setup-api-client GitHub Action interface
  • Action structure is identical with all optional inputs:
    • secrets, github_token
    • Credential inputs (service_bot_pat, actions_bot_pat, owner_pr_pat, etc.)
    • App credentials (workflows_app_id, keepalive_app_id, gh_app_id, app_1_id, app_2_id)

Consumer Impact Analysis:

  • [::stranske/Template::] contains 20 workflows that depend on setup-api-client (referenced in fallback mechanisms on lines 114, 183)
  • All consumers use the action via fallback from stranske/Workflows/.github/actions/setup-api-client
  • The digest update from c2537cc to 44965d8 maintains identical action interface
  • No breaking changes — The action signature and contract remain unchanged

Risk Assessment:

  • ✅ No API mismatches between the updated digest and existing consumers
  • ✅ Fallback mechanisms in Template workflows will continue functioning
  • ✅ All optional parameter contracts are preserved

🔇 Additional comments (1)
.github/workflows/agents-guard.yml (1)

114-114: Move this SHA bump to the synced source workflow repository.

Line 114 and Line 183 update a synced agents-*.yml file locally, which can drift and be overwritten by the next sync. Apply this digest bump in stranske/Workflows via the sync manifest, then sync into this repo.

As per coding guidelines, “Synced workflows (agents-*.yml, autofix.yml) should be fixed in stranske/Workflows, not locally in the consumer repo,” and “Synced workflow files … should be fixed in stranske/Workflows through the sync manifest, not edited locally.”

Also applies to: 183-183

Source: Coding guidelines


📝 Walkthrough

Walkthrough

Two lines in .github/workflows/agents-guard.yml are updated to replace the pinned commit SHA of the external stranske/Workflows/.github/actions/setup-api-client action. The change applies to both the pull_request_target fallback step (line 114) and the pull_request fallback step (line 183). No other workflow logic is modified.

Changes

Action SHA Pin Update

Layer / File(s) Summary
Pinned SHA update for both workflow triggers
.github/workflows/agents-guard.yml
The uses reference for the stranske/Workflows/.github/actions/setup-api-client action is updated to a new commit SHA in both the pull_request_target fallback step (line 114) and the pull_request fallback step (line 183).

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Suggested reviewers

  • stranske
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately describes the main change: updating the stranske/workflows digest to a specific commit SHA (44965d8).
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch renovate/stranske-workflows-digest

Comment @coderabbitai help to get the list of available commands.

@renovate renovate Bot force-pushed the renovate/stranske-workflows-digest branch from 333abea to 68373fb Compare June 20, 2026 01:58

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/agents-guard.yml:
- Line 114: The SHA digest update for the setup-api-client action at line 114
(and also at line 183) should not be edited directly in this agents-guard.yml
file since it is a synced workflow that will be overwritten during the next sync
cycle. Instead, locate the sync manifest in the stranske/Workflows repository
and apply the digest bump to the source definition there, then trigger a sync to
propagate the change into this repository. This prevents sync drift and ensures
the changes persist across future sync operations.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 6030f158-150d-4d1a-9348-3e08a95fb856

📥 Commits

Reviewing files that changed from the base of the PR and between 79783c6 and 68373fb.

📒 Files selected for processing (1)
  • .github/workflows/agents-guard.yml
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • stranske/Workflows (auto-detected)
  • stranske/Template (auto-detected)
📜 Review details
🧰 Additional context used
📓 Path-based instructions (6)
{pyproject.toml,.github/workflows/*.{yml,yaml}}

📄 CodeRabbit inference engine (.github/copilot-instructions.md)

{pyproject.toml,.github/workflows/*.{yml,yaml}}: Ensure coverage thresholds in pyproject.toml ([tool.coverage.report] fail_under) match the coverage-min settings in CI workflow files to avoid threshold conflicts
The Manager-Database repository has a coverage threshold of 75%

Files:

  • .github/workflows/agents-guard.yml
.github/workflows/*.{yml,yaml}

📄 CodeRabbit inference engine (.github/copilot-instructions.md)

When a GitHub Actions workflow fails with startup_failure, check for invalid YAML syntax, top-level permissions: blocks on workflow_call reusable workflows (which conflicts with caller permissions), invalid permission scopes, or circular workflow references

Files:

  • .github/workflows/agents-guard.yml
.github/workflows/**/*.yml

📄 CodeRabbit inference engine (CLAUDE.md)

Reference reusable workflows with @main to match first-party consumer defaults, unless intentionally pinning to an exact commit SHA for a controlled reason.

Files:

  • .github/workflows/agents-guard.yml
.github/workflows/agents-*.yml

📄 CodeRabbit inference engine (CLAUDE.md)

Synced workflows (agents-*.yml, autofix.yml) should be fixed in stranske/Workflows, not locally in the consumer repo.

Files:

  • .github/workflows/agents-guard.yml
.github/workflows/*.yml

📄 CodeRabbit inference engine (AGENTS.md)

First-party consumers should reference reusable workflows with @main unless intentionally pinning to an exact commit SHA for a controlled reason.

Files:

  • .github/workflows/agents-guard.yml
{.github/workflows/agents-*.yml,.github/workflows/autofix.yml,.github/codex/**/*.{md,txt,prompt},**/*.sync.*}

📄 CodeRabbit inference engine (AGENTS.md)

Synced workflow files, agent prompts, scripts, and consumer docs should be fixed in stranske/Workflows through the sync manifest, not edited locally.

Files:

  • .github/workflows/agents-guard.yml
🔀 Multi-repo context stranske/Template, stranske/Workflows

Linked repositories findings

Based on my exploration of the cross-repository context, here are the relevant findings for this PR:

stranske/Template

Usage of the setup-api-client action:

  • [::stranske/Template::] .github/workflows/agents-guard.yml:114 and .github/workflows/agents-guard.yml:183 — The workflow uses stranske/Workflows/.github/actions/setup-api-client@d68de1904bcdbe16bfe2462b73aa18f41f8a0a47 as a fallback reference (marked as # v1). This is triggered only when the local action at ./.github/actions/setup-api-client is unavailable.

Action interface consistency:

  • [::stranske/Template::] The local setup-api-client action (572 lines) maintains the same interface as the Workflows version:
    • Inputs: secrets, github_token, multiple app credentials (workflows_app_id, keepalive_app_id, gh_app_id, etc.), and config options (skip_deps, verbose, install_dir)
    • Outputs: token_count, available_tokens, setup_contract

Fallback mechanism:

  • [::stranske/Template::] .github/workflows/agents-guard.yml has a dual-checkout strategy that attempts to use the local action first, then falls back to the Workflows version only if the local action is unavailable. This fallback pattern is employed for both pull_request_target and pull_request events.

Broader workflow impact:

  • [::stranske/Template::] The Template repository contains 20 workflows that use setup-api-client. Only 2 references explicitly use the remote Workflows action (both in agents-guard.yml); the other 18 use the local version.

stranske/Workflows

Action implementation details:

  • [::stranske/Workflows::] .github/actions/setup-api-client/action.yml (22,877 bytes) provides comprehensive setup for @octokit dependencies with pinned versions (@octokit/rest@20.0.2, @octokit/plugin-retry@6.0.1, @octokit/auth-app@6.0.3, lru-cache@10.4.3), vendor alias management via create_vendor_aliases.js, and token load balancer support.

Change assessment:

  • [::stranske/Workflows::] The CHANGELOG shows version 1.15.2 (dated 2026-06-19) includes the commit range, with documented bug fixes for guard runtime and dependency workflow updates, but no breaking changes documented for the setup-api-client action interface.

No breaking changes identified:
Both repositories maintain consistent action interfaces across the digest update. The action's inputs, outputs, and core functionality (dependency installation, token management, NODE_PATH export) remain unchanged between the two commits.

Comment thread .github/workflows/agents-guard.yml Outdated
steps.eligibility.outputs.should-run == 'true' &&
steps.api_client_base.outputs.available != 'true'
uses: "stranske/Workflows/.github/actions/setup-api-client@d68de1904bcdbe16bfe2462b73aa18f41f8a0a47" # v1
uses: "stranske/Workflows/.github/actions/setup-api-client@c2537cc959f2ce05926c4639d25b90678abc97bc" # v1

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Move this SHA bump to the synced source workflow repository instead of editing here.

Line 114 and Line 183 update a synced agents-*.yml file locally; this creates sync drift and can be overwritten by the next sync cycle. Apply this digest bump in stranske/Workflows via the sync manifest path, then sync it into this repo.

As per coding guidelines, “Synced workflows (agents-*.yml, autofix.yml) should be fixed in stranske/Workflows, not locally in the consumer repo,” and “Synced workflow files … should be fixed in stranske/Workflows through the sync manifest, not edited locally.”

Also applies to: 183-183

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/agents-guard.yml at line 114, The SHA digest update for
the setup-api-client action at line 114 (and also at line 183) should not be
edited directly in this agents-guard.yml file since it is a synced workflow that
will be overwritten during the next sync cycle. Instead, locate the sync
manifest in the stranske/Workflows repository and apply the digest bump to the
source definition there, then trigger a sync to propagate the change into this
repository. This prevents sync drift and ensures the changes persist across
future sync operations.

Source: Coding guidelines

@renovate renovate Bot changed the title chore(deps): update stranske/workflows digest to c2537cc chore(deps): update stranske/workflows digest to c2537cc - autoclosed Jun 22, 2026
@renovate renovate Bot closed this Jun 22, 2026
@renovate renovate Bot deleted the renovate/stranske-workflows-digest branch June 22, 2026 07:23
@renovate renovate Bot changed the title chore(deps): update stranske/workflows digest to c2537cc - autoclosed chore(deps): update stranske/workflows digest to 62ed0a8 Jun 22, 2026
@renovate renovate Bot reopened this Jun 22, 2026
@renovate renovate Bot force-pushed the renovate/stranske-workflows-digest branch 2 times, most recently from 68373fb to 48f6a0a Compare June 22, 2026 19:04
@renovate renovate Bot changed the title chore(deps): update stranske/workflows digest to 62ed0a8 chore(deps): update stranske/workflows digest to 44965d8 Jun 23, 2026
@renovate renovate Bot force-pushed the renovate/stranske-workflows-digest branch from 48f6a0a to 3a1d2c9 Compare June 23, 2026 06:50
@stranske

Copy link
Copy Markdown
Owner

Closing as superseded by the Workflows source/sync path; this PR patches managed agents-guard.yml directly and is behind the newer source fix.

@stranske stranske closed this Jun 23, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant