Commit 2b443e6
ci: allow git push in bot-write-docs allowlist (#2537)
The first end-to-end run of the docs-request path on issue #2536
([#25619794274](https://github.com/wheels-dev/wheels/actions/runs/25619794274))
revealed that bot-write-docs's allowlist scoped git too narrowly:
specific subcommands (status, log, diff, show, grep, add, commit) but
not push. The bot wrote the docs, committed them, then attempted
`gh pr create` — which needs the branch on remote, but the bot couldn't
push it. The workflow's "Push branch" step ran AFTER the bot finished,
pushing too late for the bot's `gh pr create` call.
Result: the docs/bot-2536-* branch landed on origin with full content,
but no PR was opened. The bot caught this in its issue comment and
explained the situation correctly ("the workflow's push step will
publish the branch after this run; once it is on the remote, the
draft PR can be opened from that branch") — high-quality failure
reporting, but the cascade stopped there.
Add `Bash(git push:*)` to the allowlist. The wheels-bot push-scope
ruleset (16174270) restricts WHERE the bot can push to bot/**,
fix/bot-*/**, and docs/bot-*/**, so granting push capability does
not expand the bot's blast radius — it just lets the bot execute
the push the ruleset will permit anyway. Mirrors propose-fix's
`Bash(git:*)` wildcard (which has been working since #2533).
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

1 parent 24b83e8 commit 2b443e6
1 file changed: 1 addition & 1 deletion
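The commit message describes two independent gates on the bot's push: the workflow-side allowlist (`Bash(git push:*)` style rules, where the `:*` wildcard matches any command starting with that prefix) and the server-side ruleset that restricts target refs to `bot/**`, `fix/bot-*/**` and `docs/bot-*/**`. The following is an added example, not code from the wheels project or the workflow, that models both gates so the interaction can be checked offline. It assumes the `:*` suffix means prefix match on the command tokens, that `*` in a ref pattern stays within one path segment while `**` crosses segments, and that a trailing `/**` also matches the bare prefix; the extra refusal of force/delete flags is my addition to show what the wildcard alone would let through. All allowlists, branch names and commands below are constructed.

```python
import re
import shlex

# Constructed allowlists as the commit message describes them before and after the
# change. Reading ":*" as "prefix match" is an assumption about the rule syntax.
ALLOWLIST_BEFORE = [
    "Bash(git status:*)", "Bash(git log:*)", "Bash(git diff:*)", "Bash(git show:*)",
    "Bash(git grep:*)", "Bash(git add:*)", "Bash(git commit:*)",
]
ALLOWLIST_AFTER = ALLOWLIST_BEFORE + ["Bash(git push:*)"]

# Ref patterns quoted from the commit message for the push-scope ruleset.
PUSH_SCOPE = ["bot/**", "fix/bot-*/**", "docs/bot-*/**"]

# A "git push:*" wildcard also admits history-rewriting pushes; this gate (my
# addition, not the project's) refuses them so the ruleset is not the only guard.
DESTRUCTIVE_FLAGS = {"--force", "-f", "--force-with-lease", "--delete", "-d", "--mirror"}


def _parse_rule(rule):
    """Return (tokens, is_prefix) for a Bash(...) rule, or None for any other rule kind."""
    m = re.fullmatch(r"Bash\((.+)\)", rule)
    if not m:
        return None
    body = m.group(1)
    if body.endswith(":*"):
        return shlex.split(body[:-2]), True
    return shlex.split(body), False


def command_allowed(command, allowlist):
    """Exact rules require all tokens to match; ':*' rules require only the leading tokens."""
    tokens = shlex.split(command)
    for rule in allowlist:
        parsed = _parse_rule(rule)
        if parsed is None:
            continue
        prefix, is_prefix = parsed
        if tokens[: len(prefix)] == prefix and (is_prefix or len(tokens) == len(prefix)):
            return True
    return False


def _glob_body(pattern):
    """Translate an fnmatch-style ref pattern into a regex body ('*' = one segment, '**' = any)."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*"); i += 2
        elif pattern[i] == "*":
            out.append("[^/]*"); i += 1
        else:
            out.append(re.escape(pattern[i])); i += 1
    return "".join(out)


def branch_in_scope(branch, patterns=PUSH_SCOPE):
    """True if the branch matches any ruleset pattern; a trailing '/**' also matches the bare prefix (assumed)."""
    for p in patterns:
        rx = _glob_body(p[:-3]) + r"(/.*)?" if p.endswith("/**") else _glob_body(p)
        if re.fullmatch(rx, branch):
            return True
    return False


def push_target(command):
    """Destination branch of 'git push [flags] <remote> <src>:<dst>' or '<remote> <branch>'.
    Returns None when the target cannot be determined from the command alone."""
    tokens = shlex.split(command)
    if tokens[:2] != ["git", "push"]:
        return None
    positional = [t for t in tokens[2:] if not t.startswith("-")]
    if len(positional) < 2:
        return None  # bare 'git push' depends on upstream config we cannot see here
    refspec = positional[1]
    dst = refspec.split(":", 1)[1] if ":" in refspec else refspec
    return dst.removeprefix("refs/heads/")


def push_permitted(command, allowlist=ALLOWLIST_AFTER, patterns=PUSH_SCOPE):
    """Both gates must pass: the bot-side allowlist and the server-side ref scope."""
    if not command_allowed(command, allowlist):
        return "denied: command not in allowlist"
    if set(shlex.split(command)) & DESTRUCTIVE_FLAGS:
        return "denied: destructive push flag"
    dst = push_target(command)
    if dst is None:
        return "denied: cannot determine target branch"
    if not branch_in_scope(dst, patterns):
        return f"denied: {dst} outside push scope"
    return f"allowed: {dst}"


if __name__ == "__main__":
    cmd = "git push -u origin docs/bot-2536-update"  # constructed, modelled on the docs/bot-2536-* branch
    print("before:", push_permitted(cmd, ALLOWLIST_BEFORE))
    print("after: ", push_permitted(cmd))
    print("main:  ", push_permitted("git push origin HEAD:main"))
    print("force: ", push_permitted("git push --force origin docs/bot-2536-update"))
```

Running it shows the failure the commit describes (the push is refused by the old allowlist even though the ruleset would accept the branch) and, after the change, that the ruleset still blocks a push to `main` while only the added flag check stops a force-push to an in-scope branch. Combined short flags such as `-fu` are not split, so a production gate should parse options properly rather than compare raw tokens.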
| Original file line | Diff line | Change |
|---|---|---|
| 101 | 101 | |
| 102 | 102 | |
| 103 | 103 | |
| 104 | | - |
| | 104 | + |
| 105 | 105 | |
| 106 | 106 | |
| 107 | 107 | |
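Review bot: the replaced line 104 is described in the commit message as adding `Bash(git push:*)`, and that `:*` wildcard admits every `git push` form, including `git push --force`, `git push --delete` and pushes to arbitrary remotes, not only the plain branch push the docs-request path needs. The commit message's safety argument rests entirely on ruleset 16174270 limiting target refs to `bot/**`, `fix/bot-*/**` and `docs/bot-*/**`; whether that ruleset also blocks force-pushes or deletions on those branches is not shown here, so the blast-radius claim should be qualified or the rule narrowed to the exact push form the bot issues. The message also notes the workflow's "Push branch" step ran after the bot finished; with the bot now pushing first, that step should be confirmed to tolerate an already-published branch rather than fail on it, and a comment next to the new allowlist entry recording that the ruleset is the only ref guard would help the next reader.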