|
1 | 1 | name: verify-report |
2 | 2 |
|
3 | | -# Run the Tier 0 offline data *verification* (existence/trust scoring) on a PR and |
4 | | -# let TechEngineBot post the band analysis as a PR comment. The bot owns the |
5 | | -# analysis surface: this workflow only computes the report and hands it to the bot, |
6 | | -# which authors the comment via its own PAT (TECHENGINEBOT_TOKEN). It never gates a |
7 | | -# merge. |
8 | | -# |
9 | | -# Dormant unless a bot/automation token is configured. Restricted to same-repo |
10 | | -# branch PRs so fork PRs never see the token. The structural gate stays in |
11 | | -# validate-data.yml; this is purely informational. |
| 3 | +# On every data/verifier PR, post the Tier 0 verification band report as |
| 4 | +# TechEngineBot. The bot's token lives in TechEngine, so we RELAY there (a comment |
| 5 | +# posted from TechAPI would be authored by the human relay PAT, not the bot). |
| 6 | +# TechEngine's techapi-verify-comment.yml runs app.verify (mode=tier0) and posts |
| 7 | +# the report. Informational; never gates a merge. Same-repo PRs only. |
12 | 8 | on: |
13 | 9 | pull_request: |
14 | 10 | types: [opened, synchronize, reopened, ready_for_review] |
|
19 | 15 |
|
20 | 16 | permissions: |
21 | 17 | contents: read |
22 | | - pull-requests: write |
23 | 18 |
|
24 | 19 | concurrency: |
25 | 20 | group: verify-report-${{ github.event.pull_request.number }} |
26 | 21 | cancel-in-progress: true |
27 | 22 |
|
28 | 23 | jobs: |
29 | | - verify-report: |
| 24 | + relay: |
30 | 25 | runs-on: ubuntu-latest |
31 | 26 | if: github.event.pull_request.head.repo.full_name == github.repository |
32 | 27 | env: |
33 | | - PYTHONIOENCODING: utf-8 |
34 | | - # Prefer TechEngineBot's PAT so the analysis comment is authored by the bot |
35 | | - # (TECHENGINEBOT_TOKEN, Issues/PR write on both repos). Fall back to |
36 | | - # ENGINE_TOKEN only so the workflow still runs if the bot token is absent. |
37 | | - BOT_TOKEN: ${{ secrets.TECHENGINEBOT_TOKEN || secrets.ENGINE_TOKEN }} |
| 28 | + ENGINE_TOKEN: ${{ secrets.ENGINE_TOKEN }} |
38 | 29 | steps: |
39 | | - - name: Dormant when no bot token is configured |
40 | | - if: env.BOT_TOKEN == '' |
41 | | - run: echo "::warning::No TECHENGINEBOT_TOKEN/ENGINE_TOKEN — TechEngineBot verify comment skipped." |
| 30 | + - name: Dormant when ENGINE_TOKEN is unset |
| 31 | + if: env.ENGINE_TOKEN == '' |
| 32 | + run: echo "::warning::ENGINE_TOKEN not configured; cannot relay the verify report to TechEngine." |
42 | 33 |
|
43 | | - - uses: actions/checkout@v4 |
44 | | - if: env.BOT_TOKEN != '' |
45 | | - with: |
46 | | - fetch-depth: 0 |
47 | | - |
48 | | - - uses: actions/setup-python@v5 |
49 | | - if: env.BOT_TOKEN != '' |
50 | | - with: |
51 | | - python-version: "3.12" |
52 | | - |
53 | | - - name: Tier 0 verification (changed + full baseline) |
54 | | - if: env.BOT_TOKEN != '' |
55 | | - id: verify |
56 | | - run: | |
57 | | - git fetch origin main --depth=1 || true |
58 | | - { |
59 | | - echo 'report<<VERIFY_EOF' |
60 | | - echo "### Changed records in this PR" |
61 | | - echo "" |
62 | | - python -m app.verify score --changed --no-cache --format md |
63 | | - echo "" |
64 | | - echo "### Full-dataset baseline" |
65 | | - echo "" |
66 | | - python -m app.verify score --no-cache --format md |
67 | | - echo VERIFY_EOF |
68 | | - } >> "$GITHUB_OUTPUT" |
69 | | -
|
70 | | - - name: TechEngineBot posts the verification analysis |
71 | | - if: env.BOT_TOKEN != '' |
| 34 | + - name: Relay Tier 0 verify report to TechEngine |
| 35 | + if: env.ENGINE_TOKEN != '' |
72 | 36 | uses: actions/github-script@v7 |
73 | | - env: |
74 | | - REPORT: ${{ steps.verify.outputs.report }} |
75 | 37 | with: |
76 | | - github-token: ${{ secrets.TECHENGINEBOT_TOKEN || secrets.ENGINE_TOKEN }} |
| 38 | + github-token: ${{ secrets.ENGINE_TOKEN }} |
77 | 39 | script: | |
78 | | - const marker = '<!-- techengine-verify-report -->'; |
79 | | - const report = (process.env.REPORT || '').trim() || '(no output)'; |
80 | | - const body = [ |
81 | | - marker, |
82 | | - '## 🔎 Data verification — Tier 0 (offline existence/trust)', |
83 | | - '', |
84 | | - 'Scored by `app.verify`; posted by **TechEngineBot**. Informational only — the structural gate (`app.validate`) is separate and authoritative for merge.', |
85 | | - '', |
86 | | - report, |
87 | | - '', |
88 | | - '<sub>green = authoritative source + complete + consistent · ' |
89 | | - + 'yellow = plausible, needs confirmation · red = sparse/weak source or a hard contradiction. ' |
90 | | - + 'Promotion to `verified` runs in the scheduled `verify-network` workflow.</sub>', |
91 | | - ].join('\n'); |
92 | | - const { owner, repo } = context.repo; |
93 | | - const issue_number = context.payload.pull_request.number; |
94 | | - const comments = await github.paginate(github.rest.issues.listComments, { |
95 | | - owner, repo, issue_number, per_page: 100, |
| 40 | + await github.rest.repos.createDispatchEvent({ |
| 41 | + owner: 'GetTechAPI', |
| 42 | + repo: 'TechEngine', |
| 43 | + event_type: 'techapi-verify', |
| 44 | + client_payload: { |
| 45 | + pr_number: String(context.payload.pull_request.number), |
| 46 | + head_sha: context.payload.pull_request.head.sha, |
| 47 | + mode: 'tier0', |
| 48 | + requested_by: context.payload.pull_request.user.login, |
| 49 | + }, |
96 | 50 | }); |
97 | | - const existing = comments.find((c) => c.body && c.body.includes(marker)); |
98 | | - if (existing) { |
99 | | - await github.rest.issues.updateComment({ owner, repo, comment_id: existing.id, body }); |
100 | | - } else { |
101 | | - await github.rest.issues.createComment({ owner, repo, issue_number, body }); |
102 | | - } |
| 51 | + core.info(`relayed tier0 verify report for PR #${context.payload.pull_request.number}`); |
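Review bot: The `client_payload` built in the relay step (new-side lines 44–49) carries only `pr_number`, `head_sha`, `mode` and `requested_by`, so the TechEngine workflow that holds the bot token cannot confirm the same-repo restriction itself and depends entirely on the `if:` at new-side line 27 here. A `repository_dispatch` event can be created by any credential allowed to dispatch to TechEngine, so the receiver should presumably treat the payload as untrusted: re-fetch the PR by `pr_number`, check that its head repository is the base repository and that its current head SHA equals `head_sha`, and use `requested_by` for display only. The receiver is not visible on this page, so it may already do this; the header comment could record the contract, e.g. `# TechEngine re-validates pr_number/head_sha against the PR before checking out or running anything.` Separately, `ENGINE_TOKEN` is now a credential that can trigger workflows in another repository, and it is handed to `actions/github-script@v7` by mutable tag; pinning that action to a full commit SHA would narrow the exposure.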