From 32ebf5f375e515440bb416927bdb9d2eb6d23bbd Mon Sep 17 00:00:00 2001
From: Seungpyo Hong
Date: Mon, 22 Jun 2026 16:56:55 +0900
Subject: [PATCH] ci(verify-report): relay to TechEngine so the report is bot-authored

verify-report ran inside TechAPI, which lacks the bot token, so its comment was authored by the human ENGINE_TOKEN owner. Relay to TechEngine (mode=tier0); the engine posts the Tier 0 report as TechEngineBot.

Refs #1
---
 .github/workflows/verify-report.yml | 99 +++++++----------------------
 1 file changed, 24 insertions(+), 75 deletions(-)

diff --git a/.github/workflows/verify-report.yml b/.github/workflows/verify-report.yml
index f6bd13443ef..a6907fe4115 100644
--- a/.github/workflows/verify-report.yml
+++ b/.github/workflows/verify-report.yml
@@ -1,14 +1,10 @@
 name: verify-report -# Run the Tier 0 offline data *verification* (existence/trust scoring) on a PR and -# let TechEngineBot post the band analysis as a PR comment. The bot owns the -# analysis surface: this workflow only computes the report and hands it to the bot, -# which authors the comment via its own PAT (TECHENGINEBOT_TOKEN). It never gates a -# merge. -# -# Dormant unless a bot/automation token is configured. Restricted to same-repo -# branch PRs so fork PRs never see the token. The structural gate stays in -# validate-data.yml; this is purely informational. +# On every data/verifier PR, post the Tier 0 verification band report as +# TechEngineBot. The bot's token lives in TechEngine, so we RELAY there (a comment +# posted from TechAPI would be authored by the human relay PAT, not the bot). +# TechEngine's techapi-verify-comment.yml runs app.verify (mode=tier0) and posts +# the report. Informational; never gates a merge. Same-repo PRs only. on: pull_request: types: [opened, synchronize, reopened, ready_for_review] 
@@ -19,84 +15,37 @@ on: permissions: contents: read - pull-requests: write concurrency: group: verify-report-${{ github.event.pull_request.number }} cancel-in-progress: true jobs: - verify-report: + relay: runs-on: ubuntu-latest if: github.event.pull_request.head.repo.full_name == github.repository env: - PYTHONIOENCODING: utf-8 - # Prefer TechEngineBot's PAT so the analysis comment is authored by the bot - # (TECHENGINEBOT_TOKEN, Issues/PR write on both repos). Fall back to - # ENGINE_TOKEN only so the workflow still runs if the bot token is absent. - BOT_TOKEN: ${{ secrets.TECHENGINEBOT_TOKEN || secrets.ENGINE_TOKEN }} + ENGINE_TOKEN: ${{ secrets.ENGINE_TOKEN }} steps: - - name: Dormant when no bot token is configured - if: env.BOT_TOKEN == '' - run: echo "::warning::No TECHENGINEBOT_TOKEN/ENGINE_TOKEN โ€” TechEngineBot verify comment skipped." + - name: Dormant when ENGINE_TOKEN is unset + if: env.ENGINE_TOKEN == '' + run: echo "::warning::ENGINE_TOKEN not configured; cannot relay the verify report to TechEngine." 
- - uses: actions/checkout@v4 - if: env.BOT_TOKEN != '' - with: - fetch-depth: 0 - - - uses: actions/setup-python@v5 - if: env.BOT_TOKEN != '' - with: - python-version: "3.12" - - - name: Tier 0 verification (changed + full baseline) - if: env.BOT_TOKEN != '' - id: verify - run: | - git fetch origin main --depth=1 || true - { - echo 'report<> "$GITHUB_OUTPUT" - - - name: TechEngineBot posts the verification analysis - if: env.BOT_TOKEN != '' + - name: Relay Tier 0 verify report to TechEngine + if: env.ENGINE_TOKEN != '' uses: actions/github-script@v7 - env: - REPORT: ${{ steps.verify.outputs.report }} with: - github-token: ${{ secrets.TECHENGINEBOT_TOKEN || secrets.ENGINE_TOKEN }} + github-token: ${{ secrets.ENGINE_TOKEN }} script: | - const marker = ''; - const report = (process.env.REPORT || '').trim() || '(no output)'; - const body = [ - marker, - '## ๐Ÿ”Ž Data verification โ€” Tier 0 (offline existence/trust)', - '', - 'Scored by `app.verify`; posted by **TechEngineBot**. Informational only โ€” the structural gate (`app.validate`) is separate and authoritative for merge.', - '', - report, - '', - 'green = authoritative source + complete + consistent ยท ' - + 'yellow = plausible, needs confirmation ยท red = sparse/weak source or a hard contradiction. 
' - + 'Promotion to `verified` runs in the scheduled `verify-network` workflow.', - ].join('\n'); - const { owner, repo } = context.repo; - const issue_number = context.payload.pull_request.number; - const comments = await github.paginate(github.rest.issues.listComments, { - owner, repo, issue_number, per_page: 100, + await github.rest.repos.createDispatchEvent({ + owner: 'GetTechAPI', + repo: 'TechEngine', + event_type: 'techapi-verify', + client_payload: { + pr_number: String(context.payload.pull_request.number), + head_sha: context.payload.pull_request.head.sha, + mode: 'tier0', + requested_by: context.payload.pull_request.user.login, + }, }); - const existing = comments.find((c) => c.body && c.body.includes(marker)); - if (existing) { - await github.rest.issues.updateComment({ owner, repo, comment_id: existing.id, body }); - } else { - await github.rest.issues.createComment({ owner, repo, issue_number, body }); - } + core.info(`relayed tier0 verify report for PR #${context.payload.pull_request.number}`);
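Review bot: The inline script this hunk removes upserted a single marker comment per PR (the `comments.find(... includes(marker))` / `updateComment` branch), and the new relay gives no equivalent guarantee: `cancel-in-progress: true` only cancels this relay job, not an engine run that was already dispatched, so two pushes in quick succession can yield two Tier 0 reports or a stale one posted last. Since the payload already carries `head_sha`, the receiving workflow should discard dispatches whose `head_sha` no longer matches the PR head and upsert by marker; I would record that contract next to the dispatch, e.g. `// TechEngine must upsert the marker comment and ignore dispatches whose head_sha != current PR head; cancel-in-progress cannot recall a dispatch already sent.`. Whether `techapi-verify-comment.yml` already does this is not visible from this hunk. The `client_payload` strings (`requested_by`, `pr_number`) also cross a trust boundary into TechEngine, so the receiver should read them via `env:` rather than interpolating them into `run:` scripts; that too is inferred, as the receiver is outside this patch.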