From dec5127fa9c237ef0c5e17a273cb3114c1f418a0 Mon Sep 17 00:00:00 2001
From: Robert DeLanghe <1240090+bdelanghe@users.noreply.github.com>
Date: Mon, 29 Jun 2026 13:14:00 -0400
Subject: [PATCH] chore: remove fleet-status workflow (moved to bounded-systems/fleet)

The board can't self-commit to .github main (ruleset: PR-only + signed), so it now lives in its own repo bounded-systems/fleet. Remove the orphaned workflow here.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .github/workflows/fleet-status.yml | 56 ------------------------------
 1 file changed, 56 deletions(-)
 delete mode 100644 .github/workflows/fleet-status.yml
diff --git a/.github/workflows/fleet-status.yml b/.github/workflows/fleet-status.yml
deleted file mode 100644
index 3fde889..0000000
--- a/.github/workflows/fleet-status.yml
+++ /dev/null
@@ -1,56 +0,0 @@
-# Fleet status board — synoptic Layer 2 (monitoring).
-#
-# Runs synoptic's `status` mode against the bounded-systems org and commits a
-# freshness-stamped STATUS.md + status.json. The tool stays bdelanghe/synoptic-
-# github; only this deployment lives in the org. See that repo's examples/.
-#
-# AUTH = the OIDC token-broker (prx-26bq), same as front-desk-add.yml: OIDC ->
-# least-privilege App installation token. NO PAT, NO personal token, NO PEM.
-# The board reads (metadata/actions/PRs) + the push-back both use this one token.
-#
-# Actions are SHA-pinned (org policy sha_pinning_required=true). The synoptic
-# action is allow-listed in this repo's selected-actions (it's bdelanghe's own
-# tool); broker-gh-token is same-org; checkout is github-owned.
-#
-# Schedule stays COMMENTED until a manual dispatch confirms green, so a half-wired
-# board can't spam red scheduled runs.
-name: fleet-status
-on:
- # schedule:
- # - cron: '0 */6 * * *' # enable after the first successful dispatch
- workflow_dispatch: {}
-permissions:
- id-token: write # OIDC -> cf-token-broker, to mint the App token
- contents: read # checkout; the board push uses the minted token below
-jobs:
- status:
- runs-on: ubuntu-latest
- steps:
- # persist-credentials:false so checkout does NOT install the default
- # GITHUB_TOKEN as a git auth header — otherwise it overrides the app-token
- # URL the synoptic container sets, and the board push runs as the read-only
- # github-actions[bot] (403). With it off, the push uses the minted app token.
- - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- with:
- persist-credentials: false
-
- - name: Mint a fleet token via the OIDC broker
- id: app-token
- if: ${{ vars.FRONT_DESK_BROKER_URL != '' }}
- uses: bounded-systems/.github/.github/actions/broker-gh-token@4a77867f40419ea5b38f3a3be7c481fa7e0eab84 # broker-gh-token (prx-26bq)
- with:
- # prx-forge bucket (the write bucket: contents/issues/PRs/checks + metadata,
- # per docs/prx/github-apps-architecture.md) — reused, not a new app. The board
- # reads CI via the Checks API (checks:read), so this bucket covers it without
- # actions:read. Requires the broker's GH_APPS to carry a "forge" entry.
- app: forge
- broker-url: ${{ vars.FRONT_DESK_BROKER_URL }}
-
- - name: Fleet status board
- if: ${{ steps.app-token.outputs.token != '' }}
- uses: bdelanghe/synoptic-github@4128373fbf7ee807ad9f080d210770072b7de3b6 # v2.2.8 (CI via Checks API)
- with:
- GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
- mode: status
- gh-user: bounded-systems
- status-out: STATUS.md