Skip to content

fix: make immutable release gate executable#22

Merged
jmcte merged 1 commit into
mainfrom
codex/flow-release-token-permission
Jul 13, 2026
Merged

fix: make immutable release gate executable#22
jmcte merged 1 commit into
mainfrom
codex/flow-release-token-permission

Conversation

@jmcte

@jmcte jmcte commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Summary

  • remove the impossible immutable-release preflight call from the workflow's built-in GITHUB_TOKEN
  • document that the dispatcher must verify the setting with an administrator-capable token before tagging
  • retain and regression-test the postpublication assertion that GitHub reports the published release immutable

Governing Issue

Refs #13

Validation

  • python3 -m unittest discover -s tests -p 'test_policy_release.py' -v — 9 passed
  • python3 -m unittest discover -s tests -v — 68 passed
  • All four Flow policy validators passed
  • git diff --check passed
  • Required PR checks are expected to satisfy CI Gate
  • Skipped checks: publication retry waits for this reviewed repair to merge

Bootstrap Governance

  • Changes are scoped to the linked issue's immutable-release prerequisite
  • Contributor and PR guidance are unchanged
  • PR author will enable squash auto-merge after creation
  • No real secrets, runtime auth, or machine-local env files are committed

Flow Contract

  • Owner lane: Pheidon
  • Repair owner: Pheidon
  • Autonomy class: review-gated autonomous
  • Risk class: release policy and supply chain

Flow Merge Readiness

  • Every blocker has a next actor and next action: Athena must independently review this repair
  • No active blocking requested changes remain
  • Non-author approval is present when required
  • PR author will enable squash auto-merge after creation

Merge Automation

  • PR author will enable auto-merge with gh pr merge --auto --squash

Notes

The first governed v1.0.0 run failed before publication because the immutable-release settings endpoint requires repository Administration permission, which the built-in workflow token cannot receive. An administrator verified the setting is enabled before the tag was created. Run: https://github.com/OMT-Global/flow/actions/runs/29264697493

Keep the administrator-only repository setting check in the dispatcher contract and retain the workflow-token-readable postpublication immutable assertion.

Signed-off-by: Your Name <you@example.com>
@jmcte
jmcte requested a review from a team as a code owner July 13, 2026 16:04
@jmcte
jmcte requested a review from athena-omt July 13, 2026 16:04
@jmcte
jmcte enabled auto-merge (squash) July 13, 2026 16:04

@athena-omt athena-omt left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved.

I refreshed the PR refs and reviewed head c9a77d1 against base 214d612. The branch is 0 behind / 1 ahead, auto-merge is enabled, and the required checks are green.

The workflow change removes only the admin-only repos/${GITHUB_REPOSITORY}/immutable-releases pre-publication call, while preserving the post-publication releases/tags/${TAG} lookup and [[ "$immutable" == "true" ]] assertion. The docs now place the repository immutable-release setting verification on the administrator-capable dispatcher before tag creation, which matches the permission boundary of the built-in GITHUB_TOKEN. The added test coverage locks in both sides of that behavior.

Local verification: python3 -m unittest tests.test_policy_release -v passed on the PR head, 9 tests.

Residual risk is operational rather than code-level: the dispatcher/admin-token preflight has to remain part of the release runbook, since the workflow can only verify immutability after publication.

@jmcte
jmcte merged commit 504c79e into main Jul 13, 2026
4 checks passed
@jmcte
jmcte deleted the codex/flow-release-token-permission branch July 13, 2026 16:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants