Skip to content

Forward native runner credentials and publication policy#121

Merged
chubes4 merged 1 commit into
mainfrom
fix/native-run-credentials-publication
Jul 13, 2026
Merged

Forward native runner credentials and publication policy#121
chubes4 merged 1 commit into
mainfrom
fix/native-run-credentials-publication

Conversation

@chubes4

@chubes4 chubes4 commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Declare and forward optional OPENAI_API_KEY to WP Codebox; fail closed before a live OpenAI run when it is absent, while allowing explicit run_agent: false and dry_run: true paths.
  • Replace the consumer ACCESS_TOKEN secret with the caller-scoped ${{ github.token }} for same-repository target checkout and publication. The reusable job declares contents: write, pull-requests: write, and issues: write.
  • Require publication for technical and user bootstrap lanes, preserve no-change success for maintenance lanes, and expose the selected policy through success_requires_pr plus the bounded publication projection.
  • Keep EXTERNAL_PACKAGE_SOURCE_POLICY required and separate.
  • Add contract coverage for the credential forwarding, no-secret recipe serialization, and all lane publication policies.

Related

Secret setup

  • Set OPENAI_API_KEY in a consumer repository for live run_agent: true OpenAI runs. It is optional for explicit skipped and dry-run calls.
  • Set the required EXTERNAL_PACKAGE_SOURCE_POLICY repository secret to the documented v1 package allowlist.
  • Remove consumer ACCESS_TOKEN mappings. Same-repository publication uses the caller workflow GITHUB_TOKEN; callers grant contents: write, pull-requests: write, and issues: write.

Compatibility impact

  • Same-repository consumers no longer need an ACCESS_TOKEN secret and must map OPENAI_API_KEY for live OpenAI execution.
  • Bootstrap lanes now fail unless the runner publishes the configured pull request. Maintenance lanes retain no-change success.
  • Cross-repository publication is not supported by this contract because Docs Agent always targets the calling repository; no source evidence established a concrete override need.

How to test

  1. Run php tests/validate-docs-agent-bundle.php.
  2. Run php tests/validate-external-native-package-sources.php.
  3. Check out WP Codebox at 54c2f9a7bc3cd1fe20055d496c83efcfb99afb41 and run WP_CODEBOX_DIR=/path/to/wp-codebox php tests/validate-wp-codebox-run-agent-task-contract.php.
  4. Check out Agents API and run AGENTS_API_DIR=/path/to/agents-api php tests/native-agent-import.php.
  5. Run php tests/repair-docs-links-smoke.php, actionlint -config-file .github/actionlint.yaml .github/workflows/*.yml, and git diff --check.

AI assistance

  • AI assistance: Yes
  • Tool(s): OpenAI GPT-5.6 Sol via OpenCode general coding subagent
  • Used for: Implemented the reusable-workflow credential and publication-policy contract, updated documentation and contract tests, and ran deterministic validation.

@chubes4 chubes4 merged commit 5344a4b into main Jul 13, 2026
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Complete native cutover and remove the legacy Data Machine path

1 participant