Skip to content

Commit 222ae80

Browse files
committed
ci(verify): author the verify analysis comment as TechEngineBot
Use TECHENGINEBOT_TOKEN (the bot's PAT) for the github-script step so the Tier 0 analysis comment is authored by TechEngineBot, falling back to ENGINE_TOKEN only to keep the workflow running if the bot token is absent. Refs #1
1 parent 73e82ce commit 222ae80

1 file changed

Lines changed: 18 additions & 14 deletions

File tree

.github/workflows/verify-report.yml

Lines changed: 18 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -2,12 +2,13 @@ name: verify-report
22

33
# Run the Tier 0 offline data *verification* (existence/trust scoring) on a PR and
44
# let TechEngineBot post the band analysis as a PR comment. The bot owns the
5-
# analysis surface: this workflow only computes the report and hands it to the bot
6-
# (the comment is authored via the bot's token). It never gates a merge.
5+
# analysis surface: this workflow only computes the report and hands it to the bot,
6+
# which authors the comment via its own PAT (TECHENGINEBOT_TOKEN). It never gates a
7+
# merge.
78
#
8-
# Dormant unless ENGINE_TOKEN (TechEngineBot's PAT) is configured. Restricted to
9-
# same-repo branch PRs so fork PRs never see the token. The structural gate stays
10-
# in validate-data.yml; this is purely informational.
9+
# Dormant unless a bot/automation token is configured. Restricted to same-repo
10+
# branch PRs so fork PRs never see the token. The structural gate stays in
11+
# validate-data.yml; this is purely informational.
1112
on:
1213
pull_request:
1314
types: [opened, synchronize, reopened, ready_for_review]
@@ -30,24 +31,27 @@ jobs:
3031
if: github.event.pull_request.head.repo.full_name == github.repository
3132
env:
3233
PYTHONIOENCODING: utf-8
33-
ENGINE_TOKEN: ${{ secrets.ENGINE_TOKEN }}
34+
# Prefer TechEngineBot's PAT so the analysis comment is authored by the bot
35+
# (TECHENGINEBOT_TOKEN, Issues/PR write on both repos). Fall back to
36+
# ENGINE_TOKEN only so the workflow still runs if the bot token is absent.
37+
BOT_TOKEN: ${{ secrets.TECHENGINEBOT_TOKEN || secrets.ENGINE_TOKEN }}
3438
steps:
35-
- name: Dormant when ENGINE_TOKEN is unset
36-
if: env.ENGINE_TOKEN == ''
37-
run: echo "::warning::ENGINE_TOKEN not configured — TechEngineBot verify comment skipped."
39+
- name: Dormant when no bot token is configured
40+
if: env.BOT_TOKEN == ''
41+
run: echo "::warning::No TECHENGINEBOT_TOKEN/ENGINE_TOKEN — TechEngineBot verify comment skipped."
3842

3943
- uses: actions/checkout@v4
40-
if: env.ENGINE_TOKEN != ''
44+
if: env.BOT_TOKEN != ''
4145
with:
4246
fetch-depth: 0
4347

4448
- uses: actions/setup-python@v5
45-
if: env.ENGINE_TOKEN != ''
49+
if: env.BOT_TOKEN != ''
4650
with:
4751
python-version: "3.12"
4852

4953
- name: Tier 0 verification (changed + full baseline)
50-
if: env.ENGINE_TOKEN != ''
54+
if: env.BOT_TOKEN != ''
5155
id: verify
5256
run: |
5357
git fetch origin main --depth=1 || true
@@ -62,12 +66,12 @@ jobs:
6266
} >> "$GITHUB_OUTPUT"
6367
6468
- name: TechEngineBot posts the verification analysis
65-
if: env.ENGINE_TOKEN != ''
69+
if: env.BOT_TOKEN != ''
6670
uses: actions/github-script@v7
6771
env:
6872
REPORT: ${{ steps.verify.outputs.report }}
6973
with:
70-
github-token: ${{ secrets.ENGINE_TOKEN }}
74+
github-token: ${{ secrets.TECHENGINEBOT_TOKEN || secrets.ENGINE_TOKEN }}
7175
script: |
7276
const marker = '<!-- techengine-verify-report -->';
7377
const report = (process.env.REPORT || '').trim() || '(no output)';

0 commit comments

Comments
 (0)