@@ -2,12 +2,13 @@ name: verify-report
22
33# Run the Tier 0 offline data *verification* (existence/trust scoring) on a PR and
44# let TechEngineBot post the band analysis as a PR comment. The bot owns the
5- # analysis surface: this workflow only computes the report and hands it to the bot
6- # (the comment is authored via the bot's token). It never gates a merge.
5+ # analysis surface: this workflow only computes the report and hands it to the bot,
6+ # which authors the comment via its own PAT (TECHENGINEBOT_TOKEN). It never gates a
7+ # merge.
78#
8- # Dormant unless ENGINE_TOKEN (TechEngineBot's PAT) is configured. Restricted to
9- # same-repo branch PRs so fork PRs never see the token. The structural gate stays
10- # in validate-data.yml; this is purely informational.
9+ # Dormant unless a bot/automation token is configured. Restricted to same-repo
10+ # branch PRs so fork PRs never see the token. The structural gate stays in
11+ # validate-data.yml; this is purely informational.
1112on :
1213 pull_request :
1314 types : [opened, synchronize, reopened, ready_for_review]
@@ -30,24 +31,27 @@ jobs:
3031 if : github.event.pull_request.head.repo.full_name == github.repository
3132 env :
3233 PYTHONIOENCODING : utf-8
33- ENGINE_TOKEN : ${{ secrets.ENGINE_TOKEN }}
34+ # Prefer TechEngineBot's PAT so the analysis comment is authored by the bot
35+ # (TECHENGINEBOT_TOKEN, Issues/PR write on both repos). Fall back to
36+ # ENGINE_TOKEN only so the workflow still runs if the bot token is absent.
37+ BOT_TOKEN : ${{ secrets.TECHENGINEBOT_TOKEN || secrets.ENGINE_TOKEN }}
3438 steps :
35- - name : Dormant when ENGINE_TOKEN is unset
36- if : env.ENGINE_TOKEN == ''
37- run : echo "::warning::ENGINE_TOKEN not configured — TechEngineBot verify comment skipped."
39+ - name : Dormant when no bot token is configured
40+ if : env.BOT_TOKEN == ''
41+ run : echo "::warning::No TECHENGINEBOT_TOKEN/ENGINE_TOKEN — TechEngineBot verify comment skipped."
3842
3943 - uses : actions/checkout@v4
40- if : env.ENGINE_TOKEN != ''
44+ if : env.BOT_TOKEN != ''
4145 with :
4246 fetch-depth : 0
4347
4448 - uses : actions/setup-python@v5
45- if : env.ENGINE_TOKEN != ''
49+ if : env.BOT_TOKEN != ''
4650 with :
4751 python-version : " 3.12"
4852
4953 - name : Tier 0 verification (changed + full baseline)
50- if : env.ENGINE_TOKEN != ''
54+ if : env.BOT_TOKEN != ''
5155 id : verify
5256 run : |
5357 git fetch origin main --depth=1 || true
@@ -62,12 +66,12 @@ jobs:
6266 } >> "$GITHUB_OUTPUT"
6367
6468 - name : TechEngineBot posts the verification analysis
65- if : env.ENGINE_TOKEN != ''
69+ if : env.BOT_TOKEN != ''
6670 uses : actions/github-script@v7
6771 env :
6872 REPORT : ${{ steps.verify.outputs.report }}
6973 with :
70- github-token : ${{ secrets.ENGINE_TOKEN }}
74+ github-token : ${{ secrets.TECHENGINEBOT_TOKEN || secrets. ENGINE_TOKEN }}
7175 script : |
7276 const marker = '<!-- techengine-verify-report -->';
7377 const report = (process.env.REPORT || '').trim() || '(no output)';
0 commit comments