Harden CI against scheduled-workflow inactivity disable#685
Open
rly wants to merge 2 commits into
Open
Conversation
Two related changes: 1. Decouple the linkcheck schedule from PR gating. GitHub auto-disables workflows that have a `schedule:` trigger after 60 days of repo inactivity, and once disabled the workflow ignores all triggers including `pull_request:`. That is how PR gating silently disappeared for ~5 months prior to PR #683. - `check_sphinx_links.yml` now triggers on `pull_request:` and `workflow_call:`. Without `schedule:` it is not subject to inactivity disable. - `check_sphinx_links_scheduled.yml` is a thin caller that fires the daily cron and reuses the PR workflow via `uses:`. If this file is ever auto-disabled, PR gating is unaffected. 2. Add `audit_disabled_workflows.yml`. Runs on push to `dev`, on `pull_request_target` (so it works for fork PRs with a writable token), and on manual dispatch. Lists workflows in `disabled_inactivity` state via the API and opens an issue, deduped by title against existing open issues. The audit itself has no `schedule:` trigger, so it cannot be auto-disabled. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #684.
Summary
check_sphinx_links.ymlnow triggers onpull_request:+workflow_call:(noschedule:, so it cannot be auto-disabled). The daily cron lives in a new thin callercheck_sphinx_links_scheduled.ymlthat reuses the PR workflow viauses:(no duplicated steps). If the scheduled file is ever auto-disabled, PR gating is unaffected.audit_disabled_workflows.yml. Runs on push todev, onpull_request_target(chosen overpull_requestso the audit also works on fork PRs, wherepull_requestwould have a read-only token), and onworkflow_dispatch. Calls the workflows API, filters forstate == 'disabled_inactivity', and opens a deduped issue. The audit has noschedule:trigger, so it cannot be auto-disabled itself.pull_request_targetis normally a security footgun when a workflow checks out and executes PR code; this audit does neither (only API calls), so the elevated token is safe here.Test plan
Audit disabled workflowsjob runs and is green; linkcheck PR job runs and is green).dev; confirm the audit creates an issue with the expected title and skips on a subsequent push (dedup works).🤖 Generated with Claude Code