From 045f54a044690af458e22727e0738f126ec5d825 Mon Sep 17 00:00:00 2001
From: damaz91
Date: Tue, 30 Jun 2026 09:29:09 +0000
Subject: [PATCH 1/3] chore: update governance to use workflow_run for review events

This avoids missing secret issues when running governance checks on PRs from forks.
TAG=agy CONV=22877122-68cc-4a76-b2c9-bebcca93f853
---
 .github/workflows/governance.yml | 5 +++--
 .github/workflows/pr-review-listener.yml | 12 ++++++++++++
 2 files changed, 15 insertions(+), 2 deletions(-)
 create mode 100644 .github/workflows/pr-review-listener.yml
diff --git a/.github/workflows/governance.yml b/.github/workflows/governance.yml
index 698fc99..8d41b89 100644
--- a/.github/workflows/governance.yml
+++ b/.github/workflows/governance.yml
@@ -13,8 +13,9 @@ on:
 assigned,
 unassigned
 ]
- pull_request_review:
- types: [submitted, dismissed]
+ workflow_run:
+ workflows: ["PR Review Listener"]
+ types: [completed]

 jobs:
 governance:
diff --git a/.github/workflows/pr-review-listener.yml b/.github/workflows/pr-review-listener.yml
new file mode 100644
index 0000000..641e7a9
--- /dev/null
+++ b/.github/workflows/pr-review-listener.yml
@@ -0,0 +1,12 @@
+name: PR Review Listener
+on:
+ pull_request_review:
+ types: [submitted, dismissed]
+
+jobs:
+ signal:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Signal success
+ run: |
+ echo "PR ${{ github.event.pull_request.number }} review state changed."
From a0fb7a8fa18ccc3a0ee555ace0705e4fd9ab1b7d Mon Sep 17 00:00:00 2001
From: damaz91
Date: Thu, 2 Jul 2026 10:42:00 +0000
Subject: [PATCH 2/3] chore: pass pr-number and commit-sha to reusable governance workflow
---
 .github/workflows/governance.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/governance.yml b/.github/workflows/governance.yml
index 8d41b89..47e0140 100644
--- a/.github/workflows/governance.yml
+++ b/.github/workflows/governance.yml
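Review bot: In patch 1/3, the new `workflow_run` trigger in governance.yml fires on every completed run of "PR Review Listener", whatever its conclusion and whatever event started it, and the governance job then runs in the base repository's context with `ORG_READ_TOKEN` available. For a fork PR the listener run and the `github.event.workflow_run.*` fields it produces can be shaped by the contributor's branch, so they should be handled as untrusted input. I would gate the job on the run's provenance with a condition such as `github.event.workflow_run.event == 'pull_request_review'`, and put a comment above the trigger stating that nothing from the triggering run may be checked out or executed here. The `governance` job body continues outside the hunk.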
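Review bot: The new pr-review-listener.yml declares no `permissions:` block, so the `signal` job inherits the repository's default `GITHUB_TOKEN` scopes although it only echoes one line. A top-level `permissions: {}` makes the least-privilege intent explicit. The `run:` step also interpolates `${{ github.event.pull_request.number }}` directly into the shell script; the value is an integer so it is harmless here, but passing it through `env:` keeps the pattern safe if the message is later extended with a title or branch name.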
@@ -20,8 +20,6 @@ on:
 jobs:
 governance:
 name: Reviews
- # skip for draft PRs
- if: github.event.pull_request.draft == false
 permissions:
 statuses: write
 contents: read
@@ -29,6 +27,9 @@ jobs:
 # Use the reusable workflow defined in the central governance repository
 # zizmor: ignore[ref-confusion]
 uses: Universal-Commerce-Protocol/.github/.github/workflows/reusable-governance.yml@main
+ with:
+ pr-number: ${{ github.event.pull_request.number || github.event.workflow_run.pull_requests[0].number }}
+ commit-sha: ${{ github.event.pull_request.head.sha || github.event.workflow_run.head_sha }}
 secrets:
 # Required: An org-level Read token to read team memberships
 ORG_READ_TOKEN: ${{ secrets.ORG_READ_TOKEN }}
From cdb944bda6816b314dc82d317d9697461658149e Mon Sep 17 00:00:00 2001
From: damaz91
Date: Thu, 2 Jul 2026 12:05:00 +0000
Subject: [PATCH 3/3] chore: update governance workflow to let central repo resolve PR number from SHA
---
 .github/workflows/governance.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/governance.yml b/.github/workflows/governance.yml
index 47e0140..9aedeb8 100644
--- a/.github/workflows/governance.yml
+++ b/.github/workflows/governance.yml
@@ -28,7 +28,7 @@ jobs:
 # zizmor: ignore[ref-confusion]
 uses: Universal-Commerce-Protocol/.github/.github/workflows/reusable-governance.yml@main
 with:
- pr-number: ${{ github.event.pull_request.number || github.event.workflow_run.pull_requests[0].number }}
+ pr-number: ${{ github.event.pull_request.number }}
 commit-sha: ${{ github.event.pull_request.head.sha || github.event.workflow_run.head_sha }}
 secrets:
 # Required: An org-level Read token to read team memberships
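Review bot: Removing the `if: github.event.pull_request.draft == false` guard in the first hunk of patch 2/3 lets the job run on `workflow_run` events, where `github.event.pull_request` is absent, but it also turns governance runs back on for draft PRs under the direct pull-request triggers. If skipping drafts is still wanted, keep the guard and widen it instead: `if: github.event_name == 'workflow_run' || github.event.pull_request.draft == false`. The commit message does not mention the draft behaviour, so a one-line comment stating the intent would help either way. The `governance` job continues past the end of the hunk.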
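Review bot: The `commit-sha` fallback `github.event.workflow_run.head_sha` added in the second hunk of patch 2/3 is the head commit of the triggering run, which for a fork PR is a commit chosen by the contributor, and it is handed to a reusable workflow that also receives `ORG_READ_TOKEN`. reusable-governance.yml is not visible here, so it is worth confirming that it uses the SHA only as an identifier for API lookups and status writes and never checks it out or runs anything from it. A comment above `with:` such as `# workflow_run inputs come from the triggering run (possibly a fork): identifiers only, never a checkout ref` would record that contract.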
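Review bot: After patch 3/3, `pr-number` evaluates to an empty value on `workflow_run` events, so the central workflow has to derive the pull request from `commit-sha` alone. One commit can be the head of more than one pull request, so the lookup in reusable-governance.yml (not shown) should presumably be limited to open PRs whose base is this repository and should fail closed when it finds zero or several matches; otherwise the status written to that SHA may reflect a different PR's reviews than intended. A comment on the input, for example `# empty on workflow_run; resolved from commit-sha by the reusable workflow`, would make the empty case explicit to the next reader.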