From cc56ce093544aca8be763037daed0ee4e30af145 Mon Sep 17 00:00:00 2001 From: repo-pipeline Date: Wed, 20 May 2026 20:38:38 -0700 Subject: [PATCH] Keep audit-only Agent Law provisioner runs green Constraint: Scheduled Agent Law provisioner runs without AGENT_LAW_ADMIN_TOKEN intentionally run audit-only with the repo-scoped token.\nRejected: Treat expected missing admin scope as a hard failure in audit-only mode | it creates noisy default-branch failures while no write was attempted.\nConfidence: high\nScope-risk: narrow\nDirective: Continue treating admin-scope failures as blocking when --apply is used; audit-only should report skipped scope, not fail.\nTested: python3 -m py_compile scripts/provision-agent-law.py; git diff --check; python3 scripts/provision-agent-law.py --owner KyaniteLabs --ensure-org-ruleset --ensure-repo-rulesets --repair-files exited 0\nNot-tested: Scheduled GitHub Actions run after merge.
---
 scripts/provision-agent-law.py | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/scripts/provision-agent-law.py b/scripts/provision-agent-law.py
index 3b85de1..85086c7 100644
--- a/scripts/provision-agent-law.py
+++ b/scripts/provision-agent-law.py
@@ -163,6 +163,8 @@ def ensure_org_ruleset(owner: str, *, apply: bool) -> str:
 return "skipped:not-org"
 listed = gh_api(f"/orgs/{owner}/rulesets", check=False)
 if listed.returncode != 0:
+ if not apply:
+ return "skipped:admin-org-scope-required"
 return "blocked:admin-org-scope-required"
 for item in json.loads(listed.stdout or "[]"):
 if item.get("name") == RULESET_NAME:
@@ -176,6 +178,8 @@ def ensure_org_ruleset(owner: str, *, apply: bool) -> str:
 def ensure_repo_ruleset(repo: Repo, *, apply: bool) -> str:
 listed = gh_api(f"/repos/{repo.name_with_owner}/rulesets", check=False)
 if listed.returncode != 0:
+ if not apply:
+ return "skipped:repo-admin-required"
 return "blocked:repo-admin-required"
 for item in json.loads(listed.stdout or "[]"):
 if item.get("name") == RULESET_NAME:
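Review bot: In `ensure_org_ruleset`, the new `if not apply:` branch returns `skipped:admin-org-scope-required` for every non-zero `gh_api` result, so a rate limit, an expired token or a network error during the scheduled audit is reported exactly like the expected missing admin scope, and the run stays green without having read any ruleset. The same applies to the `skipped:repo-admin-required` branch added in `ensure_repo_ruleset`. Because the audit-only run is presumably what would notice a ruleset being removed or weakened, I would downgrade to `skipped:` only when the failure is recognisably an authorization response and keep `blocked:` otherwise, for example `if not apply and is_scope_error(listed):` with a small new helper that inspects the captured error output (how `gh_api` exposes it is not visible in these hunks). At minimum, add a comment on both branches such as `# audit-only: rulesets could not be read, so this result means "not verified", not "compliant"`. Both function bodies continue outside the hunks.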