ci: fix release workflow + add kc-check-imports gate #13
Merged
Release workflow fixes:
- permissions: contents: read -> write (gh release upload requires write).
- Tarball move logic: guarded mv when src and dst names already match. pnpm pack already produces "<name>-<version>.tgz", which equals the desired "kissclaw-<version>.tgz" when package.json name is "kissclaw". The unguarded mv would silently fail or no-op depending on coreutils.
- Resolved release tag once via outputs, used consistently for checkout ref, integrity check, and upload.
- Added workflow-dispatch artifact upload for dry-run testing.

kc-check-imports CI gate (NEW):
- Triggers on PRs targeting ga/** and lts/** branches.
- Fetches MachineWisdomAI/kissclaw-tools (the repo for kc-check-imports).
- Runs both --candidates (per-cherry-pick) and --final-tree (accumulated) modes against the v2026.4.20 baseline.
- Uploads JSON reports as workflow artifacts.
- Final-tree always runs even if per-candidate fails so reviewers see both views.

This wires kc-check-imports as the authoritative CI gate per plan v4 Phase 3.5. Pre-commit hook can be bypassed; CI cannot.
timeleft-- added a commit that referenced this pull request May 2, 2026
(cherry picked from commit 47624bb)
Summary
Two CI changes:
- `permissions: contents: write` (was `read`), guarded tarball-rename mv (was unconditional self-mv), resolved release tag once via outputs.
- `ga/**` and `lts/**`. Fetches MachineWisdomAI/kissclaw-tools, runs both per-candidate and final-tree validation against the v2026.4.20 baseline, uploads JSON reports.

Why

Release runs 25261002727 failed in two places:

- `pnpm build` → fixed in PR fix(agents): extend onAgentEvent callback type with sessionKey #12 (sessionKey type)
- `gh release upload` would fail with 403 because `permissions: contents: read` lacks the write capability needed for release-asset uploads. (This was masked because the build failed first.)

The `mv *.tgz "kissclaw-${version}.tgz"` line was also broken: when `package.json` `name` is already `kissclaw`, pnpm pack writes `kissclaw-1.0.1-rc.1.tgz` directly, and the unguarded mv becomes a same-file move.

For kc-check-imports — per architect audit `01KQN6BG2GV02V387EWSP924E2`, the tool was never wired into CI. Pre-commit hook is bypassable; CI is the authoritative gate. This wires it for PRs targeting release lines.

Test plan

- `main` yet)
- `MachineWisdomAI/kissclaw-tools` (private repo) using `secrets.GITHUB_TOKEN` or a configured `KISSCLAW_TOOLS_TOKEN` PAT
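
The guarded tarball rename described in this PR, sketched as an added example; it is not the project's workflow code, and the function name `normalize_tarball`, its return codes and the empty stand-in file are assumptions. It goes one step beyond the same-name guard by also refusing to continue when zero or several tarballs are present, so a release job never uploads an ambiguous artifact.

```shell
#!/bin/sh
# Added example, not the project's release workflow.
# normalize_tarball DIR WANT  (hypothetical helper)
#   Ensures DIR holds exactly one *.tgz and that it is named WANT.
#   Returns 0 on success, 2 if no tarball exists, 3 if more than one exists.
normalize_tarball() {
  nt_dir=$1
  nt_want=$2
  # Expand the glob into the positional parameters.
  set -- "$nt_dir"/*.tgz
  # An unmatched glob stays literal, so check that the first entry exists.
  if [ ! -e "$1" ]; then
    echo "no tarball in $nt_dir" >&2
    return 2
  fi
  if [ "$#" -gt 1 ]; then
    echo "expected one tarball in $nt_dir, found $#" >&2
    return 3
  fi
  # Guard: the packer may already have written the desired name, in which
  # case a rename would be a same-file move. Skip it.
  if [ "$(basename "$1")" = "$nt_want" ]; then
    return 0
  fi
  mv -- "$1" "$nt_dir/$nt_want"
}

# Constructed demo: an empty file stands in for the output of `pnpm pack`.
demo=$(mktemp -d)
: > "$demo/kissclaw-1.0.1-rc.1.tgz"
normalize_tarball "$demo" "kissclaw-1.0.1-rc.1.tgz" && echo "kept: $(ls "$demo")"
rm -rf "$demo"
```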