fix(ci): make finishingbot/seambot/rhodibot workflows actually green #47

Merged: hyperpolymath merged 1 commit into main from fix/ci-bot-workflows-clone-and-exitcode on May 17, 2026
@hyperpolymath (Owner)

Problem

The three bot workflows were re-enabled against gitbot-fleet in #42, but they were still red on every run for two reasons that have nothing to do with the bots themselves (verified from run logs 25977596773/777/771):

  1. Step ordering. `Swatinem/rust-cache` ran before the gitbot-fleet clone, with `workspaces:` pointing at a path that did not exist yet. rust-cache errored (`The cwd: …/bots/<bot> does not exist!`), the cache never worked, and for seambot it left `$RUNNER_TEMP/gitbot-fleet` present so the subsequent `git clone` died with `destination path … already exists and is not an empty directory` (exit 128).

  2. Exit-code capture under `set -e`. `bin … > results.txt 2>&1; echo $? > exit-code.txt` runs under `bash -e`. A non-zero bot exit — which is the intended gating signal — aborts the step before the exit-code file is written. The non-continue-on-error "Display results" step then hard-fails on the missing file, so the job goes red even though the gate logic was supposed to handle it.

Fix (all three workflows)

  • Clone gitbot-fleet before the cache step; rm -rf the target dir first for idempotency.
  • Capture the exit code without aborting, then re-exit with it:
    rc=0
    "$BIN" > <bot>-results.txt 2>&1 || rc=$?
    echo "$rc" > <bot>-exit-code.txt
    exit "$rc"
    This preserves the step's failure outcome so the Fail on …findings/violations gate still fires on real issues, while the job is green only when the bot is genuinely clean.
  • Hardened the Display results cat against a missing file.

Verification

CLI invocations checked against gitbot-fleet @ pinned ref 2e0ea3ca (which is gitbot-fleet#150's commit, so rhodibot check exists):

| bot | invocation | clap definition @ ref |
|---|---|---|
| finishingbot | `finishing-bot --path <ws> audit` | global `--path` (default `.`) + `Audit` subcommand ✓ |
| seambot | `seambot check` | global `--path` (default `.`) + `Check` subcommand ✓ |
| rhodibot | `rhodibot check --owner … --repo …` | `Check { owner, repo, format }` (added in #150) ✓ |

All three YAML files validated with yaml.safe_load.

Closes #39
Closes #40
Closes #41
Refs #37 (parent — the three sub-issues complete it)

🤖 Generated with Claude Code

The bots were re-enabled against gitbot-fleet in #42, but the workflows
still fail on every run for two structural reasons unrelated to the bots:

1. Step order. `Swatinem/rust-cache` ran *before* the gitbot-fleet
   clone, with `workspaces:` pointing at a path that did not yet exist.
   rust-cache errored ("cwd ... does not exist") and, for seambot, left
   `$RUNNER_TEMP/gitbot-fleet` present so the subsequent `git clone`
   died with `destination path ... already exists` (exit 128).
   Fix: clone first, then cache; `rm -rf` the dir before cloning.

2. Exit-code capture. `bin ... > results.txt 2>&1; echo $? > code.txt`
   runs under `bash -e`; a non-zero bot exit (the *intended* gating
   signal) aborts the step before the exit-code file is written, so the
   non-continue-on-error "Display results" step then hard-fails on a
   missing file. Fix: `rc=0; bin ... || rc=$?; echo "$rc" > code.txt;
   exit "$rc"` — records the code, preserves the failure outcome so the
   "Fail on …findings/violations" gate still fires, and the job goes
   green only when the bot is genuinely clean. Display `cat` hardened.

Binary invocations verified against gitbot-fleet @ pinned ref
2e0ea3ca (incl. gitbot-fleet#150's `rhodibot check` CLI): finishing-bot
`--path <ws> audit`, `seambot check`, `rhodibot check --owner --repo`
all match the clap definitions at that ref.

Closes #39
Closes #40
Closes #41
Refs #37

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@hyperpolymath hyperpolymath merged commit 1e4fa2c into main May 17, 2026
12 of 20 checks passed
@hyperpolymath hyperpolymath deleted the fix/ci-bot-workflows-clone-and-exitcode branch May 17, 2026 05:17
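
The exit-code capture failure described in the PR description and commit message above, reproduced as an added example (not code from this repository's workflows). The two step bodies are quoted from the description; the `bot` script, `make_bot` and `run_step` are hypothetical stand-ins, and each step body is run under `bash -e` as the description states.

```shell
#!/usr/bin/env bash
# Added example. The bot script and helper functions are hypothetical stand-ins.

# Step body as originally written (quoted from the PR description).
BROKEN_STEP='"$BIN" > results.txt 2>&1; echo $? > exit-code.txt'

# Step body after the fix (quoted from the PR description).
FIXED_STEP='rc=0
"$BIN" > results.txt 2>&1 || rc=$?
echo "$rc" > exit-code.txt
exit "$rc"'

# make_bot DIR CODE: write a constructed bot that prints one finding and exits CODE.
make_bot() {
  printf '#!/bin/sh\necho "finding: constructed sample"\nexit %s\n' "$2" > "$1/bot"
  chmod +x "$1/bot"
}

# run_step STEP CODE: run STEP under `bash -e` in a scratch directory against a
# bot that exits CODE. Prints "<step exit status>:<recorded code, or MISSING>".
run_step() {
  dir=$(mktemp -d)
  make_bot "$dir" "$2"
  status=0
  (cd "$dir" && BIN=./bot bash -e -c "$1") || status=$?
  recorded=MISSING
  if [ -f "$dir/exit-code.txt" ]; then
    recorded=$(cat "$dir/exit-code.txt")
  fi
  rm -rf "$dir"
  echo "$status:$recorded"
}

# Original step, bot flags a violation: the step aborts before the file is written.
echo "original, bot exits 3: $(run_step "$BROKEN_STEP" 3)"   # 3:MISSING
# Fixed step: the code is recorded and the step still fails, so the gate fires.
echo "fixed,    bot exits 3: $(run_step "$FIXED_STEP" 3)"    # 3:3
# Fixed step, clean bot: code 0 recorded, step succeeds.
echo "fixed,    bot exits 0: $(run_step "$FIXED_STEP" 0)"    # 0:0
```

The `MISSING` result is the state in which a later step that reads `exit-code.txt` without `continue-on-error` fails on the absent file rather than on the bot's finding.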
@github-actions

🔍 Hypatia Security Scan

Findings: 17 issues detected

| Severity | Count |
|---|---|
| 🔴 Critical | 8 |
| 🟠 High | 3 |
| 🟡 Medium | 6 |

⚠️ Action Required: Critical security issues found!

View findings
[
  {
    "reason": "Issue in quality.yml",
    "type": "missing_workflow",
    "file": "quality.yml",
    "action": "create",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in security-policy.yml",
    "type": "missing_workflow",
    "file": "security-policy.yml",
    "action": "create",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
    "type": "unpinned_action",
    "file": "governance.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "TypeScript file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/ubicity/ubicity/benchmarks/mapper.bench.ts",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  },
  {
    "reason": "TypeScript file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/ubicity/ubicity/benchmarks/io.bench.ts",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  },
  {
    "reason": "TypeScript file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/ubicity/ubicity/benchmarks/validation.bench.ts",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  },
  {
    "reason": "TypeScript file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/ubicity/ubicity/tests/mapper.test.ts",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  },
  {
    "reason": "TypeScript file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/ubicity/ubicity/tests/core.test.ts",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  },
  {
    "reason": "TypeScript file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/ubicity/ubicity/tests/privacy.test.ts",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  },
  {
    "reason": "TypeScript file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/ubicity/ubicity/tests/export.test.ts",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence
