fix(ci): make finishingbot/seambot/rhodibot workflows actually green

.github/workflows/finishingbot.yml

@@ -29,18 +29,23 @@ jobs:
         with:
           toolchain: stable
 
-      - name: Cache dependencies
-        uses: Swatinem/rust-cache@ad397744b0d591a723ab90405b7247fac0e6b8db  # v2
-        with:
-          workspaces: ${{ runner.temp }}/gitbot-fleet/bots/finishingbot
-
+      # Clone BEFORE the rust-cache step: rust-cache needs the workspace
+      # (Cargo.lock) to exist to key the cache, and cloning into a
+      # cache-created directory fails with `destination path ... already
+      # exists and is not an empty directory` (exit 128).
       - name: Fetch gitbot-fleet at pinned ref
         run: |
+          rm -rf "$RUNNER_TEMP/gitbot-fleet"
           git clone --no-checkout --filter=tree:0 \
             https://github.com/hyperpolymath/gitbot-fleet.git \
             "$RUNNER_TEMP/gitbot-fleet"
           git -C "$RUNNER_TEMP/gitbot-fleet" checkout "$GITBOT_FLEET_REF"
 
+      - name: Cache dependencies
+        uses: Swatinem/rust-cache@ad397744b0d591a723ab90405b7247fac0e6b8db  # v2
+        with:
+          workspaces: ${{ runner.temp }}/gitbot-fleet/bots/finishingbot
+
       - name: Build finishingbot
         working-directory: ${{ runner.temp }}/gitbot-fleet/bots/finishingbot
         env:
@@ -52,9 +57,15 @@ jobs:
         continue-on-error: true
         run: |
           # The finishingbot crate's binary is `finishing-bot` (hyphenated).
+          # A non-zero audit is the intended gating signal. Capture it
+          # without letting `set -e` abort the step before the exit-code
+          # file is written, then re-exit with it so this step's outcome
+          # is `failure` and the "Fail on …findings" step below triggers.
+          rc=0
           "$RUNNER_TEMP/gitbot-fleet/bots/finishingbot/target/release/finishing-bot" \
-            --path "$GITHUB_WORKSPACE" audit > finishingbot-results.txt 2>&1
-          echo $? > finishingbot-exit-code.txt
+            --path "$GITHUB_WORKSPACE" audit > finishingbot-results.txt 2>&1 || rc=$?
+          echo "$rc" > finishingbot-exit-code.txt
+          exit "$rc"
 
       - name: Display results
         if: always()
@@ -65,7 +76,7 @@ jobs:
             cat finishingbot-results.txt >> $GITHUB_STEP_SUMMARY
             echo '```' >> $GITHUB_STEP_SUMMARY
 
-            exit_code=$(cat finishingbot-exit-code.txt)
+            exit_code=$(cat finishingbot-exit-code.txt 2>/dev/null || echo unknown)
             if [ "$exit_code" = "0" ]; then
               echo "✅ Release readiness checks passed" >> $GITHUB_STEP_SUMMARY
             else

.github/workflows/rhodibot.yml

@@ -30,18 +30,23 @@ jobs:
         with:
           toolchain: stable
 
-      - name: Cache dependencies
-        uses: Swatinem/rust-cache@ad397744b0d591a723ab90405b7247fac0e6b8db  # v2
-        with:
-          workspaces: ${{ runner.temp }}/gitbot-fleet/bots/rhodibot
-
+      # Clone BEFORE the rust-cache step: rust-cache needs the workspace
+      # (Cargo.lock) to exist to key the cache, and cloning into a
+      # cache-created directory fails with `destination path ... already
+      # exists and is not an empty directory` (exit 128).
       - name: Fetch gitbot-fleet at pinned ref
         run: |
+          rm -rf "$RUNNER_TEMP/gitbot-fleet"
           git clone --no-checkout --filter=tree:0 \
             https://github.com/hyperpolymath/gitbot-fleet.git \
             "$RUNNER_TEMP/gitbot-fleet"
           git -C "$RUNNER_TEMP/gitbot-fleet" checkout "$GITBOT_FLEET_REF"
 
+      - name: Cache dependencies
+        uses: Swatinem/rust-cache@ad397744b0d591a723ab90405b7247fac0e6b8db  # v2
+        with:
+          workspaces: ${{ runner.temp }}/gitbot-fleet/bots/rhodibot
+
       - name: Build rhodibot
         working-directory: ${{ runner.temp }}/gitbot-fleet/bots/rhodibot
         env:
@@ -56,11 +61,17 @@ jobs:
           # read-only workflow token is sufficient (no PAT needed).
           GITHUB_TOKEN: ${{ github.token }}
         run: |
+          # A non-zero check is the intended gating signal. Capture it
+          # without letting `set -e` abort the step before the exit-code
+          # file is written, then re-exit with it so this step's outcome
+          # is `failure` and the "Fail on …violations" step below triggers.
+          rc=0
           "$RUNNER_TEMP/gitbot-fleet/bots/rhodibot/target/release/rhodibot" check \
             --owner "${{ github.repository_owner }}" \
             --repo "${{ github.event.repository.name }}" \
-            > rhodibot-results.txt 2>&1
-          echo $? > rhodibot-exit-code.txt
+            > rhodibot-results.txt 2>&1 || rc=$?
+          echo "$rc" > rhodibot-exit-code.txt
+          exit "$rc"
 
       - name: Display results
         if: always()
@@ -71,7 +82,7 @@ jobs:
             cat rhodibot-results.txt >> $GITHUB_STEP_SUMMARY
             echo '```' >> $GITHUB_STEP_SUMMARY
 
-            exit_code=$(cat rhodibot-exit-code.txt)
+            exit_code=$(cat rhodibot-exit-code.txt 2>/dev/null || echo unknown)
             if [ "$exit_code" = "0" ]; then
               echo "✅ RSR compliance checks passed" >> $GITHUB_STEP_SUMMARY
             else

.github/workflows/seambot.yml

@@ -39,20 +39,25 @@ jobs:
         with:
           toolchain: stable
 
-      - name: Cache dependencies
-        if: steps.check-seam.outputs.has_seam == 'true'
-        uses: Swatinem/rust-cache@ad397744b0d591a723ab90405b7247fac0e6b8db  # v2
-        with:
-          workspaces: ${{ runner.temp }}/gitbot-fleet/bots/seambot
-
+      # Clone BEFORE the rust-cache step: rust-cache needs the workspace
+      # (Cargo.lock) to exist to key the cache, and cloning into a
+      # cache-created directory fails with `destination path ... already
+      # exists and is not an empty directory` (exit 128).
       - name: Fetch gitbot-fleet at pinned ref
         if: steps.check-seam.outputs.has_seam == 'true'
         run: |
+          rm -rf "$RUNNER_TEMP/gitbot-fleet"
           git clone --no-checkout --filter=tree:0 \
             https://github.com/hyperpolymath/gitbot-fleet.git \
             "$RUNNER_TEMP/gitbot-fleet"
           git -C "$RUNNER_TEMP/gitbot-fleet" checkout "$GITBOT_FLEET_REF"
 
+      - name: Cache dependencies
+        if: steps.check-seam.outputs.has_seam == 'true'
+        uses: Swatinem/rust-cache@ad397744b0d591a723ab90405b7247fac0e6b8db  # v2
+        with:
+          workspaces: ${{ runner.temp }}/gitbot-fleet/bots/seambot
+
       - name: Build seambot
         if: steps.check-seam.outputs.has_seam == 'true'
         working-directory: ${{ runner.temp }}/gitbot-fleet/bots/seambot
@@ -65,9 +70,13 @@ jobs:
         id: seambot
         continue-on-error: true
         run: |
+          # A non-zero check is the intended signal; capture it without
+          # letting `set -e` abort before the exit-code file is written.
+          rc=0
           "$RUNNER_TEMP/gitbot-fleet/bots/seambot/target/release/seambot" check \
-            > seambot-results.txt 2>&1
-          echo $? > seambot-exit-code.txt
+            > seambot-results.txt 2>&1 || rc=$?
+          echo "$rc" > seambot-exit-code.txt
+          exit "$rc"
 
       - name: Display results
         if: always() && steps.check-seam.outputs.has_seam == 'true'
@@ -78,7 +87,7 @@ jobs:
             cat seambot-results.txt >> $GITHUB_STEP_SUMMARY
             echo '```' >> $GITHUB_STEP_SUMMARY
 
-            exit_code=$(cat seambot-exit-code.txt)
+            exit_code=$(cat seambot-exit-code.txt 2>/dev/null || echo unknown)
             if [ "$exit_code" = "0" ]; then
               echo "✅ All seam checks passed" >> $GITHUB_STEP_SUMMARY
             else