diff --git a/.github/workflows/auto-approve.yml b/.github/workflows/auto-approve.yml index f24c211..9115d83 100644 --- a/.github/workflows/auto-approve.yml +++ b/.github/workflows/auto-approve.yml @@ -2,7 +2,7 @@ name: Auto-Approve Clean PRs on: workflow_run: - workflows: [".github/workflows/base.yml", "PyDeequ Bot"] + workflows: [".github/workflows/base.yml", "Shadow"] types: [completed] permissions: @@ -55,6 +55,21 @@ jobs: return; } + // Condition 0: never auto-approve a PR that changes the bot's own + // guardrails (workflows or engine config) — that lets a PR weaken + // the approval gate and be approved by the very gate it edits. + // Require a human for these. + const files = await github.paginate(github.rest.pulls.listFiles, { + owner, repo, pull_number: prNumber, per_page: 100 + }); + const guarded = files.find(f => + f.filename.startsWith('.github/') || f.filename === '.shadow.yml' + ); + if (guarded) { + core.info(`PR touches guarded path ${guarded.filename} — requires human review, skipping`); + return; + } + // Condition 1: CI must have passed for this SHA const {data: workflowRuns} = await github.rest.actions.listWorkflowRunsForRepo({ owner, repo, head_sha: sha, status: 'completed' @@ -72,7 +87,7 @@ jobs: owner, repo, pull_number: prNumber }); - const CLEAN_MARKER = ''; + const CLEAN_MARKER = ''; const latestBot = reviews .filter(r => r.user.login === 'github-actions[bot]') diff --git a/.github/workflows/issue-bot.yml b/.github/workflows/issue-bot.yml index dd20644..a91aa1f 100644 --- a/.github/workflows/issue-bot.yml +++ b/.github/workflows/issue-bot.yml @@ -1,4 +1,4 @@ -name: PyDeequ Bot # load-bearing: auto-approve.yml keys on this exact name +name: Shadow # load-bearing: auto-approve.yml keys on this exact name # To upgrade the engine, bump the SHA in BOTH `uses:` and `shadow_ref` below # (GitHub forbids expressions in `uses:`, so they can't share a variable). @@ -54,6 +54,7 @@ jobs: KB_S3_BUCKET: ${{ secrets.KB_S3_BUCKET }} KB_S3_KEY: ${{ secrets.KB_S3_KEY }} BEDROCK_MODEL_ID: ${{ secrets.BEDROCK_MODEL_ID }} + # Repo variables (not secrets); empty falls back to engine defaults. BEDROCK_REPORTER_MODEL_ID: ${{ vars.BEDROCK_REPORTER_MODEL_ID }} BEDROCK_CRITIC_MODEL_ID: ${{ vars.BEDROCK_CRITIC_MODEL_ID }} SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} diff --git a/.shadow.yml b/.shadow.yml index 3f09bbb..2fe03d4 100644 --- a/.shadow.yml +++ b/.shadow.yml @@ -7,7 +7,7 @@ codebase: language: python bot: - name: deequ-bot # not pydeequ-bot: must render the marker auto-approve.yml greps for + name: shadow # renders the marker auto-approve.yml greps for attribution: "Reviewed by Shadow · github.com/sudsali/shadow" escalate_label: needs-human max_replies: 2