chore: Add org workflow callers #16
Replicate the thin workflow callers from kagenti/kagenti that delegate to org-wide reusable workflows in kagenti/.github.
- self-assign.yml: issue self-assignment via comment
- project.yml: add issues/PRs to the Kagenti project board
- pr-verifier.yml: enforce conventional PR titles
SHAs pinned identically to the kagenti/kagenti callers.
Assisted-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Gloire Rubambiza <gloire@ibm.com>
clawgenti
left a comment
Three thin workflow callers copied verbatim from kagenti/kagenti with reusable-workflow SHAs pinned — straightforward and clean. All checks pass. Ready for human review.
Reviewed by clawgenti using github:pr-review
| types: [opened] | ||
|
|
||
| permissions: | ||
| contents: read |
nit: The top-level contents: read is redundant — the job-level permissions block overrides it entirely (and already includes contents: read). Consider using permissions: {} at the top level (like pr-verifier.yml does) to make the least-privilege intent explicit.
Good catch — applied permissions: {} at the top level in e48a812. Confirmed the reusable add-to-project.yml declares no permissions, so the caller's job-level block (issues: write, pull-requests: write, contents: read) is the operative least-privilege boundary; the top-level value was a true no-op. Now consistent with pr-verifier.yml.
| verify-pr-title: | ||
| permissions: | ||
| pull-requests: read | ||
| uses: kagenti/.github/.github/workflows/pr-verifier-required.yml@4e535f2436d167295d39d488ce5c44b5a2d49792 |
nit: The pr-verifier-required.yml SHA (4e535f24…) lacks a date comment. The other two callers include a date comment (e.g. # 2026-05-05). Adding one here aids future auditability.
Added # 2026-04-29 in e48a812 (verified commit date of SHA 4e535f24 in kagenti/.github). Now matches the date-comment convention of the other two callers.
- project.yml: top-level permissions: {} instead of redundant
contents: read (job-level block is the operative least-privilege
boundary; reusable add-to-project.yml declares no permissions)
- pr-verifier.yml: add # 2026-04-29 date comment to the pinned SHA
for auditability parity with the other callers
Assisted-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Gloire Rubambiza <gloire@ibm.com>
clawgenti
left a comment
Follow-up review on e48a812 — the prior nits (top-level permissions: {} on project.yml, date-comment on pr-verifier SHA) have been addressed cleanly. All checks pass. Ready for human review.
Reviewed by clawgenti using github:pr-review
pdettori
left a comment
Three thin workflow callers delegating to org-wide reusable workflows.
- ✅ All reusable workflows pinned to full commit SHA (4e535f2…, 99700eb…) — no floating tags.
- ✅ Top-level permissions: {} with minimal job-level scopes.
- project.yml uses secrets: inherit while self-assign.yml scopes to a single ISSUE_ASSIGN_TOKEN. Non-blocking — this matches the verbatim kagenti/kagenti source and the target is an org-owned, SHA-pinned workflow.
DCO passing. LGTM.
Assisted-By: Claude Code
Summary
Replicate the three thin workflow callers from kagenti/kagenti that delegate to org-wide reusable workflows in kagenti/.github:
- self-assign.yml — issue self-assignment via comment
- project.yml — add issues/PRs to the Kagenti project board
- pr-verifier.yml — enforce conventional PR titles
The callers are copied verbatim, with reusable-workflow SHAs pinned identically to the kagenti/kagenti versions. No repo-specific changes.
Addresses the workflow-caller tasks in #14.
Closes #14
Test plan (after merge)
- pr-verifier runs against new PRs' titles
- project.yml adds new PRs to the Kagenti project board
Assisted-By: Claude Code
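The checks the reviewers applied by hand in this thread (full-SHA pins with a date comment, top-level permissions: {}, and noting secrets: inherit) can be run mechanically over caller files. The following Python is an added example, not code from the PR or the kagenti repositories: the function name audit_caller, the example-org path and both sample workflows are constructed, and only the pr-verifier-required.yml SHA and its date come from the thread.

```python
import re

# `uses:` with an @ref (reusable workflow or action) and an optional trailing comment.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*(?P<target>[^@\s]+)@(?P<ref>\S+)(?:\s+#\s*(?P<note>.*))?$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")
SECRETS_RE = re.compile(r"^\s*secrets:\s*inherit\s*$")


def audit_caller(text):
    """Return findings for one workflow caller file, in file order."""
    findings = []
    lines = text.splitlines()
    # A top-level key starts at column 0; only the inline form `{}` counts as empty.
    top = [l for l in lines if l.startswith("permissions:")]
    if not top:
        findings.append("top-level permissions missing (repository default applies)")
    elif top[0].split("#")[0].split(":", 1)[1].strip() != "{}":
        findings.append("top-level permissions is not {}")
    for n, line in enumerate(lines, 1):
        m = USES_RE.match(line)
        if m and not FULL_SHA_RE.match(m["ref"]):
            findings.append(f"line {n}: {m['target']} pinned to floating ref {m['ref']!r}")
        elif m and not DATE_RE.search(m["note"] or ""):
            findings.append(f"line {n}: pinned SHA has no date comment")
        if SECRETS_RE.match(line):
            findings.append(f"line {n}: secrets: inherit passes all caller secrets (review)")
    return findings


# Constructed sample in the shape the thread converged on (SHA and date from the thread).
PINNED = """\
permissions: {}
jobs:
  verify-pr-title:
    permissions:
      pull-requests: read
    uses: kagenti/.github/.github/workflows/pr-verifier-required.yml@4e535f2436d167295d39d488ce5c44b5a2d49792 # 2026-04-29
"""
# Constructed counter-example (hypothetical org and ref) that trips every check.
LOOSE = """\
permissions:
  contents: read
jobs:
  add-to-project:
    uses: example-org/.github/.github/workflows/add-to-project.yml@main
    secrets: inherit
"""

if __name__ == "__main__":
    for name, sample in (("PINNED", PINNED), ("LOOSE", LOOSE)):
        print(name, audit_caller(sample))
```

The scan is line-based and does not parse YAML, so it assumes the conventional one-key-per-line layout used by these callers.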