From 5acbd2d26514b724f540919f9f6546462c9fe850 Mon Sep 17 00:00:00 2001 
From: j7an
Date: Wed, 27 May 2026 23:21:27 -0700
Subject: [PATCH] fix(safety): revert target_url additions to test phantom-failure trigger
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

DIAGNOSTIC PR — not intended for permanent merge unless we confirm it fixes the bug AND decide to live with the unclickable gate status.

Background: ci-safety.yml's dogfood (`safety / scan` job) has been silently broken since 2026-05-28 05:21 — every PR produces a 0-job phantom startup_failure. The complete file-level diff between the last working state (HEAD a8655fe at 2026-05-26 06:19) and the first broken state (HEAD 01d9280 at 2026-05-28 05:21) is exactly these 9 lines: three `-f target_url=...` arguments added to three `gh api .../statuses/${HEAD_SHA}` calls inside dep-safety.yml's run-blocks.

This PR reverts those 3 lines (plus the 3 backslash-continuation modifications they required on the preceding `-f description=` lines) to test whether they are causally involved in the phantom-failure behavior.

Possible outcomes when this lands on a PR:

1. Phantom failures STOP and ci-safety's `safety / scan` job runs again → the target_url expressions are causally involved. We then need to either find another way to make the gate clickable or accept the unclickable status.
2. Phantoms persist → the target_url changes are NOT involved; the regression must be a coincident GitHub-side platform change. Support ticket is the only path remaining.
Refs phantom runs: - 26556360487 (first phantom, our feature branch push 2026-05-28 05:21) - 26556546736 (PR #71 merge) - 26556922328 (PR #72 feature branch) - 26557123379 (PR #73 feature branch) - 26557436258 (PR #74 merge) - 26558104480 (PR #75 merge — new workflow_id 284671829, still broken) The diagnostic itself reverts to the working file-content state for just this file; everything else (file rename to dep-safety.yml, doc header from #73, name="Dependency Safety (reusable)" from #74) is left intact since we want to test the target_url-specific hypothesis in isolation. --- .github/workflows/dep-safety.yml | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/.github/workflows/dep-safety.yml b/.github/workflows/dep-safety.yml index eac4339..fd042b5 100644 --- a/.github/workflows/dep-safety.yml +++ b/.github/workflows/dep-safety.yml @@ -52,15 +52,13 @@ jobs: gh api "repos/${GH_REPO}/statuses/${HEAD_SHA}" \ -f state="success" \ -f context="dependency-safety / gate" \ - -f description="Non-bot PR — no cool-down required" \ - -f target_url="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" + -f description="Non-bot PR — no cool-down required" echo "skip=true" >> "$GITHUB_OUTPUT" else gh api "repos/${GH_REPO}/statuses/${HEAD_SHA}" \ -f state="pending" \ -f context="dependency-safety / gate" \ - -f description="Scanning dependencies for known exploits..." \ - -f target_url="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" + -f description="Scanning dependencies for known exploits..." echo "skip=false" >> "$GITHUB_OUTPUT" fi @@ -1896,5 +1894,4 @@ jobs: gh api "repos/${GH_REPO}/statuses/${HEAD_SHA}" \ -f state="$GATE_STATE" \ -f context="dependency-safety / gate" \ - -f description="$STATUS_DESC" \ - -f target_url="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" + -f description="$STATUS_DESC"
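Review bot: In the first hunk (the `skip=true` / `skip=false` branches), the removed `-f target_url=` lines are the only arguments in the visible `gh api` calls built from inline `${{ github.server_url }}`, `${{ github.repository }}` and `${{ github.run_id }}` expressions, while every other argument uses shell variables such as `${GH_REPO}` and `${HEAD_SHA}`. If the link is reintroduced after this diagnostic, build it from the runner's default environment variables instead, for example `-f target_url="${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}"`. That keeps the run block free of expression interpolation, matches the style of the surrounding calls, and gives a second variant to test the hypothesis against without giving up the clickable status.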
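Review bot: In the last hunk (the `-f state="$GATE_STATE"` call), nothing in the workflow file records that dropping `target_url` is a temporary diagnostic, and the final gate status is left with `$STATUS_DESC` as its only pointer back to the run. Add a YAML comment above this call stating that `target_url` was removed to test the startup_failure hypothesis, so the revert is not mistaken for the intended end state if it is merged, and so the link is restored or replaced once the outcome is known.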