feat(safety)!: opt-in release-age policy and default-on auto-merge (#85)#86
Merged
…in verdict layer BREAKING CHANGE: post-PR release-age verification is now opt-in via release_age_policy (default "off") and auto_merge defaults to true; the fail_on_age_violation input is removed. Refs #85
… dependency-safety.yml BREAKING CHANGE: post-PR release-age verification is now opt-in via release_age_policy (default "off") and auto_merge defaults to true; the fail_on_age_violation input is removed. Refs #85
BREAKING CHANGE: post-PR release-age verification is now opt-in via release_age_policy (default "off") and auto_merge defaults to true; the fail_on_age_violation input is removed. Refs #85
…d v3-to-v4 migration BREAKING CHANGE: post-PR release-age verification is now opt-in via release_age_policy (default "off") and auto_merge defaults to true; the fail_on_age_violation input is removed. Refs #85
BREAKING CHANGE: post-PR release-age verification is now opt-in via release_age_policy (default "off") and auto_merge defaults to true; the fail_on_age_violation input is removed. Refs #85
j7an added a commit to j7an/cross-agent-reviews that referenced this pull request on Jun 14, 2026
…licy (#59) Bumps dependency-safety.yml and tag-release.yml from v3.0.2 (29bcd57) to v4.0.0 (dd7254c). dependency-safety.yml: sets release_age_policy: advisory (was v3 default hard-fail) and auto_merge: true (was v3 default false, i.e. manual merge), making both explicit at the call site. dependency-safety-non-bot-gate.yml: status description reworded off 'cooldown'. Mirrors j7an/dep-rank#133. Refs j7an/shared-workflows#86.
What
Makes post-PR release-age verification opt-in and auto-merge default-on in
dependency-safety.yml, shipping as v4.0.0 (breaking).

- `release_age_policy` string input: `"off"` (default, no age lookup), `advisory` (label + comment, gate green, auto-merge suppressed), `blocking` (gate fails).
- `auto_merge` now defaults to `true`; callers opt out with `auto_merge: false`.
- `fail_on_age_violation` is removed; stale callers fail loudly at workflow startup. Migration table in README (`true` → `blocking`, `false` → `advisory`).
- The verdict layer (`safety-verdict.sh`) validates the policy enum fail-closed, including an orchestrator-bug invariant (`off` ⇒ zero age counts) and a quoting hint for the YAML-boolean `off` footgun.
- An allowlist guard (`case advisory|blocking`) ensures invalid values never trigger network calls.
- `tests/safety-workflow-contract.bats` statically asserts the public `workflow_call` input surface.

YAML `off` note

GitHub's workflow-syntax reference does not state which YAML spec version the parser uses (no 1.1-vs-1.2 statement), so the design assumes nothing: the input default is quoted (`"off"`), README examples quote it, the allowlist guard ignores any coerced value, and the verdict validator fails closed with a quoting hint if `false` arrives.
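The allowlist guard and the fail-closed verdict validation described above, as an added bash illustration that is not the project's safety-verdict.sh; function names, messages and exit codes are assumptions:

```bash
# Added illustration of the fail-closed policy checks described in this PR.
# NOT the project's safety-verdict.sh; names, messages and exit codes are assumed.
set -u

# Allowlist guard in the spirit of `case advisory|blocking`: only these two
# values may reach the (network) age lookup. Everything else, including a
# boolean coerced from an unquoted `off`, falls through to "no lookup".
needs_age_lookup() {
  case "$1" in
    advisory|blocking) return 0 ;;
    *) return 1 ;;
  esac
}

# validate_policy POLICY AGE_VIOLATION_COUNT
# Exit codes (assumed): 0 gate green, 1 gate fails, 2 invalid policy,
# 3 orchestrator-bug invariant violated.
validate_policy() {
  local policy="$1" age_count="$2"
  case "$policy" in
    off)
      # Invariant: with the policy off no age lookup runs, so a non-zero
      # count can only have come from an orchestrator bug.
      if [ "$age_count" != "0" ]; then
        echo "error: release_age_policy=off but age_violations=$age_count (orchestrator bug)" >&2
        return 3
      fi
      echo "verdict: age check skipped (release_age_policy=off)"
      return 0 ;;
    advisory)
      # Label + comment, gate stays green; auto-merge is suppressed (here
      # assumed only when at least one violation was reported).
      [ "$age_count" != "0" ] && echo "note: auto-merge suppressed"
      echo "verdict: advisory, age_violations=$age_count, gate green"
      return 0 ;;
    blocking)
      if [ "$age_count" != "0" ]; then
        echo "verdict: blocking, age_violations=$age_count, gate fails" >&2
        return 1
      fi
      echo "verdict: blocking, no age violations, gate green"
      return 0 ;;
    false)
      # A YAML 1.1 parser turns an unquoted `off` into boolean false; fail
      # closed and tell the caller to quote the value.
      echo "error: release_age_policy=false is not a policy; an unquoted off was coerced, write release_age_policy: \"off\"" >&2
      return 2 ;;
    *)
      echo "error: unknown release_age_policy '$policy' (expected off|advisory|blocking)" >&2
      return 2 ;;
  esac
}
```

Call it as `validate_policy "$POLICY" "$AGE_VIOLATIONS"` after the orchestrator has (or, for `off`, has not) run the age lookup.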
Release step (required)

This repo does not auto-release on merge. Immediately after merging, dispatch `release-self.yml`; the Conventional Commits marker (`feat!`) infers a major bump to `v4.0.0`. The README `@v4` pins in this PR are invalid until that tag exists.

Fixes #85.