Skip to content

Merge pull request #593 from Brad-Edwards/dev #123

Merge pull request #593 from Brad-Edwards/dev

Merge pull request #593 from Brad-Edwards/dev #123

Workflow file for this run

name: PR Title Lint
# Repository-side guard against agent-branded PR titles (e.g. `[codex] ...`)
# and a check that titles follow the conventional shape Ground Control
# documents for /implement Step 9. Enforced by repo automation, not only by
# agent workflow instructions (issue #567).
#
# The PR title is untrusted event data, so it is read from $GITHUB_EVENT_PATH
# by the checker (never shell-interpolated), the token is read-only, and this
# uses `pull_request` (never `pull_request_target`). There is no exemption for
# PRs targeting `dev`.
on:
pull_request:
types: [opened, edited, synchronize, reopened]
permissions:
contents: read
concurrency:
group: pr-title-lint-${{ github.event.pull_request.number }}
cancel-in-progress: true
jobs:
title-guard:
runs-on: ubuntu-latest
steps:
# Check out the BASE ref, not the PR head, so the policy executable is
# the trusted already-merged copy. A PR that edits or removes
# tools/check_pr_title.py must not be able to weaken its own required
# check (codex review finding, issue #567). The shared validator is still
# exercised against the PR's own code by the test suite in ci.yml.
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
ref: ${{ github.event.pull_request.base.sha }}
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
with:
python-version: "3.12"
- name: Validate PR title
# The checker reads the title from $GITHUB_EVENT_PATH (set automatically
# by the runner). It is stdlib-only, so no dependency install is needed.
run: |
if [ ! -f tools/check_pr_title.py ]; then
echo "::notice::tools/check_pr_title.py is not on the base ref yet; skipping (bootstrap for the PR that introduces the guard). Enforcement is active for every subsequent PR."
exit 0
fi
python tools/check_pr_title.py