Skip to content

fix: resolve internal tooling refs consistently in pr_validation#121

Draft
hdamker wants to merge 4 commits intocamaraproject:mainfrom
hdamker:fix/pr-validation-ref-consistency-120
Draft

fix: resolve internal tooling refs consistently in pr_validation#121
hdamker wants to merge 4 commits intocamaraproject:mainfrom
hdamker:fix/pr-validation-ref-consistency-120

Conversation

@hdamker
Copy link
Copy Markdown
Contributor

@hdamker hdamker commented Mar 11, 2026

What type of PR is this?

enhancement/feature

What this PR does / why we need it:

Makes pr_validation resolve its internal tooling references (shared actions, linting config) from the same repository and commit that the caller selected, instead of hardcoding camaraproject/tooling@v0.

The reusable workflow now supports two operational models:

  1. OIDC-pinned resolution — Callers that grant id-token: write get SHA-pinned internal refs derived from the OIDC job_workflow_sha claim. This ensures that the linting config and shared actions match the exact commit the caller selected, enabling branch-based and SHA-based pilot testing.

  2. Legacy v0 fallback — Callers that do not grant id-token: write (i.e., all existing API repository caller workflows) automatically fall back to the current camaraproject/tooling@v0 behavior. No caller changes are needed for these repositories to continue working.

This follows the same OIDC-based ref resolution pattern already used by the release-automation reusable workflow (tooling PR #111), adapted for the permission-inheritance model needed here: the reusable workflow does not declare its own permissions block, so it inherits whatever the caller grants — making the OIDC path available only when the caller opts in.

Tested with both models on hdamker/TestRepo-QoD:

Which issue(s) this PR fixes:

Fixes #120

Special notes for reviewers:

The reusable workflow's permissions block is commented out (not removed) to document the expected caller permissions. This is intentional — the block cannot be active because GitHub Actions treats an explicit permissions block in a reusable workflow as a hard constraint: any permission not listed is denied, regardless of what the caller grants. Removing it allows conditional OIDC availability based on caller configuration.

Changelog input

 release-note
 pr_validation resolves internal tooling refs from the called workflow commit (OIDC), with automatic v0 fallback for callers without id-token permission

Additional documentation

docs
Updated linting/docs/Reusable Workflows.md with the new ref resolution and fallback behavior.

hdamker added 3 commits March 11, 2026 19:21
@hdamker
fix(pr-validation): resolve internal tooling refs consistently (camar…
c7f40ae 
…aproject#120)

- resolve workflow-owned tooling assets from OIDC job workflow claims
  when caller permissions allow ID-token access
- fall back to legacy camaraproject/tooling@v0 assets for callers that
  still use the older permissions block
- update caller comments and reusable-workflow docs to explain ref
  resolution and migration behavior
@hdamker
fix(pr-validation): allow legacy callers to start without id-token
2ed06a8 
- remove the top-level id-token permission requirement from the
  reusable workflow
- keep OIDC-based ref resolution when caller permissions expose an ID
  token at runtime
- let older callers reach the legacy v0 fallback path instead of
  failing during workflow startup
- clarify the fallback behavior in the reusable-workflow docs
@hdamker
test: remove reusable workflow permissions block to inherit from caller
32a43b1 
Enables conditional OIDC ref resolution: callers with id-token: write
get SHA-pinned checkout, others fall back to legacy v0.
@hdamker hdamker requested review from Kevsy and rartych as code owners March 11, 2026 21:06
@hdamker hdamker mentioned this pull request Mar 20, 2026
Open
@hdamker hdamker marked this pull request as draft March 20, 2026 08:49
@hdamker
Copy link
Copy Markdown
Contributor Author

hdamker commented Mar 20, 2026

Converted to draft — see deprioritization rationale on #120.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rartych rartych Awaiting requested review from rartych rartych is a code owner

@Kevsy Kevsy Awaiting requested review from Kevsy Kevsy is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Make pr_validation resolve internal actions and config from its called workflow ref

1 participant

@hdamker