Skip to content

Revert PR #707#711

Merged
cryppadotta merged 1 commit intomasterfrom
revert-pr-707
Mar 12, 2026
Merged

Revert PR #707#711
cryppadotta merged 1 commit intomasterfrom
revert-pr-707

Conversation

@cryppadotta
Copy link
Copy Markdown
Contributor

@cryppadotta cryppadotta commented Mar 12, 2026

Summary

  • revert merge commit 56df8d3 from PR ci: refresh pnpm lockfile before merge #707
  • restore the previous lockfile refresh workflow configuration
  • remove the PR-specific lockfile refresh workflow and related policy/doc changes

Verification

  • pnpm -r typecheck
  • pnpm test:run
  • pnpm build

@cryppadotta
Revert "Merge pull request #707 from paperclipai/nm/premerge-lockfile…
b888f92 
…-refresh"

This reverts commit 56df8d3, reversing
changes made to ac82cae.
@cryppadotta cryppadotta merged commit 5201222 into master Mar 12, 2026
3 checks passed
@greptile-apps
Copy link
Copy Markdown
Contributor

greptile-apps bot commented Mar 12, 2026

Greptile Summary

This PR reverts merge commit 56df8d3 from PR #707, restoring the previous lockfile management strategy: PRs may not include pnpm-lock.yaml changes, and a post-merge workflow on master regenerates the lockfile and opens a dedicated chore/refresh-lockfile PR when changes are detected.

Key changes:

  • refresh-lockfile-pr.yml removed — the per-PR auto-commit bot introduced in ci: refresh pnpm lockfile before merge #707 is deleted.
  • refresh-lockfile.yml restored — the push-to-master-triggered workflow that creates a chore/refresh-lockfile PR is re-added.
  • pr-policy.yml updated — replaces the gh api-based changed-file detection with git diff, splits the logic into two steps (block lockfile edits, validate manifest resolution), and adds a branch-name exemption for the bot PR.
  • pr-verify.yml — switches to --no-frozen-lockfile since PRs can no longer carry an updated lockfile.
  • doc/DEVELOPING.md — updates the policy description, but the final bullet inaccurately mentions a --frozen-lockfile verification pass that does not exist in the restored workflow.

The one substantive issue is the branch-name guard in pr-policy.yml: the chore/refresh-lockfile exemption relies solely on github.head_ref, which any fork contributor can set to that value. Adding a same-repo check (github.event.pull_request.head.repo.full_name == github.repository) would close the bypass.

Confidence Score: 3/5

  • Safe to merge after addressing the branch-name bypass in pr-policy.yml; the revert logic itself is sound.
  • The revert correctly restores the previous workflow structure and the overall policy design is coherent. The one logic issue — the chore/refresh-lockfile exemption relying solely on branch name — is a meaningful security gap that allows a fork contributor to bypass the lockfile-edit block by naming their branch accordingly. The documentation inaccuracy is minor but adds confusion. Neither issue would break CI under normal circumstances, but the bypass warrants a fix before merging.
  • pr-policy.yml — the branch-name-only guard on line 35 needs an additional same-repo check.

Important Files Changed

Filename Overview
.github/workflows/pr-policy.yml Reverts to a simpler two-step lockfile policy: block lockfile edits on PRs and validate dependency resolution when manifests change. The exemption for the bot's chore/refresh-lockfile branch is gated only on the branch name, which can be spoofed by any fork contributor to bypass the lockfile-edit block.
.github/workflows/pr-verify.yml Switches the install step from --frozen-lockfile to --no-frozen-lockfile. This is a deliberate and necessary change for the new policy where PRs cannot include lockfile updates; previously --frozen-lockfile would fail for any PR that changed manifests.
.github/workflows/refresh-lockfile-pr.yml Deleted as part of the revert; this was the PR #707-introduced per-PR lockfile auto-commit workflow that the revert removes.
.github/workflows/refresh-lockfile.yml Restores (re-adds) the master-push-triggered lockfile refresh workflow. On every push to master it regenerates the lockfile, creates/updates the chore/refresh-lockfile branch, and opens a PR if one doesn't exist. Logic looks correct.
doc/DEVELOPING.md Updates the lockfile policy section but inaccurately describes the post-master-push flow as including a --frozen-lockfile verification step, which does not exist in the restored workflow.
Prompt To Fix All With AI 
This is a comment left during a code review.
Path: .github/workflows/pr-policy.yml
Line: 35

Comment:
**Branch-name bypass allows arbitrary lockfile commits**

The condition `github.head_ref != 'chore/refresh-lockfile'` is intended to exempt the bot's auto-generated PR from the lockfile block, but `github.head_ref` is just the source branch name and is fully controlled by the PR author. Any external contributor can name their fork branch `chore/refresh-lockfile` and commit arbitrary changes to `pnpm-lock.yaml` without triggering this check, bypassing the policy entirely.

The guard should additionally verify the PR originates from the same repository (i.e. is not a fork):

```suggestion
        if: github.head_ref != 'chore/refresh-lockfile' || github.event.pull_request.head.repo.full_name != github.repository
```

With this fix the exemption only fires when the branch name matches **and** the PR comes from the canonical repo (i.e. the real bot PR), so fork-originated PRs from a branch named `chore/refresh-lockfile` are still subject to the lockfile-edit block.

How can I resolve this? If you propose a fix, please make it concise.

---

This is a comment left during a code review.
Path: doc/DEVELOPING.md
Line: 24

Comment:
**Documentation does not match the actual workflow**

The line states that pushes to `master` "run verification with `--frozen-lockfile`", but the actual `refresh-lockfile.yml` workflow only regenerates the lockfile and opens a PR — it never runs a frozen install. Additionally, `pr-verify.yml` was changed in this same PR to use `--no-frozen-lockfile` for all PRs (including the `chore/refresh-lockfile` PR). The `--frozen-lockfile` verification step described here does not exist anywhere in the current CI setup.

```suggestion
- Pushes to `master` regenerate `pnpm-lock.yaml` with `pnpm install --lockfile-only --no-frozen-lockfile` and open a `chore/refresh-lockfile` PR if the lockfile changed.
```

How can I resolve this? If you propose a fix, please make it concise.

Last reviewed commit: b888f92

greptile-apps[bot]
greptile-apps bot reviewed Mar 12, 2026
View reviewed changes
Comment thread .github/workflows/pr-policy.yml
env:
GH_TOKEN: ${{ github.token }}
- name: Block manual lockfile edits
if: github.head_ref != 'chore/refresh-lockfile'
Copy link
Copy Markdown
Contributor

@greptile-apps greptile-apps bot Mar 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Branch-name bypass allows arbitrary lockfile commits

The condition github.head_ref != 'chore/refresh-lockfile' is intended to exempt the bot's auto-generated PR from the lockfile block, but github.head_ref is just the source branch name and is fully controlled by the PR author. Any external contributor can name their fork branch chore/refresh-lockfile and commit arbitrary changes to pnpm-lock.yaml without triggering this check, bypassing the policy entirely.

The guard should additionally verify the PR originates from the same repository (i.e. is not a fork):

Suggested change
if: github.head_ref != 'chore/refresh-lockfile'
if: github.head_ref != 'chore/refresh-lockfile' || github.event.pull_request.head.repo.full_name != github.repository

With this fix the exemption only fires when the branch name matches and the PR comes from the canonical repo (i.e. the real bot PR), so fork-originated PRs from a branch named chore/refresh-lockfile are still subject to the lockfile-edit block.

Prompt To Fix With AI 
This is a comment left during a code review.
Path: .github/workflows/pr-policy.yml
Line: 35

Comment:
**Branch-name bypass allows arbitrary lockfile commits**

The condition `github.head_ref != 'chore/refresh-lockfile'` is intended to exempt the bot's auto-generated PR from the lockfile block, but `github.head_ref` is just the source branch name and is fully controlled by the PR author. Any external contributor can name their fork branch `chore/refresh-lockfile` and commit arbitrary changes to `pnpm-lock.yaml` without triggering this check, bypassing the policy entirely.

The guard should additionally verify the PR originates from the same repository (i.e. is not a fork):

```suggestion
        if: github.head_ref != 'chore/refresh-lockfile' || github.event.pull_request.head.repo.full_name != github.repository
```

With this fix the exemption only fires when the branch name matches **and** the PR comes from the canonical repo (i.e. the real bot PR), so fork-originated PRs from a branch named `chore/refresh-lockfile` are still subject to the lockfile-edit block.

How can I resolve this? If you propose a fix, please make it concise.

Comment thread doc/DEVELOPING.md
- Pull request CI validates lockfile freshness when manifests change and verifies with `--frozen-lockfile`.
- Do not commit `pnpm-lock.yaml` in pull requests.
- Pull request CI validates dependency resolution when manifests change.
- Pushes to `master` regenerate `pnpm-lock.yaml` with `pnpm install --lockfile-only --no-frozen-lockfile`, commit it back if needed, and then run verification with `--frozen-lockfile`.
Copy link
Copy Markdown
Contributor

@greptile-apps greptile-apps bot Mar 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Documentation does not match the actual workflow

The line states that pushes to master "run verification with --frozen-lockfile", but the actual refresh-lockfile.yml workflow only regenerates the lockfile and opens a PR — it never runs a frozen install. Additionally, pr-verify.yml was changed in this same PR to use --no-frozen-lockfile for all PRs (including the chore/refresh-lockfile PR). The --frozen-lockfile verification step described here does not exist anywhere in the current CI setup.

Suggested change
- Pushes to `master` regenerate `pnpm-lock.yaml` with `pnpm install --lockfile-only --no-frozen-lockfile`, commit it back if needed, and then run verification with `--frozen-lockfile`.
- Pushes to `master` regenerate `pnpm-lock.yaml` with `pnpm install --lockfile-only --no-frozen-lockfile` and open a `chore/refresh-lockfile` PR if the lockfile changed.
Prompt To Fix With AI 
This is a comment left during a code review.
Path: doc/DEVELOPING.md
Line: 24

Comment:
**Documentation does not match the actual workflow**

The line states that pushes to `master` "run verification with `--frozen-lockfile`", but the actual `refresh-lockfile.yml` workflow only regenerates the lockfile and opens a PR — it never runs a frozen install. Additionally, `pr-verify.yml` was changed in this same PR to use `--no-frozen-lockfile` for all PRs (including the `chore/refresh-lockfile` PR). The `--frozen-lockfile` verification step described here does not exist anywhere in the current CI setup.

```suggestion
- Pushes to `master` regenerate `pnpm-lock.yaml` with `pnpm install --lockfile-only --no-frozen-lockfile` and open a `chore/refresh-lockfile` PR if the lockfile changed.
```

How can I resolve this? If you propose a fix, please make it concise.

tr00x pushed a commit to tr00x/paperclip that referenced this pull request Mar 26, 2026
@cryppadotta
Merge pull request paperclipai#711 from paperclipai/revert-pr-707
6bd45e1 
Revert PR paperclipai#707
hhhhansel pushed a commit to hhhhansel/paperclip that referenced this pull request Mar 27, 2026
@cryppadotta
Merge pull request paperclipai#711 from paperclipai/revert-pr-707
9a6b9f9 
Revert PR paperclipai#707
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@cryppadotta