Batch range: 7fb41555a9e55677d1aaea29ca567a5b369c2b05..c0b4e30cf6f07c0852612c9f38d7c1e65ee7eab0
Promotion branch: staging-promote/c0b4e30c-24735636972
Base: staging-promote/8fffa879-24726363404
Triggered by: Staging CI batch at 2026-04-21 17:03 UTC
Current base: staging-promote/8fffa879-24726363404
Current head: staging-promote/c0b4e30c-24735636972
Current range: origin/staging-promote/8fffa879-24726363404..origin/staging-promote/c0b4e30c-24735636972
[CRITICAL:95] Authorization bypass - release input exposed in workflow_dispatch. This allows any GitHub contributor with actions:write permission to manually trigger release-style tagging without going through the approved release.yml workflow.
Fix: Remove release from workflow_dispatch.inputs and only accept it in workflow_call.
description: "Set true to force release-style tags (:version, :latest, :sha-xxx)"
[HIGH:85] Downstream dispatch silently skips on transient failures. The ironclaw-dind trigger step (lines 210-218) has continue-on-error: true on token creation. If gh api fails transiently, dispatch is silently skipped with no notification.
Fix: Either remove continue-on-error or add explicit logging if dispatch is skipped.
[MEDIUM:68] Release dispatch lacks VERSION guarantee. The condition at line 210 checks for non-empty VERSION but if version extraction fails, dispatch is silently skipped.
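The fix proposed in the first finding, sketched as a workflow fragment. This is an added example, not the repository's workflow or part of the review: the workflow, job and step names and the "staging" tag style are hypothetical, and it assumes the `release` input is already declared under `workflow_call` for the approved release.yml caller.

```yaml
# Constructed example. Only the `release` input and its description come
# from the review above; every other name here is hypothetical.
name: docker-publish

on:
  # Reusable entry point: only a calling workflow (the approved release.yml)
  # can set `release`.
  workflow_call:
    inputs:
      release:
        description: "Set true to force release-style tags (:version, :latest, :sha-xxx)"
        type: boolean
        default: false

  # Manual entry point: no `release` input. Before the fix the same input
  # was also declared here, so a manual run could request release tags:
  #
  #   workflow_dispatch:
  #     inputs:
  #       release:
  #         description: "Set true to force release-style tags (:version, :latest, :sha-xxx)"
  #         type: boolean
  workflow_dispatch: {}

jobs:
  tags:
    runs-on: ubuntu-latest
    steps:
      - name: Choose tag style
        id: style
        env:
          # On a manual run `inputs.release` is undefined, so the comparison
          # evaluates to false and the release branch below is unreachable.
          RELEASE: ${{ inputs.release == true }}
        run: |
          if [ "$RELEASE" = "true" ]; then
            echo "style=release" >> "$GITHUB_OUTPUT"
          else
            echo "style=staging" >> "$GITHUB_OUTPUT"
          fi
```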
Auto-promotion from staging CI
Commits in this batch (64):
onboard fails with "Failed to save settings to database", but ironclaw starts successfully and applies migrations #846) (fix(setup): run migrations during onboard when DATABASE_URL preset (#846) #2309)
Current commits in this promotion (1)
Auto-updated by staging promotion metadata workflow
Waiting for gates:
Auto-created by staging-ci workflow