ci: Teardown shll.ai Help-Tree Publish CI (Push → Pull Migration) #236
Remove the final 'Publish help tree to shll.ai' step from .github/workflows/release.yml, per shll.ai's help-dump-contract Teardown Directive (push model → pull model). The single self-contained step carried all four push components — producer CI (rk help-dump + jq validate), PR-opening logic (clone/branch/commit/push + gh pr create), auto-merge wiring (gh pr merge --auto), and SHLLAI_TOKEN usage — all removed together (95 deletions). Preserve 'rk help-dump' unchanged: it is now the single contract surface shll.ai pulls from on a schedule. Reconcile docs/memory architecture (help-dump row, Release Flow section, changelog). The removed step was the last and best-effort, so the GitHub Release and Homebrew tap path is unaffected.
Pull request overview
This PR removes run-kit’s now-obsolete “push” CI integration that published rk help-dump output into sahil87/shll.ai, aligning with shll.ai’s new “pull” model where shll.ai runs rk help-dump on a schedule. It keeps rk help-dump as the sole contract surface and updates internal architecture memory to reflect the new flow.
Changes:
- Deleted the `Publish help tree to shll.ai` step (and `SHLLAI_TOKEN` usage) from `.github/workflows/release.yml`.
- Updated `docs/memory/run-kit/architecture.md` to describe the retired push step and the new pull-based consumption.
- Added fab change artifacts documenting intake/plan/status/history for this teardown change.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| `.github/workflows/release.yml` | Removes the shll.ai publish step so the release job ends at the Homebrew tap update. |
| `docs/memory/run-kit/architecture.md` | Updates the documented release flow and help-dump consumption to reflect shll.ai pull model. |
| `fab/changes/260603-iak3-teardown-shllai-publish-ci/intake.md` | Captures rationale/scope for the teardown per the contract directive. |
| `fab/changes/260603-iak3-teardown-shllai-publish-ci/plan.md` | Records requirements/tasks/acceptance for the teardown. |
| `fab/changes/260603-iak3-teardown-shllai-publish-ci/.status.yaml` | Tracks fab pipeline stage progress for the change. |
| `fab/changes/260603-iak3-teardown-shllai-publish-ci/.history.jsonl` | Records fab stage transitions/commands for auditability. |
| 6 assumptions (4 certain, 2 confident, 0 tentative). | ||
| </content> | ||
| </invoke> |
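Review bot: the last two lines of plan.md, `</content>` and `</invoke>`, are leftover tool-call markup rather than plan content. Delete them so the file ends at the assumptions summary line.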
Fixed — removed the stray </content>/</invoke> tool-call markup from the end of plan.md. (1ed9671)
| **GitHub Actions** (`.github/workflows/release.yml`): triggers on `v*` tag push. Steps: checkout → setup Go (from `go.mod`) → setup Node 20 + pnpm → install frontend deps → build frontend → copy dist to backend → cross-compile 4 targets → create GitHub Release with tarballs → update Homebrew tap → publish help tree to shll.ai. | ||
| **GitHub Actions** (`.github/workflows/release.yml`): triggers on `v*` tag push. Steps: checkout → setup Go (from `go.mod`) → setup Node 20 + pnpm → install frontend deps → build frontend → copy dist to backend → cross-compile 4 targets → create GitHub Release with tarballs → update Homebrew tap. | ||
|
|
||
| Cross-compile targets: `darwin/arm64`, `darwin/amd64`, `linux/arm64`, `linux/amd64`. Each target built with `CGO_ENABLED=0` and ldflags. Output: `run-kit-{os}-{arch}.tar.gz` tarballs uploaded to GitHub Release via `softprops/action-gh-release`. |
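Review bot: the unchanged context line below the Steps row names the release tarballs `run-kit-{os}-{arch}.tar.gz`, while the retired-step text in this document refers to the built artifact as `dist/rk-linux-amd64/rk`. Since this section is being reconciled anyway, check the tarball name against release.yml and correct it here if the prefix is `rk-`.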
Fixed — corrected the tarball name from run-kit-{os}-{arch}.tar.gz to rk-{os}-{arch}.tar.gz to match release.yml. (1ed9671)
| **Help-tree publish to shll.ai — RETIRED (push → pull, `260603-iak3-teardown-shllai-publish-ci`):** the release job no longer publishes the help tree. The former **final** CI step (`Publish help tree to shll.ai`, deliberately placed after the GitHub Release and Homebrew tap) ran `rk help-dump help/run-kit.json` then opened a best-effort auto-merge PR into `sahil87/shll.ai` via the `SHLLAI_TOKEN` cross-repo write secret — that entire step was removed. shll.ai inverted its integration model from **push** (each toolkit CLI produced its help JSON in CI and PR'd it into shll.ai) to **pull** (shll.ai now runs `rk help-dump` itself on a schedule and captures the output), making the push path redundant work and a redundant attack surface (dual writers to `help/run-kit.json` could race). The `SHLLAI_TOKEN` reference was removed from CI along with the step; the GitHub repo secret itself is an operator follow-up to delete (least-privilege, no remaining consumer). The hidden `rk help-dump` subcommand is **preserved unchanged** as the single contract surface shll.ai pulls from (see `## CLI Subcommands`). After removal, the `release` job's final step is **Update Homebrew tap**. (Historical: the push step was added in `260602-a36m-help-dump-shll-ai` and hardened in `260602-2dt9-fix-shllai-help-publish`.) | ||
|
|
||
| **Homebrew tap update** (runs before the final help-tree publish step): computes SHA256 for all 4 tarballs, clones `sahil87/homebrew-tap` via `BUILD_TOKEN` secret, generates `Formula/rk.rb` from `.github/formula-template.rb` (placeholder substitution via `sed`), commits and pushes. | ||
| **Homebrew tap update** (now the **final** step in the `release` job): computes SHA256 for all 4 tarballs, clones `sahil87/homebrew-tap` via `BUILD_TOKEN` secret, generates `Formula/rk.rb` from `.github/formula-template.rb` (placeholder substitution via `sed`), commits and pushes. |
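Review bot: in the added Homebrew tap line, the clone credential is recorded as `BUILD_TOKEN`. With the `SHLLAI_TOKEN` step retired, this is the remaining cross-repo token clone described in this section, so the secret name written here should be verified against release.yml, and the line should state that the token's write access is limited to `sahil87/homebrew-tap`.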
Fixed — corrected the secret name to HOMEBREW_TAP_TOKEN (exported as TAP_TOKEN) in the current-state prose. (1ed9671)
| Cross-compile targets: `darwin/arm64`, `darwin/amd64`, `linux/arm64`, `linux/amd64`. Each target built with `CGO_ENABLED=0` and ldflags. Output: `run-kit-{os}-{arch}.tar.gz` tarballs uploaded to GitHub Release via `softprops/action-gh-release`. | ||
|
|
||
| **Help-tree publish to shll.ai** (the **final** CI step — placed after the GitHub Release and Homebrew tap deliberately): runs `dist/rk-linux-amd64/rk help-dump help/run-kit.json` against the versioned linux/amd64 artifact (so the emitted `version` is the real release), then validates the output with `jq empty`. **The entire in-repo produce+copy class — `rk help-dump`, `jq empty`, the `mkdir -p /tmp/shll-ai/help`, and the `cp help/run-kit.json` into the clone — is fatal and fails the job loudly (`::error::` + non-zero) on any defect** (missing binary, dump error, invalid JSON, missing source/dest); the `cp` is explicitly NOT part of the best-effort wrapper and is guarded so a failed copy can never reach the "unchanged → nothing to publish" no-diff `return 0` that previously silenced it. Because the step runs last, that failure does not preempt the already-published GitHub Release / Homebrew tap. The cross-repo publish itself is **best-effort / non-fatal**: it opens an auto-merge PR (not a direct push) into `sahil87/shll.ai` via the `SHLLAI_TOKEN` secret, mirroring the Homebrew-tap token-clone pattern (`git clone https://x-access-token:${SHLLAI_TOKEN}@github.com/sahil87/shll.ai.git`, fresh `rk-help-dump-<version>` branch off `main`, `gh pr create` + `gh pr merge --auto` with `GH_TOKEN=$SHLLAI_TOKEN`). Since it runs *after* the release artifacts / GitHub Release / Homebrew tap are produced, it skips with a log line when `help/run-kit.json` is unchanged, and logs a `::warning::` (leaving any PR open for manual merge) rather than failing the release if shll.ai (clone/PR/merge) is unreachable or repo-level auto-merge is disabled. `help/run-kit.json` is rk's slice of a multi-tool (7-tool) shll.ai "Command reference" rollout; the shll.ai site-side Astro loader / reference UI lives in a separate repo (out of scope). The producer is the hidden `rk help-dump` subcommand (see `## CLI Subcommands`). (`260602-a36m-help-dump-shll-ai`) | ||
| **Help-tree publish to shll.ai — RETIRED (push → pull, `260603-iak3-teardown-shllai-publish-ci`):** the release job no longer publishes the help tree. The former **final** CI step (`Publish help tree to shll.ai`, deliberately placed after the GitHub Release and Homebrew tap) ran `rk help-dump help/run-kit.json` then opened a best-effort auto-merge PR into `sahil87/shll.ai` via the `SHLLAI_TOKEN` cross-repo write secret — that entire step was removed. shll.ai inverted its integration model from **push** (each toolkit CLI produced its help JSON in CI and PR'd it into shll.ai) to **pull** (shll.ai now runs `rk help-dump` itself on a schedule and captures the output), making the push path redundant work and a redundant attack surface (dual writers to `help/run-kit.json` could race). The `SHLLAI_TOKEN` reference was removed from CI along with the step; the GitHub repo secret itself is an operator follow-up to delete (least-privilege, no remaining consumer). The hidden `rk help-dump` subcommand is **preserved unchanged** as the single contract surface shll.ai pulls from (see `## CLI Subcommands`). After removal, the `release` job's final step is **Update Homebrew tap**. (Historical: the push step was added in `260602-a36m-help-dump-shll-ai` and hardened in `260602-2dt9-fix-shllai-help-publish`.) |
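Review bot: the replacement paragraph shortens the retired command to `rk help-dump help/run-kit.json`, but the line it replaces records it as `dist/rk-linux-amd64/rk help-dump help/run-kit.json`, run against the versioned linux/amd64 artifact. Keep the full path in the historical description so it matches what the step ran. The paragraph also leaves deletion of the `SHLLAI_TOKEN` repo secret as an operator follow-up; linking a tracking issue or checklist item would keep a write-scoped token from lingering.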
Fixed — corrected the retired-step command to dist/rk-linux-amd64/rk help-dump help/run-kit.json (the versioned linux/amd64 artifact). (1ed9671)
Meta
Pipeline: intake ✓ → apply ✓ → review ✓ → hydrate ✓ → ship → review-pr
Impact: +0/−95 code (excluding `fab/`, `docs/`) · +395/−99 total

Summary
shll.ai inverted its help-dump integration from a push model to a pull model: instead of each toolkit CLI pushing its help JSON into `sahil87/shll.ai` via a release-CI auto-merge PR, shll.ai now runs a scheduled job that invokes `rk help-dump` itself and captures the output. This PR executes the contract's Teardown Directive for run-kit — removing the now-redundant producer/push transport while preserving `rk help-dump`, which is now the single contract surface shll.ai pulls from.

Changes
- `Publish help tree to shll.ai` step from `.github/workflows/release.yml` (95 deletions). run-kit's entire push path lived in one self-contained final step, so this single deletion removes all four directive components at once:
  - `rk help-dump help/run-kit.json` + `jq empty` validate
  - `publish_to_shllai()` clone/branch/commit/push + `gh pr create`
  - `gh pr merge "$branch" --auto --squash`
  - `SHLLAI_TOKEN` usage — the `env: SHLLAI_TOKEN` block and all its references
- `rk help-dump` unchanged — `app/backend/cmd/rk/help_dump.go` and its tests are untouched. It is now the single contract surface shll.ai pulls from (still exits 0, emits valid JSON, `schema_version: 1`, `tool == "rk"`).
- `docs/memory/run-kit/architecture.md` — updated the `help-dump` CLI Subcommands row (push step → shll.ai pulls via scheduled `rk help-dump`), rewrote the Release Flow & CI/CD section (final release step is now `Update Homebrew tap`), and added a teardown changelog row.

Release path unaffected
The removed step was the last step of the `release` job and was deliberately best-effort: it ran only after the GitHub Release and Homebrew tap were already published, precisely so it could never preempt the user-visible release artifacts. Removing it cannot affect the GitHub Release or the Homebrew tap. After this change the job's final step is `Update Homebrew tap`.

Directive precondition
The Teardown Directive is correct only once shll.ai's pull workflow is live and proven — executing it prematurely would open a stale-help gap. Issuing this change is taken as confirmation that the pull workflow is live. If that turns out to be premature, this PR is fully reversible via a one-step `git revert` (it is a pure deletion of one CI step).

Operator follow-up (out of tree)
After this merges and shll.ai's pull workflow is confirmed live, delete the `SHLLAI_TOKEN` GitHub repository secret from repo settings. It now has no remaining consumer — all code references are removed by this PR — so retaining a cross-repo write-scoped token violates least-privilege (Constitution §I, Security First). This is a repo-settings action, not a code change, so it is not part of this PR's diff.
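One way to confirm the "no remaining consumer" condition before deleting the repository secret, as an added example that is not code from this PR or from run-kit. The workflow text is a constructed sample modelled on the steps described above, and the function names `secret_consumers` and `unreferenced` are hypothetical.

```python
import re

# ${{ secrets.NAME }} expressions in a GitHub Actions workflow.
SECRET_EXPR = re.compile(r"\$\{\{\s*secrets\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")
# env mapping lines such as "TAP_TOKEN: ${{ secrets.HOMEBREW_TAP_TOKEN }}".
ENV_MAP = re.compile(
    r"^\s*([A-Za-z_][A-Za-z0-9_]*):\s*\$\{\{\s*secrets\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")

# Constructed sample: the release job's last two steps before the teardown.
BEFORE = """\
jobs:
  release:
    steps:
      - name: Update Homebrew tap
        env:
          TAP_TOKEN: ${{ secrets.HOMEBREW_TAP_TOKEN }}
        run: git clone "https://x-access-token:${TAP_TOKEN}@github.com/sahil87/homebrew-tap.git"
      - name: Publish help tree to shll.ai
        env:
          SHLLAI_TOKEN: ${{ secrets.SHLLAI_TOKEN }}
        run: |
          git clone "https://x-access-token:${SHLLAI_TOKEN}@github.com/sahil87/shll.ai.git"
          GH_TOKEN=$SHLLAI_TOKEN gh pr merge "$branch" --auto --squash
"""
# Constructed sample: the same job with the publish step deleted.
AFTER = BEFORE.split("      - name: Publish")[0]

def secret_consumers(workflow_text):
    """Map each secret to the line numbers that read it, following env aliases."""
    lines = workflow_text.splitlines()
    uses, alias = {}, {}
    for no, line in enumerate(lines, 1):
        for name in SECRET_EXPR.findall(line):
            uses.setdefault(name, set()).add(no)
        m = ENV_MAP.match(line)
        if m:
            alias[m.group(1)] = m.group(2)  # env var name -> secret name
    # Shell references ($VAR / ${VAR}) to an aliased variable also consume the secret.
    # Simplification: aliases are treated as file-wide, not scoped to their step.
    for no, line in enumerate(lines, 1):
        for var, secret in alias.items():
            if re.search(r"\$\{?" + re.escape(var) + r"\b", line):
                uses[secret].add(no)
    return {name: sorted(nos) for name, nos in uses.items()}

def unreferenced(secret, workflows):
    """True when no workflow text reads the secret, so it can be deleted from settings."""
    return all(secret not in secret_consumers(text) for text in workflows)
```

Following the env alias matters here because the tap secret is read under a different variable name than the secret itself, so a plain search for the secret name would miss the shell lines that use it.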