chore(ci): move Argus to the AAO Secretariat App identity#970
Open
bokelley wants to merge 1 commit into
Open
Conversation
Mint the review App token from SECRETARIAT_APP_ID / SECRETARIAT_APP_PRIVATE_KEY instead of the IPR App secrets, pin the review verifier to aao-secretariat[bot] via ARGUS_BOT_LOGIN, load the reviewer prompt from the PR's base SHA (failing closed if missing at base), and append the WG constitution fetched from adcontextprotocol/adcp@main to the review prompt at review time. The reviewer prompt identifies Argus as the AAO Secretariat's review desk and cites DR-NNNN decision records for settled precedent. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Migrates the Argus AI-review workflow from the IPR App identity to the new AAO Secretariat GitHub App, matching the spec repo's migration (adcontextprotocol/adcp#5832).
What changed
.github/workflows/ai-review.yml):secrets.IPR_APP_ID/secrets.IPR_APP_PRIVATE_KEY→secrets.SECRETARIAT_APP_ID/secrets.SECRETARIAT_APP_PRIVATE_KEY. Reviews will post asaao-secretariat[bot](previouslyaao-ipr-bot[bot]) and continue to count toward the "1 review required" branch-protection check.ARGUS_BOT_LOGIN: aao-secretariat[bot]env and pinned the review-verification step on that login (it previously matched anyuser.type == "Bot"review).git show "${BASE_SHA}:.github/ai-review/expert-adcp-reviewer.md", failing closed if the file is missing at base. Previously it wascatfrom the working checkout (which was checked out at base SHA, but without the explicit fail-closed base-SHA read)..agents/wg/constitution.mdfrom adcontextprotocol/adcp@main at review time and appends it under a## WG constitution (from adcontextprotocol/adcp@main)heading when non-empty. It is fetched from the spec repo's main branch — not from this repo and not from the PR — so it is not attacker-controlled by the PR under review. If the fetch fails, the review runs without it..github/ai-review/expert-adcp-reviewer.md): replaced the personal-voice identity clause with the AAO Secretariat review-desk identity — apply the WG constitution appended to the prompt and cite decision records (DR-NNNNin the spec repo'sgovernance/decisions/) when a question is settled precedent. Repo-specific review logic (MUST FIX lists, coverage rules, expert delegation) is untouched.No other workflows, changesets, or version files touched.
ipr-agreement.ymlkeeps its own IPR App secrets.DO NOT MERGE until the org-level
SECRETARIAT_APP_ID/SECRETARIAT_APP_PRIVATE_KEYsecrets are visible to this repo — otherwise the Mint App token step fails and Argus reviews stop on every PR.🤖 Generated with Claude Code