From 68c61564c69a0f181fd4d4390ffc33b4131eeff6 Mon Sep 17 00:00:00 2001 From: Chummy Date: Sun, 1 Mar 2026 21:49:50 +0800 Subject: [PATCH 1/5] ci: make PR intake Linear key advisory --- .github/workflows/scripts/pr_intake_checks.js | 6 +++--- docs/ci-map.md | 2 +- docs/i18n/vi/ci-map.md | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/scripts/pr_intake_checks.js b/.github/workflows/scripts/pr_intake_checks.js index 0a07239d1..9b6371af1 100644 --- a/.github/workflows/scripts/pr_intake_checks.js +++ b/.github/workflows/scripts/pr_intake_checks.js @@ -88,8 +88,8 @@ module.exports = async ({ github, context, core }) => { blockingFindings.push(`Dangerous patch markers found (${dangerousProblems.length})`); } if (linearKeys.length === 0) { - blockingFindings.push( - "Missing Linear issue key reference (`RMN-`, `CDV-`, or `COM-`) in PR title/body.", + advisoryFindings.push( + "Missing Linear issue key reference (`RMN-`, `CDV-`, or `COM-`) in PR title/body (recommended for traceability, non-blocking).", ); } @@ -156,7 +156,7 @@ module.exports = async ({ github, context, core }) => { "", "Action items:", "1. Complete required PR template sections/fields.", - "2. Link this PR to exactly one active Linear issue key (`RMN-xxx`/`CDV-xxx`/`COM-xxx`).", + "2. (Recommended) Link this PR to one active Linear issue key (`RMN-xxx`/`CDV-xxx`/`COM-xxx`) for traceability.", "3. Remove tabs, trailing whitespace, and merge conflict markers from added lines.", "4. Re-run local checks before pushing:", " - `./scripts/ci/rust_quality_gate.sh`", diff --git a/docs/ci-map.md b/docs/ci-map.md index b786ab21d..762f2afcf 100644 --- a/docs/ci-map.md +++ b/docs/ci-map.md 
@@ -127,7 +127,7 @@ Merge-blocking checks should stay small and deterministic. Optional checks are u - Keep merge-blocking checks deterministic and reproducible (`--locked` where applicable). - Keep merge-queue compatibility explicit by supporting `merge_group` on required workflows (`ci-run`, `sec-audit`, and `sec-codeql`). -- Keep PRs mapped to Linear issue keys (`RMN-*`/`CDV-*`/`COM-*`) via PR intake checks. +- Keep PRs mapped to Linear issue keys (`RMN-*`/`CDV-*`/`COM-*`) when available for traceability (recommended by PR intake checks, non-blocking). - Keep `deny.toml` advisory ignore entries in object form with explicit reasons (enforced by `deny_policy_guard.py`). - Keep deny ignore governance metadata current in `.github/security/deny-ignore-governance.json` (owner/reason/expiry/ticket enforced by `deny_policy_guard.py`). - Keep gitleaks allowlist governance metadata current in `.github/security/gitleaks-allowlist-governance.json` (owner/reason/expiry/ticket enforced by `secrets_governance_guard.py`). diff --git a/docs/i18n/vi/ci-map.md b/docs/i18n/vi/ci-map.md index 0a26afe63..a8ee8c897 100644 --- a/docs/i18n/vi/ci-map.md +++ b/docs/i18n/vi/ci-map.md 
@@ -115,7 +115,7 @@ Các kiểm tra chặn merge nên giữ nhỏ và mang tính quyết định. C - Giữ các kiểm tra chặn merge mang tính quyết định và tái tạo được (`--locked` khi áp dụng được). - Đảm bảo tương thích merge queue bằng cách hỗ trợ `merge_group` cho các workflow bắt buộc (`ci-run`, `sec-audit`, `sec-codeql`). -- Bắt buộc PR liên kết với Linear issue key (`RMN-*`/`CDV-*`/`COM-*`) qua PR intake checks. +- Khuyến nghị PR liên kết với Linear issue key (`RMN-*`/`CDV-*`/`COM-*`) khi có để truy vết (PR intake checks chỉ cảnh báo, không chặn merge). - Bắt buộc entry `advisories.ignore` trong `deny.toml` dùng object có `id` + `reason` (được kiểm tra bởi `deny_policy_guard.py`). - Giữ metadata governance cho deny ignore trong `.github/security/deny-ignore-governance.json` luôn cập nhật (owner/reason/expiry/ticket được kiểm tra bởi `deny_policy_guard.py`). - Giữ metadata quản trị allowlist gitleaks trong `.github/security/gitleaks-allowlist-governance.json` luôn cập nhật (owner/reason/expiry/ticket được kiểm tra bởi `secrets_governance_guard.py`). From bf660f0b4ca2b77b73134a0c0bdb4869f0c829c8 Mon Sep 17 00:00:00 2001 From: Chummy Date: Sun, 1 Mar 2026 22:12:32 +0800 Subject: [PATCH 2/5] docs(ci): clarify PR intake re-trigger semantics --- docs/ci-map.md | 3 ++- docs/i18n/vi/ci-map.md | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/docs/ci-map.md b/docs/ci-map.md index 762f2afcf..f983a2df9 100644 --- a/docs/ci-map.md +++ b/docs/ci-map.md 
@@ -118,7 +118,7 @@ Merge-blocking checks should stay small and deterministic. Optional checks are u 3. Release failures (tag/manual/scheduled): inspect `.github/workflows/pub-release.yml` and the `prepare` job outputs. 4. Security failures: inspect `.github/workflows/sec-audit.yml` and `deny.toml`. 5. Workflow syntax/lint failures: inspect `.github/workflows/workflow-sanity.yml`. -6. PR intake failures: inspect `.github/workflows/pr-intake-checks.yml` sticky comment and run logs. +6. PR intake failures: inspect `.github/workflows/pr-intake-checks.yml` sticky comment and run logs. If intake policy changed recently, trigger a fresh `pull_request_target` event (for example close/reopen PR) because `Re-run jobs` can reuse the original workflow snapshot. 7. Label policy parity failures: inspect `.github/workflows/pr-label-policy-check.yml`. 8. Docs failures in CI: inspect `docs-quality` job logs in `.github/workflows/ci-run.yml`. 9. Strict delta lint failures in CI: inspect `lint-strict-delta` job logs and compare with `BASE_SHA` diff scope. 
@@ -128,6 +128,7 @@ Merge-blocking checks should stay small and deterministic. Optional checks are u - Keep merge-blocking checks deterministic and reproducible (`--locked` where applicable). - Keep merge-queue compatibility explicit by supporting `merge_group` on required workflows (`ci-run`, `sec-audit`, and `sec-codeql`). - Keep PRs mapped to Linear issue keys (`RMN-*`/`CDV-*`/`COM-*`) when available for traceability (recommended by PR intake checks, non-blocking). +- Keep PR intake backfills event-driven: when intake logic changes, prefer triggering a fresh PR event over rerunning old runs so checks evaluate against the latest workflow/script snapshot. - Keep `deny.toml` advisory ignore entries in object form with explicit reasons (enforced by `deny_policy_guard.py`). - Keep deny ignore governance metadata current in `.github/security/deny-ignore-governance.json` (owner/reason/expiry/ticket enforced by `deny_policy_guard.py`). - Keep gitleaks allowlist governance metadata current in `.github/security/gitleaks-allowlist-governance.json` (owner/reason/expiry/ticket enforced by `secrets_governance_guard.py`). diff --git a/docs/i18n/vi/ci-map.md b/docs/i18n/vi/ci-map.md index a8ee8c897..11d9417f0 100644 --- a/docs/i18n/vi/ci-map.md +++ b/docs/i18n/vi/ci-map.md 
@@ -105,7 +105,7 @@ Các kiểm tra chặn merge nên giữ nhỏ và mang tính quyết định. C 8. Cảnh báo drift tính tái lập build: kiểm tra artifact của `.github/workflows/ci-reproducible-build.yml`. 9. Lỗi provenance/ký số: kiểm tra log và bundle artifact của `.github/workflows/ci-supply-chain-provenance.yml`. 10. Sự cố lập kế hoạch/thực thi rollback: kiểm tra summary + artifact `ci-rollback-plan` của `.github/workflows/ci-rollback.yml`. -11. PR intake thất bại: kiểm tra comment sticky `.github/workflows/pr-intake-checks.yml` và run log. +11. PR intake thất bại: kiểm tra comment sticky `.github/workflows/pr-intake-checks.yml` và run log. Nếu policy intake vừa thay đổi, hãy kích hoạt sự kiện `pull_request_target` mới (ví dụ close/reopen PR) vì `Re-run jobs` có thể dùng lại snapshot workflow cũ. 12. Lỗi parity chính sách nhãn: kiểm tra `.github/workflows/pr-label-policy-check.yml`. 13. Lỗi tài liệu trong CI: kiểm tra log job `docs-quality` trong `.github/workflows/ci-run.yml`. 14. Lỗi strict delta lint trong CI: kiểm tra log job `lint-strict-delta` và so sánh với phạm vi diff `BASE_SHA`. 
@@ -116,6 +116,7 @@ Các kiểm tra chặn merge nên giữ nhỏ và mang tính quyết định. C - Giữ các kiểm tra chặn merge mang tính quyết định và tái tạo được (`--locked` khi áp dụng được). - Đảm bảo tương thích merge queue bằng cách hỗ trợ `merge_group` cho các workflow bắt buộc (`ci-run`, `sec-audit`, `sec-codeql`). - Khuyến nghị PR liên kết với Linear issue key (`RMN-*`/`CDV-*`/`COM-*`) khi có để truy vết (PR intake checks chỉ cảnh báo, không chặn merge). +- Với backfill PR intake, ưu tiên kích hoạt sự kiện PR mới thay vì rerun run cũ để đảm bảo check đánh giá theo snapshot workflow/script mới nhất. - Bắt buộc entry `advisories.ignore` trong `deny.toml` dùng object có `id` + `reason` (được kiểm tra bởi `deny_policy_guard.py`). - Giữ metadata governance cho deny ignore trong `.github/security/deny-ignore-governance.json` luôn cập nhật (owner/reason/expiry/ticket được kiểm tra bởi `deny_policy_guard.py`). - Giữ metadata quản trị allowlist gitleaks trong `.github/security/gitleaks-allowlist-governance.json` luôn cập nhật (owner/reason/expiry/ticket được kiểm tra bởi `secrets_governance_guard.py`). From 8724945742000b574214bf247bc6b75850e44a2f Mon Sep 17 00:00:00 2001 From: Chummy Date: Sun, 1 Mar 2026 02:32:43 +0000 Subject: [PATCH 3/5] docs(testing): add mention_only non-text regression check --- TESTING_TELEGRAM.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/TESTING_TELEGRAM.md b/TESTING_TELEGRAM.md index 7a09c6fbd..fdf01a78e 100644 --- a/TESTING_TELEGRAM.md +++ b/TESTING_TELEGRAM.md @@ -115,6 +115,9 @@ After running automated tests, perform these manual checks: - Send message with @botname mention - Verify: Bot responds and mention is stripped - DM/private chat should always work regardless of mention_only + - Regression check (group non-text): verify group media without mention does not trigger bot reply + - Regression command: + `cargo test -q telegram_mention_only_group_photo_without_caption_is_ignored` 6. **Error logging** 
From efcc4928ea6388eecce3bceded4a6db46d5e1885 Mon Sep 17 00:00:00 2001 From: Chummy Date: Sun, 1 Mar 2026 02:32:21 +0000 Subject: [PATCH 4/5] docs(changelog): note agent session persistence rollout keys --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index ece72d9dc..7413859d6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -19,6 +19,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - `SecretStore::needs_migration()` — Check if a value uses the legacy `enc:` format - `SecretStore::is_secure_encrypted()` — Check if a value uses the secure `enc2:` format - `feishu_doc` tool — Feishu/Lark document operations (`read`, `write`, `append`, `create`, `list_blocks`, `get_block`, `update_block`, `delete_block`, `create_table`, `write_table_cells`, `create_table_with_values`, `upload_image`, `upload_file`) +- Agent session persistence guidance now includes explicit backend/strategy/TTL key names for rollout notes. - **Telegram mention_only mode** — New config option `mention_only` for Telegram channel. When enabled, bot only responds to messages that @-mention the bot in group chats. Direct messages always work regardless of this setting. Default: `false`. From b64cae9d3d9a57e1b12a9c3915145dd5cdc9341a Mon Sep 17 00:00:00 2001 From: Chummy Date: Sun, 1 Mar 2026 02:33:04 +0000 Subject: [PATCH 5/5] docs(test): note Rust 1.88 alignment for release checks --- RUN_TESTS.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/RUN_TESTS.md b/RUN_TESTS.md index eddc5785c..9a3182822 100644 --- a/RUN_TESTS.md +++ b/RUN_TESTS.md @@ -13,6 +13,8 @@ cargo test telegram --lib ``` +Toolchain note: CI/release metadata is aligned with Rust `1.88`; use the same stable toolchain when reproducing release-facing checks locally. + ## 📝 What Was Created For You ### 1. **test_telegram_integration.sh** (Main Test Suite)
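Review bot: in [PATCH 1/5], `pr_intake_checks.js` hunk `@@ -88,8 +88,8 @@`, the `linearKeys.length === 0` branch now pushes to `advisoryFindings`, but the hunk does not show how advisory findings reach the PR author. Confirm that `advisoryFindings` is rendered in the sticky comment even when `blockingFindings` is empty, otherwise the recommendation is never seen. A test case for "missing key only: check passes, advisory shown" would pin the new behaviour.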
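Review bot: in [PATCH 1/5], `pr_intake_checks.js` hunk `@@ -156,7 +156,7 @@`, item 2 remains a fixed string in the numbered "Action items:" list, so as far as the hunk shows it is printed next to required steps 1 and 3 even when the PR already carries a key. Now that the key is advisory, consider emitting the line only when `linearKeys.length === 0`, or moving it out of the required list. The wording also changed from "exactly one" to "one"; if several keys per PR are now acceptable, say so in the commit message.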
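Review bot: in [PATCH 2/5], `docs/ci-map.md` hunk `@@ -118,7 +118,7 @@`, item 6 offers close/reopen as the way to get a fresh `pull_request_target` event, but that only works if `pr-intake-checks.yml` listens for the `reopened` activity type, which the text does not state. Name the activity types the workflow subscribes to, and mention that close/reopen also re-triggers any other PR workflow listening for `reopened`. "can reuse" could be firmer: a re-run executes against the same commit SHA and ref as the original run.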
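Review bot: in [PATCH 2/5], `docs/ci-map.md` hunk `@@ -128,6 +128,7 @@`, the added bullet repeats the guidance this same patch adds to triage item 6 and uses "backfills" without defining it. Define the term where it first appears, or shorten the bullet to a pointer to item 6 so the two statements cannot drift apart.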
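Review bot: in [PATCH 2/5], `docs/i18n/vi/ci-map.md` hunk `@@ -116,6 +116,7 @@`, the added Vietnamese bullet drops the condition the English bullet carries ("when intake logic changes") and so reads as a rule for every backfill. Add the condition, as item 11 in the same file already does with "Nếu policy intake vừa thay đổi", so both language versions state the same policy.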
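Review bot: in [PATCH 3/5], `TESTING_TELEGRAM.md` hunk `@@ -115,6 +115,9 @@`, the regression command selects the test by name filter, and `cargo test` exits successfully when a filter matches no tests, so a renamed or removed test would let this check pass silently, all the more with `-q`. Tell the reader to confirm that exactly one test ran, or use `-- --exact` with the full test path. The bullet says "group media" while the named test covers a photo without caption; narrow the wording or list the other media types to check by hand. The test itself is not added anywhere in this series, so reference the commit that introduces it.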
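Review bot: in [PATCH 4/5], `CHANGELOG.md` hunk `@@ -19,6 +19,7 @@`, the new entry says the guidance "includes explicit backend/strategy/TTL key names" but names none of them and does not say which document carries the guidance. List the key names or link the document. The entry also sits between two feature entries (`feishu_doc` and Telegram mention_only) although it describes a documentation change; place it under a docs heading if the changelog has one.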
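Review bot: in [PATCH 5/5], `RUN_TESTS.md` hunk `@@ -13,6 +13,8 @@`, the toolchain note hard-codes Rust `1.88` in prose, which goes stale as soon as the CI pin moves. Point to the file that holds the pinned version as the source of truth, and show how to select it locally, for example `cargo +1.88 test telegram --lib` under rustup.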