Skip to content

Document allowlist automation workflows in README#714

Merged
dave2wave merged 3 commits intomainfrom
docs/workflow-automation-diagrams
Apr 18, 2026
Merged

Document allowlist automation workflows in README#714
dave2wave merged 3 commits intomainfrom
docs/workflow-automation-diagrams

Conversation

@potiuk
Copy link
Copy Markdown
Member

@potiuk potiuk commented Apr 14, 2026

Summary

  • Document the workflows that keep actions.yml, .github/workflows/dummy.yml, and approved_patterns.yml in sync (update_actions.yml, update_dummy.yml, remove_expired.yml, verify_dependabot_action.yml, check_approved_limit.yml)
  • Split the pipeline diagram into two focused mermaid graphs — one under "Adding a New Action to the Allow List" (manual-PR path) and one under the renamed "Updating version of already approved action" section (Dependabot path + daily expiration cleanup)
  • Clarify that routine version removal is automated via expires_at + the daily remove_expired.yml job, leaving the manual removal section for urgent/security cases

Test plan

  • Verify both mermaid diagrams render correctly in the GitHub README preview
  • Confirm the TOC link to "Updating Version of Already Approved Action" resolves
  • Spot-check that the described workflow triggers and behaviors match the YAML in .github/workflows/

Generated-by: Claude Opus 4.6 (1M context)

@potiuk
Copy link
Copy Markdown
Member Author

potiuk commented Apr 14, 2026

Better documents that we have in fact two different workflows.

@potiuk potiuk requested review from dave2wave and raboof April 14, 2026 21:50
@potiuk potiuk force-pushed the docs/workflow-automation-diagrams branch from b090a1a to 0422f96 Compare April 15, 2026 00:06
@potiuk
Copy link
Copy Markdown
Member Author

potiuk commented Apr 15, 2026

Rebased onto main after #712 merged, and updated all doc references to match the post-712 naming:

  • .github/workflows/dummy.yml.github/actions/for-dependabot-triggered-reviews/action.yml (both mermaid diagrams and the surrounding prose)
  • update_dummy.ymlupdate_composite_action.yml (diagram edge labels + the paragraph about what regenerates the generated files)

No other content changes — the structure and section ordering are the same as before the rebase.

@potiuk
Copy link
Copy Markdown
Member Author

potiuk commented Apr 15, 2026

Depends on #717

raboof
raboof approved these changes Apr 15, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@raboof raboof left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like the text changes.

Splitting the mermaid graph into two graphs definitely makes these individual workflows easier to understand, but I'm not sure it makes "the whole system" easier to understand. I wonder if it'd make sense to have one "full" graph and then per section have that same graph but highlight the steps that are relevant for that workflow? OK as-is, too, though.

Comment thread README.md Outdated
Comment thread README.md Outdated
potiuk added 2 commits April 18, 2026 13:49
@potiuk
Document allowlist automation workflows in README
7ee0884
@potiuk
README: split auto-expiration into its own section
c07be58 
Addresses @raboof review feedback on #714:
- Pull the `expires_at` + `remove_expired.yml` explanation out of the
  "Updating Version" section into its own "Automatic Expiration of Old
  Versions" subsection between "Manual Version Addition" and "Removing a
  Version Manually", with its own mini mermaid graph showing the daily
  cleanup edge that was previously a self-loop on the updating diagram.
- Apply the line-288 wording suggestion: the manual-removal intro now
  says the manual path is needed only when you "can't wait for the entry
  to expire" rather than "the next daily run" — the daily cadence is a
  detail of the new section, not of the manual flow.

Rebased onto current main; no content changes beyond the review feedback.

Generated-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@potiuk potiuk force-pushed the docs/workflow-automation-diagrams branch from 0422f96 to c07be58 Compare April 18, 2026 11:51
@potiuk
README: add a full-pipeline summary diagram
75f87e4 
Address @raboof's review idea of "one full graph" that ties the
per-section diagrams together. Adds a Pipeline Overview subsection at
the top of the allow-list management section with a single mermaid
graph covering every entry point (human PR, Dependabot PR, daily cron),
every workflow (update_actions, update_composite_action,
remove_expired, verify_dependabot_action, check_approved_limit) and the
three files they keep in sync (actions.yml, approved_patterns.yml,
for-dependabot-triggered-reviews/action.yml).

Edge styling carries meaning: thick arrows are regeneration flows that
rewrite the generated files, thin arrows feed new content into the
pipeline, dotted arrows are observer workflows. Node colors separate
the source of truth, generated files, triggers and observer workflows.
The existing per-section diagrams remain as focused zooms into each
slice of the overall flow.

Generated-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@potiuk
Copy link
Copy Markdown
Member Author

potiuk commented Apr 18, 2026

I also updated overall pipeline description. This one depends on merging #735

@potiuk potiuk requested a review from dfoulks1 April 18, 2026 12:03
@dave2wave dave2wave merged commit aff2200 into main Apr 18, 2026
7 of 8 checks passed
@dave2wave dave2wave deleted the docs/workflow-automation-diagrams branch April 18, 2026 15:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@raboof raboof raboof approved these changes

@dave2wave dave2wave Awaiting requested review from dave2wave

@dfoulks1 dfoulks1 Awaiting requested review from dfoulks1

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@potiuk @raboof @dave2wave