Skip to content

feat(ci): add automated Epic documentation audit workflow#36294

Open
jdcmsd wants to merge 14 commits into
mainfrom
autodoc-action-addition
Open

feat(ci): add automated Epic documentation audit workflow#36294
jdcmsd wants to merge 14 commits into
mainfrom
autodoc-action-addition

Conversation

@jdcmsd

@jdcmsd jdcmsd commented Jun 23, 2026

Copy link
Copy Markdown
Member

This resolves #36293 by adding an automation that hopefully works. Testing on core-workflow-repo seemed entirely promising, so hopefully the change of environment won't add any complications!

All secrets (AUTODOC_*) have already been provisioned by moi.

This PR fixes: #36293

@github-actions

github-actions Bot commented Jun 23, 2026

Copy link
Copy Markdown
Contributor

🤖 Bedrock Review — us.deepseek.r1-v1:0

New Issues

  • 🔴 Critical: .github/workflows/issue_autodoc.yml:119 — Finalize step commits changes but never pushes them (local commit will be lost after job ends)
  • 🟠 High: .github/workflows/issue_autodoc.yml:44 — jq query fails when issue has no parent (parent is null), breaking preflight check for non-Epic issues
  • 🟠 High: .github/workflows/issue_autodoc.yml:70 — Missing contents: write permission (needed to push doc changes in finalize step)
  • 🟡 Medium: .github/workflows/issue_autodoc.yml:103 — Installs global npm package @anthropic-ai/claude-code without version pinning (security risk from untrusted package updates)

Run: #28055682450 · tokens: in: 2428 · out: 1767 · total: 4195

@claude

claude Bot commented Jun 23, 2026

Copy link
Copy Markdown
Contributor

Claude finished @jdcmsd's task in 1m 42s —— View job


Rollback Safety Analysis

  • Read rollback-unsafe categories reference
  • Get full PR diff
  • Analyze diff against all unsafe categories
  • Apply safety label

Result: ✅ Safe To Rollback

This PR contains three changes, none of which match any rollback-unsafe category:

  1. .github/workflows/issue_autodoc.yml (new file) — A new GitHub Actions CI workflow. Workflow files have no effect on the dotCMS application binary, database schema, Elasticsearch mappings, or any stored data. Adding or removing a workflow file is entirely safe to roll back by reverting the commit.

  2. OwaspEncoderTool.java — Javadoc-only changes. The diff updates the @code tag in the class-level comment from $encode to $owasp and updates the example snippets accordingly. No change to any method signature, return type, or the viewtool's actual registration key in toolbox.xml. This is documentation text only — no compiled contract change, no VTL runtime impact (category H-8 does not apply).

  3. Language.properties — Fixes a typo ("writting" → "writing") in a UI label string. A UI string change carries no data, schema, or API contract implications.

All categories checked: C-1, C-2, C-3, C-4, H-1, H-2, H-3, H-4, H-5, H-6, H-7, H-8, M-1, M-2, M-3, M-4 — none match.

Label applied: AI: Safe To Rollback

@github-actions github-actions Bot added the Area : CI/CD PR changes GitHub Actions/workflows label Jun 23, 2026
Replace uv/Python-script-based eval and finalize steps with:
- Python3 stdlib context assembly using gh CLI and grep
- Shell finalize using gh issue comment, curl for dotCMS API,
  and git commit/push
- prompts/burlap.txt read directly via cat (no YAML parsing)
- Fix jq null parent bug in preflight guard

Eliminates dependency on dotcms-aios PR merge order.
- Fix -f → -F on gh api PATCH so the file is read, not sent literally
- Prepend <!-- autodoc-report --> marker in finalize before posting so
  idempotent edit lookup works (marker was not in the report itself)
- Add --paginate to comment lookup to search beyond the first page
- Use jq first // empty instead of | head -1 to avoid SIGPIPE
- Fix urlTitle awk to use sub() consistent with title/tags/seoDescription
- Remove -k (TLS bypass); add --fail-with-body to dotCMS curl calls
- Add comment clarifying AUTODOC_DOTCMS_API_TOKEN_AISEARCH is used by
  the Claude subprocess via burlap.txt, not directly by a workflow step
- Make git push conditional on commit succeeding (|| true was causing
  unconditional push even when there was nothing new to commit)
- Add git push origin HEAD for explicit branch targeting
- Validate urlTitle is a URL slug before interpolating into JSON query
  (non-slug chars would break the shell-built -d payload)
- Validate IDENTIFIER matches UUID format before placing in URL
- Add comment on unpinned npm install explaining the tradeoff
@jdcmsd

jdcmsd commented Jun 24, 2026

Copy link
Copy Markdown
Member Author

Claude's roasting this bedrock review:

This one is the reviewer losing track of its own state, not new problems.

Look at the "Resolved" section — it correctly acknowledges that URL_TITLE and IDENTIFIER validation were fixed. Then in "New Issues" it flags the exact same concerns at lines 218 and 225, which are just the shifted line numbers of the same curl command and the same UUID check — both of which now sit after the validation guards we added. The reviewer saw the guards fix the old line numbers (249/266 → resolved) but then re-flagged the code they guard as if it were fresh unprotected code.

Same story for git push: we changed || true + unconditional push to a conditional if git commit; then git push origin HEAD; fi. The reviewer marks both the || true and the branch-spec concerns as "existing" — i.e. it doesn't recognize the fix — while simultaneously flagging them as new. It's reading the file inconsistently across the two passes.

The "git push without timeout/retry → repo corruption" finding has always been noise. A failed git push fails the step. Nothing corrupts.

Nothing in this report requires a code change. The only open item across all the reviews is npm version pinning, which we consciously chose to address with a comment rather than pinning to a stale version. If the team has a formal policy requiring pinned versions in workflow files, that's the one thing worth revisiting — but it's a policy call, not a bug.

jdcmsd added a commit to dotCMS/core-workflow-test that referenced this pull request Jun 24, 2026
Rewrites the `issue_autodoc.yml` workflow to eliminate the `uv` /
Python-script dependency, making it self-contained.

**What changed:**
- Removed: `Set up uv`, `Install autodoc dependencies`, `uv run python
finalize.py` steps
- Build eval context: Python3 stdlib + `gh` CLI in a heredoc (no pip, no
venv)
- Run Claude: unchanged — `claude --print --allowedTools Bash,Write <
/tmp/eval_context.md`
- Finalize: pure shell + inline Python3 heredocs for JSON payloads; `gh
issue comment` for posting; `curl` for dotCMS EDIT/NEW; `git push` for
committing
- Fixed jq null-parent bug in preflight guard
- Reads `prompts/burlap.txt` directly (no YAML parsing)

This mirrors the change in `dotCMS/core` PR dotCMS#36294 and resolves the
ordering dependency on the dotcms-aios PR.
Report lives as an issue comment — the repo copy is redundant.
Removing the push also drops the write-scope requirement on AUTODOC_AIOS_CI.
Embed burlap.txt content directly in the workflow as a heredoc step.
Update report path to /tmp — report is ephemeral, lives as issue comment.
dotcms-aios checkout now solely serves vault epic context lookup.
- Replace label check for Epic with issue type check (github.event.issue.type.name)
- Update GraphQL parent lookup to use issueType { name } instead of labels
- Add id-token: write permission for Bedrock OIDC
- Replace npm install + claude --print with anthropics/claude-code-action@v1;
  model and Bedrock role sourced from vars.BEDROCK_MODEL_ID / vars.BEDROCK_ROLE_ARN
- Split finalize into three discrete steps for easier auditing:
  Post report comment / Apply doc update to dotCMS / Apply doc create to dotCMS
…tcms-aios checkout

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@dotCMS dotCMS deleted a comment from github-actions Bot Jun 27, 2026
@dotCMS dotCMS deleted a comment from github-actions Bot Jun 27, 2026
@dotCMS dotCMS deleted a comment from github-actions Bot Jun 27, 2026
@dotCMS dotCMS deleted a comment from github-actions Bot Jun 27, 2026
@dotCMS dotCMS deleted a comment from github-actions Bot Jun 27, 2026
@dotCMS dotCMS deleted a comment from github-actions Bot Jun 27, 2026
@dotCMS dotCMS deleted a comment from github-actions Bot Jun 27, 2026
@dotCMS dotCMS deleted a comment from github-actions Bot Jun 27, 2026
@dotCMS dotCMS deleted a comment from github-actions Bot Jun 27, 2026
@dotCMS dotCMS deleted a comment from github-actions Bot Jun 27, 2026
@dotCMS dotCMS deleted a comment from github-actions Bot Jun 27, 2026
@github-actions

github-actions Bot commented Jun 27, 2026

Copy link
Copy Markdown
Contributor

🤖 dotBot Review (Bedrock)

Reviewed 3 file(s); 6 candidate(s) → 1 confirmed, 0 uncertain (unverified, kept for review).

Confirmed findings

  • 🟠 High .github/workflows/issue_autodoc.yml:12 — Incorrect label name in GitHub Actions workflow
    The workflow checks for the label 'Doc : Needs Doc' with an extra space after the colon. Repository labels typically use 'Doc: Needs Doc' without the space. This mismatch prevents the automation from triggering correctly, as the label name does not exist with the space. Evidence: The line if: contains(github.event.issue.labels.*.name, 'Doc : Needs Doc') in .github/workflows/issue_autodoc.yml shows the incorrect spacing.

us.deepseek.r1-v1:0 · Run: #28389870970 · tokens: in: 21462 · out: 11651 · total: 33113 · calls: 10 · est. ~$0.092

@github-actions github-actions Bot added Area : Backend PR changes Java/Maven backend code and removed AI: Safe To Rollback labels Jun 29, 2026
@jdcmsd

jdcmsd commented Jun 29, 2026

Copy link
Copy Markdown
Member Author

PR includes two minuscule doc changes: one fixes a typo in a label, the other fixes an error in the Javadocs.

name: Determine whether to run
if: |
github.event.issue.type.name == 'Epic' ||
contains(github.event.issue.labels.*.name, 'Doc : Needs Doc') ||

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟠 [High] Incorrect label name in GitHub Actions workflow

The workflow checks for the label 'Doc : Needs Doc' with an extra space after the colon. Repository labels typically use 'Doc: Needs Doc' without the space. This mismatch prevents the automation from triggering correctly, as the label name does not exist with the space. Evidence: The line if: contains(github.event.issue.labels.*.name, 'Doc : Needs Doc') in .github/workflows/issue_autodoc.yml shows the incorrect spacing.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

AI: Safe To Rollback Area : Backend PR changes Java/Maven backend code Area : CI/CD PR changes GitHub Actions/workflows

Projects

Status: No status

Development

Successfully merging this pull request may close these issues.

Add autodoc CI automation

3 participants