fix(ci): relax hosted push-main alerts gate

xiaojiou176 · xiaojiou176 · commit d19b16c0db96 · 2026-04-06T13:24:55.000-07:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -272,13 +272,21 @@ jobs:
           CORTEXPILOT_DOC_GATE_MODE: ci-diff
           CORTEXPILOT_DOC_GATE_BASE_SHA: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.sha || github.event.before }}
           CORTEXPILOT_DOC_GATE_HEAD_SHA: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
+          CORTEXPILOT_CI_ROUTE_ID: ${{ needs.ci-trust-boundary.outputs.route_id }}
+          CORTEXPILOT_CI_RUNNER_CLASS: github_hosted
           CORTEXPILOT_HYGIENE_QUICK_PATH: "1"
           GH_TOKEN: ${{ github.token }}
           TRUSTED_ROUTE_ALLOWED: ${{ needs.ci-trust-boundary.outputs.trusted_route_allowed }}
         run: |
           set -euo pipefail
           github_alert_mode="require"
-          if [[ "${GITHUB_EVENT_NAME}" == "pull_request" ]]; then
+          if [[ "${CORTEXPILOT_CI_RUNNER_CLASS:-}" == "github_hosted" ]]; then
+            case "${CORTEXPILOT_CI_ROUTE_ID:-}" in
+              trusted_pr|untrusted_pr|push_main)
+                github_alert_mode="auto"
+                ;;
+            esac
+          elif [[ "${GITHUB_EVENT_NAME}" == "pull_request" ]]; then
             github_alert_mode="auto"
           fi
           export CORTEXPILOT_GITHUB_ALERTS_MODE="${github_alert_mode}"
diff --git a/AGENTS.md b/AGENTS.md
@@ -79,8 +79,9 @@ Work in CortexPilot as a contract-first engineering agent:
   `example.com` contract, preserve `.jsonl` temp-report hints in portable scan
   scratch names, fail closed on tracked direct email/phone markers plus
   forbidden runtime files, fail closed on open GitHub secret/code scanning
-  alerts in local hooks and pre-push while GitHub-hosted `pull_request`
-  Quick Feedback / hosted policy lanes stay advisory under integration-token
+  alerts in local hooks and pre-push while GitHub-hosted `trusted_pr`,
+  `untrusted_pr`, and hosted-first `push_main` Quick Feedback / hosted policy
+  lanes stay advisory under integration-token and first-analysis timing
   limits, keep workflow static security (`actionlint` + `zizmor`), canonical
   secret scanning, and Trivy dependency scanning wired into repo-owned
   entrypoints, and sync the root/docs entrypoints when that hygiene contract
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -24,8 +24,9 @@ All notable changes to this repository will be documented in this file.
   `security-events: read` plus an explicit `GH_TOKEN` injection, aligning the
   route-report policy test with the grouped `GITHUB_ENV` export block used by
   the current workflow hardening, and teaching hosted `trusted_pr` /
-  `untrusted_pr` repo hygiene to keep the live alerts query advisory when the
-  GitHub integration token still cannot read the alerts APIs
+  `untrusted_pr` / `push_main` repo hygiene plus Quick Feedback to keep the
+  live alerts query advisory when the GitHub integration token still cannot
+  read the alerts APIs or the first hosted analysis has not materialized yet
 - scrubbed maintainer-local path fixtures and raw token-looking literals from
   public orchestrator/security tests, generalized the modules-root ignore rule,
   and documented the same public-fixture hygiene contract across the root AI
diff --git a/CLAUDE.md b/CLAUDE.md
@@ -22,8 +22,9 @@ This file mirrors the root AI entrypoint for tools that prefer `CLAUDE.md`.
   `example.com` contract, preserve `.jsonl` temp-report hints in portable scan
   scratch names, fail closed on tracked direct email/phone markers plus
   forbidden runtime files, fail closed on open GitHub secret/code scanning
-  alerts in local hooks and pre-push while GitHub-hosted `pull_request`
-  Quick Feedback / hosted policy lanes stay advisory under integration-token
+  alerts in local hooks and pre-push while GitHub-hosted `trusted_pr`,
+  `untrusted_pr`, and hosted-first `push_main` Quick Feedback / hosted policy
+  lanes stay advisory under integration-token and first-analysis timing
   limits, keep workflow static security (`actionlint` + `zizmor`), canonical
   secret scanning, and Trivy dependency scanning wired into repo-owned
   entrypoints, and sync the root/docs entrypoints when that contract shifts
diff --git a/README.md b/README.md
@@ -270,11 +270,13 @@ current-tree plus fresh-clone secret scanning
 (`bash scripts/check_secret_scan_closeout.sh --mode both`), while pull
 requests also run the official GitHub Dependency Review action with the
 repo-owned `.github/dependency-review-config.yml` policy.
-GitHub-hosted `pull_request` routes keep the live alerts query in advisory
-mode for both Quick Feedback and the hosted policy slice, because the
-integration token cannot always read the secret/code-scanning alert APIs
-there; the fail-closed contract still holds on local hooks, local repo
-hygiene, pre-push, and other routes that carry authoritative credentials.
+GitHub-hosted `trusted_pr`, `untrusted_pr`, and hosted-first `push_main`
+routes keep the live alerts query in advisory mode for Quick Feedback and the
+hosted policy slice, because the integration token cannot always read the
+secret/code-scanning alert APIs there and a fresh hosted `push_main` route may
+not have CodeQL/secret-scanning analysis materialized yet; the fail-closed
+contract still holds on local hooks, local repo hygiene, pre-push, and other
+routes that carry authoritative credentials.
 
 Hosted-first `push_main` follows the same external-truth boundary as PR routes:
 protected upstream/provider smoke stays a manual closeout concern, so the
diff --git a/docs/README.md b/docs/README.md
@@ -34,9 +34,10 @@ owns the repo-wide Trivy filesystem/dependency lane, and
 secret scanning against the current tree or a fresh clone. Pull requests also
 run the official GitHub Dependency Review action under the repo-owned
 `.github/dependency-review-config.yml` policy file. On GitHub-hosted
-`pull_request` routes the live alerts query stays advisory for both Quick
-Feedback and the hosted policy slice because the integration token may not be
-allowed to read the alerts APIs there.
+`trusted_pr`, `untrusted_pr`, and hosted-first `push_main` routes the live
+alerts query stays advisory for both Quick Feedback and the hosted policy
+slice because the integration token may not be allowed to read the alerts APIs
+there and a fresh hosted `push_main` route may not have live analysis yet.
 
 ## Repository Entry
 
diff --git a/scripts/README.md b/scripts/README.md
@@ -156,12 +156,13 @@ user's ambient Python environment.
   repo hygiene, the host-compatible pre-commit quality gate, a dedicated
   pre-commit hook, pre-push, and Quick Feedback so cloud-side security
   regressions cannot hide behind a locally clean worktree. GitHub-hosted
-  `pull_request` routes keep this query advisory-only in Quick Feedback and
-  the hosted policy slice because the integration token may not be able to
-  read the alerts APIs there. The gate now queries the GitHub REST API
-  directly from `GH_TOKEN` / `GITHUB_TOKEN` and only falls back to
-  `gh auth token` for local token discovery, so containerized CI lanes do not
-  depend on a `gh` binary being installed.
+  `trusted_pr`, `untrusted_pr`, and hosted-first `push_main` routes keep this
+  query advisory-only in Quick Feedback and the hosted policy slice because
+  the integration token may not be able to read the alerts APIs there and a
+  fresh hosted `push_main` route may not have live analysis yet. The gate now
+  queries the GitHub REST API directly from `GH_TOKEN` / `GITHUB_TOKEN` and
+  only falls back to `gh auth token` for local token discovery, so
+  containerized CI lanes do not depend on a `gh` binary being installed.
 - `check_workflow_static_security.sh` is the repo-owned GitHub Actions static
   security gate. It bootstraps pinned `actionlint` + `zizmor` binaries through
   `scripts/lib/release_tool_helpers.sh`, then runs both scanners fail-closed
diff --git a/scripts/check_repo_hygiene.sh b/scripts/check_repo_hygiene.sh
@@ -7,10 +7,12 @@ INCLUDE_EXTERNAL_TRUTH="${CORTEXPILOT_HYGIENE_INCLUDE_EXTERNAL:-0}"
 QUICK_PATH="${CORTEXPILOT_HYGIENE_QUICK_PATH:-0}"
 if [[ -n "${CORTEXPILOT_GITHUB_ALERTS_MODE:-}" ]]; then
   GITHUB_ALERTS_MODE="${CORTEXPILOT_GITHUB_ALERTS_MODE}"
-elif [[ "${CORTEXPILOT_CI_RUNNER_CLASS:-}" == "github_hosted" && ( "${CORTEXPILOT_CI_ROUTE_ID:-}" == "trusted_pr" || "${CORTEXPILOT_CI_ROUTE_ID:-}" == "untrusted_pr" ) ]]; then
-  # GitHub-hosted PR integration tokens cannot reliably read the alerts APIs.
-  # Keep local / repo-owned gates fail-closed, but avoid blocking hosted PR
-  # slices on a permission model they cannot satisfy.
+elif [[ "${CORTEXPILOT_CI_RUNNER_CLASS:-}" == "github_hosted" && ( "${CORTEXPILOT_CI_ROUTE_ID:-}" == "trusted_pr" || "${CORTEXPILOT_CI_ROUTE_ID:-}" == "untrusted_pr" || "${CORTEXPILOT_CI_ROUTE_ID:-}" == "push_main" ) ]]; then
+  # GitHub-hosted integration tokens cannot reliably read the alerts APIs, and
+  # fresh hosted-first push_main routes may not have CodeQL/secret-scanning
+  # analysis materialized yet. Keep local / repo-owned gates fail-closed, but
+  # avoid blocking hosted routes on a permission/timing model they cannot
+  # satisfy.
   GITHUB_ALERTS_MODE="auto"
 else
   GITHUB_ALERTS_MODE="require"
