Skip to content

Make GitHub the sole hosted Git and review surface#17

Merged
hudsonaikins merged 6 commits into
mainfrom
codex/github-code-boundary
Jul 15, 2026
Merged

Make GitHub the sole hosted Git and review surface#17
hudsonaikins merged 6 commits into
mainfrom
codex/github-code-boundary

Conversation

@hudsonaikins

@hudsonaikins hudsonaikins commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

What changed

  • Make GitHub the sole hosted Git and review service.
  • Keep public code and thin pull requests on GitHub origin.
  • Use the private IntelIP/Tabellio-control GitHub repository for review, validation, and Entire control refs.
  • Remove the legacy self-hosted provider, CLI, local lab infrastructure, package metadata, tests, examples, and active documentation.
  • Remove the generic change-request provider abstraction; GitHubProvider is now the concrete integration.
  • Move review cycles to tabellio-review-cycle/v0.2 with GitHub provider identity and GITHUB_TOKEN authentication.
  • Add dry-run-first, atomic v0.1-to-v0.2 migration with explicit legacy and target PR numbers, plus an explicit recovery gate for remapping a current v0.2 cycle.
  • Migrate the three live review cycles to their actual GitHub PRs: 14, 15, and 16. Resync provider-owned state from GitHub and publish the exact review ref to the private control repository.
  • Ignore exact-commit validation results belonging to another repository identity during review sync.
  • Add required Tests, Fallow changed-code, and Package dry-run GitHub checks on protected main.
  • Remove 15 unused exports and consolidate provider subprocess handling without deleting runtime interface methods.

Why

The repository still carried self-hosted and provider-neutral surfaces after the product boundary moved to GitHub. This change aligns implementation, package contents, examples, docs, live control state, and branch protection with one supported hosted Git and review service.

Private control state remains separate from the public code repository, but its supported destination is now another private GitHub repository rather than an alternative host.

Developer impact

  • tabellio-review sync uses --remote-repo plus either --token-file or GITHUB_TOKEN.
  • GitHub Enterprise Server can use --api-url or GITHUB_API_URL.
  • tabellio-review migrate previews by default; --apply true performs the compare-and-swap ledger move.
  • --number identifies the source cycle; --target-number identifies the corresponding GitHub PR.
  • --remap-current true is additionally required to move an already-migrated v0.2 cycle.
  • --legacy-repo-id, --legacy-owner, and --legacy-remote-repo map renamed or moved source repositories to their GitHub target.
  • Platform config requires workflow.controlProvider = "github" and workflow.controlRemoteName = "control".

Validation

  • npm run check: 74 tests passed plus every bundled contract/example check.
  • Fallow audit --base origin/main --gate new-only: pass.
    • introduced dead code: 0
    • introduced complexity: 0
    • introduced duplication: 0
  • Fallow whole-repo health: 88.2/A.
  • Fallow dead code: 34 inherited public interface/injected-method findings; 0 unused files, exports, or dependencies.
  • npm pack --dry-run --json: 101 entries; no removed-provider file paths.
  • Final review ledger: v0.2 GitHub cycles at PRs 14 through 17; PRs 14, 15, and 17 are merged, superseded PR 16 is closed, and no legacy or incorrectly numbered paths remain.
  • Private control verification: local and remote refs/tabellio/reviews both resolve to 55a7566a72277370868b8285f9fad4cb7dafc122.

@hudsonaikins hudsonaikins changed the title Make GitHub the sole code-storage surface Make GitHub the sole hosted Git and review surface Jul 15, 2026
Add a dry-run-first atomic migration command with source-to-target identity mapping, migrate the live review ledger, and reduce the inherited Fallow baseline without deleting runtime interface methods.
@hudsonaikins

Copy link
Copy Markdown
Contributor Author

@codex review

@hudsonaikins hudsonaikins marked this pull request as ready for review July 15, 2026 15:23
@hudsonaikins

Copy link
Copy Markdown
Contributor Author

@codex review

@hudsonaikins hudsonaikins merged commit 24cf171 into main Jul 15, 2026
3 checks passed
@hudsonaikins hudsonaikins deleted the codex/github-code-boundary branch July 15, 2026 15:48

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 99d6a69f70

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

const CONTROL_REFS = [
"refs/tabellio/reviews",
"refs/tabellio/validations",
"refs/heads/entire/checkpoints/v1",

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Align checkpoint refs with the canonical control ref

With platform/control refs now declaring Entire checkpoints at refs/heads/entire/checkpoints/v1, the Entire context adapter still emits ref: "entire/checkpoints/v1" for each checkpoint in scripts/providers/entire-ledger-provider.mjs, so context/evidence produced after this change points at a ref that the new control-ref transport will never publish or fetch. Consumers following checkpoint refs from context packets will fail to resolve them; align the adapter/tests/examples with the canonical ref.

Useful? React with 👍 / 👎.

line: firstInteger(comment.line, comment.original_line, comment.position),
commit: nullableString(firstPresent(comment.commit_id, comment.original_commit_id)),
author: nullableLogin(comment.user, "reviewComment.user"),
resolvedBy: null,

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Preserve resolved GitHub review threads

For GitHub PRs with an already-resolved review thread, this hard-codes every inline comment as unresolved; reviewCommentFeedback maps resolvedBy: null to providerState: "open" and disposition: "pending", so a resolved GitHub conversation still creates a needs_triage blocker on first sync. The provider needs to source thread resolution from GitHub rather than forcing null.

Useful? React with 👍 / 👎.

Comment on lines +178 to +179
dismissed: state === "dismissed",
stale: false,

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Treat dismissed GitHub reviews as inactive

When GitHub returns a review with state DISMISSED, this leaves it non-stale even though dismissed is set; reviewFeedback only checks stale, then treats non-approved/non-change-request states as pending feedback, so a dismissed review becomes a new triage blocker instead of being ignored as inactive. Mark dismissed reviews stale/resolved or teach reviewFeedback to honor dismissed.

Useful? React with 👍 / 👎.

title: requiredValue(changeRequest.title, "changeRequest.title"),
state: changeRequestState(changeRequest),
draft: changeRequest.draft === true,
mergeable: nullableBoolean(changeRequest.mergeable),

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Wait for GitHub to finish computing mergeability

When GitHub returns mergeable: null while its background mergeability job is still running, this preserves the unknown state, but deriveStatus only blocks false and can mark a no-feedback PR with successful checks as ready before GitHub has determined whether it can merge. Treat null as validating/blocked or retry until a non-null value is available.

Useful? React with 👍 / 👎.

} catch (error) {
const safeError = new StackOperationExecutionError(intent.operation, error, [
this.#env.FORGEJO_TOKEN,
this.#env.GITHUB_TOKEN,

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Redact inherited GitHub tokens from stack failures

When a stack operation relies on GITHUB_TOKEN already present in the environment instead of --token-file, runExternalCommand still passes that token through process.env, but this sanitizer only redacts this.#env.GITHUB_TOKEN. If git-spice or a credential helper echoes the inherited token in stderr, the failed receipt and CLI error can persist it despite the token-redaction guarantee; include process.env.GITHUB_TOKEN in the secret list or avoid passing it implicitly.

Useful? React with 👍 / 👎.


async listReviews({ owner, repo, number }) {
positiveInteger(number, "number");
const values = await this.#paginate(`${repoPath(owner, repo)}/pulls/${number}/reviews`);

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Ignore superseded GitHub change requests

When a reviewer requests changes and later approves the same PR, GitHub keeps both review records in this reviews feed. Sync imports every record, and reviewFeedback treats every changes_requested review as actionable, so the old superseded request can keep the cycle in changes_requested even though GitHub no longer blocks on it. Collapse reviews to the latest effective state or mark superseded reviews stale.

Useful? React with 👍 / 👎.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant