diff --git a/.github/workflows/blog-autopublish.yml b/.github/workflows/blog-autopublish.yml
index 37eb3b4..1941da1 100644
--- a/.github/workflows/blog-autopublish.yml
+++ b/.github/workflows/blog-autopublish.yml
@@ -46,9 +46,23 @@ jobs:
 RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
 REPO: ${{ github.repository }}
 steps:
+ # Mint a token from the PulseEngine Actions Helper App so this job
+ # can `gh pr create` despite the org policy that disables PR-creation
+ # for the default GITHUB_TOKEN. The App's installation grants
+ # contents: write + pull-requests: write + metadata: read on this
+ # repo only — strictly narrower than what GITHUB_TOKEN would have
+ # had with the org permission flipped.
+ - name: Mint App token
+ id: app_token
+ uses: actions/create-github-app-token@v1
+ with:
+ app-id: ${{ secrets.ACTIONS_BOT_APP_ID }}
+ private-key: ${{ secrets.ACTIONS_BOT_PRIVATE_KEY }}
+
 - uses: actions/checkout@v4
 with:
 fetch-depth: 0
+ token: ${{ steps.app_token.outputs.token }}
 
 - uses: actions/setup-python@v5
 with:
@@ -61,7 +75,7 @@ jobs:
 
 - name: Ensure labels exist
 env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GH_TOKEN: ${{ steps.app_token.outputs.token }}
 run: |
 # `gh label create --force` upserts (creates or updates), so this
 # step is idempotent and immune to a label being deleted manually.
@@ -91,7 +105,7 @@ jobs:
 id: publish
 if: steps.scan.outputs.ready_count != '0'
 env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GH_TOKEN: ${{ steps.app_token.outputs.token }}
 run: |
 set -euo pipefail
 published='[]'
@@ -146,7 +160,7 @@ jobs:
 - name: Post / update status comment
 if: always()
 env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GH_TOKEN: ${{ steps.app_token.outputs.token }}
 run: |
 set -euo pipefail
 
@@ -179,7 +193,7 @@ jobs:
 - name: Open failure issue
 if: failure()
 env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GH_TOKEN: ${{ steps.app_token.outputs.token }}
 run: |
 today=$(date -u +%Y-%m-%d)
 gh issue create \
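Review bot: The new "Mint App token" step in the first hunk hands the App private key to `actions/create-github-app-token@v1`, a mutable major tag, so whatever that tag resolves to at run time receives the key; pinning to a full commit SHA, `uses: actions/create-github-app-token@<full-commit-sha>  # v1`, keeps the step fixed to reviewed code. In the same hunk, `token:` on `actions/checkout@v4` makes checkout store the App token in the local git config for the rest of the job unless `persist-credentials: false` is set, so every later step that runs repository code can read it; if only the `gh` calls need the token (the steps that push are outside this hunk, so this is not certain), add that input. The added comment calls the installation "strictly narrower" than GITHUB_TOKEN, but the minted token carries every permission the installation holds, so the comment should say that the scope is enforced in the App's settings rather than in this workflow.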
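Review bot: Switching `GH_TOKEN` on the `publish` step (third hunk) to the App token changes more than who may open the PR: pushes and pull requests made with `GITHUB_TOKEN` do not start other workflow runs, while those made with an App installation token do. If this workflow or any other in the repository triggers on `push` or `pull_request` (the `on:` block and the body of this step are outside the hunk), the auto-created PRs will now run them, which may be wanted for CI but should be a deliberate choice. I would add a comment above `env:` such as `# App token: PRs opened here trigger pull_request workflows, unlike GITHUB_TOKEN` and confirm that nothing running on those events can re-enter this job.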
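Review bot: The `if: always()` "Post / update status comment" step in the fourth hunk, and the `if: failure()` "Open failure issue" step in the fifth, now depend on `steps.app_token.outputs.token`, which is empty when "Mint App token" is itself the step that failed (expired or rotated key, App uninstalled). In that case both reporting steps run without credentials and the failure goes unreported. A fallback keeps the reporting path alive: `GH_TOKEN: ${{ steps.app_token.outputs.token || secrets.GITHUB_TOKEN }}`. The `run:` body of this step continues outside the hunk.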
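Review bot: `gh issue create` in "Open failure issue" (fifth hunk) needs Issues write, but the comment added in the first hunk lists the installation's permissions as contents, pull-requests and metadata only; if that list is accurate, this step will be refused with the App token and the job's failure alert is lost. Either keep `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` on this step (assuming the workflow's `permissions:` block, not visible here, grants `issues: write`), or add Issues write to the App and update the comment to match. The org policy cited in the first hunk concerns PR creation, so issue creation with the default token is presumably unaffected. The `gh issue create` command continues outside the hunk.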
diff --git a/content/blog/2026-04-22-overdoing-the-verification-chain.md b/content/blog/2026-04-22-overdoing-the-verification-chain.md
index 85ea377..8ee0131 100644
--- a/content/blog/2026-04-22-overdoing-the-verification-chain.md
+++ b/content/blog/2026-04-22-overdoing-the-verification-chain.md
@@ -2,7 +2,7 @@
 title = "Overdoing the verification chain — and mapping it to six safety domains"
 description = "The prior posts argued for proofs and for traceability. This one shows the full chain, why I chose to overdo rather than undercommit, and where the stack earns credit across six safety domains — with an honest read on what still does not clear the bar."
 date = 2026-04-29
-draft = true
+draft = false
 [taxonomies]
 tags = ["verification", "deep-dive"]
 authors = ["Ralf Anton Beier"]
diff --git a/content/blog/2026-04-24-variant-pruning-rust-mcdc.md b/content/blog/2026-04-24-variant-pruning-rust-mcdc.md
index 724da71..8b780d9 100644
--- a/content/blog/2026-04-24-variant-pruning-rust-mcdc.md
+++ b/content/blog/2026-04-24-variant-pruning-rust-mcdc.md
@@ -2,7 +2,7 @@
 title = "MC/DC for AI-authored Rust is tractable — the variant-pruning argument"
 description = "The received wisdom is that Rust's pattern matching makes MC/DC harder than C. Under variant-managed AI-authored code, the opposite is true. Five layers of variant pruning, one oracle per layer, and a certification burden proportional to the single variant you ship — not the combinatorial product."
 date = 2026-04-30
-draft = true
+draft = false
 [taxonomies]
 tags = ["verification", "process", "deep-dive"]
 authors = ["Ralf Anton Beier"]
diff --git a/content/blog/2026-05-01-cross-language-lto-three-quiet-barriers.md b/content/blog/2026-05-01-cross-language-lto-three-quiet-barriers.md
index 6424357..82e82a5 100644
--- a/content/blog/2026-05-01-cross-language-lto-three-quiet-barriers.md
+++ b/content/blog/2026-05-01-cross-language-lto-three-quiet-barriers.md
@@ -2,7 +2,7 @@
 title = "Cross-language LTO on Cortex-M: three barriers and a wrong prediction"
 description = "We pushed LLVM cross-language LTO between verified Rust and Zephyr's C kernel. Three barriers nobody documents. Cleared them. Then measured — and the prediction we'd shipped was wrong by a lot. The story of what that taught us, and the framework for picking a regime when the data doesn't dominate."
 date = 2026-05-01
-draft = true
+draft = false
 [taxonomies]
 tags = ["verification", "process", "deep-dive"]
 authors = ["Ralf Anton Beier"]