From dbef02739327226458e2b6587fea63c1d245a603 Mon Sep 17 00:00:00 2001 From: NagyVikt Date: Tue, 21 Apr 2026 13:04:51 +0200 Subject: [PATCH] Avoid red mirror-sync runs when the mirror PAT is not configured The frontend mirror workflow is optional infrastructure around the canonical frontend repo. A missing PAT should leave a clear skip message instead of failing main-branch automation for otherwise valid repo changes. Constraint: Cross-repo pushes still require a dedicated PAT with contents:write access Rejected: Falling back to GITHUB_TOKEN for mirror pushes | default workflow token cannot reliably push to another repository Confidence: high Scope-risk: narrow Reversibility: clean Directive: Keep gating on env.SYNC_TOKEN rather than direct secrets.* expressions so workflow parsing stays consistent with other secret-optional jobs Tested: node --test test/metadata.test.js Not-tested: Live mirror push with a configured GUARDEX_FRONTEND_MIRROR_PAT
---
 .github/workflows/sync-frontend-mirror.yml | 6 ++++++
 .../.openspec.yaml | 2 ++
 .../notes.md | 5 +++++
 test/metadata.test.js | 10 ++++++++++
 4 files changed, 23 insertions(+)
 create mode 100644 openspec/changes/agent-codex-skip-mirror-sync-when-pat-missing-2026-04-21-13-00/.openspec.yaml
 create mode 100644 openspec/changes/agent-codex-skip-mirror-sync-when-pat-missing-2026-04-21-13-00/notes.md
diff --git a/.github/workflows/sync-frontend-mirror.yml b/.github/workflows/sync-frontend-mirror.yml
index 6779d5e..5c1a707 100644
--- a/.github/workflows/sync-frontend-mirror.yml
+++ b/.github/workflows/sync-frontend-mirror.yml
@@ -26,10 +26,16 @@ jobs:
 SOURCE_PREFIX: frontend
 SYNC_TOKEN: ${{ secrets.GUARDEX_FRONTEND_MIRROR_PAT }}
 steps:
+ - name: Skip when mirror PAT is missing
+ if: ${{ env.SYNC_TOKEN == '' }}
+ run: echo "GUARDEX_FRONTEND_MIRROR_PAT is not configured; skipping frontend mirror sync."
+
 - name: Checkout
+ if: ${{ env.SYNC_TOKEN != '' }}
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
 - name: Sync frontend subtree to mirror repo
+ if: ${{ env.SYNC_TOKEN != '' }}
 run: bash scripts/sync-frontend-mirror.sh
diff --git a/openspec/changes/agent-codex-skip-mirror-sync-when-pat-missing-2026-04-21-13-00/.openspec.yaml b/openspec/changes/agent-codex-skip-mirror-sync-when-pat-missing-2026-04-21-13-00/.openspec.yaml
new file mode 100644
index 0000000..4b8c565
--- /dev/null
+++ b/openspec/changes/agent-codex-skip-mirror-sync-when-pat-missing-2026-04-21-13-00/.openspec.yaml
@@ -0,0 +1,2 @@
+schema: spec-driven
+created: 2026-04-21
diff --git a/openspec/changes/agent-codex-skip-mirror-sync-when-pat-missing-2026-04-21-13-00/notes.md b/openspec/changes/agent-codex-skip-mirror-sync-when-pat-missing-2026-04-21-13-00/notes.md
new file mode 100644
index 0000000..8bea3e8
--- /dev/null
+++ b/openspec/changes/agent-codex-skip-mirror-sync-when-pat-missing-2026-04-21-13-00/notes.md
@@ -0,0 +1,5 @@
+# T1 Notes
+
+- Make the frontend mirror workflow skip cleanly when `GUARDEX_FRONTEND_MIRROR_PAT` is unset instead of failing the whole job.
+- Keep the secret wired through `env.SYNC_TOKEN` and gate workflow steps on `env` checks rather than direct `secrets.*` expressions.
+- Add a metadata regression so future mirror-link changes keep the skip behavior and the canonical mirror token wiring aligned.
diff --git a/test/metadata.test.js b/test/metadata.test.js
index a293d07..667fabf 100644
--- a/test/metadata.test.js
+++ b/test/metadata.test.js
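Review bot: The new skip step in sync-frontend-mirror.yml writes only a plain log line, so a PAT that was deleted or left empty after rotation produces a green run and the mirror can drift without anyone noticing; an annotation keeps the run green but surfaces the skip on the run summary, e.g. `run: echo "::warning::GUARDEX_FRONTEND_MIRROR_PAT is not configured; skipping frontend mirror sync."`. `SYNC_TOKEN` sits above `steps:` in the context lines, which suggests job-level `env` (indentation is not recoverable here), so the PAT would also be present in the environment of the Checkout step and not only the step that runs `scripts/sync-frontend-mirror.sh`; worth confirming that is intended. The job's triggers and `permissions:` lie outside the hunk.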
@@ -75,6 +75,16 @@ test('code review workflow does not gate startup on secrets context', () => {
 assert.match(workflow, /if:\s+\$\{\{\s*env\.OPENAI_API_KEY != ''\s*\}\}/);
 });

+test('frontend mirror workflow skips cleanly when the mirror PAT is missing', () => {
+ const workflowPath = path.join(repoRoot, '.github', 'workflows', 'sync-frontend-mirror.yml');
+ const workflow = fs.readFileSync(workflowPath, 'utf8');
+ assert.doesNotMatch(workflow, /if:\s+\$\{\{\s*secrets\.GUARDEX_FRONTEND_MIRROR_PAT/);
+ assert.match(workflow, /SYNC_TOKEN:\s+\$\{\{\s*secrets\.GUARDEX_FRONTEND_MIRROR_PAT\s*\}\}/);
+ assert.match(workflow, /name:\s+Skip when mirror PAT is missing/);
+ assert.match(workflow, /if:\s+\$\{\{\s*env\.SYNC_TOKEN == ''\s*\}\}/);
+ assert.match(workflow, /if:\s+\$\{\{\s*env\.SYNC_TOKEN != ''\s*\}\}/);
+});
+
 test('critical runtime helper scripts stay in sync with templates', () => {
 const pairs = [
 ['templates/scripts/codex-agent.sh', 'scripts/codex-agent.sh'],
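Review bot: The new assertions only check that each pattern occurs somewhere in the workflow file, so the `env.SYNC_TOKEN != ''` check still passes if the guard is removed from either the Checkout step or the sync step; counting the matches pins both, e.g. `assert.equal((workflow.match(/if:\s+\$\{\{\s*env\.SYNC_TOKEN != ''\s*\}\}/g) || []).length, 2);`. The `doesNotMatch` pattern also requires the `${{` wrapper, while `if:` accepts a bare expression, so a line such as `if: secrets.GUARDEX_FRONTEND_MIRROR_PAT != ''` would not be caught; `/if:.*secrets\./` covers both spellings. The trailing context of this hunk belongs to the next test, whose body continues outside the hunk.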