You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The Public PII gate caller workflow fails in 0 seconds with no jobs on every PR in every repo that adopted it, since 2026-06-17. The reusable workflow it references does not exist on `tracebloc/.github@main`.
The per-repo callers reference it at `tracebloc/.github/.github/workflows/public-pii-gate.yml@main`.
Because the file is absent on `main`, GitHub cannot resolve the reusable workflow → the run ends immediately as a startup failure (REST conclusion `failure`, 0 jobs). Example: cli run 27747191356 → `total_count: 0`.
Ruled out: org reusable-workflow access policy (other `@main` callers such as `fr-gate` run green from these same public repos) and YAML syntax (file is valid; it simply isn't on main).
Security impact
This gate is meant to block PRs whose title/body/commits contain denylisted customer/partner names or known secrets on public repos. Because it errors out instead of running, PII scanning is non-operational on every adopting repo.
Affected repos (callers reference the missing `@main` workflow)
Confirm the gate runs green on a test PR in `tracebloc/cli`.
Follow-ups
Verify the org Actions secret `PII_DENYLIST` is set (`--visibility all`). If unset, the gate runs but exits 0 as INACTIVE (warns, does not block) — PII protection still won't enforce. Requires org admin.
Re-trigger the currently-red open PRs in cli so their check turns green.
Summary
The Public PII gate caller workflow fails in 0 seconds with no jobs on every PR in every repo that adopted it, since 2026-06-17. The reusable workflow it references does not exist on `tracebloc/.github@main`.
Root cause
Ruled out: org reusable-workflow access policy (other `@main` callers such as `fr-gate` run green from these same public repos) and YAML syntax (file is valid; it simply isn't on main).
Security impact
This gate is meant to block PRs whose title/body/commits contain denylisted customer/partner names or known secrets on public repos. Because it errors out instead of running, PII scanning is non-operational on every adopting repo.
Affected repos (callers reference the missing `@main` workflow)
Fix
Follow-ups
Refs: PR #60 (tracebloc/.github), tracebloc/cli#81.