ci: clean up workflows and supporting commands

Signed-off-by: Jacob Howard <[email protected]>

Author: xenoscopic

.github/workflows/security-review-changes.yaml

@@ -183,6 +183,11 @@ jobs:
               --jq '.id'
           }
 
+          # Helper to create a slug suitable for check names.
+          slugify() {
+            echo "$1" | tr '[:upper:]' '[:lower:]' | sed -E 's/[^a-z0-9]+/-/g' | sed -E 's/^-+|-+$//g'
+          }
+
           # Create checks for updated pins (differential reviews).
           if [ "${{ steps.updatedpins.outputs.has_targets }}" = "true" ]; then
             while read -r target; do
@@ -191,7 +196,8 @@ jobs:
               old_commit=$(echo "$target" | jq -r '.old_commit')
               new_commit=$(echo "$target" | jq -r '.new_commit')
 
-              check_name="security-review/$agent/pin/$server"
+              server_slug=$(slugify "$server")
+              check_name="security-review/$agent/pin/$server_slug"
               check_id=$(create_pending_check "$check_name" "$server" "differential")
 
               echo "$check_name|$check_id|$server|$project|$new_commit|$old_commit|differential" >> review-output/check-ids.txt
@@ -205,7 +211,8 @@ jobs:
               project=$(echo "$target" | jq -r '.project')
               commit=$(echo "$target" | jq -r '.commit')
 
-              check_name="security-review/$agent/new/$server"
+              server_slug=$(slugify "$server")
+              check_name="security-review/$agent/new/$server_slug"
               check_id=$(create_pending_check "$check_name" "$server" "full")
 
               echo "$check_name|$check_id|$server|$project|$commit||full" >> review-output/check-ids.txt
@@ -356,6 +363,7 @@ jobs:
             if [ "$review_type" = "differential" ]; then
               if [ -z "$base_commit" ] || [ "$base_commit" = "null" ]; then
                 echo "Skipping $server: missing base commit for differential review." >&2
+                skip_check "$check_id" "$server" "missing base commit"
                 return
               fi
               cmd+=(--base "$base_commit")
@@ -426,7 +434,7 @@ jobs:
               "$project" \
               "$head_commit" \
               "$base_commit" \
-              "$review_type"
+              "$review_type" || true
           done < review-output/check-ids.txt
 
       - name: Upload security reports

.github/workflows/security-review-manual.yaml

@@ -74,7 +74,7 @@ jobs:
           REVIEW_MODEL_INPUT: ${{ github.event.inputs.model }}
           REVIEW_TIMEOUT_INPUT: ${{ github.event.inputs.timeout_secs }}
         run: |
-          set -euo pipefail
+          set -uo pipefail
           agent="${REVIEW_AGENT_INPUT:-}"
           if [ -z "$agent" ]; then
             agent="claude"
@@ -115,7 +115,9 @@ jobs:
               cmd+=(--model "$model")
             fi
 
-            "${cmd[@]}"
+            if ! "${cmd[@]}"; then
+              echo "Security review failed for $server" >&2
+            fi
           done < <(jq -c '.[]' "${{ steps.collect.outputs.targets }}")
 
       - name: Upload security reports

.github/workflows/update-pins.yaml

@@ -132,20 +132,22 @@ jobs:
             git fetch origin main
             git reset --hard origin/main
 
-            # If a prior PR exists for this server, fetch it and bail out when
-            # the requested commit is identical (no update required).
+            # Check if we've hit the new PR limit before doing any work.
+            branch_exists=false
             if git ls-remote --exit-code --heads origin "$branch" >/dev/null 2>&1; then
+              branch_exists=true
               git fetch origin "$branch"
               existing_commit=$(git show "origin/${branch}:servers/${server}/server.yaml" 2>/dev/null | awk '/commit:/{print $2}' | tail -n1)
               if [ -n "$existing_commit" ] && [ "$existing_commit" = "$new_commit" ]; then
                 echo "Existing PR for $server already pins ${existing_commit}; skipping."
                 continue
               fi
-            else
-              if [ -n "$new_pr_limit" ] && [ "$new_pr_count" -ge "$new_pr_limit" ]; then
-                echo "New PR quota reached ($new_pr_limit); skipping $server."
-                continue
-              fi
+            fi
+
+            # Check PR limit for new branches only.
+            if [ "$branch_exists" = false ] && [ -n "$new_pr_limit" ] && [ "$new_pr_count" -ge "$new_pr_limit" ]; then
+              echo "New PR quota reached ($new_pr_limit); skipping $server."
+              continue
             fi
 
             # Apply the patch onto a fresh branch for this server.
@@ -163,20 +165,28 @@ jobs:
             # Commit the server YAML change and force-push the automation branch.
             git add "servers/${server}/server.yaml"
             git commit -m "chore: update pin for ${server}"
-            git push --force origin "$branch"
+            if ! git push --force origin "$branch"; then
+              echo "Failed to push branch for $server, skipping." >&2
+              continue
+            fi
 
             # Create or update the PR dedicated to this server.
             if gh pr view --head "$branch" >/dev/null 2>&1; then
-              gh pr edit "$branch" \
+              if ! gh pr edit "$branch" \
                 --title "chore: update pin for ${server}" \
-                --body "Automated commit pin update for ${server}."
+                --body "Automated commit pin update for ${server}." 2>&1; then
+                echo "Failed to update PR for $server" >&2
+              fi
             else
-              gh pr create \
+              if gh pr create \
                 --title "chore: update pin for ${server}" \
                 --body "Automated commit pin update for ${server}." \
                 --base main \
-                --head "$branch"
-              new_pr_count=$((new_pr_count + 1))
+                --head "$branch" 2>&1; then
+                new_pr_count=$((new_pr_count + 1))
+              else
+                echo "Failed to create PR for $server" >&2
+              fi
             fi
           done
 

cmd/ci/compose_pr_summary.go

@@ -128,30 +128,6 @@ func runGitCommand(dir string, args ...string) (string, error) {
 	return string(output), nil
 }
 
-// initGitRepository creates or reuses a git repository rooted at dir with origin set.
-func initGitRepository(dir, remote string) error {
-	if err := os.MkdirAll(dir, 0o755); err != nil {
-		return err
-	}
-	if _, err := runGitCommand(dir, "rev-parse", "--is-inside-work-tree"); err == nil {
-		return nil
-	}
-	if _, err := runGitCommand(dir, "init"); err != nil {
-		return err
-	}
-	if _, err := runGitCommand(dir, "remote", "remove", "origin"); err == nil {
-		// ignore error
-	}
-	_, err := runGitCommand(dir, "remote", "add", "origin", remote)
-	return err
-}
-
-// fetchCommit retrieves a single commit from origin into the repository.
-func fetchCommit(dir, commit string) error {
-	_, err := runGitCommand(dir, "fetch", "--depth", "1", "--no-tags", "origin", commit)
-	return err
-}
-
 // splitList normalizes a delimited string into lowercase server names.
 func splitList(raw string) []string {
 	if raw == "" {

cmd/ci/helpers.go

@@ -19,18 +19,10 @@ func main() {
 	switch cmd {
 	case "collect-updated-pins":
 		err = runCollectUpdatedPins(args)
-	case "prepare-updated-pins":
-		err = runPrepareUpdatedPins(args)
 	case "collect-new-servers":
 		err = runCollectNewServers(args)
-	case "prepare-new-servers":
-		err = runPrepareNewServers(args)
-	case "compose-pr-summary":
-		err = runComposePRSummary(args)
 	case "collect-full-audit":
 		err = runCollectFullAudit(args)
-	case "prepare-full-audit":
-		err = runPrepareFullAudit(args)
 	case "update-pins":
 		err = runUpdatePins(args)
 	default: