chore(tailor): fit project with community health files#13

Merged: flexiondotorg merged 3 commits into main from tailor on Mar 12, 2026

@flexiondotorg
Contributor

No description provided.

Signed-off-by: Martin Wimpress <code@wimpress.io>
Signed-off-by: Martin Wimpress <code@wimpress.io>

@cubic-dev-ai cubic-dev-ai bot left a comment

5 issues found across 12 files

Confidence score: 3/5

  • There is concrete workflow risk: in .github/workflows/tailor.yml, both update-flake-lock and create-pull-request may use the default GITHUB_TOKEN, which can prevent generated PRs from triggering normal PR/push checks.
  • .tailor.yml is missing auto-merge enablement, so the generated tailor-automerge.yml cannot actually switch PRs to auto-merge; this weakens the intended automation flow.
  • CODE_OF_CONDUCT.md still has a reporting placeholder instead of a private contact, and SUPPORT.md has broken root-level links (../../), which are user-facing governance/support quality issues even if not runtime-breaking.
  • Pay close attention to .github/workflows/tailor.yml, .tailor.yml, CODE_OF_CONDUCT.md, and SUPPORT.md - automation may not behave as intended and community/support paths are currently misconfigured.
Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="CODE_OF_CONDUCT.md">

<violation number="1" location="CODE_OF_CONDUCT.md:49">
P1: This Code of Conduct still uses a template placeholder for reporting and does not provide an actual private contact for violations.</violation>
</file>

<file name=".tailor.yml">

<violation number="1" location=".tailor.yml:20">
P2: Enable repository auto-merge here, otherwise the generated `tailor-automerge.yml` workflow cannot turn on PR auto-merge.</violation>
</file>

<file name=".github/workflows/tailor.yml">

<violation number="1" location=".github/workflows/tailor.yml:23">
P2: Pass the configured `GH_TOKEN` to `create-pull-request`; otherwise the step falls back to the default `GITHUB_TOKEN` and the generated PR won't trigger normal PR/push workflows.</violation>

<violation number="2" location=".github/workflows/tailor.yml:50">
P2: Provide a PAT/App token to `update-flake-lock`; with the default GitHub Actions identity, the generated PR will not trigger this repository's normal PR checks.</violation>
</file>

<file name="SUPPORT.md">

<violation number="1" location="SUPPORT.md:7">
P2: These links use `../../` as if `SUPPORT.md` were nested, so from the repository root they won't point to this repo's README/issues/discussions pages. Use repo-root-relative paths (for example `/issues`) or same-directory links instead.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.


- name: Update flake.lock
if: steps.check.outputs.found == 'true'
uses: DeterminateSystems/update-flake-lock@v28

P2: Provide a PAT/App token to update-flake-lock; with the default GitHub Actions identity, the generated PR will not trigger this repository's normal PR checks.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/tailor.yml, line 50:

<comment>Provide a PAT/App token to `update-flake-lock`; with the default GitHub Actions identity, the generated PR will not trigger this repository's normal PR checks.</comment>

<file context>
@@ -0,0 +1,52 @@
+
+      - name: Update flake.lock
+        if: steps.check.outputs.found == 'true'
+        uses: DeterminateSystems/update-flake-lock@v28
+        with:
+          pr-title: "chore: update flake.lock"
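Review bot: `uses: DeterminateSystems/update-flake-lock@v28` references the action by a tag, which its publisher can move; for a step that opens pull requests against this repository, pin it to a full commit SHA and keep `# v28` as a trailing comment so updates to the action arrive as reviewable changes.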
</file context>


- name: Tailor
uses: wimpysworld/tailor@v0
with:

P2: Pass the configured GH_TOKEN to create-pull-request; otherwise the step falls back to the default GITHUB_TOKEN and the generated PR won't trigger normal PR/push workflows.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/tailor.yml, line 23:

<comment>Pass the configured `GH_TOKEN` to `create-pull-request`; otherwise the step falls back to the default `GITHUB_TOKEN` and the generated PR won't trigger normal PR/push workflows.</comment>

<file context>
@@ -0,0 +1,52 @@
+
+      - name: Tailor
+        uses: wimpysworld/tailor@v0
+        with:
+          alter: true
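Review bot: `alter: true` is passed to `wimpysworld/tailor@v0` with no comment saying what the setting does; add a one-line comment above `with:`, and since `@v0` is a moving major tag, consider pinning the action to a full commit SHA so the code that runs with this setting only changes when the pin is bumped.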
+
</file context>

Signed-off-by: Martin Wimpress <code@wimpress.io>

@cubic-dev-ai cubic-dev-ai bot left a comment

1 issue found across 2 files (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name=".github/workflows/tailor-automerge.yml">

<violation number="1" location=".github/workflows/tailor-automerge.yml:68">
P1: The manual `workflow_dispatch` path bypasses the patch/minor-only guard and will merge any open Dependabot PR, including major version bumps.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

--jq '.[].url' |
while read -r pr_url; do
echo "::group::Merging $pr_url"
if gh pr merge --squash "$pr_url"; then

P1: The manual workflow_dispatch path bypasses the patch/minor-only guard and will merge any open Dependabot PR, including major version bumps.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/tailor-automerge.yml, line 68:

<comment>The manual `workflow_dispatch` path bypasses the patch/minor-only guard and will merge any open Dependabot PR, including major version bumps.</comment>

<file context>
@@ -0,0 +1,76 @@
+            --jq '.[].url' |
+          while read -r pr_url; do
+            echo "::group::Merging $pr_url"
+            if gh pr merge --squash "$pr_url"; then
+              echo "Merged $pr_url"
+            else
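Review bot: the `while read -r pr_url` loop is the right-hand side of a pipe, so unless the step runs with `pipefail` a failure of the command that produces the URLs just yields an empty loop and a passing step; add `set -o pipefail` at the top of the script. Inside the loop, `gh pr merge --squash "$pr_url"` is attempted for every URL with no per-PR condition visible here; check each PR before merging, or use `gh pr merge --auto --squash` so the merge waits for required checks.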
</file context>
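
A per-PR check of the kind the manual `workflow_dispatch` path lacks could look like the following; this is an added example, not the project's workflow or the reviewer's suggested fix. It assumes the PR list is already limited to Dependabot-authored PRs and that titles use the "... from <old> to <new>" wording; all function names, URLs and titles are constructed.

```shell
# Added example, not the project's workflow. Assumes titles use the
# "... from <old> to <new>" wording; names and sample data are constructed.
# Print component $2 (1-3) of version $1, treating missing parts as 0.
part() { printf '%s.0.0\n' "$1" | cut -d. -f"$2"; }
# Print major|minor|patch|unknown for an old -> new version change.
bump_kind() {
  bk_old=${1#v}; bk_new=${2#v}
  for bk_v in "$bk_old" "$bk_new"; do
    # Reject empty, non-numeric (e.g. pre-release) or over-long versions.
    case $bk_v in
      ''|*[!0-9.]*|.*|*.|*..*|*.*.*.*) echo unknown; return 0 ;;
    esac
  done
  for bk_i in 1 2 3; do
    if [ "$(part "$bk_old" "$bk_i")" -ne "$(part "$bk_new" "$bk_i")" ]; then
      case $bk_i in 1) echo major ;; 2) echo minor ;; 3) echo patch ;; esac; return 0
    fi
  done
  echo unknown   # identical versions
}

# Succeed only for a patch or minor bump; unparseable titles fail closed.
is_safe_bump() {
  sb_pair=$(printf '%s\n' "$1" |
    sed -n 's/.* from \([^ ][^ ]*\) to \([^ ][^ ]*\).*/\1 \2/p')
  [ -n "$sb_pair" ] || return 1
  case $(bump_kind "${sb_pair% *}" "${sb_pair#* }") in
    patch|minor) return 0 ;;
  esac
  return 1
}

# Read "url<TAB>title" lines; print URLs that pass, report the rest on stderr.
filter_mergeable() {
  fm_tab=$(printf '\t')
  while IFS="$fm_tab" read -r fm_url fm_title; do
    if is_safe_bump "$fm_title"; then printf '%s\n' "$fm_url"
    else printf 'skipped (not patch/minor): %s\n' "$fm_url" >&2; fi
  done
}

# Constructed sample of open PRs (placeholder URLs) as url<TAB>title.
sample_prs() {
  printf '%s\t%s\n' \
    'https://example.invalid/pr/1' 'Bump example-lib from 4.1.0 to 4.2.0' \
    'https://example.invalid/pr/2' 'Bump example-lib from 1.9.9 to 2.0.0' \
    'https://example.invalid/pr/3' 'Bump example-lib from 1.2.3 to 1.2.4-rc1'
}
sample_prs | filter_mergeable   # only .../pr/1 reaches stdout
```

The filter sits between the listing command and the merge loop, so a major bump or an unparseable title never reaches `gh pr merge`.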

@flexiondotorg flexiondotorg merged commit 6bdd1fb into main Mar 12, 2026
7 checks passed
@flexiondotorg flexiondotorg deleted the tailor branch March 12, 2026 23:21