Blocker: strict-23 rollout preflight failed (missing external/internal contexts)

[Prekzursil]

Date: March 1, 2026

Summary

• Strict-check rollout preflight failed on main.
• Branch protection exists, but required checks are a smaller custom set and not canonical strict-check.
• Required external contexts and multiple internal contexts are missing.
• Under no-bypass policy, rollout is paused until full strict-check emission is available and green.

Evidence

• Repo: Prekzursil/SWFOC-Mod-Menu
• Main SHA checked: e114f2923c45179d15f8087ff94868ba9d766e83
• Current required checks on main: build-test, CodeQL, SonarCloud Code Analysis, Codacy Static Code Analysis, validate-policy-contracts, enforce-pr-evidence.

Commands used

gh repo view Prekzursil/SWFOC-Mod-Menu --json nameWithOwner,defaultBranchRef,url
gh api repos/Prekzursil/SWFOC-Mod-Menu/branches/main/protection
gh api repos/Prekzursil/SWFOC-Mod-Menu/commits/main --jq .sha
gh api repos/Prekzursil/SWFOC-Mod-Menu/commits/<sha>/check-runs?per_page=100
gh api repos/Prekzursil/SWFOC-Mod-Menu/commits/<sha>/status

Missing canonical strict-check contexts

• applitools-core
• pr-agent
• deep-agent
• audit-pr-evidence
• backend
• backend-postgres
• coverage
• codecov-analytics
• Analyze (javascript-typescript)
• CodeRabbit
• dependency-review
• compose-smoke
• frontend
• label
• codacy-equivalent-zero
• sonar-branch-zero
• Seer Code Review

Present key contexts (subset)

• SonarCloud Code Analysis
• Analyze (actions)
• Analyze (python)
• build-test

Required to unblock
2. Add internal workflows to emit missing strict-check context names with real deterministic checks.
3. Update branch protection required checks list to canonical 23 only after PR head proves all are green.
4. Keep no-bypass policy intact.

[Prekzursil]

Policy update as of March 2, 2026:

1. Vercel and Vercel Preview Comments are removed from the rollout target and should not be treated as blockers anymore.
2. I propagated non-secret Actions variables from momentstudio to this repo:

• COPILOT_AGENT_FIREWALL_ENABLED
• NEON_PROJECT_ID
• PERCY_AUTO_APPROVE_PR
• PERCY_PR_ENABLED
• ROADMAP_PROJECT_NUMBER
• ROADMAP_PROJECT_OWNER
• SENTRY_ORG
• SENTRY_PROJECT

Open blocker that cannot be automated from GitHub API:

• Secret values are non-readable by design, so I cannot extract and copy momentstudio secrets (for example APPLITOOLS_API_KEY, CODACY_API_TOKEN, CODACY_PROJECT_TOKEN, CODECOV_TOKEN, SONAR_TOKEN, etc.) into this repo unless source values are provided.

Additional note:

• COPILOT_AGENT_FIREWALL_ALLOW_LIST is empty in source and GitHub rejects creating an empty variable value (HTTP 422).

[Prekzursil]

Strict-21 rollout progress update (March 2, 2026):

Completed:

• Applied shared secrets: APPLITOOLS_API_KEY, BROWSERSTACK_ACCESS_KEY, BROWSERSTACK_USERNAME, CODACY_API_TOKEN, CODECOV_TOKEN, SNYK_TOKEN, SONAR_TOKEN.
• Removed dropped vars: ROADMAP_PROJECT_OWNER, ROADMAP_PROJECT_NUMBER, NEON_PROJECT_ID.
• Vercel contexts removed from policy baseline.

Remaining blockers:

1. CODACY_PROJECT_TOKEN (repo-specific) remains missing.
2. strict-21 context emission is still incomplete; branch-protection cutover must wait for real green context set.
3. Additional provider wiring may still be needed for full canonical context parity.

No bypasses or placeholder checks were introduced.

[Prekzursil]

Strict-21 rollout update (March 2, 2026):\n\nImplemented now:\n- Applied shared quality secrets at repo level: APPLITOOLS_API_KEY, BROWSERSTACK_ACCESS_KEY, BROWSERSTACK_USERNAME, CODACY_API_TOKEN, CODECOV_TOKEN, SNYK_TOKEN, SONAR_TOKEN.\n- Vercel removed from policy target; strict-21 excludes Vercel contexts.\n\nCurrent blocker state on latest main SHA:\n- Required contexts emitted: 3/21\n- Missing contexts: applitools-core, pr-agent, deep-agent, audit-pr-evidence, backend, backend-postgres, coverage, CodeQL, codecov-analytics, Analyze (javascript-typescript), CodeRabbit, dependency-review, compose-smoke, frontend, label, codacy-equivalent-zero, sonar-branch-zero, Seer Code Review.\n\nWhat is still needed:\n1. Workflow pack to emit internal strict-21 names exactly.\n2. External app/integration installs for missing provider contexts (CodeRabbit, Seer Code Review).\n3. Codecov/Codacy project binding so coverage and analytics contexts are generated for this repo slug.\n\nNo strict-21 protection cutover was applied yet because required contexts are not all emitted/green.

[Prekzursil]

Strict-21 blocker refresh (2026-03-03):

What was validated:

• Vercel contexts are absent on latest PR head SHA.
• No Vercel/NEON_*/ROADMAP_PROJECT_WRITE_TOKEN references remain in repo files.
• Shared quality secrets were synced (APPLITOOLS_API_KEY, BROWSERSTACK_*, CODACY_API_TOKEN, CODECOV_TOKEN, SNYK_TOKEN, SONAR_TOKEN).

Still missing canonical strict-21 contexts on PR #96:

• Analyze (javascript-typescript)
• applitools-core
• pr-agent
• deep-agent
• audit-pr-evidence
• backend
• backend-postgres
• coverage
• codecov-analytics
• dependency-review
• compose-smoke
• frontend
• label
• codacy-equivalent-zero
• sonar-branch-zero
• Seer Code Review

Present contexts now include Analyze (actions), Analyze (python), CodeQL, SonarCloud, SonarCloud Code Analysis, Codacy Static, build-test, enforce-pr-evidence, validate-policy-contracts, strict-21-preflight.

Next required actions:

1. Add/align workflows to emit the missing strict-21 context names.
2. Keep checks real (no synthetic placeholder contexts).
3. Only then update main branch protection required checks to exact strict-21 list.