Blocker: strict-23 rollout preflight failed (missing external/internal contexts)

[Prekzursil]

Date: March 1, 2026

Summary

• Strict-check rollout preflight failed on main.
• Branch protection is currently not enabled on main.
• Required external contexts and several internal contexts are not being emitted.
• Under no-bypass policy, rollout is paused until these integrations/workflows exist and are green on PR head.

Evidence

• Repo: Prekzursil/WebCoder
• Main SHA checked: 0b35b666ffd1fe0a14967edacd6c1508ab5ec588
• Branch protection query returned no required status checks.

Commands used

gh repo view Prekzursil/WebCoder --json nameWithOwner,defaultBranchRef,url
gh api repos/Prekzursil/WebCoder/branches/main/protection
gh api repos/Prekzursil/WebCoder/commits/main --jq .sha
gh api repos/Prekzursil/WebCoder/commits/<sha>/check-runs?per_page=100
gh api repos/Prekzursil/WebCoder/commits/<sha>/status

Missing canonical strict-check contexts

• applitools-core
• pr-agent
• deep-agent
• audit-pr-evidence
• backend
• backend-postgres
• coverage
• CodeQL
• codecov-analytics
• CodeRabbit
• dependency-review
• compose-smoke
• frontend
• label
• codacy-equivalent-zero
• sonar-branch-zero
• Seer Code Review

Present key contexts (subset)

• Analyze (actions)
• Analyze (javascript-typescript)
• Analyze (python)
• SonarCloud Code Analysis

Required to unblock
2. Add internal workflows to emit missing required contexts with real repo-native verification.
3. Enable strict branch protection on main only after all canonical contexts are emitted and green on PR head.
4. Keep no-bypass policy: no placeholder checks, no check removal, no threshold lowering.

[Prekzursil]

Policy update as of March 2, 2026:

1. Vercel and Vercel Preview Comments are removed from the rollout target and should not be treated as blockers anymore.
2. I propagated non-secret Actions variables from momentstudio to this repo:

• COPILOT_AGENT_FIREWALL_ENABLED
• NEON_PROJECT_ID
• PERCY_AUTO_APPROVE_PR
• PERCY_PR_ENABLED
• ROADMAP_PROJECT_NUMBER
• ROADMAP_PROJECT_OWNER
• SENTRY_ORG
• SENTRY_PROJECT

Open blocker that cannot be automated from GitHub API:

• Secret values are non-readable by design, so I cannot extract and copy momentstudio secrets (for example APPLITOOLS_API_KEY, CODACY_API_TOKEN, CODACY_PROJECT_TOKEN, CODECOV_TOKEN, SONAR_TOKEN, etc.) into this repo unless source values are provided.

Additional note:

• COPILOT_AGENT_FIREWALL_ALLOW_LIST is empty in source and GitHub rejects creating an empty variable value (HTTP 422).

[Prekzursil]

Strict-21 rollout progress update (March 2, 2026):

Completed:

• Applied shared secrets to repo: APPLITOOLS_API_KEY, BROWSERSTACK_ACCESS_KEY, BROWSERSTACK_USERNAME, CODACY_API_TOKEN, CODECOV_TOKEN, SNYK_TOKEN, SONAR_TOKEN.
• Removed dropped vars from repo: ROADMAP_PROJECT_OWNER, ROADMAP_PROJECT_NUMBER, NEON_PROJECT_ID.
• Policy now excludes Vercel contexts.

Remaining blockers for full strict-21 convergence:

1. CODACY_PROJECT_TOKEN must be project/repo-specific and is still missing.
2. PERCY_TOKEN and SENTRY_AUTH_TOKEN are still unresolved for repo-level workflows that require them.
3. Required strict-21 context emission is still incomplete on PR checks; protection cutover remains blocked until contexts are genuinely emitted and green.

No bypasses were applied.

[Prekzursil]

Strict-21 rollout update (March 2, 2026):\n\nImplemented now:\n- Applied shared quality secrets at repo level: APPLITOOLS_API_KEY, BROWSERSTACK_ACCESS_KEY, BROWSERSTACK_USERNAME, CODACY_API_TOKEN, CODECOV_TOKEN, SNYK_TOKEN, SONAR_TOKEN.\n- Vercel is out of required-policy target (strict-21 excludes Vercel contexts).\n\nCurrent blocker state on latest main SHA:\n- Required contexts emitted: 4/21\n- Missing contexts: applitools-core, pr-agent, deep-agent, audit-pr-evidence, backend, backend-postgres, coverage, CodeQL, codecov-analytics, CodeRabbit, dependency-review, compose-smoke, frontend, label, codacy-equivalent-zero, sonar-branch-zero, Seer Code Review.\n\nWhat is still needed for this repo to actually go green:\n1. Add/enable workflows that emit the missing internal contexts with exact names.\n2. Install/enable external apps/integrations so provider-native contexts appear: CodeRabbit + Seer Code Review (and CodeQL if not emitting as required context).\n3. Add Codecov/Codacy project linkage for repo-native status publication under this repo slug.\n\nNo branch-protection strict-21 cutover was applied yet because contexts are not fully emitted.

[Prekzursil]

Strict-21 blocker refresh (2026-03-03):

What was validated:

• Vercel contexts are absent on latest PR head SHA.
• No Vercel/NEON_*/ROADMAP_PROJECT_WRITE_TOKEN references remain in repo files.
• Shared quality secrets were synced (APPLITOOLS_API_KEY, BROWSERSTACK_*, CODACY_API_TOKEN, CODECOV_TOKEN, SNYK_TOKEN, SONAR_TOKEN).

Still missing canonical strict-21 contexts on PR #15:

• applitools-core
• pr-agent
• deep-agent
• audit-pr-evidence
• backend
• backend-postgres
• coverage
• codecov-analytics
• dependency-review
• compose-smoke
• frontend
• label
• codacy-equivalent-zero
• sonar-branch-zero
• Seer Code Review

Present contexts now include CodeQL + Analyze lanes + SonarCloud + Codacy Static + strict-21-preflight + verify/build.

Next required actions:

1. Add/align workflows to emit the missing strict-21 context names.
2. Keep checks real (no synthetic placeholder contexts).
3. Only then update main branch protection required checks to exact strict-21 list.