From f22e5dcc717a2aa1f1f35b8d28535675d84bbebf Mon Sep 17 00:00:00 2001
From: Chris Green <greenc@fnal.gov>
Date: Wed, 17 Jun 2026 15:48:38 -0500
Subject: [PATCH 1/2] Maintenance improvements

- `dependabot-auto-merge` no longer needs `WORKFLOW_PAT`
- `guardrail-audit-alert` to report to Slack on safeguard bypass by
  admins (e.g. push to `main`, merge without approval).
---
 .github/workflows/dependabot-auto-merge.yaml |  4 ++-
 .github/workflows/guardrail-audit-alert.yaml | 32 ++++++++++++++++++++
 2 files changed, 35 insertions(+), 1 deletion(-)
 create mode 100644 .github/workflows/guardrail-audit-alert.yaml

diff --git a/.github/workflows/dependabot-auto-merge.yaml b/.github/workflows/dependabot-auto-merge.yaml
index adcb4125b..724d3eef0 100644
--- a/.github/workflows/dependabot-auto-merge.yaml
+++ b/.github/workflows/dependabot-auto-merge.yaml
@@ -13,8 +13,10 @@ name: Dependabot auto-merge
     types: [completed]
 
 permissions:
+  actions: write
   contents: write
   pull-requests: write
+  repository-projects: write # Required if the token needs to modify repository settings via API
 
 jobs:
   dependabot:
@@ -63,7 +65,7 @@ jobs:
         shell: bash
         env:
           PR_NUMBER: ${{ steps.pr.outputs.number }}
-          GH_TOKEN: ${{ secrets.WORKFLOW_PAT }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Replaced WORKFLOW_PAT with GITHUB_TOKEN
         # yamllint disable rule:line-length
         run: |
           set -o pipefail
diff --git a/.github/workflows/guardrail-audit-alert.yaml b/.github/workflows/guardrail-audit-alert.yaml
new file mode 100644
index 000000000..b503112cd
--- /dev/null
+++ b/.github/workflows/guardrail-audit-alert.yaml
@@ -0,0 +1,32 @@
+name: Guardrail Push Alerts
+on:
+  push:
+    branches: [main]
+
+jobs:
+  slack-alert:
+    runs-on: ubuntu-latest
+    permissions: {} # Explicitly drops all token permissions
+    if: github.actor != 'dependabot[bot]'
+    steps:
+      - name: Process and Format Slack Alert
+        env:
+          SLACK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+          # Safely map variables as structured environment inputs
+          COMMIT_MSG: ${{ github.event.head_commit.message }}
+          COMMITTER: ${{ github.event.head_commit.committer.name }}
+          REPO_NAME: ${{ github.repository }}
+          ACTOR: ${{ github.actor }}
+        run: |
+          # If the committer isn't 'GitHub', an admin pushed directly via local CLI.
+          if [ "$COMMITTER" != "GitHub" ]; then
+
+            # Use jq to format a completely safe, escaped JSON object for Slack
+            PAYLOAD=$(jq -n \
+              --arg msg "$COMMIT_MSG" \
+              --arg repo "$REPO_NAME" \
+              --arg actor "$ACTOR" \
+              '{"text": "⚠️ *Direct Push to Main Detected!*\n*Repo:* `\($repo)`\n*Actor:* `@\($actor)`\n*Commit:* `\($msg)`"}')
+
+            curl -X POST -H 'Content-type: application/json' --data "$PAYLOAD" "$SLACK_URL"
+          fi

From 00fb3037b5579b1d485b49b08cb815044a82a51d Mon Sep 17 00:00:00 2001
From: Chris Green <greenc@fnal.gov>
Date: Wed, 17 Jun 2026 15:51:56 -0500
Subject: [PATCH 2/2] Add release automation scripts for action tier detection,
 execution, and dependabot management

---
 scripts/release/detect-action-tiers.sh    | 159 ++++++++++++++++++++++
 scripts/release/execute-action-release.sh |  99 ++++++++++++++
 scripts/release/trigger-dependabot.sh     |  85 ++++++++++++
 scripts/release/view-dependabot-logs.sh   |  37 +++++
 4 files changed, 380 insertions(+)
 create mode 100755 scripts/release/detect-action-tiers.sh
 create mode 100755 scripts/release/execute-action-release.sh
 create mode 100755 scripts/release/trigger-dependabot.sh
 create mode 100755 scripts/release/view-dependabot-logs.sh

diff --git a/scripts/release/detect-action-tiers.sh b/scripts/release/detect-action-tiers.sh
new file mode 100755
index 000000000..c6c1e94de
--- /dev/null
+++ b/scripts/release/detect-action-tiers.sh
@@ -0,0 +1,159 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+echo "=================================================="
+echo "ACTION TIER CHANGE DETECTION"
+echo "=================================================="
+
+# 1. Find all action repositories
+ACTION_REPOS=()
+for dir in actions/*; do
+  [ -d "$dir" ] || continue
+  [ -f "$dir/action.yaml" ] || continue
+  ACTION_REPOS+=("${dir#actions/}")
+done
+
+# 2. Determine dependencies for each repo
+declare -A DEPENDENCIES
+declare -A TIERS
+
+for repo in "${ACTION_REPOS[@]}"; do
+  # Extract dependencies on Framework-R-D/action-*
+  # Format: Framework-R-D/action-NAME@SHA # vVERSION
+  # We want the NAME part.
+  DEPS=$(grep "uses: Framework-R-D/action-" "actions/$repo/action.yaml" | sed -E 's/.*Framework-R-D\/action-([^@ ]+).*/\1/' || true)
+  DEPENDENCIES["$repo"]="$DEPS"
+done
+
+# 3. Iteratively assign tiers
+UNASSIGNED=("${ACTION_REPOS[@]}")
+CURRENT_TIER=1
+
+while [ ${#UNASSIGNED[@]} -gt 0 ]; do
+  TIER_REPOS=()
+  STILL_UNASSIGNED=()
+
+  for repo in "${UNASSIGNED[@]}"; do
+    CAN_ASSIGN=true
+    for dep in ${DEPENDENCIES["$repo"]}; do
+      # If dep is an action repo and not yet assigned a tier, we can't assign this repo yet
+      if [[ " ${ACTION_REPOS[*]} " == *" $dep "* ]] && [ -z "${TIERS["$dep"]:-}" ]; then
+        CAN_ASSIGN=false
+        break
+      fi
+    done
+
+    if [ "$CAN_ASSIGN" = true ]; then
+      TIER_REPOS+=("$repo")
+    else
+      STILL_UNASSIGNED+=("$repo")
+    fi
+  done
+
+  if [ ${#TIER_REPOS[@]} -eq 0 ]; then
+    echo "❌ Error: Circular dependency detected among: ${STILL_UNASSIGNED[*]}"
+    exit 1
+  fi
+
+  for repo in "${TIER_REPOS[@]}"; do
+    TIERS["$repo"]=$CURRENT_TIER
+  done
+
+  UNASSIGNED=("${STILL_UNASSIGNED[@]}")
+  ((CURRENT_TIER++))
+done
+
+# Pre-calculate latest tags and change status for all action repos to avoid redundant git calls
+declare -A LATEST_TAGS
+declare -A HAS_CHANGES
+declare -A UNCOMMITTED
+
+for repo in "${ACTION_REPOS[@]}"; do
+  (
+    cd "actions/$repo" || exit 1
+    git fetch --tags -q
+    TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo "NONE")
+    echo "TAG=$TAG"
+    if [ "$TAG" != "NONE" ]; then
+      CHANGES=$(git log "${TAG}..HEAD" --oneline -- action.yaml 2>/dev/null || echo "")
+      if [ -n "$CHANGES" ]; then
+        echo "CHANGES=YES"
+      else
+        echo "CHANGES=NO"
+      fi
+    else
+      echo "CHANGES=NONE"
+    fi
+
+    UNCOMMITTED_STATUS=$(git status --porcelain 2>/dev/null || echo "")
+    if [ -n "$UNCOMMITTED_STATUS" ]; then
+      echo "UNCOMMITTED=YES"
+    else
+      echo "UNCOMMITTED=NO"
+    fi
+  ) > "actions/.tmp_${repo}_status"
+done
+
+# Load the pre-calculated data
+for repo in "${ACTION_REPOS[@]}"; do
+  source "actions/.tmp_${repo}_status"
+  LATEST_TAGS["$repo"]=$TAG
+  HAS_CHANGES["$repo"]=$CHANGES
+  UNCOMMITTED["$repo"]=$UNCOMMITTED
+  rm "actions/.tmp_${repo}_status"
+done
+
+# 4. Analyze each tier
+for ((tier=1; tier < CURRENT_TIER; tier++)); do
+  echo "--- Tier $tier ---"
+
+  for repo in "${ACTION_REPOS[@]}"; do
+    if [ "${TIERS["$repo"]:-}" -eq "$tier" ]; then
+      TAG=${LATEST_TAGS["$repo"]}
+      CHANGE_STATUS=${HAS_CHANGES["$repo"]}
+
+      if [ "$TAG" = "NONE" ]; then
+        echo "📌 REPO: $repo (No tags found)"
+      elif [ "$CHANGE_STATUS" = "YES" ]; then
+        echo "🔥 REPO: $repo has unreleased changes since $TAG:"
+        ( cd "actions/$repo" && git log "${TAG}..HEAD" --oneline -- action.yaml ) | sed 's/^/   - /'
+      else
+        echo "✅ REPO: $repo is clean ($TAG matches HEAD)"
+      fi
+
+      if [ "${UNCOMMITTED["$repo"]:-}" = "YES" ]; then
+        echo "   ⚠️  REPO: $repo has uncommitted changes!"
+      fi
+
+      # Check dependencies for annotations
+      for dep in ${DEPENDENCIES["$repo"]}; do
+        if [[ " ${ACTION_REPOS[*]} " == *" $dep "* ]]; then
+          # 1. Check if dep has changes
+          DEP_CHANGE_STATUS=${HAS_CHANGES["$dep"]}
+          if [ "$DEP_CHANGE_STATUS" = "YES" ]; then
+            echo "   ⚠️  Dependency $dep has unreleased changes!"
+          fi
+
+          # 2. Check for version mismatch
+          DEP_TAG=${LATEST_TAGS["$dep"]}
+          REF_VERSION=$(grep "uses: Framework-R-D/action-$dep" "actions/$repo/action.yaml" | sed -E 's/.*# ([^ ]+).*/\1/' | head -n 1 || true)
+          if [ -n "$REF_VERSION" ] && [ "$DEP_TAG" != "NONE" ]; then
+            if [ "$(printf '%s\n%s' "$REF_VERSION" "$DEP_TAG" | sort -V | tail -n 1)" != "$REF_VERSION" ]; then
+               echo "   ⚠️  Dependency $dep is at version $DEP_TAG, but $repo refers to $REF_VERSION"
+            fi
+          fi
+        fi
+      done
+    fi
+  done
+done
+
+echo ""
+echo "=================================================="
+echo "CHANGELOGS TO UPDATE"
+echo "=================================================="
+for repo in "${ACTION_REPOS[@]}"; do
+  if [ "${HAS_CHANGES["$repo"]:-}" = "YES" ]; then
+    echo "actions/$repo/CHANGELOG.md"
+  fi
+done
diff --git a/scripts/release/execute-action-release.sh b/scripts/release/execute-action-release.sh
new file mode 100755
index 000000000..b0d6a526a
--- /dev/null
+++ b/scripts/release/execute-action-release.sh
@@ -0,0 +1,99 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+REPO_DIR="${1:-}"
+if [ -z "$REPO_DIR" ] || [ ! -d "$REPO_DIR" ]; then
+  echo "Error: Pass a valid local repository directory name."
+  exit 1
+fi
+
+cd "$REPO_DIR"
+echo "=================================================="
+echo "EXECUTING AUTOMATED RELEASE FOR: $REPO_DIR"
+echo "=================================================="
+
+# Ensure workspace tree is clean and synchronized
+git fetch upstream main -q
+git checkout main -q
+git pull --ff-only upstream main -q
+
+# Ensure CHANGELOG.md is committed before tagging
+if ! git diff --quiet CHANGELOG.md; then
+  echo "❌ ERROR: Uncommitted changes detected in CHANGELOG.md."
+  echo "Please commit your changelog updates before running the release script."
+  exit 1
+fi
+
+# Step 1: Determine target version from CHANGELOG.md
+echo "-> Determining target version from CHANGELOG.md..."
+TARGET_VERSION=""
+
+# Iterate through version headers in CHANGELOG.md in order of appearance
+while read -r line; do
+  VERSION=$(echo "$line" | sed 's/^## //; s/ --- .*//')
+
+  # A version is pending if:
+  # 1. The tag doesn't exist yet.
+  # 2. The tag exists, but the README hasn't been pinned to this version.
+  if ! git rev-parse "$VERSION" >/dev/null 2>&1 || ! grep -q " # ${VERSION}$" README.md; then
+    TARGET_VERSION="$VERSION"
+    break
+  fi
+done < <(grep "^## v[0-9]*" CHANGELOG.md)
+
+if [ -z "$TARGET_VERSION" ]; then
+  echo "❌ ERROR: No pending versions found in CHANGELOG.md (all versions tagged and pinned)."
+  exit 1
+fi
+
+NEXT_VERSION="$TARGET_VERSION"
+echo "-> Target version identified: $NEXT_VERSION"
+
+# Step 2: Build and push the Annotated Tag
+if ! git rev-parse "$NEXT_VERSION" >/dev/null 2>&1; then
+  echo "-> Injecting annotated metadata tag..."
+  git tag "$NEXT_VERSION" -m "$NEXT_VERSION - automated dependency cycle release"
+  git push upstream "$NEXT_VERSION" -q
+else
+  echo "-> Tag $NEXT_VERSION already exists. Skipping."
+fi
+
+# Step 3: Construct server-side Release notes wrapper
+if ! gh release view "$NEXT_VERSION" >/dev/null 2>&1; then
+  echo "-> Publishing GitHub Release notes configuration..."
+  gh release create "$NEXT_VERSION" \
+    --title "$NEXT_VERSION - updates" \
+    --generate-notes
+else
+  echo "-> GitHub Release $NEXT_VERSION already exists. Skipping."
+fi
+
+# Step 4: Update README.md usage example block automatically
+echo "-> Calculating immutable SHA signatures..."
+NEW_SHA=$(gh api "repos/{owner}/{repo}/git/ref/tags/${NEXT_VERSION}" --jq .object.sha)
+TYPE=$(gh api "repos/{owner}/{repo}/git/ref/tags/${NEXT_VERSION}" --jq .object.type)
+
+if [ "$TYPE" = "tag" ]; then
+  NEW_SHA=$(gh api "repos/{owner}/{repo}/git/tags/${NEW_SHA}" --jq .object.sha)
+fi
+
+REPO_FULL_NAME=$(gh repo view --json nameWithOwner --jq '.nameWithOwnership')
+
+echo "-> Found Target Release SHA: $NEW_SHA"
+echo "-> Modifying local README string tokens..."
+
+OLD_PATTERN="${REPO_FULL_NAME}@[0-9a-f]\{40\} # v[0-9]*"
+NEW_STRING="${REPO_FULL_NAME}@${NEW_SHA} # ${NEXT_VERSION}"
+
+if grep -q "$NEW_STRING" README.md; then
+  echo "-> README already pinned to $NEXT_VERSION. Skipping commit."
+else
+  sed -i "s|${OLD_PATTERN}|${NEW_STRING}|" README.md
+
+  # Commit the updated documentation pin back to main
+  git add README.md
+  git commit -m "docs: pin README usage example to ${NEXT_VERSION} SHA" -q
+  git push upstream main -q
+fi
+
+echo "🚀 SUCCESS: $NEXT_VERSION is complete and pinned!"
diff --git a/scripts/release/trigger-dependabot.sh b/scripts/release/trigger-dependabot.sh
new file mode 100755
index 000000000..da03268a6
--- /dev/null
+++ b/scripts/release/trigger-dependabot.sh
@@ -0,0 +1,85 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+echo "=================================================="
+echo "Cascading Dependabot Check via Dynamic Header PR"
+echo "=================================================="
+
+if ! git rev-parse --is-inside-work-tree >/dev/null 2>&1; then
+  echo "❌ Error: This folder is not a git repository."
+  exit 1
+fi
+
+if [ ! -f ".github/dependabot.yml" ]; then
+  echo "❌ Error: .github/dependabot.yml missing. Cannot scan."
+  exit 1
+fi
+
+# 1. Dynamically resolve the real remote tracking name (handles upstream vs origin)
+echo "--> Resolving active tracking remote name..."
+REMOTE_NAME=$(git config --get branch."$(git branch --show-current)".remote || true)
+if [ -z "$REMOTE_NAME" ]; then
+  REMOTE_NAME=$(git config --get branch.main.remote || true)
+fi
+if [ -z "$REMOTE_NAME" ]; then
+  REMOTE_NAME=$(git remote | head -n 1)
+fi
+if [ -z "$REMOTE_NAME" ]; then
+  echo "❌ ERROR: No git remotes configured in this repository."
+  exit 1
+fi
+echo "    Found Remote Tracking Target: $REMOTE_NAME"
+
+# 2. Dynamically resolve the default branch name BEFORE checking out feature branch
+# This guarantees $DEFAULT_BRANCH is bound and available for the final sync step.
+DEFAULT_BRANCH=$(git symbolic-ref refs/remotes/"$REMOTE_NAME"/HEAD 2>/dev/null | sed "s|refs/remotes/$REMOTE_NAME/||" || echo "main")
+echo "    Found Default Branch Target: $DEFAULT_BRANCH"
+
+# 3. Check out a temporary branch specifically for the trigger
+echo "--> Creating local trigger branch..."
+TRIGGER_BRANCH="automation/trigger-dependabot-$(date +%s)"
+git checkout -b "$TRIGGER_BRANCH" -q
+
+# 4. Inject a dynamic timestamp comment at the top of dependabot.yml
+echo "--> Injecting fresh timestamp cache key to dependabot.yml header..."
+TIMESTAMP=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+
+# Write the new timestamp comment as line 1, then append the original file contents
+{
+  echo "# Triggered via automation release cycle at: ${TIMESTAMP}"
+  cat .github/dependabot.yml
+} > .github/dependabot.yml.tmp
+
+mv .github/dependabot.yml.tmp .github/dependabot.yml
+
+# 5. Commit bypassing pre-commit hooks and GPG code-signing requirements
+git add .github/dependabot.yml
+git commit \
+  --no-verify \
+  --no-gpg-sign \
+  -m "chore: force-trigger contemporaneous dependabot evaluation" -q
+
+# 6. Push the feature branch to the dynamically identified remote
+git push "$REMOTE_NAME" "$TRIGGER_BRANCH" -q
+
+# 7. Open a temporary Pull Request to force GitHub's backend to process the file change
+echo "--> Opening short-lived activation Pull Request..."
+PR_URL=$(gh pr create \
+  --title "chore: dynamic version check sweep" \
+  --body "Automated system trigger. Safe to delete." \
+  --head "$TRIGGER_BRANCH")
+
+PR_NUMBER=$(echo "$PR_URL" | grep -oE '[0-9]+$')
+echo "    PR Opened: #$PR_NUMBER"
+
+# 8. Close the PR and delete the remote/local branches instantly
+echo "--> Closing PR and cleaning up remote branch..."
+# gh handles deleting the remote branch and checking back out into your local workspace tracking branch
+gh pr close "$PR_NUMBER" --delete-branch
+
+# 9. Sync your default branch cleanly to ensure local tracking matches remote tip
+echo "--> Synchronizing local default branch workspace..."
+git checkout "$DEFAULT_BRANCH" -q
+git pull --ff-only "$REMOTE_NAME" "$DEFAULT_BRANCH" -q
+
+echo "⚡ SUCCESS: Dependabot has initialized an immediate version check cycle cleanly!"
diff --git a/scripts/release/view-dependabot-logs.sh b/scripts/release/view-dependabot-logs.sh
new file mode 100755
index 000000000..9bc02bc2f
--- /dev/null
+++ b/scripts/release/view-dependabot-logs.sh
@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+echo "=================================================="
+echo "Opening Dependabot Management UI"
+echo "=================================================="
+
+if ! git rev-parse --is-inside-work-tree >/dev/null 2>&1; then
+  echo "❌ Error: This folder is not a git repository."
+  exit 1
+fi
+
+# 1. Fetch the absolute repository web URL from the GitHub CLI metadata
+REPO_URL=$(gh repo view --json url --jq '.url')
+
+# 2. Construct the direct deep-link target path for Dependabot logs
+# On GitHub, this route lives under: /network/updates
+TARGET_LOG_PAGE="${REPO_URL}/network/updates"
+
+echo "--> Target URL: $TARGET_LOG_PAGE"
+echo "--> Launching your browser..."
+
+# 3. Detect operating system environment and trigger the native window engine
+if command -v xdg-open >/dev/null 2>&1; then
+  # Linux environment handler
+  xdg-open "$TARGET_LOG_PAGE" 2>/dev/null
+elif command -v open >/dev/null 2>&1; then
+  # macOS environment handler
+  open "$TARGET_LOG_PAGE"
+else
+  echo "❌ Error: Could not detect a desktop environment opener utility (xdg-open or open)."
+  echo "          Please open this link manually instead:"
+  echo "          $TARGET_LOG_PAGE"
+  exit 1
+fi
+
+echo "⚡ Success: Browser session initialized."