Summary
The scheduled Lock File Maintenance workflow (driven by the shared reusable workflows in this repo) has been failing weekly in three consumer repos, each for a distinct root cause. The lockfiles silently never refresh, and the recurring red runs mask real CI failures.
The three failures
1. platform-api — failure (push to protected main rejected)
reusable-lock-file-poetry.yml refreshes poetry.lock, commits, and pushes directly to main:
remote: error: GH006: Protected branch update failed for refs/heads/main.
! [remote rejected] main -> main (protected branch hook declined)
Only fails on weeks where the lock actually changes (some weeks pass — e.g. 2026-05-29 was green).
Fix: have the reusable open a PR (e.g. peter-evans/create-pull-request) instead of pushing to a protected branch — fixes this class org-wide.
2. ums-portal — failure (missing .nvmrc)
reusable-lock-file-npm.yml uses setup-node with node-version-file: ".nvmrc", but ums-portal has no .nvmrc:
##[error]The specified node version file at: .../.nvmrc does not exist
Fails deterministically every run.
Fix: add a .nvmrc to ums-portal, or change the reusable to node-version-file: 'package.json' / a literal node-version.
3. platform-mcp — startup_failure (caller permissions cap)
Caller .github/workflows/lock-file-maintenance.yml declares permissions: contents: read, but the reusable needs contents: write. A caller can't grant less than the reusable requires → the run never starts. Regressed on 2026-05-05 (commit a2a4bd0 "chore(security): CodeQL 2026-05 remediation" tightened top-level perms; conclusion flipped failure → startup_failure on 2026-05-08).
Fix: set the caller's permissions: contents: write (matching platform-api's caller).
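For concreteness, here is what the three fixes look like in workflow YAML. This is an added sketch, not the actual reusables from this repo or the consumers' callers: the job and step layout, the python-version input, the branch name, the cron, the refresh commands and the ORG/REPO placeholder are all assumed, and the action versions are the current majors at time of writing.

```yaml
# Added example, not the repo's real workflows. Job/step names, inputs,
# branch name, cron and ORG/REPO are assumptions.
#
# --- .github/workflows/reusable-lock-file-poetry.yml (fix 1) ---
name: Reusable lock file maintenance (poetry)

on:
  workflow_call:
    inputs:
      python-version:          # assumed input; the real reusable may differ
        type: string
        default: "3.12"

# What the reusable needs. Note this cannot raise the caller's cap: if the
# caller only grants contents: read, the run ends in startup_failure (fix 3).
permissions:
  contents: write        # push the branch carrying the refreshed lock
  pull-requests: write   # open the PR; create-pull-request needs both

jobs:
  refresh-lock:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
          python-version: ${{ inputs.python-version }}

      - name: Refresh poetry.lock           # assumed refresh command
        run: |
          pipx install poetry
          poetry lock

      # Replaces `git commit && git push origin main`, which the protected
      # branch hook rejects (GH006). The action is a no-op when poetry.lock
      # is unchanged, so quiet weeks stay green and open no PR.
      - uses: peter-evans/create-pull-request@v6
        with:
          branch: chore/lock-file-maintenance    # assumed branch name
          commit-message: "chore(deps): refresh poetry.lock"
          title: "chore(deps): refresh poetry.lock"
          body: "Scheduled lock file maintenance."
          delete-branch: true

---
# --- .github/workflows/reusable-lock-file-npm.yml, relevant steps (fix 2) ---
name: Reusable lock file maintenance (npm)

on:
  workflow_call:

permissions:
  contents: write
  pull-requests: write

jobs:
  refresh-lock:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          # `.nvmrc` fails in consumers that do not ship one (ums-portal).
          # `package.json` reads the consumer's "engines.node" field instead,
          # so every consumer that declares an engine works without a new file.
          node-version-file: package.json
      - run: npm update --package-lock-only --ignore-scripts   # assumed refresh command
      - uses: peter-evans/create-pull-request@v6
        with:
          branch: chore/lock-file-maintenance
          commit-message: "chore(deps): refresh package-lock.json"
          title: "chore(deps): refresh package-lock.json"
          delete-branch: true

---
# --- consumer repo: .github/workflows/lock-file-maintenance.yml (fix 3) ---
name: Lock File Maintenance

on:
  schedule:
    - cron: "0 6 * * 1"     # assumed weekly schedule
  workflow_dispatch:

# The caller's top-level permissions cap the reusable. `contents: read` here
# is exactly what turned platform-mcp's runs into startup_failure; grant what
# the reusable declares and nothing more.
permissions:
  contents: write
  pull-requests: write

jobs:
  poetry:
    # ORG/REPO is a placeholder for this repo's owner/name.
    uses: ORG/REPO/.github/workflows/reusable-lock-file-poetry.yml@main
```

Two caveats when switching to the PR-based flow: the consumer repo's Actions settings must have "Allow GitHub Actions to create and approve pull requests" enabled, or the create step fails with a permissions error even though the token has pull-requests: write; and a PR opened with the default GITHUB_TOKEN does not trigger other workflows (pull_request CI will not run on it), so if the consumers rely on CI gating the lock update, the action needs a GitHub App or PAT token passed via its token input instead.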
Acceptance criteria
1. platform-api: refreshed poetry.lock reaches main (PR-based or otherwise green).
2. ums-portal: .nvmrc present (or reusable no longer requires it); run green.
3. platform-mcp: caller grants contents: write; workflow starts and runs green.
Context
Found while reviewing CI health (2026-06-06). Reusables: reusable-lock-file-poetry.yml, reusable-lock-file-npm.yml (this repo). The PR-based fix for (1) is highest-leverage — it removes the protected-branch failure for any repo using the poetry reusable.