tobin 6abc27773c
Cache scan verdicts and drop policy-failing entries from bump PRs
Three changes that together let the nightly bump clear any backlog in a
single run without blocking on a single bad upstream or re-burning Claude
time on already-scanned SHAs:

- bump-plugin-shas.yml: raise max-bumps default 20 -> 130 (above the
  external entry count, so a single run can clear a full backlog) and add
  an explicit 60-min job timeout. The cap was the only thing bounding the
  blast radius of a single policy failure; the changes below take over
  that role so the cap can be lifted.

- scan-plugins.yml: add a verdict cache keyed on (plugin, sha, policy
  hash). The bump action force-resets bump/plugin-shas every night, which
  makes the same SHAs reappear in the diff on consecutive nights — without
  the cache the scan would re-burn ~90s of Claude time per entry per
  night. Cached verdicts (pass and fail) are served from disk; only
  uncached SHAs are scanned. The job still fails on cached failures so
  the required check stays honest.

- revert-failed-bumps.yml (new): after a Scan Plugins workflow_run on
  bump/plugin-shas concludes with a failure, drop just the failing
  entries' source.sha back to main's pin via a follow-up signed commit
  and re-dispatch the scan. The re-dispatch finds only cached-pass
  entries and goes green in seconds. Bounded at 3 passes/night, restricted
  to SHA-only diffs, and aborts if the bump branch was tampered with.
2026-05-18 18:58:06 +00:00
..