@@ -273,6 +273,45 @@ jobs:
273273 - name : Run tests
274274 run : python -m pytest tests/ -v --tb=short
275275
276+ # ---------------------------------------------------------------------------
277+ # Downstream dispatch — notify private repo when parser-core changes on main
278+ # Fires only on push to main (not PRs), only when parser-core files changed,
279+ # and only after test-core passes.
280+ #
281+ # Security:
282+ # - Gated on push to main + test-core success — PRs never trigger this
283+ # - DOWNSTREAM_DISPATCH_TOKEN must be a fine-grained PAT scoped to
284+ # longieirl/bankstatements only, with Contents: write permission
285+ # - The private repo validates the run_url payload origin before running
286+ # ---------------------------------------------------------------------------
287+ dispatch-downstream :
288+ name : Dispatch downstream CI (bankstatements)
289+ runs-on : ubuntu-latest
290+ needs : test-core
291+ if : github.event_name == 'push' && github.ref == 'refs/heads/main'
292+ steps :
293+ - name : Check if parser-core changed
294+ id : changes
295+ uses : dorny/paths-filter@v3
296+ with :
297+ filters : |
298+ core:
299+ - 'packages/parser-core/**'
300+
301+ - name : Trigger downstream CI in bankstatements
302+ if : steps.changes.outputs.core == 'true'
303+ uses : peter-evans/repository-dispatch@v3
304+ with :
305+ token : ${{ secrets.DOWNSTREAM_DISPATCH_TOKEN }}
306+ repository : longieirl/bankstatements
307+ event-type : core-updated
308+ client-payload : |
309+ {
310+ "sha": "${{ github.sha }}",
311+ "ref": "${{ github.ref }}",
312+ "run_url": "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
313+ }
314+
276315 # ---------------------------------------------------------------------------
277316 # Summary gate — required status check for branch protection
278317 # Always runs so docs-only PRs (which skip the workflow) are handled by
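Review bot: Both third-party actions in `dispatch-downstream` are referenced by the mutable tag `@v3`, and the second step passes `secrets.DOWNSTREAM_DISPATCH_TOKEN` to one of them; the header comment describes that token as a PAT with Contents: write on the private repo, so a moved tag would run new code with it. Pin each action to a full commit SHA, e.g. `uses: peter-evans/repository-dispatch@<full-commit-sha>  # v3` (placeholder; use the SHA of the release you reviewed), and do the same for `dorny/paths-filter`. The job declares no `permissions:` of its own, so unless the workflow sets one outside this hunk it inherits the default `GITHUB_TOKEN` scope; because the dispatch uses the PAT, a job-level `permissions:` with `contents: read` looks sufficient for the visible steps. Separately, there is no `actions/checkout` step before the paths filter, and on push events that action normally diffs a checked-out repository, so confirm the filter evaluates as intended instead of failing or silently skipping the dispatch.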