From fa9f4ce91698e3d1a86d28ed3f36a3078572b957 Mon Sep 17 00:00:00 2001 From: BenjaminLangenakenSF Date: Fri, 27 Mar 2026 09:53:36 +0100 Subject: [PATCH 1/3] Pass SF_API_CLIENT_ID and SF_API_SECRET into check-dependencies job silverfin-cli now requires API credentials at startup (including -V). Caller repos should use secrets: inherit when calling this workflow. Made-with: Cursor --- .github/workflows/check_dependencies.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/check_dependencies.yml b/.github/workflows/check_dependencies.yml index ef1c532..71fd156 100644 --- a/.github/workflows/check_dependencies.yml +++ b/.github/workflows/check_dependencies.yml @@ -3,8 +3,8 @@ # Reusable workflow: call from a consumer repo with pull_request (labeled) and/or workflow_dispatch. # # Does not run check_auth: that job updates CONFIG_JSON via gh secret set, which notifies -# repo/org admins by email. The CLI check-dependencies command only scans local Liquid Test -# YAML files and does not need API credentials. +# repo/org admins by email. The silverfin-cli still requires SF_API_CLIENT_ID / SF_API_SECRET +# in the environment to start (even for check-dependencies / version). name: Check dependencies run-name: Check dependencies for changed reconciliation templates on: @@ -25,6 +25,8 @@ jobs: pull-requests: write env: WORKFLOW_CALL_PR_NUMBER: ${{ inputs.pull_request_number }} + SF_API_CLIENT_ID: ${{ secrets.SF_API_CLIENT_ID }} + SF_API_SECRET: ${{ secrets.SF_API_SECRET }} steps: # Resolve PR base and head SHAs (head used for checkout so scans match the PR branch) - name: Get PR details From 83ff0c8d30beac1ab0e65ad0879a820ce39d237d Mon Sep 17 00:00:00 2001 
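Review bot: The two secrets added in the second hunk sit in the job-level `env:`, so every step in the job receives `SF_API_CLIENT_ID` and `SF_API_SECRET`, not only the step that starts the CLI. The hunk's own context says the PR head is checked out for scanning, and the job holds `pull-requests: write`, so anything that executes from the PR branch or from an installed package would be able to read the credentials. If the CLI really needs them, move both lines into the `env:` of the single step that invokes `cli.js`. Also declare them under `on.workflow_call.secrets` (if they are not already, which this hunk does not show) so callers pass them by name rather than through `secrets: inherit`. The job body continues outside the hunk.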
From: BenjaminLangenakenSF Date: Fri, 27 Mar 2026 10:20:37 +0100 Subject: [PATCH 2/3] refactor(ci): remove extra CLI version call in check-dependencies Drop the unnecessary execution from setup and keep only installation before running check-dependencies. Made-with: Cursor --- .github/workflows/check_dependencies.yml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/.github/workflows/check_dependencies.yml b/.github/workflows/check_dependencies.yml index 71fd156..24f8def 100644 --- a/.github/workflows/check_dependencies.yml +++ b/.github/workflows/check_dependencies.yml @@ -3,8 +3,7 @@ # Reusable workflow: call from a consumer repo with pull_request (labeled) and/or workflow_dispatch. # # Does not run check_auth: that job updates CONFIG_JSON via gh secret set, which notifies -# repo/org admins by email. The silverfin-cli still requires SF_API_CLIENT_ID / SF_API_SECRET -# in the environment to start (even for check-dependencies / version). +# repo/org admins by email. check-dependencies only scans local Liquid Test YAML files. name: Check dependencies run-name: Check dependencies for changed reconciliation templates on: @@ -25,8 +24,6 @@ jobs: pull-requests: write env: WORKFLOW_CALL_PR_NUMBER: ${{ inputs.pull_request_number }} - SF_API_CLIENT_ID: ${{ secrets.SF_API_CLIENT_ID }} - SF_API_SECRET: ${{ secrets.SF_API_SECRET }} steps: # Resolve PR base and head SHAs (head used for checkout so scans match the PR branch) - name: Get PR details @@ -146,7 +143,6 @@ jobs: if: steps.handles.outputs.handles_json != '[]' run: | npm install https://github.com/silverfin/silverfin-cli.git - node ./node_modules/silverfin-cli/bin/cli.js -V # Run check-dependencies for each handle and collect results - name: Run check-dependencies per handle From ce818ba7af651a7f39063ef3be28319d799419de Mon Sep 17 00:00:00 2001 
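Review bot: The rewritten header comment in the first hunk (`# repo/org admins by email. check-dependencies only scans local Liquid Test YAML files.`) no longer says whether credentials are needed, while the second hunk drops `SF_API_CLIENT_ID` and `SF_API_SECRET` from the job `env:`. The commit message mentions only the `-V` call. Patch 1/3 stated that the CLI requires credentials at startup, so it is worth confirming that `check-dependencies` starts without them; nothing on this page shows that either way. If the removal is intentional, record it in the comment, e.g. `# No API credentials are passed to this job: check-dependencies only scans local Liquid Test YAML files.`, so the secrets are not re-added at job scope later.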
From: BenjaminLangenakenSF Date: Fri, 27 Mar 2026 11:00:29 +0100 Subject: [PATCH 3/3] refactor(ci): inline silverfin-cli install into check-dependencies step Remove the separate setup step; npm install must still run before cli.js. Made-with: Cursor --- .github/workflows/check_dependencies.yml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/.github/workflows/check_dependencies.yml b/.github/workflows/check_dependencies.yml index 24f8def..9fd856a 100644 --- a/.github/workflows/check_dependencies.yml +++ b/.github/workflows/check_dependencies.yml @@ -139,11 +139,6 @@ jobs: }); } - - name: Setup Node and Silverfin CLI - if: steps.handles.outputs.handles_json != '[]' - run: | - npm install https://github.com/silverfin/silverfin-cli.git - # Run check-dependencies for each handle and collect results - name: Run check-dependencies per handle id: run-check @@ -151,6 +146,7 @@ jobs: env: HANDLES_JSON: ${{ steps.handles.outputs.handles_json }} run: | + npm install https://github.com/silverfin/silverfin-cli.git job_failed=0 : > check_results.txt while IFS= read -r handle; do
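Review bot: The `npm install https://github.com/silverfin/silverfin-cli.git` line added in the second hunk installs whatever the repository's default branch holds at run time, with no tag or commit pin. Earlier patches in this series show that this job holds `pull-requests: write`. Pinning to a reviewed revision keeps runs reproducible and limits what an unexpected upstream change can do, e.g. `npm install https://github.com/silverfin/silverfin-cli.git#<commit-sha>`. Separately, the removed setup step was guarded by `if: steps.handles.outputs.handles_json != '[]'` and this step's `if:` is not visible in the hunk, so confirm the install is still skipped when there are no handles. The `run:` block continues outside the hunk.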