[policy] feat(maintainers): add risk-based PR evidence gate #73
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| pull_request: | |
| push: | |
| branches: [main] | |
| concurrency: | |
| group: ci-${{ github.ref }} | |
| cancel-in-progress: true | |
| permissions: | |
| contents: read | |
| jobs: | |
| prepare-verification: | |
| name: Prepare verification matrix | |
| runs-on: ubuntu-latest | |
| outputs: | |
| steps: ${{ steps.profile.outputs.steps }} | |
| steps: | |
| - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 | |
| with: | |
| fetch-depth: 0 | |
| - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2 | |
| with: | |
| bun-version: "1.3.5" | |
| - id: profile | |
| name: Read full profile from the verification module | |
| run: echo "steps=$(bun scripts/verify.ts full --list-steps)" >> "$GITHUB_OUTPUT" | |
| verify: | |
| name: Verify / ${{ matrix.step }} | |
| needs: prepare-verification | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| step: ${{ fromJSON(needs.prepare-verification.outputs.steps) }} | |
| steps: | |
| - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 | |
| with: | |
| fetch-depth: 0 | |
| - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2 | |
| with: | |
| bun-version: "1.3.5" | |
| - run: bun install --frozen-lockfile | |
| - name: Run verification step | |
| env: | |
| BASE: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.sha || github.event.before }} | |
| run: bun scripts/verify.ts full --step "${{ matrix.step }}" | |
| policy-surface: | |
| name: Policy surface | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 | |
| with: | |
| fetch-depth: 0 | |
| - name: Require [policy] marker when control files change | |
| env: | |
| BASE_SHA: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.sha || github.event.before }} | |
| HEAD_SHA: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }} | |
| run: | | |
| set -euo pipefail | |
| # The control plane: deterministic gates and the rules that govern them. | |
| # Editing any of these changes what every other check enforces, so the | |
| # change must be explicit — a [policy] marker in the commit range. | |
| patterns=' | |
| .dependency-cruiser.cjs | |
| sgconfig.yml | |
| biome.json | |
| tools/architecture/ | |
| .githooks/ | |
| .claude/hooks/ | |
| .github/workflows/ | |
| scripts/lint-changed.sh | |
| scripts/verify.ts | |
| scripts/verify.test.ts | |
| scripts/pr-evidence.ts | |
| scripts/pr-evidence.test.ts | |
| scripts/release/ | |
| scripts/setup-githooks.sh | |
| ' | |
| base="$BASE_SHA" | |
| # New branch / first push: no usable base; nothing to diff against. | |
| if [ -z "$base" ] || ! git cat-file -e "$base^{commit}" 2>/dev/null; then | |
| echo "No base commit to compare against; skipping policy-surface check." | |
| exit 0 | |
| fi | |
| changed=$(git diff --name-only "$base" "$HEAD_SHA") | |
| touched="" | |
| for p in $patterns; do | |
| hit=$(printf '%s\n' "$changed" | grep -F "$p" || true) | |
| if [ -n "$hit" ]; then | |
| touched="$touched$hit"$'\n' | |
| fi | |
| done | |
| if [ -z "$touched" ]; then | |
| echo "No control-plane files changed." | |
| exit 0 | |
| fi | |
| echo "Control-plane files changed:" | |
| printf '%s' "$touched" | sed 's/^/ - /' | |
| if git log "$base..$HEAD_SHA" --format=%B | grep -qF '[policy]'; then | |
| echo "Found [policy] marker in commit range. OK." | |
| exit 0 | |
| fi | |
| echo "::error::Control-plane files changed without a [policy] marker in any commit message." | |
| echo "Add '[policy]' to a commit message to acknowledge changing the verification harness itself." | |
| exit 1 | |
| maintainer-evidence: | |
| name: Maintainer evidence | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 | |
| with: | |
| fetch-depth: 0 | |
| - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2 | |
| with: | |
| bun-version: "1.3.5" | |
| - name: Require evidence only for high-risk changes | |
| env: | |
| BASE_SHA: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.sha || github.event.before }} | |
| HEAD_SHA: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }} | |
| PR_BODY: ${{ github.event.pull_request.body }} | |
| run: bun scripts/pr-evidence.ts | |
| package-compatibility: | |
| name: Package compatibility / Node ${{ matrix.node }} | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| node: [22, 24] | |
| steps: | |
| - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 | |
| - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2 | |
| with: | |
| bun-version: "1.3.5" | |
| - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 | |
| with: | |
| node-version: ${{ matrix.node }} | |
| package-manager-cache: false | |
| - run: bun install --frozen-lockfile | |
| - run: bun scripts/verify.ts release --step build-packages | |
| - run: bun scripts/verify.ts release --step package-smoke | |
| gate: | |
| name: Gate | |
| runs-on: ubuntu-latest | |
| needs: [prepare-verification, verify, policy-surface, maintainer-evidence, package-compatibility] | |
| if: always() | |
| steps: | |
| - name: Check results | |
| run: | | |
| if [ "${{ needs.prepare-verification.result }}" != "success" ] || \ | |
| [ "${{ needs.verify.result }}" != "success" ] || \ | |
| [ "${{ needs.policy-surface.result }}" != "success" ] || \ | |
| [ "${{ needs.maintainer-evidence.result }}" != "success" ] || \ | |
| [ "${{ needs.package-compatibility.result }}" != "success" ]; then | |
| echo "One or more required checks failed." | |
| exit 1 | |
| fi | |
| echo "All checks passed." |