-
Notifications
You must be signed in to change notification settings - Fork 0
173 lines (157 loc) · 6.02 KB
/
Copy pathci.yml
File metadata and controls
173 lines (157 loc) · 6.02 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
name: CI
on:
pull_request:
push:
branches: [main]
concurrency:
group: ci-${{ github.ref }}
cancel-in-progress: true
permissions:
contents: read
jobs:
prepare-verification:
name: Prepare verification matrix
runs-on: ubuntu-latest
outputs:
steps: ${{ steps.profile.outputs.steps }}
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
with:
fetch-depth: 0
- uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
with:
bun-version: "1.3.5"
- id: profile
name: Read full profile from the verification module
run: echo "steps=$(bun scripts/verify.ts full --list-steps)" >> "$GITHUB_OUTPUT"
verify:
name: Verify / ${{ matrix.step }}
needs: prepare-verification
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
step: ${{ fromJSON(needs.prepare-verification.outputs.steps) }}
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
with:
fetch-depth: 0
- uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
with:
bun-version: "1.3.5"
- run: bun install --frozen-lockfile
- name: Run verification step
env:
BASE: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.sha || github.event.before }}
run: bun scripts/verify.ts full --step "${{ matrix.step }}"
policy-surface:
name: Policy surface
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
with:
fetch-depth: 0
- name: Require [policy] marker when control files change
env:
BASE_SHA: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.sha || github.event.before }}
HEAD_SHA: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
run: |
set -euo pipefail
# The control plane: deterministic gates and the rules that govern them.
# Editing any of these changes what every other check enforces, so the
# change must be explicit — a [policy] marker in the commit range.
patterns='
.dependency-cruiser.cjs
sgconfig.yml
biome.json
tools/architecture/
.githooks/
.claude/hooks/
.github/workflows/
scripts/lint-changed.sh
scripts/verify.ts
scripts/verify.test.ts
scripts/pr-evidence.ts
scripts/pr-evidence.test.ts
scripts/release/
scripts/setup-githooks.sh
'
base="$BASE_SHA"
# New branch / first push: no usable base; nothing to diff against.
if [ -z "$base" ] || ! git cat-file -e "$base^{commit}" 2>/dev/null; then
echo "No base commit to compare against; skipping policy-surface check."
exit 0
fi
changed=$(git diff --name-only "$base" "$HEAD_SHA")
touched=""
for p in $patterns; do
hit=$(printf '%s\n' "$changed" | grep -F "$p" || true)
if [ -n "$hit" ]; then
touched="$touched$hit"$'\n'
fi
done
if [ -z "$touched" ]; then
echo "No control-plane files changed."
exit 0
fi
echo "Control-plane files changed:"
printf '%s' "$touched" | sed 's/^/ - /'
if git log "$base..$HEAD_SHA" --format=%B | grep -qF '[policy]'; then
echo "Found [policy] marker in commit range. OK."
exit 0
fi
echo "::error::Control-plane files changed without a [policy] marker in any commit message."
echo "Add '[policy]' to a commit message to acknowledge changing the verification harness itself."
exit 1
maintainer-evidence:
name: Maintainer evidence
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
with:
fetch-depth: 0
- uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
with:
bun-version: "1.3.5"
- name: Require evidence only for high-risk changes
env:
BASE_SHA: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.sha || github.event.before }}
HEAD_SHA: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
PR_BODY: ${{ github.event.pull_request.body }}
run: bun scripts/pr-evidence.ts
package-compatibility:
name: Package compatibility / Node ${{ matrix.node }}
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
node: [22, 24]
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
- uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
with:
bun-version: "1.3.5"
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
with:
node-version: ${{ matrix.node }}
package-manager-cache: false
- run: bun install --frozen-lockfile
- run: bun scripts/verify.ts release --step build-packages
- run: bun scripts/verify.ts release --step package-smoke
gate:
name: Gate
runs-on: ubuntu-latest
needs: [prepare-verification, verify, policy-surface, maintainer-evidence, package-compatibility]
if: always()
steps:
- name: Check results
run: |
if [ "${{ needs.prepare-verification.result }}" != "success" ] || \
[ "${{ needs.verify.result }}" != "success" ] || \
[ "${{ needs.policy-surface.result }}" != "success" ] || \
[ "${{ needs.maintainer-evidence.result }}" != "success" ] || \
[ "${{ needs.package-compatibility.result }}" != "success" ]; then
echo "One or more required checks failed."
exit 1
fi
echo "All checks passed."