Update repo_health.yml

2025-12-30 14:45:20 -06:00
parent 946dd8475c
commit fcb8e4f828


@@ -25,6 +25,7 @@
# PATH: /.github/workflows/repo_health.yml # PATH: /.github/workflows/repo_health.yml
# VERSION: 03.05.00 # VERSION: 03.05.00
# BRIEF: Enforces repository guardrails by validating release configuration, scripts governance, tooling availability, and core repository health artifacts using MokoStandards definition files. # BRIEF: Enforces repository guardrails by validating release configuration, scripts governance, tooling availability, and core repository health artifacts using MokoStandards definition files.
# NOTE: Field is user-managed.
# ============================================================================ # ============================================================================
name: Repo Health name: Repo Health
@@ -103,7 +104,8 @@ jobs:
lines.push(`Allowed: ${allowed}`); lines.push(`Allowed: ${allowed}`);
lines.push(""); lines.push("");
lines.push("Policy: This workflow runs only for users with admin permission on the repository."); lines.push("Policy: This workflow runs only for users with admin permission on the repository.");
await core.summary.addRaw(lines.join("\n")).write(); await core.summary.addRaw(lines.join("
")).write();
- name: Deny execution when not permitted - name: Deny execution when not permitted
if: ${{ steps.perm.outputs.allowed != 'true' }} if: ${{ steps.perm.outputs.allowed != 'true' }}
@@ -212,10 +214,10 @@ PY
opt=() opt=()
if [ -n "${GUARDRAILS_RELEASE_OPTIONAL_SECRETS:-}" ]; then if [ -n "${GUARDRAILS_RELEASE_OPTIONAL_SECRETS:-}" ]; then
while IFS= read -r v; do [ -n "${v}" ] && opt+=("${v}"); done < <(printf '%s\n' "${GUARDRAILS_RELEASE_OPTIONAL_SECRETS}") while IFS= read -r v; do [ -n "${v}" ] && opt+=("${v}"); done < <(printf '%s\n' "${GUARDRAILS_RELEASE_OPTIONAL_SECRETS}" | sed '/^$/d')
fi fi
if [ -n "${GUARDRAILS_RELEASE_OPTIONAL_VARS:-}" ]; then if [ -n "${GUARDRAILS_RELEASE_OPTIONAL_VARS:-}" ]; then
while IFS= read -r v; do [ -n "${v}" ] && opt+=("${v}"); done < <(printf '%s\n' "${GUARDRAILS_RELEASE_OPTIONAL_VARS}") while IFS= read -r v; do [ -n "${v}" ] && opt+=("${v}"); done < <(printf '%s\n' "${GUARDRAILS_RELEASE_OPTIONAL_VARS}" | sed '/^$/d')
fi fi
if [ "${#opt[@]}" -gt 0 ]; then if [ "${#opt[@]}" -gt 0 ]; then
optional=("${opt[@]}") optional=("${opt[@]}")
@@ -310,7 +312,9 @@ PY
echo "Attempting non-destructive SFTP session" >> "${GITHUB_STEP_SUMMARY}" echo "Attempting non-destructive SFTP session" >> "${GITHUB_STEP_SUMMARY}"
set +e set +e
printf 'pwd\nbye\n' | sftp -oBatchMode=yes -oStrictHostKeyChecking=no -P "${port}" -i "${key_file}" "${FTP_USER}@${FTP_HOST}" >/tmp/sftp_check.log 2>&1 printf 'pwd
bye
' | sftp -oBatchMode=yes -oStrictHostKeyChecking=no -P "${port}" -i "${key_file}" "${FTP_USER}@${FTP_HOST}" >/tmp/sftp_check.log 2>&1
sftp_rc=$? sftp_rc=$?
set -e set -e
@@ -327,7 +331,7 @@ PY
exit 1 exit 1
scripts_config: scripts_config:
name: Scripts and tooling name: Scripts governance
runs-on: ubuntu-latest runs-on: ubuntu-latest
timeout-minutes: 15 timeout-minutes: 15
needs: [access_check] needs: [access_check]
@@ -387,7 +391,7 @@ with open(env_path, "a", encoding="utf-8") as w:
print("Guardrails definition loaded") print("Guardrails definition loaded")
PY PY
- name: Guardrails scripts folder governance - name: Scripts folder governance
env: env:
PROFILE_RAW: "${{ github.event.inputs.profile }}" PROFILE_RAW: "${{ github.event.inputs.profile }}"
run: | run: |
@@ -413,46 +417,28 @@ PY
exit 0 exit 0
fi fi
required_script_dirs=("scripts/fix" "scripts/lib" "scripts/release" "scripts/run" "scripts/validate") recommended_dirs=("scripts/fix" "scripts/lib" "scripts/release" "scripts/run" "scripts/validate")
optional_script_dirs=("scripts/config" "scripts/tools" "scripts/docs") allowed_dirs=("scripts" "scripts/fix" "scripts/lib" "scripts/release" "scripts/run" "scripts/validate")
allowed_script_dirs=(
"scripts"
"scripts/fix"
"scripts/lib"
"scripts/release"
"scripts/run"
"scripts/validate"
"scripts/config"
"scripts/tools"
"scripts/docs"
)
if [ "${GUARDRAILS_LOADED:-false}" = "true" ] && [ -n "${GUARDRAILS_SCRIPTS_RECOMMENDED_DIRS:-}" ]; then if [ "${GUARDRAILS_LOADED:-false}" = "true" ]; then
rec=() if [ -n "${GUARDRAILS_SCRIPTS_RECOMMENDED_DIRS:-}" ]; then
while IFS= read -r v; do [ -n "${v}" ] && rec+=("${v}"); done < <(printf '%s\n' "${GUARDRAILS_SCRIPTS_RECOMMENDED_DIRS}") mapfile -t recommended_dirs < <(printf '%s\n' "${GUARDRAILS_SCRIPTS_RECOMMENDED_DIRS}" | sed '/^$/d')
if [ "${#rec[@]}" -gt 0 ]; then
required_script_dirs=("${rec[@]}")
fi fi
fi if [ -n "${GUARDRAILS_SCRIPTS_ALLOWED_DIRS:-}" ]; then
mapfile -t allowed_dirs < <(printf '%s\n' "${GUARDRAILS_SCRIPTS_ALLOWED_DIRS}" | sed '/^$/d')
if [ "${GUARDRAILS_LOADED:-false}" = "true" ] && [ -n "${GUARDRAILS_SCRIPTS_ALLOWED_DIRS:-}" ]; then
al=()
while IFS= read -r v; do [ -n "${v}" ] && al+=("${v}"); done < <(printf '%s\n' "${GUARDRAILS_SCRIPTS_ALLOWED_DIRS}")
if [ "${#al[@]}" -gt 0 ]; then
allowed_script_dirs=("${al[@]}")
fi fi
fi fi
missing_dirs=() missing_dirs=()
unapproved_dirs=() unapproved_dirs=()
for d in "${required_script_dirs[@]}"; do for d in "${recommended_dirs[@]}"; do
[ ! -d "${d}" ] && missing_dirs+=("${d}/") [ ! -d "${d}" ] && missing_dirs+=("${d}/")
done done
while IFS= read -r d; do while IFS= read -r d; do
allowed=false allowed=false
for a in "${allowed_script_dirs[@]}"; do for a in "${allowed_dirs[@]}"; do
[ "${d}" = "${a}" ] && allowed=true [ "${d}" = "${a}" ] && allowed=true
done done
[ "${allowed}" = false ] && unapproved_dirs+=("${d}/") [ "${allowed}" = false ] && unapproved_dirs+=("${d}/")
@@ -695,29 +681,45 @@ print(json.dumps(out, indent=2))
PY PY
)" )"
{ {
printf "### Guardrails repository health\n\n" printf '%s\n' "### Guardrails repository health"
printf "### Guardrails report (JSON)\n" printf '\n'
printf "```json\n" printf '%s\n' "### Guardrails report (JSON)"
printf "%s\n" "${report_json}" printf '%s\n' '```json'
printf "```\n" printf '%s\n' "${report_json}"
} >> "${GITHUB_STEP_SUMMARY}" printf '%s\n' '```'
printf '\n'
} >> "${GITHUB_STEP_SUMMARY}"
if [ "${#missing_required[@]}" -gt 0 ]; then if [ "${#missing_required[@]}" -gt 0 ]; then
echo "### Missing required repo artifacts" >> "${GITHUB_STEP_SUMMARY}" {
for m in "${missing_required[@]}"; do echo "- ${m}" >> "${GITHUB_STEP_SUMMARY}"; done printf '%s\n' "### Missing required repo artifacts"
echo "ERROR: Guardrails failed. Missing required repository artifacts." >> "${GITHUB_STEP_SUMMARY}" for m in "${missing_required[@]}"; do
exit 1 printf '%s\n' "- ${m}"
fi done
printf '%s\n' "ERROR: Guardrails failed. Missing required repository artifacts."
} >> "${GITHUB_STEP_SUMMARY}"
exit 1
fi
if [ "${#missing_optional[@]}" -gt 0 ]; then if [ "${#missing_optional[@]}" -gt 0 ]; then
echo "### Missing optional repo artifacts" >> "${GITHUB_STEP_SUMMARY}" {
for m in "${missing_optional[@]}"; do echo "- ${m}" >> "${GITHUB_STEP_SUMMARY}"; done printf '%s\n' "### Missing optional repo artifacts"
fi for m in "${missing_optional[@]}"; do
printf '%s\n' "- ${m}"
done
printf '\n'
} >> "${GITHUB_STEP_SUMMARY}"
fi
if [ "${#content_warnings[@]}" -gt 0 ]; then if [ "${#content_warnings[@]}" -gt 0 ]; then
echo "### Repo content warnings" >> "${GITHUB_STEP_SUMMARY}" {
for m in "${content_warnings[@]}"; do echo "- ${m}" >> "${GITHUB_STEP_SUMMARY}"; done printf '%s\n' "### Repo content warnings"
fi for m in "${content_warnings[@]}"; do
printf '%s\n' "- ${m}"
done
printf '\n'
} >> "${GITHUB_STEP_SUMMARY}"
fi
echo "Repository health guardrails passed." >> "${GITHUB_STEP_SUMMARY}" printf '%s\n' "Repository health guardrails passed." >> "${GITHUB_STEP_SUMMARY}"