6171f95c19
1 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
|
|
d57ed520f0 |
feat(ci)(hard-gate): lint-workflow-yaml catches Gitea-1.22.6-hostile shapes

Tier-2 hardening per RFC internal#219 §1 + charter §SOP-N rule (m). New
CI lint that scans .gitea/workflows/*.yml for six structurally-hostile
shapes that Gitea 1.22.6 silently rejects or ambiguously parses, BEFORE
they reach main.

Rules (4 fatal + 1 fatal cross-file + 1 heuristic-warn):

1. on.workflow_dispatch.inputs — Gitea 1.22.6 mis-parses inputs.X as
   sibling event types and rejects the entire workflow with
   [W] ignore invalid workflow ... unknown on type. Memory:
   feedback_gitea_workflow_dispatch_inputs_unsupported. Origin:
   2026-05-11 publish-runtime-v1.0.0 silent freeze, ~24h PyPI lag.
2. on: workflow_run — not enumerated in Gitea 1.22.6 event types
   (verified via modules/actions/workflows.go; task #81). Workflow
   registers, fires for zero events.
3. workflow name: containing / — breaks the commit-status convention
   <workflow> / <job> (<event>) used by sop-tier-check + status-reaper
   to tokenize context strings.
4. cross-file name: collision — status-routing is by name; collision
   yields undefined commit-status updates (status-reaper rev1 class).
5. cross-repo uses: org/repo/subpath@ref — DEFAULT_ACTIONS_URL=github
   resolves to github.com/<org-suspended>/... and 404s. Memory:
   feedback_gitea_cross_repo_uses_blocked. Cross-link: task #109.
6. (WARN, heuristic) api.github.com refs without workflow-level
   env.GITHUB_SERVER_URL. Memory: feedback_act_runner_github_server_url.
   Per halt-condition 3: downgraded to warn-not-fail to avoid the 3
   known benign hits on current main (OCI source label + jq-release
   pin) which use https://github.com/... not https://api.github.com/.

Empirical history this hardens against:

- status-reaper rev1 caught rule-4 (name-collision) class fail-loud
- sop-tier-refire DOA-d on rule-2 (workflow_run partial)
- #319 bootstrap-paradox (chained-defect class, related)
- internal#329 dispatcher race (adjacent)
- 2026-05-11 publish-runtime: rule-1, 24h PyPI freeze on
  runtime-v1.0.0 publish

Triggers:

- pull_request — pre-merge gate
- push to main/staging — post-merge regression catch even if the PR
  gate is bypassed by branch-protection drift

Per RFC #219 §1 contract: continue-on-error: true on the job during the
surface-broken-shapes phase. Follow-up PR flips off after the 3 existing
rule-2 violations on main are migrated to a supported trigger.

Existing-on-main violations surfaced by this lint (3, informational, NOT
auto-fixed per halt-condition 2):

- .gitea/workflows/redeploy-tenants-on-main.yml — rule 2
- .gitea/workflows/redeploy-tenants-on-staging.yml — rule 2
- .gitea/workflows/staging-verify.yml — rule 2

All three have on: workflow_run: triggers that will fire for zero
events. Fix path: replace with cron or with push+paths:[upstream-yml]
gate. Tracked separately (do not block this PR).

Tests:

tests/test_lint_workflow_yaml.py — 15 pytest cases:

- 6 × per-rule violation-detected (rules 1-3,5 + rule 4 cross-file
  + rule 6 heuristic-warn)
- 6 × per-rule clean-passes
- 1 × cross-file collision detected
- 1 × all-violations-aggregated single file
- 1 × empty workflow dir = exit 0
- 1 × vendor-truth: the exact 2026-05-11 publish-runtime YAML shape
  from feedback_gitea_workflow_dispatch_inputs_unsupported is caught
  (per feedback_smoke_test_vendor_truth_not_shape_match: fixtures
  mirror real Gitea 1.22.6 semantics, not yaml-parser quirks)

15/15 tests pass locally. Lint exits 1 against current .gitea/workflows/
because of the 3 existing rule-2 violations above; that is the gate
working as intended (and continue-on-error keeps the PR-status soft
until the violations are migrated).
|
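
The fatal rules 1-5 from the commit message above can be checked over already-parsed workflow documents, as in this added example (not the lint from this commit). The function names, the rule-5 regular expression, and the sample file names and contents are assumptions constructed for illustration; loading files from disk and the rule-6 heuristic are left out.

```python
import re
from collections import defaultdict

# Rule 5 shape as the commit message words it: org/repo/subpath@ref (assumed regex).
CROSS_REPO_USES = re.compile(r"^[^./][^/@]*/[^/@]+/[^@]+@.+$")

def triggers(doc):
    """Return the `on:` block as {event: config}. PyYAML (YAML 1.1) loads a
    bare `on` key as boolean True, so both spellings are looked up."""
    on = doc.get("on", doc.get(True))
    if isinstance(on, str):
        return {on: None}
    if isinstance(on, list):
        return {event: None for event in on}
    return dict(on or {})

def lint(workflows):
    """workflows: {path: parsed YAML mapping}. Returns sorted (path, rule, msg)."""
    findings, names = [], defaultdict(list)
    for path, doc in workflows.items():
        on = triggers(doc)
        dispatch = on.get("workflow_dispatch")
        if isinstance(dispatch, dict) and dispatch.get("inputs"):
            findings.append((path, 1, "on.workflow_dispatch.inputs"))
        if "workflow_run" in on:
            findings.append((path, 2, "on: workflow_run"))
        name = doc.get("name")
        if isinstance(name, str):
            names[name].append(path)
            if "/" in name:
                findings.append((path, 3, f"name contains '/': {name}"))
        for job in (doc.get("jobs") or {}).values():
            for step in job.get("steps") or []:
                if CROSS_REPO_USES.match(step.get("uses", "")):
                    findings.append((path, 5, f"cross-repo uses: {step['uses']}"))
    for name, paths in names.items():  # rule 4 needs every file's name first
        if len(paths) > 1:
            findings.extend((p, 4, f"name collision: {name}") for p in paths)
    return sorted(findings)

# Constructed sample: four parsed workflows, one keyed by True as PyYAML would.
SAMPLE = {
    "publish.yml": {"name": "Publish", "jobs": {},
                    True: {"workflow_dispatch": {"inputs": {"version": {}}}}},
    "verify.yml": {"name": "CI / verify", "on": {"workflow_run": {}}, "jobs": {
        "v": {"steps": [{"uses": "example-org/example-repo/actions/setup@v1"},
                        {"uses": "actions/checkout@v4"}]}}},
    "ci-a.yml": {"name": "CI", "on": ["push"]},
    "ci-b.yml": {"name": "CI", "on": "pull_request"},
}
```
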