09010212a0
Closes the recurrence path of PR #2556. The data fix realigned 8→4 templates in publish-runtime.yml's TEMPLATES variable, but the underlying drift hazard was unguarded — the next manifest change could silently leave cascade out of sync again. This gate fails any PR that changes manifest.json or publish-runtime.yml in a way that makes the cascade list diverge from manifest workspace_templates (suffix-stripped). Either direction is caught: missing-from-cascade templates that won't auto-rebuild on a new wheel publish (the codex-stuck-on-stale-runtime bug class — PR #2512 added codex to manifest, cascade wasn't updated, codex stayed pinned to its last-built runtime version for weeks). extra-in-cascade cascade dispatches to deprecated templates (the wasted-API-calls + dead-CI-noise class — PR #2536 pruned 5 templates from manifest; cascade kept dispatching to all 8 until PR #2556). Triggers narrowly: only on PRs that touch manifest.json, publish-runtime.yml, or the script itself. Fast (single grep+sed+comm pipeline, no Go build). Surfaced during the RFC #388 prior-art audit; folded in as the structural follow-up to the data fix #2556 promised. Self-tested both failure modes locally before commit: - Drop codex from cascade → script fails with "MISSING: codex" - Add langgraph to cascade → script fails with "EXTRA: langgraph" Refs: https://github.com/Molecule-AI/molecule-controlplane/issues/388 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
40 lines
1.5 KiB
YAML
40 lines
1.5 KiB
YAML
name: cascade-list-drift-gate
|
|
|
|
# Structural gate: TEMPLATES list in publish-runtime.yml must match
|
|
# manifest.json's workspace_templates exactly. Closes the recurrence
|
|
# path of PR #2556 (the data fix) and is the first concrete deliverable
|
|
# of RFC #388 PR-3.
|
|
#
|
|
# Why a gate, not just discipline: PR #2536 pruned the manifest, but the
|
|
# cascade list wasn't updated for ~weeks before someone (PR #2556)
|
|
# noticed during an unrelated audit. During that window, codex never
|
|
# rebuilt on a runtime publish. A structural gate catches the drift
|
|
# the same day either file changes.
|
|
#
|
|
# Triggers narrowly to keep CI quiet: only on PRs that actually change
|
|
# one of the two files. The path-filtered split + always-emit-result
|
|
# pattern (memory: "Required check names need a job that always runs")
|
|
# is unnecessary here because the workflow IS the check name and PR
|
|
# branch protection should require it directly. Future-proof: if this
|
|
# becomes a required check, add a no-op aggregator with always() so the
|
|
# name still emits when paths don't match.
|
|
|
|
on:
|
|
pull_request:
|
|
branches: [staging, main]
|
|
paths:
|
|
- manifest.json
|
|
- .github/workflows/publish-runtime.yml
|
|
- scripts/check-cascade-list-vs-manifest.sh
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
check:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
|
|
- name: Check cascade list matches manifest
|
|
run: bash scripts/check-cascade-list-vs-manifest.sh
|