0b5ac695b1
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 15s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 9s
CI / Detect changes (pull_request) Successful in 40s
E2E API Smoke Test / detect-changes (pull_request) Successful in 38s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 41s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 41s
Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 19s
lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Successful in 1m35s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 9s
Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 1m40s
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m15s
gate-check-v3 / gate-check (pull_request) Successful in 16s
qa-review / approved (pull_request) Failing after 13s
security-review / approved (pull_request) Failing after 15s
Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Successful in 1m29s
sop-checklist-gate / gate (pull_request) Successful in 18s
lint-required-context-exists-in-bp / lint-required-context-exists-in-bp (pull_request) Successful in 1m55s
sop-tier-check / tier-check (pull_request) Successful in 17s
sop-checklist / all-items-acked (pull_request) tier:low compensating success — workflow-only change (REQUIRED_CHECKS sync)
CI / Platform (Go) (pull_request) Successful in 3s
CI / Canvas (Next.js) (pull_request) Successful in 2s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 2s
CI / Python Lint & Test (pull_request) Successful in 2s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 4s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 4s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 6s
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 2s
CI / Canvas Deploy Reminder (pull_request) Has been skipped
CI / all-required (pull_request) Successful in 5s
audit-force-merge / audit (pull_request) Successful in 24s
mc#805 drift: REQUIRED_CHECKS listed Secret scan + sop-tier-check (neither enforced on main) while missing the enforced sop-checklist. Correct main branch protection requires:
- CI / all-required (pull_request)
- sop-checklist / all-items-acked (pull_request)

Also trims verbose comments and moves permissions: into the job block to mirror sop-tier-check.yml structure.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
59 lines
2.5 KiB
YAML
# audit-force-merge — emit `incident.force_merge` to runner stdout when
# a PR is merged with required-status-checks not green. Vector picks
# the JSON line off docker_logs and ships to Loki on
# molecule-canonical-obs (per `reference_obs_stack_phase1`); query as:
#
# {host="operator"} |= "event_type" |= "incident.force_merge" | json
#
# Closes the §SOP-6 audit gap (the doc says force-merges write to
# `structure_events`, but that table lives in the platform DB, not
# Gitea-side; Loki is the practical equivalent for Gitea Actions
# events). When the credential / observability stack converges later,
# this can sync into structure_events from Loki via a backfill job —
# the structured JSON shape is forward-compatible.
#
# Logic in `.gitea/scripts/audit-force-merge.sh` per the same script-
# extract pattern as sop-tier-check.

name: audit-force-merge

# pull_request_target loads from the base branch — same security model
# as sop-tier-check. Without this, an attacker could rewrite the
# workflow on a PR and skip the audit emission for their own
# force-merge. See `.gitea/workflows/sop-tier-check.yml` for the full
# rationale.
on:
  pull_request_target:
    types: [closed]

jobs:
  audit:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: read
    # Skip when PR is closed without merge — saves a runner.
    if: github.event.pull_request.merged == true
    steps:
      - name: Check out base branch (for the script)
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          ref: ${{ github.event.pull_request.base.sha }}
      - name: Detect force-merge + emit audit event
        env:
          # Same org-level secret the sop-tier-check workflow uses.
          GITEA_TOKEN: ${{ secrets.SOP_TIER_CHECK_TOKEN || secrets.GITHUB_TOKEN }}
          GITEA_HOST: git.moleculesai.app
          REPO: ${{ github.repository }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          # Required-status-check contexts to evaluate at merge time.
          # Newline-separated. Mirror this against branch protection
          # (settings → branches → protected branch → required checks).
          # Declared here rather than fetched from /branch_protections
          # because that endpoint requires admin write — sop-tier-bot is
          # read-only by design (least-privilege).
          REQUIRED_CHECKS: |
            CI / all-required (pull_request)
            sop-checklist / all-items-acked (pull_request)
        run: bash .gitea/scripts/audit-force-merge.sh
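The detection step above delegates to `.gitea/scripts/audit-force-merge.sh`, which is not shown on this page. The following is an added example (not the repository's script) of the core decision that such a step has to make: compare the newline-separated REQUIRED_CHECKS against the commit's status history, treat a required context that never reported as not green, and emit the `incident.force_merge` JSON line the Loki query filters on. It assumes each status record carries `context`, `status` and `created_at` fields, as Gitea's per-commit status history does; the sample records are constructed.

```python
"""Force-merge detection: which required status contexts were not green at merge?"""
import json
from datetime import datetime
from typing import Dict, List, Optional

def parse_required_checks(blob: str) -> List[str]:
    """REQUIRED_CHECKS is newline-separated; skip blanks and trim whitespace."""
    return [line.strip() for line in blob.splitlines() if line.strip()]

def latest_state_per_context(statuses: List[dict]) -> Dict[str, str]:
    """The status history holds every update; only the newest per context counts."""
    newest: Dict[str, tuple] = {}
    for s in statuses:
        ts = datetime.fromisoformat(s["created_at"].replace("Z", "+00:00"))
        if s["context"] not in newest or ts > newest[s["context"]][0]:
            newest[s["context"]] = (ts, s["status"])
    return {ctx: state for ctx, (_, state) in newest.items()}

def not_green(required: List[str], states: Dict[str, str]) -> List[str]:
    """A required context with no status at all is treated as not green."""
    return [ctx for ctx in required if states.get(ctx) != "success"]

def force_merge_event(repo: str, pr: int, required: List[str],
                      statuses: List[dict]) -> Optional[dict]:
    """Return the audit event dict, or None when every required check was green."""
    failing = not_green(required, latest_state_per_context(statuses))
    if not failing:
        return None
    return {"event_type": "incident.force_merge", "repo": repo,
            "pr": pr, "not_green": failing}

# Mirrors the REQUIRED_CHECKS block of the workflow above.
REQUIRED = """
CI / all-required (pull_request)
sop-checklist / all-items-acked (pull_request)
"""
# Constructed status history: all-required flipped red -> green, the checklist
# gate never reported, and an unrelated context is green but not required.
SAMPLE_STATUSES = [
    {"context": "CI / all-required (pull_request)", "status": "failure",
     "created_at": "2025-01-01T10:00:00Z"},
    {"context": "CI / all-required (pull_request)", "status": "success",
     "created_at": "2025-01-01T10:05:00Z"},
    {"context": "Secret scan / Scan diff for credential-shaped strings (pull_request)",
     "status": "success", "created_at": "2025-01-01T10:01:00Z"},
]

if __name__ == "__main__":
    ev = force_merge_event("org/repo", 805, parse_required_checks(REQUIRED), SAMPLE_STATUSES)
    print(json.dumps(ev) if ev else "all required checks green; no event")
```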