Register 3 cubes + importlib fix + entry-auto-merge proposal (doc-truth) #73
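name: Quick Check

on:
  pull_request:
    branches: [main]

# Default every job to a read-only token; jobs that need more ask for it
# explicitly below. Without this the token carries the repository default,
# which is often write-capable.
permissions:
  contents: read

jobs:
  # ── Job 1: Ownership check ────────────────────────────────────────────────
  ownership-check:
    name: ownership-check
    runs-on: ubuntu-latest
    steps:
      - name: Checkout PR branch
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4.2.2
        with:
          fetch-depth: 0 # need full history for git show origin/main
      - name: Fetch origin/main
        run: git fetch origin main
      - name: Set up Python
        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.3.0
        with:
          python-version: "3.12"
      - name: Install dependencies
        run: pip install pyyaml
      - name: Get changed files
        id: changed-files
        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
        with:
          separator: " "
      - name: Run ownership check
        # PR-controlled values (the author's login and, above all, the file
        # names chosen by the PR) are handed to the shell through `env:`. A
        # `${{ }}` expansion inside `run:` is pasted into the script text before
        # it is executed, so a file named `a$(id).yaml` would run `id`.
        env:
          PR_AUTHOR: ${{ github.event.pull_request.user.login }}
          CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
        shell: bash
        run: |
          # Split the space-separated list into one argument per path. `set -f`
          # keeps glob characters in a file name from expanding on the runner.
          # Path-traversal and handle-format defences live in ownership_check.py itself.
          set -f
          read -r -a files <<< "$CHANGED_FILES"
          python scripts/ownership_check.py \
            --pr-author "$PR_AUTHOR" \
            --changed-files "${files[@]}"

  # ── Job 2: Quick compliance check ─────────────────────────────────────────
  quick-compliance:
    name: quick-compliance
    runs-on: ubuntu-latest
    # IMPORTANT: No cloud credentials injected here (security boundary).
    # Package install and import run inside a throwaway Docker container.
    # The only token this job holds is GITHUB_TOKEN, scoped below and kept
    # out of the checkout so the container never sees it.
    needs: ownership-check
    permissions:
      contents: write # push derived fields to a same-repo PR branch
      pull-requests: write # comment the patch on a fork PR
    steps:
      - name: Checkout PR branch
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4.2.2
        with:
          # By default checkout writes GITHUB_TOKEN into .git/config. That file
          # sits inside the workspace that is bind-mounted into the container
          # below, i.e. it would be readable by the untrusted package code. Keep
          # the token out of the tree and authenticate the push step explicitly.
          persist-credentials: false
          # NOTE(review): on pull_request the default ref is the synthetic merge
          # commit, so the write-back commit below lands on top of that merge
          # rather than on the PR head; consider
          # `ref: ${{ github.event.pull_request.head.sha }}` — confirm this is
          # the intended base before changing it.
      - name: Get changed entry files
        id: changed-entries
        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
        with:
          files: "entries/*.yaml"
          separator: "\n"
      - name: Skip if no entry files changed
        if: steps.changed-entries.outputs.any_changed != 'true'
        run: |
          echo "No entry files changed. Skipping quick compliance check."
          exit 0
      - name: Set up Python (host — for orchestration only)
        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.3.0
        with:
          python-version: "3.12"
      - name: Install orchestration dependencies
        run: pip install jsonschema ruamel.yaml pyyaml
      - name: Run quick check for each changed entry
        # Gated on the changed-files output; the "Skip" step above only ends
        # itself, it does not stop later steps.
        if: steps.changed-entries.outputs.any_changed == 'true'
        env:
          PR_AUTHOR: ${{ github.event.pull_request.user.login }}
          # Newline-separated list of changed entries/*.yaml paths. Passed via
          # env rather than expanded inside the script: a file name containing
          # `"` or `$(...)` would otherwise break out of the shell string.
          ENTRIES: ${{ steps.changed-entries.outputs.all_changed_files }}
        shell: bash
        run: |
          set -e
          FAILED=0
          while IFS= read -r entry_file; do
            [ -z "$entry_file" ] && continue
            [ ! -f "$entry_file" ] && continue
            echo "=========================================="
            echo "Checking: $entry_file"
            echo "=========================================="
            # /derived is a writable host tmpdir mounted into the container.
            # quick_check.py writes the updated entry YAML there after introspection.
            # The workspace is mounted read-only and, because the checkout above
            # does not persist credentials, contains no token.
            DERIVED_DIR=$(mktemp -d)
            # NOTE(review): NET_ADMIN, SYS_PTRACE and SYS_ADMIN are not in
            # Docker's default capability set, so these three drops are no-ops.
            # `--cap-drop ALL` is the real hardening, but apt-get/pip run as root
            # here and need several default caps — verify before tightening.
            # The container keeps network access (apt-get/pip need it), so the
            # boundary is "no secrets reachable", not "no egress".
            # Untrusted values enter the container only through -e; the inner
            # script is single-quoted so the host shell never expands into it.
            docker run --rm \
              --memory 2g \
              --cpus 2 \
              --pids-limit 512 \
              --cap-drop NET_ADMIN \
              --cap-drop SYS_PTRACE \
              --cap-drop SYS_ADMIN \
              --security-opt no-new-privileges \
              -e "ENTRY_FILE=$entry_file" \
              -e "PR_AUTHOR=$PR_AUTHOR" \
              -v "$(pwd):/workspace:ro" \
              -v "$DERIVED_DIR:/derived:rw" \
              python:3.12-slim \
              bash -c '
                set -e
                apt-get update -qq && apt-get install -y -qq --no-install-recommends git ca-certificates
                pip install jsonschema "ruamel.yaml" pyyaml
                cp -r /workspace /workspace-copy
                cd /workspace-copy
                python scripts/quick_check.py \
                  --entry "$ENTRY_FILE" \
                  --pr-author "$PR_AUTHOR" \
                  --output-dir /derived
              ' || { FAILED=1; rm -rf "$DERIVED_DIR"; continue; }
            # Copy the updated YAML (with CI-derived fields) back to the workspace.
            # Accept only a regular file: the container ran untrusted code and
            # could have left a symlink here, which cp would follow on the host
            # and so copy an arbitrary runner file into the entry that is then
            # committed and pushed (or posted as a patch) below.
            ENTRY_BASENAME=$(basename "$entry_file")
            DERIVED_FILE="$DERIVED_DIR/$ENTRY_BASENAME"
            if [ -L "$DERIVED_FILE" ]; then
              echo "::error::Refusing to copy $DERIVED_FILE: derived output is a symlink"
              FAILED=1
            elif [ -f "$DERIVED_FILE" ]; then
              cp "$DERIVED_FILE" "$entry_file"
              echo "  Updated $entry_file with CI-derived fields"
            fi
            rm -rf "$DERIVED_DIR"
          done <<< "$ENTRIES"
          exit $FAILED
      - name: Commit CI-derived fields back to PR branch
        if: success() && steps.changed-entries.outputs.any_changed == 'true'
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Branch/repo names are PR-controlled too; keep them out of the
          # script text.
          HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
          HEAD_REF: ${{ github.event.pull_request.head.ref }}
          BASE_REPO: ${{ github.repository }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          # Only commit if there are changes to the entry YAMLs.
          if git diff --quiet -- entries/; then
            echo "No CI-derived field changes to commit."
            exit 0
          fi
          git config user.name "cube-registry-bot"
          git config user.email "cube-registry-bot@users.noreply.github.com"
          git add entries/
          git commit -m "ci: write back derived fields from quick-check [skip ci]"
          # For same-repo PRs we can push directly to the head branch.
          # For fork PRs GITHUB_TOKEN cannot push to the fork; post a comment instead.
          if [ "$HEAD_REPO" = "$BASE_REPO" ]; then
            # The checkout did not persist credentials, so register gh as git's
            # credential helper (it reads GH_TOKEN) for this push only.
            gh auth setup-git
            git push origin HEAD:"$HEAD_REF"
            echo "Pushed derived fields to PR branch."
          else
            # Fork PR — push the derived YAML as a patch comment so the author can apply it.
            # NOTE(review): on a pull_request event from a fork GITHUB_TOKEN is
            # read-only, so this comment is expected to be rejected unless the
            # repository grants write tokens to fork PRs; treat it as best-effort.
            # NOTE(review): `head -200` silently truncates larger patches, which
            # then will not apply cleanly.
            # A four-backtick fence keeps a ``` inside the patch from closing it.
            PATCH=$(git format-patch HEAD~1 --stdout | head -200)
            gh pr comment "$PR_NUMBER" \
              --repo "$BASE_REPO" \
              --body "$(printf '## CI-derived fields\n\nQuick-check introspected your package and derived the following fields.\nBecause this is a fork PR, apply the patch below to your branch:\n\n````diff\n%s\n````' "$PATCH")" \
              || echo "::warning::Could not post the derived-fields patch (GITHUB_TOKEN is read-only on fork PRs)."
            # Revert so the base repo does not have a dangling commit.
            git reset --hard HEAD~1
          fi

  # ── Job 3: Request review when both checks pass ───────────────────────────
  # Security: auto-merge is disabled. A maintainer must approve before merging
  # to prevent a compromised check script from merging malicious entries.
  request-review:
    name: Request maintainer review
    runs-on: ubuntu-latest
    needs: [ownership-check, quick-compliance]
    if: success()
    permissions:
      pull-requests: write
    steps:
      - name: Add ready-for-review label
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          REPO: ${{ github.repository }}
        run: |
          # Both calls are best-effort: on fork PRs the token is read-only and
          # they are rejected, which must not turn a passing check red.
          gh pr edit "$PR_NUMBER" \
            --add-label "ready-for-review" \
            --repo "$REPO" || true
          gh pr comment "$PR_NUMBER" \
            --body "✅ ownership-check and quick-compliance passed. A maintainer can now review and merge." \
            --repo "$REPO" || true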