S025: SWEEP_LOG seal + CHANGELOG v1.0.7 + CROSS_REF v3.0 — template s… #29

S025: SWEEP_LOG seal + CHANGELOG v1.0.7 + CROSS_REF v3.0 — template s…

S025: SWEEP_LOG seal + CHANGELOG v1.0.7 + CROSS_REF v3.0 — template s… #29

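# DGAF-Framework — Governance Sweep Workflow
# Agents: Sentinel (security), COLLEEN (automation), Amethyst (orchestration)
# Trigger: manual dispatch + push/PR to main + weekly schedule
#
# All jobs are read-only checks: they inspect the checked-out tree and print
# PASS/WARN/FAIL lines. Only the required-file check fails the job; every
# other check is advisory (WARN) so that stale docs do not block merges.
name: Governance Sweep

# Least privilege for GITHUB_TOKEN: nothing here pushes, comments or writes.
permissions:
  contents: read

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    # Weekly sweep — every Monday at 06:00 UTC
    - cron: '0 6 * * 1'
  workflow_dispatch:
    inputs:
      # Declared for future use — no step in this workflow currently reads it.
      sweep_depth:
        description: 'Sweep depth (fast | standard | deep)'
        required: false
        default: 'standard'

jobs:
  sentinel-checks:
    name: Sentinel — Security & Integrity
    runs-on: ubuntu-latest
    steps:
      # Consider pinning actions to a full commit SHA instead of a mutable tag
      # (see the project's supply-chain policy for the approved revision).
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          # The job never pushes, so keep the token out of .git/config.
          persist-credentials: false

      # FAIL (exit 1) when any governance file is absent.
      - name: Check for required governance files
        run: |
          echo "=== SENTINEL: Required file presence check ==="
          REQUIRED=("README.md" "LICENSE" "SECURITY.md" "CHANGELOG.md" "CONTRIBUTING.md" "SWEEP_LOG.md")
          MISSING=0
          for FILE in "${REQUIRED[@]}"; do
            if [ -f "$FILE" ]; then
              echo " ✅ $FILE — present"
            else
              echo " ❌ $FILE — MISSING"
              MISSING=$((MISSING+1))
            fi
          done
          if [ "$MISSING" -gt 0 ]; then
            echo "SENTINEL FAIL: $MISSING required governance file(s) missing."
            exit 1
          fi
          echo "SENTINEL PASS: All required governance files present."

      # WARN only — a grep for tell-tale words, not a real secret scanner.
      - name: Scan for accidental secret patterns
        run: |
          echo "=== SENTINEL: Secret pattern scan ==="
          # Lightweight grep-based scan — does not replace dedicated secret scanning.
          # NOTE: this workflow file itself contains these literal words, so a WARN
          # is expected whenever .github/ is in scope; review the listed locations.
          PATTERNS=("api_key" "API_KEY" "secret" "password" "token" "private_key" "-----BEGIN")
          FOUND=0
          for PATTERN in "${PATTERNS[@]}"; do
            # -e keeps a pattern that starts with '-' (e.g. "-----BEGIN") from being
            # parsed as a grep option; without it that pattern was silently skipped
            # because grep's usage error was discarded by 2>/dev/null.
            # -F: the patterns are fixed strings, not regexes.
            # Only file:line is reported — printing the matching content would copy
            # any real secret into the job log, which may be publicly readable.
            HITS=$(grep -rnF --include="*.md" --include="*.yml" --include="*.yaml" --include="*.json" --include="*.ts" --include="*.js" --include="*.py" --exclude-dir=.git -e "$PATTERN" . 2>/dev/null | cut -d: -f1,2 || true)
            if [ -n "$HITS" ]; then
              echo " ⚠️ Pattern '$PATTERN' found at (file:line):"
              echo "$HITS" | head -5
              FOUND=$((FOUND+1))
            fi
          done
          if [ "$FOUND" -gt 0 ]; then
            echo "SENTINEL WARN: $FOUND potential secret pattern(s) detected — review required."
          else
            echo "SENTINEL PASS: No secret patterns detected."
          fi

      # WARN only — looks for the current YYYY-MM anywhere in SWEEP_LOG.md.
      # Runs after the presence check, so SWEEP_LOG.md is known to exist here.
      - name: Validate SWEEP_LOG entry exists for current month
        run: |
          echo "=== SENTINEL: SWEEP_LOG currency check ==="
          MONTH=$(date +"%Y-%m")
          if grep -qF -- "$MONTH" SWEEP_LOG.md; then
            echo "SENTINEL PASS: SWEEP_LOG has entry for $MONTH."
          else
            echo "SENTINEL WARN: No SWEEP_LOG entry found for $MONTH — update recommended."
          fi

  apogee-structure:
    name: Apogee — Structural Quality
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          persist-credentials: false

      # WARN only — reports the file count under docs/ or its absence.
      - name: Validate docs directory
        run: |
          echo "=== APOGEE: Docs directory check ==="
          if [ -d "docs" ]; then
            DOC_COUNT=$(find docs -type f | wc -l)
            echo "APOGEE PASS: docs/ exists with $DOC_COUNT file(s)."
          else
            echo "APOGEE WARN: docs/ directory missing."
          fi

      # WARN only — line-count heuristic; silent when README.md is absent
      # (the Sentinel job already fails on a missing README).
      - name: Check README minimum length
        run: |
          echo "=== APOGEE: README quality check ==="
          if [ -f "README.md" ]; then
            LINE_COUNT=$(wc -l < README.md)
            if [ "$LINE_COUNT" -lt 20 ]; then
              echo "APOGEE WARN: README.md is only $LINE_COUNT lines — consider expanding."
            else
              echo "APOGEE PASS: README.md has $LINE_COUNT lines."
            fi
          fi

  reson-drift:
    name: Reson — Pattern Coherence
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          persist-credentials: false

      # WARN only — looks for the current year anywhere in CHANGELOG.md.
      - name: Check CHANGELOG currency
        run: |
          echo "=== RESON: CHANGELOG drift check ==="
          YEAR=$(date +"%Y")
          if [ ! -f "CHANGELOG.md" ]; then
            # Reported explicitly instead of surfacing as a grep error on stderr.
            echo "RESON WARN: CHANGELOG.md missing — cannot check for $YEAR entries."
          elif grep -qF -- "$YEAR" CHANGELOG.md; then
            echo "RESON PASS: CHANGELOG.md contains $YEAR entries."
          else
            echo "RESON WARN: CHANGELOG.md may be stale — no $YEAR entries found."
          fi

      # WARN only. Despite the step name this is a presence check; it does not
      # resolve or validate any references inside CROSS_REF.md.
      - name: Check for broken internal references in CROSS_REF.md
        run: |
          echo "=== RESON: CROSS_REF presence check ==="
          if [ -f "CROSS_REF.md" ]; then
            echo "RESON PASS: CROSS_REF.md present."
          else
            echo "RESON WARN: CROSS_REF.md missing — cross-reference documentation incomplete."
          fi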