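---
# Composite GitHub Action that wraps the repo-guard CLI (src/repo-guard.mjs).
#
# Every user-controlled input consumed by the shell step is handed over through
# `env:` and read as "$INPUT_*" inside the script. None of them is expanded with
# `${{ }}` inside `run:`, because that expansion happens before bash parses the
# script and would let an input containing shell metacharacters rewrite the
# command (classic GitHub Actions script injection; callers may wire inputs such
# as `base`/`head` to PR-author-controlled branch names).
name: "repo-guard"
description: "Enforce repository policy and change contracts on pull requests"
author: "netkeep80"
branding:
  icon: "shield"
  color: "red"

inputs:
  mode:
    description: >
      Command mode. Use `check-pr` to validate a pull request against policy
      and change contract (requires GitHub Actions PR event context). Use `check-diff`
      to validate a local diff between two refs.
    required: false
    default: "check-pr"
  enforcement:
    description: >
      Policy enforcement behavior. `blocking`/`enforce` fails the job when
      policy violations are found. `advisory`/`warn` reports violations but
      exits successfully so teams can observe noise before enforcing.
    required: false
    default: "blocking"
  repo-root:
    description: >
      Path to the repository root that contains `repo-policy.json`.
      Defaults to the root of the checked-out repository (`$GITHUB_WORKSPACE`).
    required: false
    default: ""
  base:
    description: >
      Base git ref for diff comparison (used with `mode: check-diff`).
      Example: `main` or a commit SHA.
    required: false
    default: ""
  head:
    description: >
      Head git ref for diff comparison (used with `mode: check-diff`).
      Example: `feature-branch` or a commit SHA.
    required: false
    default: ""
  contract:
    description: >
      Path to a change contract JSON file (used with `mode: check-diff`).
      Path is relative to `repo-root`.
    required: false
    default: ""
  node-version:
    # Quoted so "20" stays a string (an unquoted 20.10 would be read as a float).
    description: "Node.js version to use when running repo-guard."
    required: false
    default: "20"

outputs:
  result:
    description: >
      Enforcement result: `passed` if all checks passed, `failed` if any check
      failed (including advisory violations), or `error` if repo-guard could not
      run (e.g. missing policy file).
    value: ${{ steps.run-repo-guard.outputs.result }}
  summary:
    description: "Human-readable one-line summary of the enforcement run."
    value: ${{ steps.run-repo-guard.outputs.summary }}

runs:
  using: "composite"
  steps:
    # Supply-chain note: a mutable tag such as `@v4` can be moved; pinning to a
    # full-length commit SHA (actions/setup-node@<commit-sha>) gives a stable,
    # auditable dependency. Left as a tag here to avoid inventing a SHA.
    - name: Set up Node.js
      uses: actions/setup-node@v4
      with:
        node-version: ${{ inputs.node-version }}

    - name: Install repo-guard dependencies
      shell: bash
      run: |
        # Install runtime dependencies for the checked-out Action source.
        # NOTE(review): `npm ci --omit=dev` would give lockfile-exact installs
        # if the Action ships a package-lock.json — confirm before switching.
        cd "${GITHUB_ACTION_PATH}"
        npm install --production --silent

    - name: Run repo-guard
      id: run-repo-guard
      shell: bash
      env:
        # The token is not an action input; the calling workflow is expected to
        # expose it as GH_TOKEN in its environment.
        GH_TOKEN: ${{ env.GH_TOKEN }}
        # Composite actions do not get INPUT_* variables populated for them, so
        # each input is mapped explicitly. Passing values via env (rather than
        # `${{ inputs.* }}` inside `run:`) keeps them data, not script text.
        INPUT_MODE: ${{ inputs.mode }}
        INPUT_ENFORCEMENT: ${{ inputs.enforcement }}
        INPUT_REPO_ROOT: ${{ inputs.repo-root }}
        INPUT_BASE: ${{ inputs.base }}
        INPUT_HEAD: ${{ inputs.head }}
        INPUT_CONTRACT: ${{ inputs.contract }}
      run: |
        # Do not abort on a non-zero CLI exit: the code is captured so that the
        # result/summary outputs can be written before it is re-raised at the end.
        set +e

        # Always run the CLI from the checked-out Action source. The command is
        # assembled as a bash array so that every argument is passed as a single
        # word even when it contains spaces or glob characters; the previous
        # string-built "$CMD" relied on word splitting.
        CMD=(node "${GITHUB_ACTION_PATH}/src/repo-guard.mjs")

        # --repo-root: use the input if provided, else fall back to GITHUB_WORKSPACE.
        REPO_ROOT="$INPUT_REPO_ROOT"
        if [ -z "$REPO_ROOT" ]; then
          REPO_ROOT="${GITHUB_WORKSPACE:-$PWD}"
        fi
        CMD+=(--repo-root "$REPO_ROOT")

        # Enforcement behavior (only when non-empty), then the command mode / sub-command.
        if [ -n "$INPUT_ENFORCEMENT" ]; then
          CMD+=(--enforcement "$INPUT_ENFORCEMENT")
        fi
        MODE="$INPUT_MODE"
        if [ -n "$MODE" ]; then
          CMD+=("$MODE")
        fi

        # check-diff specific flags, forwarded only when set.
        if [ "$MODE" = "check-diff" ]; then
          if [ -n "$INPUT_BASE" ]; then
            CMD+=(--base "$INPUT_BASE")
          fi
          if [ -n "$INPUT_HEAD" ]; then
            CMD+=(--head "$INPUT_HEAD")
          fi
          if [ -n "$INPUT_CONTRACT" ]; then
            CMD+=(--contract "$INPUT_CONTRACT")
          fi
        fi

        echo "Running: ${CMD[*]}"
        OUTPUT=$("${CMD[@]}" 2>&1)
        EXIT_CODE=$?
        echo "$OUTPUT"

        # Derive result and summary outputs. Advisory mode can exit 0 while
        # still reporting policy violations, so prefer the CLI Result line.
        CLI_RESULT=$(echo "$OUTPUT" | sed -nE 's/^Result: ([a-z]+).*/\1/p' | tail -1)
        SUMMARY=$(echo "$OUTPUT" | grep -E "^Summary:" | tail -1)
        if [ "$EXIT_CODE" -eq 0 ]; then
          RESULT="${CLI_RESULT:-passed}"
          if [ -z "$SUMMARY" ]; then
            SUMMARY="repo-guard: all checks passed"
          fi
        else
          # Distinguish configuration/runtime errors from enforcement failures.
          if echo "$OUTPUT" | grep -qE "^(ERROR|FAIL: repo-policy)"; then
            RESULT="error"
          else
            RESULT="${CLI_RESULT:-failed}"
          fi
          if [ -z "$SUMMARY" ]; then
            SUMMARY="repo-guard: one or more checks failed (exit $EXIT_CODE)"
          fi
        fi

        # RESULT is a lowercase word and SUMMARY is at most one line (tail -1), so
        # the single-line key=value form of GITHUB_OUTPUT cannot be broken by
        # embedded newlines here.
        echo "result=$RESULT" >> "$GITHUB_OUTPUT"
        echo "summary=$SUMMARY" >> "$GITHUB_OUTPUT"
        exit "$EXIT_CODE"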