keisei/KeiSeiKit-1.0
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
KeiSeiKit-1.0/scripts
History
Parfii-bot c778b7d9a3 feat(v0.20.1): workflow-file validation infrastructure 
Three layers of defense against the dtolnay-SHA-class bug reaching main
(today's incident: agent SHA-pinned dtolnay/rust-toolchain with a pin
that was real but semantically wrong — lost 'install current stable'
meaning, locked to rust 1.94.1 branch tip, broke CI).

Layer 1 — actionlint static lint
  scripts/install-actionlint.sh (65 LOC) — installs rhysd/actionlint
    v1.7.12 [VERIFIED] to ~/.local/bin or suggests brew install.
  scripts/lint-workflows.sh (40 LOC) — runs actionlint on
    .github/workflows/*.yml, exit 0 on clean, advisory when binary
    missing.

Layer 2 — SHA existence check (today's bug class)
  scripts/validate-workflow-shas.sh (98 LOC) — extracts every
    'uses: <repo>@<40-hex>' from workflow files + dependabot.yml,
    checks each via GitHub REST commits API (exit 200/404/422).
    Supports 'validate-workflow-shas: skip=<reason>' trailing
    comment for intentional exceptions. Falls back to anonymous
    API (60/hr quota) if GITHUB_TOKEN probe fails.
  DESIGN PIVOT from spec: spec said 'git ls-remote <repo> <sha>'
    but that only resolves REFS (branch/tag tips), not arbitrary
    commit SHAs — would have given false-positive 100% MISSING
    report. Switched to REST API /commits/{sha} for unambiguous
    200/404/422.

Layer 3 — CI gate
  .github/workflows/ci.yml — new 'workflow-lint' job after
    shell-lint. Installs actionlint + runs both scripts on every
    push to main and PR. Blocks CI on any fabricated SHA.

Layer 4 — optional pre-commit hook
  scripts/pre-commit-workflow-lint.sh (54 LOC) — detects staged
    .github/workflows/*.{yml,yaml} + .github/dependabot.yml
    changes, runs layers 1+2, blocks commit on failure.
  Install via: ln -sf ../../scripts/pre-commit-workflow-lint.sh
    .git/hooks/pre-commit

REAL EXECUTION VERIFIED (not claim-only):
  - actionlint ran: zero findings on current workflows
  - validate-workflow-shas.sh ran: 21 SHA pins checked, 21 OK,
    0 MISSING (confirms all current v0.19.1+ pins resolve)
  - bash -n on every new script: clean
  - bash-3.2 parser bug workaround: case-in-subshell → grep -E

RULE 0.2 exception #6 (shell is external convention for git hooks
+ GH Actions runs — Rust rewrite would add zero value).
RULE 0.13 respected — no git invocations except read-only API calls.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-22 17:50:23 +08:00
..
install-actionlint.sh feat(v0.20.1): workflow-file validation infrastructure 2026-04-22 17:50:23 +08:00
lint-workflows.sh feat(v0.20.1): workflow-file validation infrastructure 2026-04-22 17:50:23 +08:00
pre-commit-workflow-lint.sh feat(v0.20.1): workflow-file validation infrastructure 2026-04-22 17:50:23 +08:00
precommit-counts-check.sh refactor(v0.17): README counts auto-generation via markers + regen script 2026-04-22 15:24:05 +08:00
regen-counts.sh refactor(v0.17): README counts auto-generation via markers + regen script 2026-04-22 15:24:05 +08:00
validate-workflow-shas.sh feat(v0.20.1): workflow-file validation infrastructure 2026-04-22 17:50:23 +08:00