52 changes: 30 additions & 22 deletions .github/workflows/dogfood-gate.yml
Expand Up @@ -249,6 +249,33 @@ jobs:

- name: Check and validate eclexiaiser manifest
id: eclex
# The validation script lives in env: rather than inline in run:
# because a YAML literal block ends at the first column-1 line — an
# unindented heredoc/py-snippet inside run: silently truncates the
# block and makes the whole workflow file unparseable (zero jobs,
# path shown as the workflow name). env: block scalars strip the
# base indentation, so Python receives clean unindented code.
env:
PYCODE: |
import tomllib, sys
with open('eclexiaiser.toml', 'rb') as f:
data = tomllib.load(f)
project = data.get('project', {})
if not project.get('name', '').strip():
print('ERROR: project.name is required', file=sys.stderr)
sys.exit(1)
functions = data.get('functions', [])
if not functions:
print('ERROR: at least one [[functions]] entry is required', file=sys.stderr)
sys.exit(1)
for fn in functions:
if not fn.get('name', '').strip():
print('ERROR: function name cannot be empty', file=sys.stderr)
sys.exit(1)
if not fn.get('source', '').strip():
print(f'ERROR: function {fn["name"]} has no source path', file=sys.stderr)
sys.exit(1)
print(f'Valid: {project["name"]} ({len(functions)} function(s))')
run: |
if [ ! -f "eclexiaiser.toml" ]; then
# Check if repo has a Containerfile — if so, recommend eclexiaiser
Expand All @@ -261,28 +288,9 @@ jobs:

echo "has_manifest=true" >> "$GITHUB_OUTPUT"

# Validate TOML structure using Python 3.11+ tomllib
python3 -c "
import tomllib, sys
with open('eclexiaiser.toml', 'rb') as f:
data = tomllib.load(f)
project = data.get('project', {})
if not project.get('name', '').strip():
print('ERROR: project.name is required', file=sys.stderr)
sys.exit(1)
functions = data.get('functions', [])
if not functions:
print('ERROR: at least one [[functions]] entry is required', file=sys.stderr)
sys.exit(1)
for fn in functions:
if not fn.get('name', '').strip():
print('ERROR: function name cannot be empty', file=sys.stderr)
sys.exit(1)
if not fn.get('source', '').strip():
print(f'ERROR: function {fn[\"name\"]} has no source path', file=sys.stderr)
sys.exit(1)
print(f'Valid: {project[\"name\"]} ({len(functions)} function(s))')
" || {
# Validate TOML structure using Python 3.11+ tomllib (script in
# the step's env.PYCODE — see comment above)
python3 -c "$PYCODE" || {
echo "::error file=eclexiaiser.toml::Invalid eclexiaiser.toml — see step output for details"
exit 1
}
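Review bot: The new `PYCODE` script (L37–L55) still assumes `functions` is an array of tables and that `name`/`source` are strings; a manifest that writes `[functions]` as a single table, or `name = 1`, makes `.get`/`.strip()` raise, so the step dies with a Python traceback and only the generic `::error` from the `||` fallback (L87–L88) reaches the annotation instead of the intended `ERROR:` line. `isinstance` checks keep the friendly messages for malformed input. If a later step builds from `source`, it is also worth rejecting absolute paths and `..` components here so a manifest arriving in a PR cannot point a build at files outside the checkout — hedged, since the consumer of `source` is not visible in this hunk. The step's `run:` block continues past both hunks.

```yaml
      env:
        PYCODE: |
          import tomllib, sys
          # … unchanged: load manifest, project.name check …
          functions = data.get('functions', [])
          if not isinstance(functions, list) or not functions:
              print('ERROR: at least one [[functions]] entry is required', file=sys.stderr)
              sys.exit(1)
          for fn in functions:
              name = fn.get('name', '') if isinstance(fn, dict) else ''
              if not isinstance(name, str) or not name.strip():
                  print('ERROR: function name cannot be empty', file=sys.stderr)
                  sys.exit(1)
              src = fn.get('source', '')
              if not isinstance(src, str) or not src.strip():
                  print(f'ERROR: function {name} has no source path', file=sys.stderr)
                  sys.exit(1)
              # keep build inputs inside the checkout -- only matters if a
              # later step consumes `source`; confirm before keeping
              if src.startswith('/') or '..' in src.split('/'):
                  print(f'ERROR: function {name} source must be a relative path inside the repo', file=sys.stderr)
                  sys.exit(1)
          # … unchanged: final "Valid:" print …
```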
8 changes: 7 additions & 1 deletion .github/workflows/instant-sync.yml
Expand Up @@ -12,9 +12,15 @@ jobs:
dispatch:
runs-on: ubuntu-latest
timeout-minutes: 15
# The `secrets` context is not available in step-level `if:` — using it
# there is a workflow-file error, so every run failed at load time with
# zero jobs. Hoist the secret into env (where `secrets` IS available)
# and gate the step on env instead.
env:
FARM_DISPATCH_TOKEN: ${{ secrets.FARM_DISPATCH_TOKEN }}
steps:
- name: Trigger Propagation
if: ${{ secrets.FARM_DISPATCH_TOKEN != '' }}
if: ${{ env.FARM_DISPATCH_TOKEN != '' }}
uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v3
with:
token: ${{ secrets.FARM_DISPATCH_TOKEN }}
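Review bot: Hoisting `FARM_DISPATCH_TOKEN` into job-level `env` (L102–L103) widens its exposure from the one step that needs it to the environment of every step in the job, including any action those steps run; only the Trigger Propagation step is visible here and the `steps:` list continues past the hunk, so this may be harmless today but is easy to lose when a step is added. The same load-time error is avoided by placing the two `env:` lines on the step itself (same indentation as its `if:`) and keeping the existing `if: ${{ env.FARM_DISPATCH_TOKEN != '' }}` — GitHub documents the `env` context as usable in any step key except `id` and `uses`, but confirm on a real run that a step-level value is visible to that step's own `if:`. The value is masked in logs either way; the concern is scope, not leakage.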
10 changes: 9 additions & 1 deletion .github/workflows/scorecard.yml
Expand Up @@ -8,7 +8,15 @@ on:
push:
branches: [main]

permissions: read-all
# The called reusable's scorecard job requests security-events:write +
# id-token:write at job level. read-all cannot cover write scopes and a
# called workflow can only narrow the caller's token — so every run was
# a startup_failure. Grant exactly the superset the callee needs.
permissions:
contents: read
actions: read
security-events: write
id-token: write

jobs:
analysis:
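Review bot: The write scopes added at L123–L127 are workflow-level, so they apply to every job in the file rather than only the `analysis` job that calls the reusable scorecard workflow; `analysis:` is the last thing visible before the hunk ends, so any further jobs below would inherit `security-events: write` and `id-token: write` they do not need. Moving the block under `jobs.analysis.permissions:` and leaving a workflow-level `permissions: read-all` (job-level permissions replace the workflow-level set for that job) keeps the callee's superset while the rest of the file stays read-only. If the triggers above this hunk include `pull_request`, fork-originated runs still receive a read-only token regardless of these grants, so the callee should not assume the write scopes are always present.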
7 changes: 7 additions & 0 deletions .github/workflows/secret-scanner.yml
Expand Up @@ -10,8 +10,15 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

# The called reusable's gitleaks job requests pull-requests:write +
# actions:read at job level. A called workflow can only NARROW the
# caller's token, never exceed it — granting only contents:read here
# made every run a startup_failure ("workflow file issue", zero jobs)
# since the 2026-06-24 repin. The caller must grant the superset.
permissions:
contents: read
pull-requests: write
actions: read

jobs:
scan:
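Review bot: `pull-requests: write` at L145 is granted at workflow level and therefore to every job, not just `scan`; placing it under `jobs.scan.permissions:` with `permissions: read-all` (or `contents: read`) at the top keeps anything else in the file from being able to post to PRs. Which trigger this runs on matters more for the safety of this grant than the scope itself: with `pull_request`, fork PRs get a read-only token anyway, so the called gitleaks job's PR-comment step must tolerate a 403; with `pull_request_target`, a write token combined with any checkout of the PR head inside the callee is the classic pwn-request setup and should be reviewed. The concurrency group keyed on `github.ref` (L135) suggests PR-triggered runs, but the `on:` block itself is outside this hunk.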