From 6cbdb6518442fb5692472c3256e8ae9e95993577 Mon Sep 17 00:00:00 2001
From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com>
Date: Tue, 19 May 2026 22:48:12 +0100
Subject: [PATCH] ci(tooling): promote standards R4 lint to strict

Refs #95
---
.github/workflows/affinescript-verify.yml | 10 +++++++++-
.github/workflows/governance-reusable.yml | 2 ++
.github/workflows/hypatia-scan.yml | 6 ++++--
Mustfile | 2 +-
TOOLING-VERSION-INTEGRITY-POLICY.adoc | 13 ++++++++-----
5 files changed, 24 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/affinescript-verify.yml b/.github/workflows/affinescript-verify.yml
index 800f88e..985516c 100644
--- a/.github/workflows/affinescript-verify.yml
+++ b/.github/workflows/affinescript-verify.yml
@@ -39,7 +39,7 @@ jobs:
verify:
name: AffineScript Verify
runs-on: ubuntu-latest
- # NON-BLOCKING (temporary): see header note. continue-on-error keeps the
+ # advisory: see header note. continue-on-error keeps the
# whole job advisory — including the compiler checkout/setup-ocaml/build
# steps — so a toolchain/build problem cannot block merges or add
# estate-wide red noise while the ports + build are sorted in follow-up.
@@ -78,6 +78,8 @@ jobs:
- name: Checkout AffineScript compiler
if: steps.changed.outputs.any == 'true'
+ # advisory: compiler checkout is report-only until the port backlog
+ # is cleared and BLOCKING flips to true.
continue-on-error: true
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
@@ -87,6 +89,8 @@ jobs:
- name: Set up OCaml
if: steps.changed.outputs.any == 'true'
+ # advisory: setup failures should surface as signal without blocking
+ # unrelated standards changes while AffineScript verification matures.
continue-on-error: true
uses: ocaml/setup-ocaml@e32b06a3e831ff2fbc6f08cf35be2085e3918014 # v3
with:
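Review bot: The reworded job-level comment at @@ -39 drops "(temporary)" and no longer names the condition under which the job-level continue-on-error is meant to go away, while the step-level comments added later in this file (hunks at @@ -78, -87, -94, -102) tie their advisory status to `BLOCKING` flipping to true; the two should name the same switch so the rationale cannot drift across five places. Suggest `# advisory: see header note — job-level continue-on-error stays until BLOCKING flips to true; it keeps the` as the first line, leaving the rest of the paragraph as written. The `verify:` job's remaining keys and the header note this comment points to are outside the hunk.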
@@ -94,6 +98,8 @@ jobs:
- name: Build compiler
if: steps.changed.outputs.any == 'true'
+ # advisory: compiler build failures are reported by this job, not yet
+ # merge-blocking, until the report-only porting phase ends.
continue-on-error: true
working-directory: .affinescript-compiler
run: |
@@ -102,6 +108,8 @@ jobs:
- name: Verify changed .affine files
if: steps.changed.outputs.any == 'true'
+ # advisory: verification findings are emitted as warnings and job
+ # summary entries until BLOCKING is intentionally enabled.
continue-on-error: true
working-directory: .affinescript-compiler
run: |
diff --git a/.github/workflows/governance-reusable.yml b/.github/workflows/governance-reusable.yml
index 7ed659f..a85c64b 100644
--- a/.github/workflows/governance-reusable.yml
+++ b/.github/workflows/governance-reusable.yml
@@ -382,6 +382,8 @@ jobs:
find . -type f -size +1M -not -path "./.git/*" | head -10 || echo "No large files"
- name: EditorConfig check
uses: editorconfig-checker/action-editorconfig-checker@4b6cd6190d435e7e084fb35e36a096e98506f7b9 # v2.1.0
+ # advisory: formatting hygiene is reported from the reusable estate
+ # bundle; repos opt into blocking formatter checks locally when ready.
continue-on-error: true
- name: Check documentation
run: |
diff --git a/.github/workflows/hypatia-scan.yml b/.github/workflows/hypatia-scan.yml
index a895ce4..0b7796c 100644
--- a/.github/workflows/hypatia-scan.yml
+++ b/.github/workflows/hypatia-scan.yml
@@ -259,6 +259,8 @@ jobs:
# See hyperpolymath/hypatia#213 (gate decoupling) and the exit-127
# estate-wide breakage when gitbot-fleet/scripts/submit-finding.sh
# no longer existed on the default branch.
+ # advisory: Phase 2 learning submission is optional enrichment; the
+ # security gate remains the baseline-aware severity check below.
continue-on-error: true
env:
# All GitHub context values surface as env vars so the run
@@ -376,7 +378,7 @@ jobs:
- name: Comment on PR with findings
if: github.event_name == 'pull_request' && steps.scan.outputs.findings_count > 0
- # Advisory only — posting findings as a PR comment must never gate
+ # advisory: posting findings as a PR comment must never gate
# the scan (hypatia#213 gate decoupling). Belt-and-braces alongside
# the pull-requests: write permission above: a token/API hiccup or
# a fork PR (read-only token) skips the comment, not the check.
@@ -411,4 +413,4 @@ jobs:
repo: context.repo.repo,
issue_number: context.issue.number,
body: comment
- });
\ No newline at end of file
+ });
diff --git a/Mustfile b/Mustfile
index 5d409a5..fbdd374 100644
--- a/Mustfile
+++ b/Mustfile
@@ -12,4 +12,4 @@ checks:
- name: format
run: just fmt
- name: tooling-version-integrity
- run: bash tasks/tooling-integrity-lint.sh
+ run: bash tasks/tooling-integrity-lint.sh --strict
diff --git a/TOOLING-VERSION-INTEGRITY-POLICY.adoc b/TOOLING-VERSION-INTEGRITY-POLICY.adoc
index b839c8e..a881e2f 100644
--- a/TOOLING-VERSION-INTEGRITY-POLICY.adoc
+++ b/TOOLING-VERSION-INTEGRITY-POLICY.adoc
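Review bot: The `--strict` flag that turns R4 into a blocking check is added to the `tooling-version-integrity` entry in the Mustfile hunk (@@ -12) with no comment saying what it changes, so the next reader has to open the policy document to learn why this repo's Mustfile differs from the canonical template; a comment above the `run:` line would carry that, e.g. `# --strict: an unexplained continue-on-error (R4) fails this check here, unlike the canonical template — see TOOLING-VERSION-INTEGRITY-POLICY.adoc`. Two existing comments in this same commit were reworded from `# NON-BLOCKING (temporary):` and `# Advisory only —` to `# advisory:`, which suggests the lint recognises that literal prefix as the explanation for a `continue-on-error`; if so, the policy or this Mustfile line should state the exact marker, because once strict a differently cased or phrased rationale will fail the mandatory check with no obvious cause. The `checks:` list this entry belongs to starts outside the hunk.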
@@ -137,8 +137,11 @@ Integrity sweep tracking issue).
* `tasks/tooling-integrity-lint.sh` — scans `.github/workflows/` for unversioned family-tool installs (Rule 1) and bare `continue-on-error`
- (Rule 4). Exit non-zero on any violation.
-* `contractiles/must/Mustfile` (canonical template) and this repo's live
- `Mustfile` carry a `tooling-version-integrity` mandatory check that
- runs the lint — so every repo adopting the canonical `must` contract
- inherits the gate (Rule 3, Rule 5).
+ (Rule 4). R1 is always blocking; R4 is advisory by default and blocking
+ with `--strict`.
+* `contractiles/must/Mustfile` (canonical template) carries a default
+ `tooling-version-integrity` mandatory check so every repo adopting the
+ canonical `must` contract inherits the R0/R1 gate (Rule 3, Rule 5).
+ This repo's live `Mustfile` runs the lint with `--strict` because its
+ local soft-gates are now explained; the reusable estate workflow keeps
+ R4 advisory until each consumer repo is ready to promote it.