tooling(scripts): add per-template sweep classifiers (#187/#190/#192/#193) #194
Open
hyperpolymath wants to merge 2 commits into
…-workflow campaign

Durable tooling for the wrapper-sweep work that follows each of the foundational reusable PRs (#187 mirror, #190 secret-scanner, #192 codeql, #193 hypatia-scan).

Each classifier:
- reads a paginated `gh api /search/code` JSON dump
- fetches each unique blob SHA exactly once (cached in $BLOBS_DIR)
- emits per-repo TSV: <repo>\t<sha>\t<class>\t<reason>\t<lines>\t<details>

Classes vary per template but follow the same shape: TRIVIAL (canonical match, mechanical wrapper) vs SLIM/MISSING/OLDER (propagation lag, auto-upgrades on first run after wrapper merge) vs NEEDS_REVIEW (custom workflow body, requires per-repo diff).

Numbers produced by these classifiers across the four campaign templates:
- mirror.yml — 267/289 TRIVIAL (92.4%); 22 NEEDS_REVIEW
- secret-scanner — 273/281 missing shell-secrets (97.2%); 1 TRIVIAL (standards itself)
- codeql — 246/263 mechanical (93.5%); 17 NEEDS_REVIEW
- hypatia-scan — 249/255 safe-to-standardize-up (97.6%); 6 NEEDS_REVIEW

README documents the path-filter caveat: `gh api /search/code` with `path:.github/workflows` excludes monorepo-nested workflow files; the broader `filename:` query (no path filter) catches them. For hypatia-scan, the broader query returns 704 vs the 255 path-filtered count — the ~449 nested copies also need wrappers when sweeps fire.
Same as #192 (codeql-reusable) — auto-merge enabled but zero workflow runs against the head commit. Pushing empty commit to re-trigger CI.
Summary
Durable tooling for the wrapper-sweep work that follows each of the four foundational reusable PRs filed today (#187 mirror, #190 secret-scanner, #192 codeql, #193 hypatia-scan).
Adds
`scripts/sweep-classifiers/`:
- `classify-mirror.sh` — for feat(governance): add mirror-reusable.yml — consolidate 289-repo mirror.yml drift #187
- `classify-secret-scanner.sh` — for feat(governance): add secret-scanner-reusable.yml — propagate shell-secrets to 281 repos #190
- `classify-codeql.sh` — for feat(governance): add codeql-reusable.yml — consolidate 263-repo codeql.yml drift #192
- `classify-hypatia-scan.sh` — for feat(governance): add hypatia-scan-reusable.yml — biggest LOC leverage of the reusable trilogy #193
- `README.adoc` — usage + nested-path caveat

What each classifier does
- `gh api /search/code` JSON dump for the template
- `$BLOBS_DIR`)
- `<repo>\t<sha>\t<class>\t<reason>\t<lines>\t<details>`

Numbers produced across the four campaign templates
`standards` repo carries `shell-secrets` today

Nested-path caveat (documented in README)
`gh api /search/code` with `path:.github/workflows` matches the path PREFIX — monorepo nested workflow files (e.g., `a2ml/bindings/deno/.github/workflows/hypatia-scan.yml`) are EXCLUDED.
Verified for hypatia-scan: broader query without `path:` returns 704 results vs 255 path-filtered. The same effect likely applies to the other three templates; sweep tooling must walk all `**/.github/workflows/<template>.yml` paths.

Pattern
Same shape as `scripts/apply-baseline.sh` (paired with `scripts/tests/apply-baseline-test.sh`) — committed durable tooling rather than ephemeral `/tmp` scripts.

🤖 Generated with Claude Code
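An added example, not code from this PR, of the nested-path caveat and the fetch-each-blob-once rule described above. It assumes the search hits have already been flattened to `<repo>\t<path>\t<sha>` rows; the function names, the `ROOT`/`NESTED`/`OTHER` and `FETCH`/`CACHED` labels, and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the PR's scripts). Input rows are an assumed format:
# <repo>\t<path>\t<blob sha>, one per search hit, e.g. flattened with
#   jq -r '.items[] | [.repository.full_name, .path, .sha] | @tsv'

# Constructed sample hits for a broad filename query (no path: filter).
sample_hits() {
  printf '%s\t%s\t%s\n' \
    'example-org/alpha' '.github/workflows/hypatia-scan.yml' 'aaa111' \
    'example-org/beta' '.github/workflows/hypatia-scan.yml' 'aaa111' \
    'example-org/mono' 'bindings/deno/.github/workflows/hypatia-scan.yml' 'bbb222' \
    'example-org/mono' '.github/workflows/hypatia-scan.yml' 'aaa111' \
    'example-org/docs' 'examples/hypatia-scan.yml' 'ccc333'
}

# classify_paths TEMPLATE: reads hits on stdin and emits
# <repo>\t<path>\t<sha>\t<scope>\t<blob>. scope is ROOT (what a
# path:.github/workflows prefix query returns), NESTED (a monorepo copy the
# prefix query misses) or OTHER (same filename outside a workflows dir).
# blob is FETCH the first time a SHA is seen and CACHED afterwards, so each
# unique blob is downloaded and classified once.
classify_paths() {
  awk -F '\t' -v OFS='\t' -v t="$1" '
    BEGIN { root = ".github/workflows/" t; n = length(root) }
    {
      if ($2 == root) scope = "ROOT"
      else if (length($2) > n && substr($2, length($2) - n) == "/" root)
        scope = "NESTED"
      else scope = "OTHER"
      blob = ($3 in seen) ? "CACHED" : "FETCH"
      seen[$3] = 1
      print $1, $2, $3, scope, blob
    }'
}

# count_field N VALUE: count stdin rows whose Nth field equals VALUE.
count_field() {
  awk -F '\t' -v f="$1" -v v="$2" '$f == v { c++ } END { print c + 0 }'
}

sample_hits | classify_paths hypatia-scan.yml
```

A sweep whose `NESTED` count is non-zero has workflow copies that a path-prefixed inventory never listed, which is the coverage gap the README caveat describes.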