fix(repo): Harden catalog sync and release integrity
Tighten the repo-state automation so canonical bot commits remain predictable while leaving main clean after each sync. Make the public catalog UI more honest by hiding dev-only sync, turning stars into explicit browser-local saves, aligning risk types, and removing hardcoded catalog counts. Add shared public asset URL helpers, risk suggestion plumbing, safer unpack/sync guards, and CI coverage gates so release and maintainer workflows catch drift earlier.
@@ -98,6 +98,31 @@ assert.match(
|
||||
/GH_TOKEN: \$\{\{ github\.token \}\}/,
|
||||
"main CI should provide GH_TOKEN for contributor synchronization",
|
||||
);
|
||||
assert.match(
|
||||
ciWorkflow,
|
||||
/main-validation-and-sync:[\s\S]*?concurrency:[\s\S]*?group: canonical-main-sync[\s\S]*?cancel-in-progress: false/,
|
||||
"main validation should serialize canonical sync writers",
|
||||
);
|
||||
assert.match(
|
||||
ciWorkflow,
|
||||
/pip install -r tools\/requirements\.txt/g,
|
||||
"CI workflows should install Python dependencies from tools/requirements.txt",
|
||||
);
|
||||
assert.match(
|
||||
ciWorkflow,
|
||||
/- name: Audit npm dependencies[\s\S]*?run: npm audit --audit-level=high/,
|
||||
"CI should run npm audit at high severity",
|
||||
);
|
||||
assert.match(
|
||||
ciWorkflow,
|
||||
/main-validation-and-sync:[\s\S]*?- name: Audit npm dependencies[\s\S]*?run: npm audit --audit-level=high/,
|
||||
"main validation should enforce npm audit before syncing canonical state",
|
||||
);
|
||||
assert.doesNotMatch(
|
||||
ciWorkflow,
|
||||
/main-validation-and-sync:[\s\S]*?continue-on-error: true/,
|
||||
"main validation should not treat high-severity npm audit findings as non-blocking",
|
||||
);
|
||||
assert.doesNotMatch(
|
||||
ciWorkflow,
|
||||
/^ - name: Generate index$/m,
|
||||
@@ -113,16 +138,46 @@ assert.doesNotMatch(
|
||||
/^ - name: Build catalog$/m,
|
||||
"main CI should not keep the old standalone Build catalog step",
|
||||
);
|
||||
assert.match(
|
||||
ciWorkflow,
|
||||
/git commit -m "chore: sync repo state \[ci skip\]"/,
|
||||
"main CI should keep bot-generated canonical sync commits out of the normal CI loop",
|
||||
);
|
||||
assert.match(
|
||||
ciWorkflow,
|
||||
/git ls-files --others --exclude-standard/,
|
||||
"main CI should fail if canonical sync leaves unmanaged untracked drift",
|
||||
);
|
||||
assert.match(
|
||||
ciWorkflow,
|
||||
/git diff --name-only/,
|
||||
"main CI should fail if canonical sync leaves unmanaged tracked drift",
|
||||
);
|
||||
|
||||
assert.ok(fs.existsSync(hygieneWorkflowPath), "repo hygiene workflow should exist");
|
||||
|
||||
const hygieneWorkflow = readText(".github/workflows/repo-hygiene.yml");
|
||||
assert.match(hygieneWorkflow, /^on:\n workflow_dispatch:\n schedule:/m, "repo hygiene workflow should support schedule and manual runs");
|
||||
assert.match(
|
||||
hygieneWorkflow,
|
||||
/concurrency:\n\s+group: canonical-main-sync\n\s+cancel-in-progress: false/,
|
||||
"repo hygiene workflow should serialize canonical sync writers with main CI",
|
||||
);
|
||||
assert.match(
|
||||
hygieneWorkflow,
|
||||
/GH_TOKEN: \$\{\{ github\.token \}\}/,
|
||||
"repo hygiene workflow should provide GH_TOKEN for gh-based contributor sync",
|
||||
);
|
||||
assert.match(
|
||||
hygieneWorkflow,
|
||||
/pip install -r tools\/requirements\.txt/,
|
||||
"repo hygiene workflow should install Python dependencies from tools/requirements.txt",
|
||||
);
|
||||
assert.match(
|
||||
hygieneWorkflow,
|
||||
/run: npm audit --audit-level=high/,
|
||||
"repo hygiene workflow should block on high-severity npm audit findings before syncing",
|
||||
);
|
||||
assert.match(
|
||||
hygieneWorkflow,
|
||||
/run: npm run sync:repo-state/,
|
||||
@@ -133,8 +188,33 @@ assert.match(
|
||||
/generated_files\.js --include-mixed/,
|
||||
"repo hygiene workflow should resolve and stage the mixed generated files contract",
|
||||
);
|
||||
assert.match(
|
||||
hygieneWorkflow,
|
||||
/git commit -m "chore: scheduled repo hygiene sync \[ci skip\]"/,
|
||||
"repo hygiene workflow should keep bot-generated sync commits out of the normal CI loop",
|
||||
);
|
||||
assert.match(
|
||||
hygieneWorkflow,
|
||||
/git ls-files --others --exclude-standard/,
|
||||
"repo hygiene workflow should fail if canonical sync leaves unmanaged untracked drift",
|
||||
);
|
||||
assert.match(
|
||||
hygieneWorkflow,
|
||||
/git diff --name-only/,
|
||||
"repo hygiene workflow should fail if canonical sync leaves unmanaged tracked drift",
|
||||
);
|
||||
|
||||
assert.match(publishWorkflow, /run: npm ci/, "npm publish workflow should install dependencies");
|
||||
assert.match(
|
||||
publishWorkflow,
|
||||
/pip install -r tools\/requirements\.txt/,
|
||||
"npm publish workflow should install Python dependencies from tools/requirements.txt",
|
||||
);
|
||||
assert.match(
|
||||
publishWorkflow,
|
||||
/run: npm audit --audit-level=high/,
|
||||
"npm publish workflow should block on high-severity npm audit findings",
|
||||
);
|
||||
assert.match(
|
||||
publishWorkflow,
|
||||
/run: npm run app:install/,
|
||||
|
||||