From 2e394cd17c52fae3d86798da4951d1dff147d8b0 Mon Sep 17 00:00:00 2001 From: agentson Date: Sat, 28 Feb 2026 14:36:05 +0900 Subject: [PATCH] infra: enforce governance registry sync checks in CI (#330) --- .gitea/workflows/ci.yml | 15 ++++++- scripts/validate_governance_assets.py | 61 +++++++++++++++++++++++++++ 2 files changed, 75 insertions(+), 1 deletion(-) diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index f73be37..39fb10d 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -13,6 +13,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + fetch-depth: 0 - name: Set up Python uses: actions/setup-python@v5 @@ -26,7 +28,18 @@ jobs: run: python3 scripts/session_handover_check.py --strict - name: Validate governance assets - run: python3 scripts/validate_governance_assets.py + run: | + RANGE="" + if [ "${{ github.event_name }}" = "pull_request" ] && [ -n "${{ github.event.pull_request.base.sha }}" ]; then + RANGE="${{ github.event.pull_request.base.sha }}...${{ github.sha }}" + elif [ -n "${{ github.event.before }}" ] && [ "${{ github.event.before }}" != "0000000000000000000000000000000000000000" ]; then + RANGE="${{ github.event.before }}...${{ github.sha }}" + fi + if [ -n "$RANGE" ]; then + python3 scripts/validate_governance_assets.py "$RANGE" + else + python3 scripts/validate_governance_assets.py + fi - name: Validate Ouroboros docs run: python3 scripts/validate_ouroboros_docs.py diff --git a/scripts/validate_governance_assets.py b/scripts/validate_governance_assets.py index 80680d7..82e94d4 100644 --- a/scripts/validate_governance_assets.py +++ b/scripts/validate_governance_assets.py @@ -3,9 +3,12 @@ from __future__ import annotations +import subprocess import sys from pathlib import Path +REQUIREMENTS_REGISTRY = "docs/ouroboros/01_requirements_registry.md" + def must_contain(path: Path, required: list[str], errors: list[str]) -> None: if not path.exists(): @@ -17,8 +20,64 @@ def must_contain(path: Path, required: list[str], errors: list[str]) -> None: errors.append(f"{path}: missing required token -> {token}") +def normalize_changed_path(path: str) -> str: + normalized = path.strip().replace("\\", "/") + if normalized.startswith("./"): + normalized = normalized[2:] + return normalized + + +def is_policy_file(path: str) -> bool: + normalized = normalize_changed_path(path) + if not normalized.endswith(".md"): + return False + if not normalized.startswith("docs/ouroboros/"): + return False + return normalized != REQUIREMENTS_REGISTRY + + +def load_changed_files(args: list[str], errors: list[str]) -> list[str]: + if not args: + return [] + + # Single range input (e.g. BASE..HEAD or BASE...HEAD) + if len(args) == 1 and ".." in args[0]: + range_spec = args[0] + try: + completed = subprocess.run( + ["git", "diff", "--name-only", range_spec], + check=True, + capture_output=True, + text=True, + ) + except (subprocess.CalledProcessError, FileNotFoundError) as exc: + errors.append(f"failed to load changed files from range '{range_spec}': {exc}") + return [] + return [ + normalize_changed_path(line) + for line in completed.stdout.splitlines() + if line.strip() + ] + + return [normalize_changed_path(path) for path in args if path.strip()] + + +def validate_registry_sync(changed_files: list[str], errors: list[str]) -> None: + if not changed_files: + return + + changed_set = set(changed_files) + policy_changed = any(is_policy_file(path) for path in changed_set) + registry_changed = REQUIREMENTS_REGISTRY in changed_set + if policy_changed and not registry_changed: + errors.append( + "policy file changed without updating docs/ouroboros/01_requirements_registry.md" + ) + + def main() -> int: errors: list[str] = [] + changed_files = load_changed_files(sys.argv[1:], errors) pr_template = Path(".gitea/PULL_REQUEST_TEMPLATE.md") issue_template = Path(".gitea/ISSUE_TEMPLATE/runtime_verification.md") @@ -81,6 +140,8 @@ def main() -> int: if not handover_script.exists(): errors.append(f"missing file: {handover_script}") + validate_registry_sync(changed_files, errors) + if errors: print("[FAIL] governance asset validation failed") for err in errors: