fix(brew): track exact cache path so cask download bytes update #114
Workflow file for this run
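name: Harness

# Drift sensors that run alongside the main test workflow but never block a
# merge. These are the "continuous drift" controls from the harness
# engineering article: they observe maintainability decay (vulnerable deps,
# dead code, stale go.mod) without forcing a refactor on every PR.
#
# Each job sets continue-on-error: true, so a failure shows up as an
# informational annotation on the PR. To promote a job to a required check,
# remove continue-on-error and add it to the branch protection rules.
#
# NOTE(review): because of continue-on-error, a govulncheck finding does not
# fail the run; the annotations have to be read by someone.
#
# NOTE(review): actions are referenced by major-version tag, and a tag can be
# moved. To fix the exact code that runs, pin each `uses:` to a full commit
# SHA, e.g. `actions/checkout@<FULL_COMMIT_SHA>  # v4` (placeholder value).
on:
  push:
    branches:
      - main
      - master
  # pull_request (not pull_request_target): PR code runs with the read-only
  # token declared under `permissions`, and this workflow references no secrets.
  pull_request:
    branches:
      - main
      - master
  schedule:
    # Nightly run on main so drift in dependencies surfaces even without
    # PR activity (govulncheck advisories land independently of code).
    - cron: '0 7 * * *'
  workflow_dispatch:

# Least privilege: every job only needs to read the repository.
permissions:
  contents: read

jobs:
  govulncheck:
    name: govulncheck (drift)
    runs-on: ubuntu-latest
    continue-on-error: true
    steps:
      - uses: actions/checkout@v4
        with:
          # No later step talks to the remote, so do not leave the token in
          # the checked-out repository's git config.
          persist-credentials: false
      - uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"
      - name: Install govulncheck
        # @latest is unpinned: the scanner version can change between runs.
        # NOTE(review): pin a reviewed version if reproducible runs matter
        # more than always using the newest scanner.
        run: go install golang.org/x/vuln/cmd/govulncheck@latest
      - name: Run govulncheck
        run: govulncheck ./...

  deadcode:
    name: deadcode (drift)
    runs-on: ubuntu-latest
    continue-on-error: true
    steps:
      - uses: actions/checkout@v4
        with:
          # No later step talks to the remote; keep the token out of .git/config.
          persist-credentials: false
      - uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"
      - name: Install deadcode
        # Unpinned tool version, same trade-off as the govulncheck install.
        run: go install golang.org/x/tools/cmd/deadcode@latest
      - name: Run deadcode
        # -test includes test-only entry points; e2e,vm tags expose callers
        # in the destructive e2e suite (testutil.BuildTestBinary etc.).
        run: deadcode -test -tags="e2e,vm" ./...

  mod-tidy:
    name: go mod tidy diff (drift)
    runs-on: ubuntu-latest
    continue-on-error: true
    steps:
      - uses: actions/checkout@v4
        with:
          # No later step talks to the remote; keep the token out of .git/config.
          persist-credentials: false
      - uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"
      - name: Verify go.mod is tidy
        run: |
          # Snapshot into a private directory rather than fixed /tmp names,
          # so the step does not depend on what else is in /tmp.
          tmp=$(mktemp -d)
          cp go.mod "$tmp/go.mod.before"
          cp go.sum "$tmp/go.sum.before"
          go mod tidy
          if ! cmp -s go.mod "$tmp/go.mod.before" || ! cmp -s go.sum "$tmp/go.sum.before"; then
            echo "::warning::go.mod / go.sum are not tidy — run 'go mod tidy' and commit the diff."
            echo "--- go.mod diff ---"
            diff "$tmp/go.mod.before" go.mod || true
            echo "--- go.sum diff ---"
            diff "$tmp/go.sum.before" go.sum || true
            exit 1
          fi

  archtest-stale-baseline:
    name: archtest stale baseline (drift)
    runs-on: ubuntu-latest
    continue-on-error: true
    steps:
      - uses: actions/checkout@v4
        with:
          # `go test` below executes code from the checked-out ref (including
          # PR code); do not leave the token in .git/config for it to read.
          persist-credentials: false
      - uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"
      - name: Detect stale baseline entries
        # archtest prints "stale baseline entr(ies)" via t.Logf when an entry
        # references code that no longer exists. Surface that here as a
        # warning so we can prune the baseline.
        run: |
          # -count=1 disables the test cache so t.Logf output always prints,
          # otherwise a cached "ok" line would hide stale baseline warnings.
          #
          # The default `run` shell is `bash -e`, so a bare
          # out=$(go test ...) would abort the script on a test failure
          # before the captured output is printed. Record the status, print
          # the log, then fail with the original status at the end.
          status=0
          out=$(go test -v -count=1 ./internal/archtest/... 2>&1) || status=$?
          echo "$out"
          if echo "$out" | grep -q "stale baseline"; then
            echo "::warning::archtest reported stale baseline entries — consider regenerating with ARCHTEST_UPDATE_BASELINE=1 and committing the diff."
            exit 1
          fi
          exit "$status"

  required-checks-alignment:
    name: required-checks alignment (drift)
    runs-on: ubuntu-latest
    continue-on-error: true
    steps:
      - uses: actions/checkout@v4
        with:
          # No later step talks to the remote; keep the token out of .git/config.
          persist-credentials: false
      - name: Install PyYAML
        # NOTE(review): unpinned third-party package; pin an exact version
        # (pyyaml==<PINNED_VERSION>, placeholder) to control what gets installed.
        run: pip install --quiet --user pyyaml
      - name: Compare .github/required-checks.txt vs workflow job names
        # Catches the desync that bit PR #69: branch protection still
        # required `integration (L2)` and `contract schema (L3)` after the
        # workflow renamed/removed those jobs, so the squash-merge silently
        # blocked waiting for checks that would never report.
        #
        # `.github/required-checks.txt` is the in-repo source of truth for
        # branch protection's required_status_checks.contexts. This sensor
        # verifies every line there maps to an actual job `name:` across
        # the workflows. Live branch protection is updated via
        # `gh api -X PUT .../protection` in the same PR (see MERGE_POLICY).
        run: |
          set -euo pipefail
          # grep exits 1 when every line is a comment or blank; under
          # pipefail that would abort the script with no message. Tolerate
          # exit 1 only, so a missing or unreadable file (exit 2) still fails.
          required=$(
            { grep -v '^[[:space:]]*\(#\|$\)' .github/required-checks.txt || [ "$?" -eq 1 ]; } \
              | LC_ALL=C sort -u
          )
          jobs=$(python3 <<'PY'
          import pathlib, yaml
          seen = set()
          workflows = pathlib.Path('.github/workflows')
          # GitHub accepts both .yml and .yaml workflow files.
          for path in sorted([*workflows.glob('*.yml'), *workflows.glob('*.yaml')]):
              # safe_load: workflow files are parsed as plain data only.
              wf = yaml.safe_load(path.read_text(encoding='utf-8'))
              if not isinstance(wf, dict) or not isinstance(wf.get('jobs'), dict):
                  continue
              for job_id, job in wf['jobs'].items():
                  # NOTE(review): a job name containing an expression (e.g. a
                  # matrix value) is compared as the literal template text;
                  # confirm required-checks.txt has no such entries.
                  name = job.get('name', job_id) if isinstance(job, dict) else job_id
                  seen.add(name)
          for n in sorted(seen):
              print(n)
          PY
          )
          # comm needs both inputs sorted in the same collation. Python's
          # sorted() and locale-aware sort(1) can disagree, so re-sort both
          # sides bytewise here instead of relying on the runner's locale.
          missing=$(LC_ALL=C comm -23 \
            <(printf '%s\n' "$required" | LC_ALL=C sort -u) \
            <(printf '%s\n' "$jobs" | LC_ALL=C sort -u))
          if [ -n "$missing" ]; then
            echo "::warning::.github/required-checks.txt lists checks that no workflow job produces:"
            echo "$missing" | sed 's/^/ - /'
            echo ""
            echo "Either remove these from required-checks.txt (and update branch protection"
            echo "via 'gh api -X PUT .../protection'), or add matching jobs to .github/workflows/."
            echo "See docs/MERGE_POLICY.md."
            exit 1
          fi
          # Count entries, reporting 0 (not 1) when the list is empty.
          count=$(printf '%s' "$required" | grep -c '' || true)
          printf '✓ All %d required checks have matching workflow jobs.\n' "$count"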