udx · fqjony · May 27, 2026 · May 27, 2026 · May 27, 2026
diff --git a/.env.example b/.env.example
@@ -0,0 +1,14 @@
+# Local script defaults for direct merge testing.
+# The composite action normally receives these values from action inputs and
+# udx/rabbit-lifecycle outputs.
+
+INPUT_SOURCE_DIR=.rabbit
+INPUT_ENV_NAME=development
+INPUT_LIFECYCLE=development
+INPUT_IS_PROTECTED=false
+INPUT_RESOLUTION_REASON=local-example
+INPUT_OUTPUT_FORMAT=yaml
+INPUT_RECURSIVE=true
+INPUT_FILE_PATTERNS=*.yml,*.yaml
+INPUT_EXCLUDE=**/merged*.yml,**/merged*.yaml
+INPUT_DEBUG=false
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: "/"
+    schedule:
+      interval: weekly
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,38 @@
+name: ci
+
+on:
+  pull_request:
+  push:
+    branches:
+      - production
+      - lifecycle-action-integration
+
+permissions:
+  contents: read
+
+jobs:
+  validate:
+    name: validate action contract
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install pinned yq
+        shell: bash
+        run: |
+          set -euo pipefail
+          version="v4.44.3"
+          install_dir="${RUNNER_TEMP}/rabbit-action-bin"
+          mkdir -p "$install_dir"
+          curl -fsSL "https://github.com/mikefarah/yq/releases/download/${version}/yq_linux_amd64" -o "$install_dir/yq"
+          chmod +x "$install_dir/yq"
+          echo "$install_dir" >> "$GITHUB_PATH"
+
+      - name: Run validation
+        shell: bash
+        run: make test
+
+      - name: Refresh repo context
+        shell: bash
+        run: npx -y @udx/dev-kit@0.12.0 repo
diff --git a/.rabbit/context.yaml b/.rabbit/context.yaml
@@ -0,0 +1,77 @@
+# Generated by dev.kit repo — do not edit manually.
+# Run `dev.kit repo` to refresh.
+kind: repoContext
+version: udx.dev/dev.kit/v1
+generator:
+  tool: dev.kit
+  repo: https://github.com/udx/dev.kit
+  version: 0.12.0
+  generated_at: 2026-05-27T14:47:01Z
+  sources:
+    homepage: https://udx.dev/kit
+    repository: https://github.com/udx/dev.kit
+    package: https://www.npmjs.com/package/@udx/dev-kit
+    installation: https://github.com/udx/dev.kit/blob/latest/docs/installation.md
+
+repo:
+  name: github-rabbit-action
+  archetype: manifest-repo
+
+# Refs — Direct-read files and paths that define the repo contract.
+# Note: Include only files or directories a repo consumer should read before code exploration.
+# Note: Prefer README, focused docs, workflows, manifests, and explicit operational files.
+# Note: Exclude broad implementation directories unless they are the contract themselves.
+
+refs:
+  - ./README.md
+  - ./Makefile
+  - ./docs/configuration.md
+  - ./docs/validation.md
+  - ./src/configs/lifecycle-policy.yaml
+  - ./action.yml
+  - ./.github/workflows
+  - ./docs
+
+# Commands — Canonical repo entrypoints detected from strong repo signals.
+# Note: Prefer declared make targets and package scripts before regex matches in docs.
+# Note: Emit only commands that can be traced to a concrete source.
+# Note: Record the source path so the command can be reviewed and corrected.
+
+commands:
+  verify:
+    run: make test
+    source: Makefile
+
+# Dependencies — Meaningful dependency-repo contracts such as reusable workflows, images, or versioned manifests this repo relies on.
+# Note: Capture execution-shaping behavior defined outside the current checkout.
+# Note: Avoid promoting standard package inventory or ordinary GitHub action refs into top-level context.
+# Note: Normalize same-org versioned refs into repo slugs when possible.
+
+dependencies:
+  - repo: udx/rabbit-infra-config
+    kind: manifest contract (v1)
+    resolved: true
+    declared_as: udx.dev/rabbit-infra-config/v1
+    archetype: Composite action for determine infra config files and merge them.
+    used_by:
+      - src/configs/lifecycle-policy.yaml
+
+# Manifests — YAML files that define repo-specific workflow, deploy, or contract behavior.
+# Note: Include custom config/manifests that materially shape repo behavior or contract understanding.
+# Note: Do not include workflow YAML only because it lives under .github/workflows.
+# Note: Promote workflow files only when they declare reusable workflow refs or other repo-specific execution contracts.
+# Note: Prefer structured kind and description metadata from the manifest itself.
+# Note: Include hidden or nested contract dirs when they contain repo-owned manifests with meaningful metadata.
+
+manifests:
+  - path: src/configs/lifecycle-policy.yaml
+    kind: rabbitConfigLayout
+    declared_as: udx.dev/rabbit-infra-config/v1
+    source_repo: udx/rabbit-infra-config
+    used_by:
+      - bin/lib/config.sh
+      - docs/configuration.md
+    evidence:
+      - version: udx.dev/rabbit-infra-config/v1
+      - path reference: bin/lib/config.sh
+      - path reference: docs/configuration.md
diff --git a/Makefile b/Makefile
@@ -0,0 +1,19 @@
+.PHONY: test validate-shell validate-action validate-workflow
+
+test: validate-shell validate-action validate-workflow
+	tests/run-merge-tests.sh
+
+validate-shell:
+	bash -n \
+		bin/merge-configs.sh \
+		bin/lib/config.sh \
+		bin/lib/lifecycle.sh \
+		bin/lib/validation.sh \
+		bin/lib/environment.sh \
+		tests/run-merge-tests.sh
+
+validate-action:
+	yq eval '.' action.yml >/dev/null
+
+validate-workflow:
+	yq eval '.' .github/workflows/ci.yml >/dev/null
diff --git a/README.md b/README.md
@@ -132,11 +132,16 @@ services:
 │ GitHub Action Trigger (push / PR / delete / manual) │
 └──────────────────────┬──────────────────────────────┘
                        │
-         ┌─────────────▼──────────────┐
-         │   1. Merge Configs         │
-         │   Discover .rabbit/ YAML   │
-         │   Resolve lifecycle        │
-         │   Deep merge by module::id │
+        ┌─────────────▼──────────────┐
+        │   1. Resolve Lifecycle     │
+        │   Branch/env policy via    │
+        │   udx/rabbit-lifecycle     │
+        └─────────────┬──────────────┘
+                      │
+        ┌─────────────▼──────────────┐
+        │   2. Merge Configs         │
+        │   Discover .rabbit/ YAML   │
+        │   Deep merge by module::id │
          └─────────────┬──────────────┘
                        │
          ┌─────────────▼──────────────┐
@@ -170,7 +175,7 @@ services:
 
 ### Environment Detection
 
-The environment is automatically resolved from:
+The environment is automatically resolved from the workflow event, then passed to `udx/rabbit-lifecycle` for lifecycle policy resolution:
 
 | Trigger | Environment Source |
 | --- | --- |
@@ -201,7 +206,10 @@ Infrastructure configs live in `.rabbit/` directories organized by lifecycle:
 
 - Files are sorted by name (`10-infra.yaml` before `20-monitoring.yaml`)
 - Services with the same `module::id` are deep-merged across files
-- Root-level files in `.rabbit/` are ignored (must be in a lifecycle directory)
+- Root-level files in the configured `source_dir` are ignored (must be in a lifecycle directory)
+- Only direct lifecycle roots under `source_dir` are eligible; use `source_dir: .rabbit/infra_configs` for nested config roots
+
+See [docs/configuration.md](docs/configuration.md) for the repo-owned Rabbit config layout and merge contract.
 
 ### Plan Mode
 
@@ -473,14 +481,16 @@ The workflow dispatch inputs provide safe manual control:
 | `newrelic_api_key` | — | — | New Relic API key |
 | `slack_webhook` | — | — | Slack webhook URL |
 | `source_dir` | — | `.rabbit` | Config source directory |
-| `github_token` | — | `github.token` | GitHub token for PR comments |
+| `github_token` | — | `github.token` | GitHub token passed to lifecycle resolution and used for PR comments |
 
 ## Outputs
 
 | Output | Description |
 | --- | --- |
 | `environment` | Resolved environment name |
 | `lifecycle` | Resolved lifecycle (production/staging/development) |
+| `is_protected` | Whether GitHub reported the environment branch as protected |
+| `resolution_reason` | Lifecycle rule that selected the lifecycle |
 | `plan_only` | Whether run was plan-only |
 | `terraform_action` | Action executed (apply/destroy/skip) |
 | `has_changes` | Whether Terraform detected changes |
@@ -528,9 +538,14 @@ Notifications include environment, change counts, failure stage, and a link to t
 - **Pin `r2a_version`** to a specific tag for reproducible deploys (e.g., `4.8.0` instead of `latest`)
 - **Name files with numeric prefixes** (`10-dns.yaml`, `20-cdn.yaml`, `30-app.yaml`) for deterministic ordering
 - **Use `#{Environment}` placeholders** in service IDs to keep configs environment-aware
+- **Set `source_dir` explicitly** when configs live below `.rabbit/infra_configs` or another nested root
 - **Schedule nightly runs** (`cron: "0 2 * * *"`) to detect infrastructure drift
 - **Keep `.rabbit/` configs small and focused** — one concern per file
 
+## Development
+
+The local validation contract is documented in [docs/validation.md](docs/validation.md). Run `make test` and `dev.kit repo` before updating a PR.
+
 ---
 
 ## License