feat: generate an opt-in PR drift-check workflow#236
Merged
Conversation
Signed-off-by: Joshua Temple <joshua.temple@stablekernel.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
cascade ships
cascade verify(drift + orphan detection) and uses it as a required PR gate on its own repo, but users only get that protection if they wire the workflow by hand. Closes #229.Fix
Adds an opt-in, additive manifest toggle
drift_check(enabled+comment) underconfig:. Whendrift_check.enabledis set,cascade generate-workflowemits apull_requestdrift-check workflow (.github/workflows/cascade-drift-check.yaml) that runscascade verifyand fails the check on drift. Whendrift_check.commentis also set, it emits the fork-safeworkflow_runcomment companion (.github/workflows/cascade-drift-comment.yaml) that posts the verify result as a sticky PR comment.This mirrors cascade's own two-file dogfood pattern:
pull_requestjob is strictly read-only (contents: read, no secrets, posts no comment). A fork PR gets a read-only token and uploads the verify result as thecascade-drift-resultartifact instead.workflow_runcompanion runs in the base-repo context with a scopedpull-requests: writetoken, downloads the artifact (data only), and posts the sticky comment. It never checks out or executes PR head code.Both generated files carry the cascade-owned
GeneratedFileMarker, socascade verifyitself tracks them. Third-party actions route through the existing pin seam (pin_modehonored); the cascade self-action uses thecli_versionref pattern.Security note
The generated comment companion derives the target PR number ONLY from trusted
workflow_runrun metadata (run.pull_requests[0].number, orlistPullRequestsAssociatedWithCommitmatchingrun.head_shafor fork PRs), NEVER from the fork-uploaded artifact. This preserves the fix from #228: a fork cannot redirect the comment at another PR. Thepull_requestjob has no write permissions and no secrets and posts no comment itself.Verification
schema_versionis NOT bumped (the field is additive andomitempty); all threemanifest.schema.jsoncopies regenerated and byte-identical.pull_requestjob, no checkout/secrets/comment in the check lane), determinism, SHA pinning, and an actionlint pass over both files.28-drift-check.yaml: a manifest with the toggle ON generates both workflows, they are cascade-owned, and a freshverifyis clean. Ran under Docker: PASS.go build ./... && go test ./...(1531 pass) andgolangci-lint run ./...(clean); e2e module builds and vets clean.Closes #229