feat: emit environments.json from the manifest #239
Merged
Signed-off-by: Joshua Temple <joshua.temple@stablekernel.com>
Problem
GitHub environment protection rules (required reviewers, wait timers, deployment branch and tag policies) and environment-scoped secret and variable names are repository configuration, not workflow YAML. The manifest could not express them, so operators set them by hand with no single source of truth tied to the manifest.
Fix
Add a cascade environments command that emits a deterministic, per-environment environments.json derived from the manifest. The operator applies it out of band (gh api / Terraform); cascade never calls the GitHub API. This is the additive sibling of the branch-protection command (#5).
- EnvironmentConfig with additive omitempty fields: required_reviewers ([]string slugs), wait_timer (int, 0..43200), branch_policy (protected|custom|all), branch_patterns / tag_patterns ([]string, custom only), secrets / variables ([]string, NAMES only, never values). CurrentSchemaVersion is unchanged.
- internal/environments package mirroring internal/branchprotection: each entry pairs the directly-appliable Environments REST body (wait_timer, deployment_branch_policy) with operator_todo guidance. Reviewers are surfaced as slugs under operator_todo because the REST API needs a numeric id the manifest does not carry; secret and variable names are surfaced for the operator to create with values out of band.
- MarshalIndent, single trailing newline.
- internal/generate/{plan,marker,verify}.go are untouched and the command is not added to generate.Plan.
Verification
- go build ./cmd/... ./internal/..., go test ./... (1588 passed), golangci-lint run ./... (no issues), e2e module build/vet/lint clean.
- --output, parity), and e2e scenario 29-environment-config-emit proving the enriched manifest parses and regenerates byte-identically (ran green under Docker).
- manifest.schema.json copies regenerated and byte-identical.
Closes #186.
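The field constraints listed in the description (wait_timer range, custom-only patterns, names-only secrets) and the deterministic REST body, as an added Go example that is not code from this PR or from cascade. EnvConfig, Body and nameRE are hypothetical names; the name pattern and treating an unset branch_policy like all are assumptions; the protected_branches / custom_branch_policies keys are those of GitHub's Environments REST API.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// EnvConfig is a hypothetical stand-in for the manifest fields the PR names.
type EnvConfig struct {
	WaitTimer                                        int
	BranchPolicy                                     string
	BranchPatterns, TagPatterns, Secrets, Variables []string
}

// Assumed name shape: letters, digits, underscore. Rejects a pasted "NAME=value".
var nameRE = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)

// Body validates c and returns the directly-appliable REST body as JSON.
func Body(c EnvConfig) ([]byte, error) {
	if c.WaitTimer < 0 || c.WaitTimer > 43200 {
		return nil, fmt.Errorf("wait_timer %d outside 0..43200", c.WaitTimer)
	}
	if c.BranchPolicy != "custom" && len(c.BranchPatterns)+len(c.TagPatterns) > 0 {
		return nil, fmt.Errorf("patterns are only valid with branch_policy custom")
	}
	for _, n := range append(append([]string{}, c.Secrets...), c.Variables...) {
		if !nameRE.MatchString(n) {
			return nil, fmt.Errorf("%q is not a bare name; values stay out of the manifest", n)
		}
	}
	var policy interface{} // stays nil (JSON null, no restriction) for "all" or unset
	switch c.BranchPolicy {
	case "protected":
		policy = map[string]bool{"protected_branches": true, "custom_branch_policies": false}
	case "custom":
		policy = map[string]bool{"protected_branches": false, "custom_branch_policies": true}
	case "all", "":
	default:
		return nil, fmt.Errorf("unknown branch_policy %q", c.BranchPolicy)
	}
	out, err := json.MarshalIndent(map[string]interface{}{ // map keys are emitted sorted
		"deployment_branch_policy": policy, "wait_timer": c.WaitTimer}, "", "  ")
	return append(out, '\n'), err // single trailing newline
}

func main() { // constructed sample input
	b, err := Body(EnvConfig{WaitTimer: 30, BranchPolicy: "protected", Secrets: []string{"DEPLOY_KEY"}})
	fmt.Printf("%s(err=%v)\n", b, err)
}
```

Secret and variable names are checked but never written into the body, matching the description's split between the REST body and operator_todo.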