verify-network #3
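name: verify-network
# Network verification tiers (source-URL liveness + external cross-reference) and
# verified promotion. NEVER runs on pull_request — these tiers hit external sites,
# are rate-limited, and must not gate a merge. Scheduled + manual only. Promotions
# are written on a branch and opened as a PR for human review; the job hard-guards
# that nothing but `verified` flags and the ledger changed.
on:
  workflow_dispatch:
    inputs:
      apply:
        description: "Flip verified->true and open a PR (otherwise dry-run only)"
        type: boolean
        default: false
      max_urls:
        description: "Frontier records to URL-check"
        default: "2000"
      max_crossref:
        description: "Yellow/red records to cross-reference"
        default: "500"
  schedule:
    - cron: "0 4 * * 1"  # Mondays 04:00 UTC

# Least privilege: the job only needs to push a branch and open a PR.
permissions:
  contents: write
  pull-requests: write

jobs:
  verify-network:
    runs-on: ubuntu-latest
    env:
      PYTHONIOENCODING: utf-8
      # Apply (open a promotion PR) on the weekly schedule and on manual apply=true.
      # Manual runs without apply stay dry-run for previewing.
      APPLY: ${{ github.event_name == 'schedule' || github.event.inputs.apply == 'true' }}
      # Operator inputs reach the shell through env, never by interpolating the
      # expression into `run:` text, so they cannot alter the command line.
      # On schedule runs the inputs are empty and the defaults apply.
      MAX_URLS: ${{ github.event.inputs.max_urls || '2000' }}
      MAX_CROSSREF: ${{ github.event.inputs.max_crossref || '500' }}
    steps:
      # TODO(review): pin actions to a full commit SHA (e.g. actions/checkout@<commit-sha>)
      # instead of a mutable major tag so an upstream tag move cannot change what runs here.
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      # Fail early on malformed inputs rather than deep inside the verify tiers.
      - name: Validate inputs
        run: |
          for v in "$MAX_URLS" "$MAX_CROSSREF"; do
            [[ "$v" =~ ^[0-9]+$ ]] || { echo "max_urls/max_crossref must be non-negative integers, got '$v'" >&2; exit 1; }
          done
      # Resumable caches (URL + crossref). Recomputable, so a miss is harmless.
      - name: Restore verify caches
        uses: actions/cache@v4
        with:
          path: data/_verify/state
          key: verify-state-${{ github.run_id }}
          restore-keys: verify-state-
      - name: Tier 0 score (writes scores cache)
        run: python -m app.verify score
      - name: Tier 1 source-URL liveness
        run: python -m app.verify check-urls --max "$MAX_URLS"
      - name: Tier 2 external cross-reference
        run: python -m app.verify crossref --max "$MAX_CROSSREF"
      - name: Tier 3 promote (dry-run)
        run: python -m app.verify promote
      - name: Tier 3 promote (apply)
        if: ${{ env.APPLY == 'true' }}
        run: python -m app.verify promote --apply
      - name: Structural validator self-check
        if: ${{ env.APPLY == 'true' }}
        run: python -m app.validate
      # Guard: the only changes may be `verified` toggles in data/**.json plus the
      # promotion ledger. Anything else fails the run loudly — including NEW files
      # under data/ (invisible to `git diff`, but `git add data/` below would stage
      # them), binary changes (no +/- lines) and non-.json paths.
      - name: Guard diff scope
        if: ${{ env.APPLY == 'true' }}
        run: |
          python - <<'PY'
          import subprocess, sys

          # Record files only — the promotion ledger (data/_verify/) is expected to change.
          PATHSPEC = ["--", "data/", ":(exclude)data/_verify/**"]

          def git(*args):
              # check=True: a failing git command must fail the guard, not pass it
              # silently on empty output.
              return subprocess.run(["git", *args, *PATHSPEC],
                                    capture_output=True, text=True, check=True).stdout

          bad = []
          # Untracked (new) files never appear in `git diff`; reject them explicitly.
          for line in git("status", "--porcelain", "--untracked-files=all").splitlines():
              if line.startswith("??"):
                  bad.append(line)
          # Only JSON record files may change at all.
          for path in git("diff", "--name-only", "HEAD").splitlines():
              if not path.endswith(".json"):
                  bad.append("non-json path changed: " + path)
          # Compare the working tree against HEAD so staged and unstaged edits are both seen.
          for line in git("diff", "--unified=0", "HEAD").splitlines():
              if line.startswith(("+++", "---", "@@", "diff ", "index ")):
                  continue
              if line.startswith("Binary files"):
                  bad.append(line)
                  continue
              if line.startswith(("+", "-")) and line[1:].strip():
                  body = line[1:].strip().rstrip(",")
                  if body not in ('"verified": true', '"verified": false'):
                      bad.append(line)
          if bad:
              print("Unexpected non-verified changes:")
              print("\n".join(bad[:50]))
              sys.exit(1)
          print("diff scope OK: only verified toggles")
          PY
      - name: Open promotion PR
        if: ${{ env.APPLY == 'true' }}
        env:
          # A bot PAT is preferred; GITHUB_TOKEN is the fallback (PRs it opens
          # generally do not trigger other workflows on this repo).
          GH_TOKEN: ${{ secrets.ENGINE_TOKEN || secrets.TECHAPI_TOKEN || secrets.GITHUB_TOKEN }}
        run: |
          set -euo pipefail
          # Use status (not diff) so the early exit agrees with what `git add` would stage.
          if [ -z "$(git status --porcelain -- data/)" ]; then
            echo "no promotions to commit"; exit 0
          fi
          branch="verify/promote-${{ github.run_id }}"
          git config user.name "TechEngineBot"
          git config user.email "289859915+TechEngineBot@users.noreply.github.com"
          git checkout -b "$branch"
          git add data/
          git commit -m "data(verify): promote records to verified via cross-reference

          Auto-promotions from the verification layer (green+live-source or crossref-confirm).
          Each flip is verified:false->true only; see data/_verify/ledger.jsonl. Refs #1"
          git push origin "$branch"
          gh pr create --base main --head "$branch" \
            --title "data(verify): verified promotions ($(date -u +%Y-%m-%d))" \
            --body "Automated verified promotions from \`app.verify promote\`. Each change flips only the \`verified\` flag; structural validator passed and diff scope guarded. Review before merge. Refs #1"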