verify-network #2
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
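name: verify-network

# Network verification tiers (source-URL liveness + external cross-reference) and
# verified promotion, run in TechEngine against a TechAPI checkout. NEVER on
# pull_request - external sites, rate-limited. Scheduled + manual. Promotions are
# committed as TechEngineBot and opened as a human-gated PR on TechAPI; the job
# hard-guards that nothing but `verified` flags + the ledger changed.
#
# Security posture of this workflow:
#   * workflow_dispatch inputs reach the shell only through environment
#     variables (never `${{ }}` inside `run:`) and are validated as integers.
#   * The write-capable token is exposed only to the step that opens the PR.
#   * The diff guard fails closed: a failing git command, an untracked file, or
#     a non-textual change (binary, mode, rename) aborts the job.
# NOTE(review): `uses:` references below are mutable tags; pin them to full
# commit SHAs if the repository policy requires immutable action versions.

on:
  workflow_dispatch:
    inputs:
      apply:
        description: "Flip verified->true and open a PR on TechAPI (else dry-run)"
        type: boolean
        default: false
      max_urls:
        description: "Frontier records to URL-check"
        default: "2000"
      max_crossref:
        description: "Records to cross-reference"
        default: "500"
  schedule:
    - cron: "0 4 * * 1"  # Mondays 04:00 UTC

# GITHUB_TOKEN stays read-only; all writes to TechAPI go through the bot token.
permissions:
  contents: read

# One run at a time; a queued run waits instead of cancelling the active one.
concurrency:
  group: verify-network
  cancel-in-progress: false

jobs:
  verify-network:
    runs-on: ubuntu-latest
    env:
      PYTHONIOENCODING: utf-8
      # Scheduled runs always apply; manual runs apply only when requested.
      APPLY: ${{ github.event_name == 'schedule' || github.event.inputs.apply == 'true' }}
      TECHAPI_DATA_DIR: ${{ github.workspace }}/TechAPI/data
      # Inputs are handed to steps as data, not spliced into script text.
      MAX_URLS: ${{ github.event.inputs.max_urls || '2000' }}
      MAX_CROSSREF: ${{ github.event.inputs.max_crossref || '500' }}
      # NOTE(review): WRITE_TOKEN used to be defined here, which put the bot
      # token in the environment of every step (pip install, network fetches).
      # It is now set only on the PR step. If app.verify reads WRITE_TOKEN
      # itself, add it to that specific step - confirm against app.verify.
    steps:
      - name: Validate numeric inputs
        run: |
          for value in "$MAX_URLS" "$MAX_CROSSREF"; do
            case "$value" in
              ''|*[!0-9]*)
                echo "::error::expected a non-negative integer, got '$value'"
                exit 1
                ;;
            esac
          done

      - name: Checkout TechEngine
        uses: actions/checkout@v4
        with:
          # Nothing in this job pushes to TechEngine, so keep no token on disk.
          persist-credentials: false

      - name: Checkout TechAPI
        uses: actions/checkout@v4
        with:
          repository: GetTechAPI/TechAPI
          path: TechAPI
          fetch-depth: 0
          # NOTE(review): this token is persisted in TechAPI/.git/config so the
          # later `git push` works, which also leaves it readable by every
          # intermediate step. Consider persist-credentials: false plus an
          # explicit credential setup in the PR step.
          token: ${{ secrets.TECHENGINEBOT_TOKEN || secrets.TECHAPI_TOKEN || secrets.GITHUB_TOKEN }}

      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
          cache: pip

      - name: Install TechEngine
        run: pip install -e .

      - name: Tier 0 score (writes scores cache)
        run: python -m app.verify score

      - name: Tier 1 source-URL liveness
        run: python -m app.verify check-urls --max "$MAX_URLS"

      - name: Tier 2 external cross-reference
        run: python -m app.verify crossref --max "$MAX_CROSSREF"

      - name: Tier 3 promote (dry-run)
        run: python -m app.verify promote

      - name: Tier 3 promote (apply)
        if: ${{ env.APPLY == 'true' }}
        run: python -m app.verify promote --apply

      - name: Structural validator self-check
        if: ${{ env.APPLY == 'true' }}
        run: python -m app.validate

      # Guard: the only changes in TechAPI may be `verified` toggles in
      # data/**.json (the ledger under data/_verify/ is expected to change too).
      # The comparison is against HEAD so staged edits are covered as well, and
      # untracked files are rejected because the PR step runs `git add data/`.
      # NOTE(review): both `"verified": true` and `"verified": false` lines are
      # accepted, so a true->false flip passes even though the commit message
      # says false->true only - confirm whether demotions are intended.
      - name: Guard diff scope
        if: ${{ env.APPLY == 'true' }}
        run: |
          python - <<'PY'
          import subprocess, sys

          ALLOWED = ('"verified": true', '"verified": false')
          SCOPE = ["data/", ":(exclude)data/_verify/**"]
          # Extended-header lines that mean "this is not a plain text edit".
          REJECT_HEADERS = ("Binary files ", "old mode ", "new mode ",
                            "new file mode ", "deleted file mode ",
                            "rename ", "copy ")

          def git(*args):
              # check=True: a failing git must fail the guard; empty stdout
              # from an error would otherwise read as "nothing changed".
              return subprocess.run(
                  ["git", "-C", "TechAPI", *args],
                  capture_output=True, text=True, check=True).stdout

          bad = []
          for line in git("diff", "--unified=0", "HEAD", "--", *SCOPE).splitlines():
              if line.startswith(REJECT_HEADERS):
                  bad.append(line)
                  continue
              if line.startswith(("+++", "---", "@@", "diff ", "index ")):
                  continue
              if line.startswith(("+", "-")) and line[1:].strip():
                  body = line[1:].strip().rstrip(",")
                  if body not in ALLOWED:
                      bad.append(line)

          # New files never show up in `git diff`, but `git add data/` would
          # still commit them, so list them explicitly.
          for path in git("ls-files", "--others", "--exclude-standard",
                          "--", *SCOPE).splitlines():
              bad.append(f"untracked: {path}")

          if bad:
              print("Unexpected non-verified changes:")
              print("\n".join(bad[:50]))
              sys.exit(1)
          print("diff scope OK: only verified toggles")
          PY

      - name: Open promotion PR on TechAPI (TechEngineBot)
        if: ${{ env.APPLY == 'true' }}
        env:
          # Write-capable token, scoped to this step only.
          GH_TOKEN: ${{ secrets.TECHENGINEBOT_TOKEN || secrets.TECHAPI_TOKEN }}
        run: |
          set -euo pipefail
          cd TechAPI
          if git diff --quiet -- data/; then
            echo "no promotions to commit"; exit 0
          fi
          # Runner-provided variable instead of an inline expression.
          branch="verify/promote-${GITHUB_RUN_ID}"
          git config user.name "TechEngineBot"
          git config user.email "289859915+TechEngineBot@users.noreply.github.com"
          git checkout -b "$branch"
          git add data/
          git commit -m "data(verify): promote records to verified (reality cross-reference)
          Auto-promotions from the verification layer (green+live-source or crossref-confirm).
          Each flip is verified:false->true only; see data/_verify/ledger.jsonl. Refs #1"
          git push origin "$branch"
          gh pr create --repo GetTechAPI/TechAPI --base main --head "$branch" \
            --title "data(verify): verified promotions ($(date -u +%Y-%m-%d))" \
            --body "Automated verified promotions from \`app.verify promote\` (run in TechEngine). Each change flips only the \`verified\` flag; structural validator passed and diff scope guarded. Review before merge. Refs #1"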