From 530b33fcc8679320809f6d4b1546f50534dffaee Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andre=CC=81=20Lange?=
Date: Sat, 4 Apr 2026 23:56:08 +0200
Subject: [PATCH] feat: consolidate forbid-artifacts into CI Gate
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Move the forbidden-file/history check from repo-safety.yml into ci.yml so that CI Gate is the single required status check — no manual juggling of multiple required checks in branch protection settings.
Gate now covers: test · lint · package · forbid-artifacts
Co-Authored-By: Claude Sonnet 4.6
---
 .github/workflows/ci.yml | 32 +++++++++++++++++++++++++++----
 .github/workflows/repo-safety.yml | 32 -------------------------------
 2 files changed, 28 insertions(+), 36 deletions(-)
 delete mode 100644 .github/workflows/repo-safety.yml
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 9a4edbf..3e9240c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -162,17 +162,41 @@ jobs:
 echo "CHANGELOG.md is up to date."
 fi
+ forbid-artifacts:
+ name: Forbid artifacts
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ - name: Fail if forbidden paths are tracked
+ run: |
+ set -euo pipefail
+ if git ls-files | grep -qE '(\.ssh/|\.db($|-)|.*\.sqlite|.*\.log$)'; then
+ echo "ERROR: forbidden files are tracked:"
+ git ls-files | grep -E '(\.ssh/|\.db($|-)|.*\.sqlite|.*\.log$)' || true
+ exit 1
+ fi
+ - name: Fail if history contains forbidden blobs
+ run: |
+ set -euo pipefail
+ if git rev-list --objects --all | grep -qE '(\.ssh/|.*\.db($|-)|.*\.sqlite|.*\.log$)'; then
+ echo "ERROR: forbidden artifacts exist in history:"
+ git rev-list --objects --all | grep -E '(\.ssh/|.*\.db($|-)|.*\.sqlite|.*\.log$)' || true
+ exit 1
+ fi
 gate:
 name: CI Gate
 runs-on: ubuntu-latest
- needs: [test, lint, package]
+ needs: [test, lint, package, forbid-artifacts]
 if: always()
 steps:
 - name: All required checks passed
 run: |
- if [[ "${{ needs.test.result }}" != "success" ]] ||
- [[ "${{ needs.lint.result }}" != "success" ]] ||
- [[ "${{ needs.package.result }}" != "success" ]]; then
+ if [[ "${{ needs.test.result }}" != "success" ]] ||
+ [[ "${{ needs.lint.result }}" != "success" ]] ||
+ [[ "${{ needs.package.result }}" != "success" ]] ||
+ [[ "${{ needs.forbid-artifacts.result }}" != "success" ]]; then
 echo "::error::One or more required checks failed — merge blocked."
 exit 1
 fi
diff --git a/.github/workflows/repo-safety.yml b/.github/workflows/repo-safety.yml
deleted file mode 100644
index e0370a4..0000000
--- a/.github/workflows/repo-safety.yml
+++ /dev/null
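Review bot: Both `grep -qE` pipelines in the new forbid-artifacts steps can report "no match" under `set -o pipefail` even when a forbidden path exists: `grep -q` exits on the first hit, and if the producer (`git rev-list --objects --all` in particular, whose output is large on a full-history checkout) is still writing it can die of SIGPIPE with status 141, which pipefail then makes the pipeline's status, so the `if` condition is false and the step passes. Capturing the grep output once and testing it for non-emptiness removes that false negative and also avoids running each scan twice. The two steps also carry slightly different patterns (`\.db($|-)` versus `.*\.db($|-)`), so defining one pattern at job `env:` level and referencing it from both steps keeps them from drifting apart; the fence below shows both steps reshaped that way, with the checkout step left as is.
```yaml
  forbid-artifacts:
    name: Forbid artifacts
    runs-on: ubuntu-latest
    env:
      # Single source for both steps so the two scans cannot drift apart.
      FORBIDDEN_RE: '(\.ssh/|\.db($|-)|\.sqlite|\.log$)'
    # … unchanged: steps: / actions/checkout@v4 with fetch-depth: 0 …
      - name: Fail if forbidden paths are tracked
        run: |
          set -euo pipefail
          # Capture rather than grep -q: under pipefail an early grep exit can
          # SIGPIPE the producer (status 141) and make the condition false.
          matches="$(git ls-files | grep -E "$FORBIDDEN_RE" || true)"
          if [[ -n "$matches" ]]; then
            echo "ERROR: forbidden files are tracked:"
            echo "$matches"
            exit 1
          fi
      - name: Fail if history contains forbidden blobs
        run: |
          set -euo pipefail
          matches="$(git rev-list --objects --all | grep -E "$FORBIDDEN_RE" || true)"
          if [[ -n "$matches" ]]; then
            echo "ERROR: forbidden artifacts exist in history:"
            echo "$matches"
            exit 1
          fi
```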
@@ -1,32 +0,0 @@
-name: repo-safety
-on:
- push:
- pull_request:
-
-jobs:
- forbid-artifacts:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v4
- with:
- fetch-depth: 0
- - name: Fail if forbidden paths are tracked
- run: |
- set -euo pipefail
- echo "Checking tracked files..."
- if git ls-files | egrep -q '(^\.ssh/|\.db($|-)|\.sqlite|\.log$)'; then
- echo "ERROR: forbidden files are tracked:"
- git ls-files | egrep '(^\.ssh/|\.db($|-)|\.sqlite|\.log$)' || true
- exit 1
- fi
- - name: Fail if history contains forbidden blobs
- run: |
- set -euo pipefail
- echo "Checking full history objects..."
- if git rev-list --objects --all | egrep -q '(^|/)(\.ssh/|.*\.db($|-)|.*\.sqlite|.*\.log$)'; then
- echo "ERROR: forbidden artifacts exist in history:"
- git rev-list --objects --all | egrep '(^|/)(\.ssh/|.*\.db($|-)|.*\.sqlite|.*\.log$)' || true
- exit 1
- fi