ci: centralize path-gating behind single orchestrator + all-checks-pass gate

Replace the scattered per-workflow detect-changes pattern with a single ci.yml orchestrator that runs the classifier once, then conditionally calls sub-workflows via workflow_call based on lane outputs. A final all-checks-pass job (if: always()) aggregates all results so branch protection only needs to require one check.

Changes:
- New .github/workflows/ci.yml orchestrator (detect + conditional calls + all-checks-pass gate)
- Extend classify_changes.py with scan/deps/mcp_catalog lanes, absorbing supply-chain-audit's internal changes job
- Update detect-changes/action.yml to expose the new lane outputs
- Convert all 10 PR-gated sub-workflows to workflow_call-only triggers, removing their push/pull_request triggers and per-step detect-changes guards (gating now happens at the orchestrator level)
- lint.yml + supply-chain-audit.yml receive event_name as a workflow_call input to replace github.event_name (which is "workflow_call" inside called workflows)
- supply-chain-audit.yml: remove internal changes job + *-gate jobs (orchestrator handles gating, booleans arrive as inputs)
- contributor-check.yml: remove internal filter step
- Update test_classify_changes.py for 6-lane output + new supply-chain test cases
name: 'Docker / shell lint'

# Static checks on the container build inputs: hadolint on the Dockerfile and
# shellcheck on every shell script under docker/. They catch what the
# behavioral docker-publish smoke test can't — unquoted variable expansions,
# RUN commands that fail silently, and similar.
#
# hadolint rules and ignores live in .hadolint.yaml at the repo root.
# shellcheck runs at --severity=error on purpose: SC1091-style "can't follow
# sourced script" findings are info-level, and the .venv activate script is
# not present at lint time, so they would otherwise fail the job.
# Invoked only from the ci.yml orchestrator via workflow_call; this file has
# no push/pull_request trigger of its own, so path gating is the caller's job.
on:
  workflow_call:
# Least privilege: both jobs only need to read the checkout. A called workflow
# cannot widen what the caller granted, but declaring it here keeps the linter
# jobs read-only regardless of the caller's own permissions block.
permissions:
  contents: read
# One lint run per ref; a newer run on the same ref cancels the older one.
# Inside a called workflow the github context is the caller's, so this groups
# by the triggering branch/PR ref rather than by this file.
concurrency:
  group: docker-lint-${{ github.ref }}
  cancel-in-progress: true
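jobs:
  # Lints the Dockerfile with hadolint; fails on anything at warning level or
  # above. Rule configuration comes from .hadolint.yaml at the repo root.
  hadolint:
    name: Lint Dockerfile (hadolint)
    runs-on: ubuntu-latest
    timeout-minutes: 5
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Lint-only job: no later step pushes or talks to the API, so don't
          # leave GITHUB_TOKEN in .git/config where the third-party lint
          # action (and anything it runs) could read it.
          persist-credentials: false

      - name: hadolint
        uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0
        with:
          dockerfile: Dockerfile
          config: .hadolint.yaml
          failure-threshold: warning

  # Lints every shell script under docker/ with shellcheck at error severity.
  shellcheck:
    name: Lint docker/ shell scripts (shellcheck)
    runs-on: ubuntu-latest
    timeout-minutes: 5
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Same as above: the checkout token is not needed once files are on
          # disk, so don't persist it for the shellcheck action.
          persist-credentials: false

      - name: shellcheck
        uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # v2.0.0
        env:
          # Severity = error: SC1091 (can't follow sourced script) is info-
          # level and would otherwise fail when the venv activate script
          # doesn't exist at lint time.
          SHELLCHECK_OPTS: --severity=error
        with:
          scandir: ./docker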