8367393813
* ci: enforce typecheck and add quality gates Remove continue-on-error on the Typecheck step: astro check currently reports 0 errors / 13 hints, so the step can block. Also run tracking:check and image:budget after the build so these quality gates actually fail CI when broken (they are defined in package.json but were never wired into the workflow). * chore: remove obsolete Tower deploy workflow The 'Deploy to Tower' workflow built the Astro Node adapter and scp'd it to Tower to run as a container on port 4321. Production has been served by Cloudflare since PR #5, so this pipeline only ever fails (Tower SSH secrets are stale and the target host is not the live origin). Removing it eliminates noisy red runs. * chore: monthly report tracks live required checks The report hardcoded a probe for 'Cross-stack coherence', which is no longer a required status check on main. Dump the live set from required_status_checks.contexts[] and .checks[].context instead, so the monthly report reflects whatever branch protection is configured at that point rather than a stale name.
95 lines
3.9 KiB
YAML
95 lines
3.9 KiB
YAML
name: Monthly Cross-stack Report
|
|
|
|
on:
|
|
schedule:
|
|
- cron: '10 7 1 * *'
|
|
workflow_dispatch:
|
|
|
|
permissions:
|
|
contents: read
|
|
actions: read
|
|
|
|
jobs:
|
|
monthly-report:
|
|
name: Monthly report
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Generate report
|
|
env:
|
|
GH_TOKEN: ${{ github.token }}
|
|
GH_REPO: ${{ github.repository }}
|
|
run: |
|
|
set -euo pipefail
|
|
|
|
NOW_UTC="$(date -u +'%Y-%m-%d %H:%M:%S UTC')"
|
|
OUT_DIR="artifacts"
|
|
OUT_FILE="$OUT_DIR/monthly-cross-stack-report-$(date -u +'%Y-%m-%d').md"
|
|
mkdir -p "$OUT_DIR"
|
|
|
|
WORKFLOWS_JSON="$(curl -sS -H "Authorization: Bearer $GH_TOKEN" -H "Accept: application/vnd.github+json" "https://api.github.com/repos/$GH_REPO/actions/workflows?per_page=100")"
|
|
RUNS_JSON="$(curl -sS -H "Authorization: Bearer $GH_TOKEN" -H "Accept: application/vnd.github+json" "https://api.github.com/repos/$GH_REPO/actions/runs?per_page=20")"
|
|
LABELS_JSON="$(curl -sS -H "Authorization: Bearer $GH_TOKEN" -H "Accept: application/vnd.github+json" "https://api.github.com/repos/$GH_REPO/labels?per_page=100")"
|
|
PROTECTION_STATUS_AND_BODY="$(curl -sS -w "\n%{http_code}" -H "Authorization: Bearer $GH_TOKEN" -H "Accept: application/vnd.github+json" "https://api.github.com/repos/$GH_REPO/branches/main/protection")"
|
|
PROTECTION_HTTP_CODE="$(echo "$PROTECTION_STATUS_AND_BODY" | tail -n1)"
|
|
PROTECTION_JSON="$(echo "$PROTECTION_STATUS_AND_BODY" | sed '$d')"
|
|
|
|
EXPECTED_LABELS=(core api web e2e deploy infra docs)
|
|
MISSING_LABELS=()
|
|
for lbl in "${EXPECTED_LABELS[@]}"; do
|
|
if ! echo "$LABELS_JSON" | jq -e --arg L "$lbl" '.[] | select(.name == $L)' >/dev/null; then
|
|
MISSING_LABELS+=("$lbl")
|
|
fi
|
|
done
|
|
|
|
REQUIRED_CHECKS_LIST="(unknown)"
|
|
if [ "$PROTECTION_HTTP_CODE" = "200" ]; then
|
|
REQUIRED_CHECKS_LIST="$(echo "$PROTECTION_JSON" | jq -r '
|
|
[
|
|
(.required_status_checks.contexts // [])[],
|
|
(.required_status_checks.checks // [])[].context
|
|
] | unique | .[]
|
|
' 2>/dev/null || true)"
|
|
if [ -z "$REQUIRED_CHECKS_LIST" ]; then
|
|
REQUIRED_CHECKS_LIST="(none)"
|
|
fi
|
|
fi
|
|
|
|
{
|
|
echo "# Monthly Cross-stack Report"
|
|
echo
|
|
echo "Generated: $NOW_UTC"
|
|
echo "Repository: $GH_REPO"
|
|
echo
|
|
echo "## Branch Protection (main) — Required Status Checks"
|
|
if [ "$PROTECTION_HTTP_CODE" != "200" ]; then
|
|
echo "- Note: branch protection endpoint not readable with current token (HTTP $PROTECTION_HTTP_CODE)."
|
|
elif [ "$REQUIRED_CHECKS_LIST" = "(none)" ]; then
|
|
echo "- No required status checks configured."
|
|
else
|
|
echo "$REQUIRED_CHECKS_LIST" | while IFS= read -r ctx; do
|
|
[ -n "$ctx" ] && echo "- $ctx"
|
|
done
|
|
fi
|
|
echo
|
|
echo "## Expected Labels"
|
|
if [ ${#MISSING_LABELS[@]} -eq 0 ]; then
|
|
echo "- All expected labels are present: core, api, web, e2e, deploy, infra, docs"
|
|
else
|
|
echo "- Missing labels: ${MISSING_LABELS[*]}"
|
|
fi
|
|
echo
|
|
echo "## Active Workflows"
|
|
echo "$WORKFLOWS_JSON" | jq -r '.workflows[] | "- \(.name) [\(.state)]"'
|
|
echo
|
|
echo "## Latest Runs (Top 10)"
|
|
echo "$RUNS_JSON" | jq -r '.workflow_runs[:10][] | "- \(.name) | \(.event) | \(.status) | \(.conclusion // "in_progress") | \(.html_url)"'
|
|
} > "$OUT_FILE"
|
|
|
|
cat "$OUT_FILE" >> "$GITHUB_STEP_SUMMARY"
|
|
|
|
- name: Upload report artifact
|
|
uses: actions/upload-artifact@v4
|
|
with:
|
|
name: monthly-cross-stack-report
|
|
path: artifacts/monthly-cross-stack-report-*.md
|