-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathaction.yml
More file actions
236 lines (208 loc) · 8.22 KB
/
Copy pathaction.yml
File metadata and controls
236 lines (208 loc) · 8.22 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
name: 'spec-sync'
description: 'Gate verified SDD changes and validate module specs against source code with SpecSync'
branding:
icon: 'check-circle'
color: 'green'
inputs:
version:
description: 'SpecSync version to use (e.g. "1.0.0" or "latest")'
required: false
default: '5.1.1'
download-base-url:
description: 'Optional trusted release mirror URL (primarily for enterprise mirrors and release validation)'
required: false
default: ''
strict:
description: 'Treat warnings as errors'
required: false
default: 'false'
require-coverage:
description: 'Minimum file coverage percentage (0-100)'
required: false
default: '0'
root:
description: 'Project root directory'
required: false
default: '.'
args:
description: 'Additional whitespace-separated arguments to pass to specsync check (shell quoting is not supported)'
required: false
default: ''
lifecycle-enforce:
description: 'Run lifecycle enforcement checks (--all). Fails CI if specs violate lifecycle rules.'
required: false
default: 'false'
comment:
description: 'Post spec drift results as a PR comment (requires pull_request event and write permissions)'
required: false
default: 'false'
token:
description: 'GitHub token for posting PR comments (defaults to GITHUB_TOKEN)'
required: false
default: '${{ github.token }}'
runs:
using: 'composite'
steps:
- name: Download SpecSync
shell: bash
env:
SPECSYNC_VERSION: ${{ inputs.version }}
SPECSYNC_DOWNLOAD_BASE_URL: ${{ inputs.download-base-url }}
run: |
set -euo pipefail
# Detect OS
case "$RUNNER_OS" in
Linux) OS="linux" ;;
macOS) OS="macos" ;;
Windows) OS="windows" ;;
*)
echo "::error::Unsupported runner OS: $RUNNER_OS"
exit 1
;;
esac
# Detect architecture
ARCH="$(uname -m)"
case "$ARCH" in
x86_64|amd64) ARCH="x86_64" ;;
aarch64|arm64) ARCH="aarch64" ;;
*)
echo "::error::Unsupported architecture: $ARCH"
exit 1
;;
esac
REPO="CorvidLabs/spec-sync"
# Determine download URL
if [ -n "$SPECSYNC_DOWNLOAD_BASE_URL" ]; then
BASE_URL="${SPECSYNC_DOWNLOAD_BASE_URL%/}"
elif [ "$SPECSYNC_VERSION" = "latest" ]; then
BASE_URL="https://github.com/${REPO}/releases/latest/download"
else
BASE_URL="https://github.com/${REPO}/releases/download/v${SPECSYNC_VERSION}"
fi
# Download and install
INSTALL_DIR="${RUNNER_TEMP}/specsync"
mkdir -p "$INSTALL_DIR"
if [ "$OS" = "windows" ]; then
ARCHIVE="specsync-${OS}-${ARCH}.exe.zip"
curl -fsSL "${BASE_URL}/${ARCHIVE}" -o "${INSTALL_DIR}/specsync.zip"
curl -fsSL "${BASE_URL}/${ARCHIVE}.sha256" -o "${INSTALL_DIR}/specsync.sha256"
echo "Verifying checksum..."
cd "$INSTALL_DIR"
EXPECTED=$(awk '{print $1}' specsync.sha256)
ACTUAL=$(shasum -a 256 specsync.zip | awk '{print $1}')
if [ "$EXPECTED" != "$ACTUAL" ]; then
echo "::error::Checksum verification failed! Expected: $EXPECTED, Got: $ACTUAL"
exit 1
fi
echo "::notice::Checksum verified"
cd -
unzip -o "${INSTALL_DIR}/specsync.zip" -d "$INSTALL_DIR"
mv "${INSTALL_DIR}/specsync-${OS}-${ARCH}.exe" "${INSTALL_DIR}/specsync.exe"
else
ARCHIVE="specsync-${OS}-${ARCH}.tar.gz"
curl -fsSL "${BASE_URL}/${ARCHIVE}" -o "${INSTALL_DIR}/${ARCHIVE}"
curl -fsSL "${BASE_URL}/${ARCHIVE}.sha256" -o "${INSTALL_DIR}/${ARCHIVE}.sha256"
echo "Verifying checksum..."
cd "$INSTALL_DIR"
shasum -a 256 -c "${ARCHIVE}.sha256"
echo "::notice::Checksum verified"
cd -
tar xz -C "$INSTALL_DIR" -f "${INSTALL_DIR}/${ARCHIVE}"
mv "${INSTALL_DIR}/specsync-${OS}-${ARCH}" "${INSTALL_DIR}/specsync"
chmod +x "${INSTALL_DIR}/specsync"
fi
# Add to PATH
echo "${INSTALL_DIR}" >> "$GITHUB_PATH"
echo "::notice::SpecSync installed (${OS}/${ARCH}) from ${BASE_URL}/${ARCHIVE}"
- name: Run SpecSync
shell: bash
id: specsync
working-directory: ${{ inputs.root }}
env:
INPUT_STRICT: ${{ inputs.strict }}
INPUT_REQUIRE_COVERAGE: ${{ inputs.require-coverage }}
INPUT_ARGS: ${{ inputs.args }}
INPUT_COMMENT: ${{ inputs.comment }}
INPUT_LIFECYCLE_ENFORCE: ${{ inputs.lifecycle-enforce }}
run: |
set -euo pipefail
if ! [[ "$INPUT_REQUIRE_COVERAGE" =~ ^[0-9]+$ ]] || [ "$INPUT_REQUIRE_COVERAGE" -gt 100 ]; then
echo "::error::require-coverage must be an integer from 0 to 100"
exit 1
fi
# Always use --force in CI — hash cache is not committed, so
# every CI run validates all specs from scratch.
CMD=(specsync check --force)
if [ "$INPUT_STRICT" = "true" ]; then
CMD+=(--strict)
fi
if [ "$INPUT_REQUIRE_COVERAGE" != "0" ]; then
CMD+=(--require-coverage "$INPUT_REQUIRE_COVERAGE")
fi
if [ -n "$INPUT_ARGS" ]; then
# INPUT_ARGS is intentionally split on whitespace only across all lines.
# Shell quoting, substitutions, pipes, and other shell syntax are not evaluated.
NORMALIZED_ARGS="${INPUT_ARGS//$'\r'/ }"
NORMALIZED_ARGS="${NORMALIZED_ARGS//$'\n'/ }"
NORMALIZED_ARGS="${NORMALIZED_ARGS//$'\t'/ }"
read -r -a EXTRA_ARGS <<< "$NORMALIZED_ARGS"
CMD+=("${EXTRA_ARGS[@]}")
fi
echo "::group::SpecSync Check"
printf 'Running:'
printf ' %q' "${CMD[@]}"
printf '\n'
EXIT_CODE=0
"${CMD[@]}" || EXIT_CODE=$?
echo "::endgroup::"
# If lifecycle enforcement is enabled, run it (may override exit code)
if [ "$INPUT_LIFECYCLE_ENFORCE" = "true" ]; then
echo "::group::SpecSync Lifecycle Enforce"
specsync lifecycle enforce --all || EXIT_CODE=$?
echo "::endgroup::"
fi
# If comment mode is enabled, generate the rich comment body
# Uses the same `specsync comment` pipeline as our own CI workflow
# for identical output between the marketplace action and direct usage.
if [ "$INPUT_COMMENT" = "true" ]; then
COMMENT_CMD=(specsync comment)
if [ "$INPUT_STRICT" = "true" ]; then
COMMENT_CMD+=(--strict)
fi
if [ "$INPUT_REQUIRE_COVERAGE" != "0" ]; then
COMMENT_CMD+=(--require-coverage "$INPUT_REQUIRE_COVERAGE")
fi
COMMENT_OUTPUT=$("${COMMENT_CMD[@]}" 2>/dev/null) || true
{
echo "SPECSYNC_MARKDOWN<<SPECSYNC_EOF"
echo "$COMMENT_OUTPUT"
echo "SPECSYNC_EOF"
} >> "$GITHUB_ENV"
fi
exit $EXIT_CODE
- name: Post PR Comment
if: inputs.comment == 'true' && github.event_name == 'pull_request' && always()
shell: bash
env:
GH_TOKEN: ${{ inputs.token }}
PR_NUMBER: ${{ github.event.pull_request.number }}
REPO: ${{ github.repository }}
run: |
set -euo pipefail
if [ -z "${SPECSYNC_MARKDOWN:-}" ]; then
echo "No drift output to comment"
exit 0
fi
COMMENT_BODY="$(printf '%s\n\n---\n<sub>Posted by [SpecSync](https://github.com/CorvidLabs/spec-sync) via GitHub Actions</sub>' "$SPECSYNC_MARKDOWN")"
# Check for existing SpecSync comment and update it, or create new
EXISTING_COMMENT_ID=$(gh api "repos/${REPO}/issues/${PR_NUMBER}/comments" \
--jq '.[] | select(.body | contains("Posted by [SpecSync]")) | .id' | head -1)
if [ -n "$EXISTING_COMMENT_ID" ]; then
gh api "repos/${REPO}/issues/comments/${EXISTING_COMMENT_ID}" \
-X PATCH -f body="$COMMENT_BODY" > /dev/null
echo "::notice::Updated existing SpecSync PR comment"
else
gh api "repos/${REPO}/issues/${PR_NUMBER}/comments" \
-f body="$COMMENT_BODY" > /dev/null
echo "::notice::Posted SpecSync PR comment"
fi