feat: Claude auto-update, spec workflow overhaul, share URL shortener #27
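---
name: supply-chain

on:
  push:
    branches: [main, dev]
  pull_request:
    branches: [main]
  schedule:
    - cron: '0 3 * * *'
  workflow_dispatch: {}

# Workflow-level default for any job that does not declare its own
# `permissions` block. The only job below declares one, and a job-level
# block replaces this set entirely, so the previously listed
# `pull-requests: read` / `checks: write` were never in effect and a
# write scope is not needed here. Keep this at read-only so a future job
# added without its own block starts least-privileged.
permissions:
  contents: read

jobs:
  supply-chain:
    name: supply-chain
    permissions:
      contents: read
      # `issues: write` is scoped to this job and only used by the nightly
      # cron's failure-handler step. PR + workflow_dispatch invocations don't
      # need it, so granting at the workflow level was over-scoped.
      issues: write
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - name: Checkout
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4

      - name: Install git-crypt
        # `launcher/**` and `console/**` are git-crypt encrypted — without
        # decryption, the drift checker reads encrypted bytes and crashes on
        # invalid UTF-8 (or now, emits a Finding for every encrypted file).
        run: sudo apt-get update && sudo apt-get install -y git-crypt

      - name: Unlock repository
        # NOTE(review): repository secrets are not exposed to pull_request
        # runs triggered from forks, so GIT_CRYPT_KEY is empty there — confirm
        # that setup-git-crypt.sh fails loudly (or skips) on an empty key
        # rather than leaving the encrypted files in place for the drift check.
        env:
          GIT_CRYPT_KEY: ${{ secrets.GIT_CRYPT_KEY }}
        run: bash .github/workflows/scripts/setup-git-crypt.sh

      - name: Set up Python
        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
        with:
          python-version: '3.12'

      - name: Install Python deps for the manifest tooling
        # Pinned by version only; for a supply-chain job a hash-pinned
        # requirements file (`pip install --require-hashes -r ...`) would
        # also defend against a replaced artifact at that version.
        run: python -m pip install --upgrade pip "PyYAML==6.0.3"

      - name: Manifest schema validation
        # PYTHONPATH points at the checkout so `installer.manifest` resolves
        # without installing the package.
        env:
          PYTHONPATH: ${{ github.workspace }}
        run: python -c "from installer import manifest; manifest.validate(manifest.load())"

      - name: Drift check
        env:
          PYTHONPATH: ${{ github.workspace }}
        run: python scripts/check_manifest_drift.py

      - name: Open issue on nightly failure
        # Only fires for the scheduled run; PR and manual failures are
        # visible in the run itself and should not create issues.
        if: failure() && github.event_name == 'schedule'
        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
        with:
          # The issue title/body interpolate only trusted workflow context
          # (sha, run id, repo); keep it that way — do not add PR- or
          # commit-supplied text such as titles or messages here.
          script: |
            await github.rest.issues.create({
              ...context.repo,
              title: `Supply-chain: nightly scan failed (${new Date().toISOString().slice(0,10)})`,
              body: `Nightly supply-chain scan failed for ${context.sha}. See workflow run: ${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`,
              labels: ['security', 'supply-chain']
            });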