ci: add Phase 1 CI workflow #4
`.github/workflows/sync-from-codezero.yml` as added by this PR:

```yaml
name: sync-from-codezero

# One-way export of the private source repo (CodeZero) into this public
# distribution repo (CodeZ). See scripts/sync-from-codezero.sh and
# docs/sync-from-codezero.md.
#
# Two jobs:
#   drift-check — on every push/PR to main, fail if CodeZ has fallen behind
#                 CodeZero. This is the guard that stops the two repos from
#                 silently diverging again.
#   sync        — manual (workflow_dispatch). Runs the export and opens a PR
#                 with the synced changes. Never commits to main directly.
#
# Both jobs check out CodeZero read-only. The default GITHUB_TOKEN cannot read
# a separate private repo, so a PAT (or fine-grained token) with read access to
# OpZero-sh/CodeZero must be provided as the CODEZERO_RO_TOKEN secret. When the
# secret is absent (e.g. on forks), the jobs skip rather than fail.

on:
  workflow_dispatch:
  push:
    branches: [main]
  pull_request:
    branches: [main]

permissions:
  contents: read

jobs:
  drift-check:
    runs-on: ubuntu-latest
    steps:
      - name: Check out CodeZ (distro)
        uses: actions/checkout@v4
        with:
          path: codez

      - name: Check for source access
        id: gate
        run: |
          if [ -n "${{ secrets.CODEZERO_RO_TOKEN }}" ]; then
            echo "have_token=true" >> "$GITHUB_OUTPUT"
          else
            echo "have_token=false" >> "$GITHUB_OUTPUT"
            echo "::notice::CODEZERO_RO_TOKEN not set; skipping drift check."
          fi

      - name: Check out CodeZero (source, read-only)
        if: steps.gate.outputs.have_token == 'true'
        uses: actions/checkout@v4
        with:
          repository: OpZero-sh/CodeZero
          token: ${{ secrets.CODEZERO_RO_TOKEN }}
          path: codezero

      - name: Verify CodeZ is in sync with CodeZero
        if: steps.gate.outputs.have_token == 'true'
        working-directory: codez
        run: ./scripts/sync-from-codezero.sh --source "${GITHUB_WORKSPACE}/codezero" --check

  sync:
    if: github.event_name == 'workflow_dispatch'
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
    steps:
      - name: Check out CodeZ (distro)
        uses: actions/checkout@v4
        with:
          path: codez

      - name: Require source access
        run: |
          if [ -z "${{ secrets.CODEZERO_RO_TOKEN }}" ]; then
            echo "::error::CODEZERO_RO_TOKEN is required to run the sync." >&2
            exit 1
          fi

      - name: Check out CodeZero (source, read-only)
        uses: actions/checkout@v4
        with:
          repository: OpZero-sh/CodeZero
          token: ${{ secrets.CODEZERO_RO_TOKEN }}
          path: codezero

      - uses: oven-sh/setup-bun@v2

      - name: Run export
        working-directory: codez
        run: ./scripts/sync-from-codezero.sh --source "${GITHUB_WORKSPACE}/codezero"

      - name: Refresh lockfile for pinned hub client
        working-directory: codez
        run: bun install

      - name: Open sync PR
        uses: peter-evans/create-pull-request@v6
        with:
          path: codez
          branch: sync/from-codezero
          title: "chore: sync from CodeZero"
          commit-message: |
            chore: sync from CodeZero

            Deterministic one-way export via scripts/sync-from-codezero.sh.

            Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
          body: |
            Automated one-way export of source changes from the private
            **CodeZero** repo into this **CodeZ** distribution repo.

            Generated by `scripts/sync-from-codezero.sh`. Excludes private
            source-only paths (RUNBOOK, docs/research, etc.) and preserves
            distro-only files (LICENSE, .env.example). See
            `docs/sync-from-codezero.md`.

            Review the diff before merging — this replaces the old manual
            force-sync.
          labels: sync
```
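Review bot: the two gate steps ("Check for source access" and "Require source access") splice the secret into the shell script text with `${{ secrets.CODEZERO_RO_TOKEN }}` inside `run:`, which means the token value is substituted into the command before the shell sees it; pass it through `env:` instead and test the variable, e.g. `env: { CODEZERO_RO_TOKEN: ${{ secrets.CODEZERO_RO_TOKEN }} }` with `if [ -n "$CODEZERO_RO_TOKEN" ]; then`, so the value never becomes part of the script body. Related, both "Check out CodeZero (source, read-only)" steps hand the PAT to `actions/checkout@v4` via `token:` but leave `persist-credentials` at its default of `true`, so the read token is written into `codezero/.git/config` and stays available to every later step (including `bun install`); nothing in either job pushes with it, so add `persist-credentials: false` to those two steps. Two smaller points: the header comment says "the jobs skip rather than fail" when the secret is absent, but `sync` does `exit 1`, so either the comment or the step should say which behaviour is intended; and the third-party actions (`actions/checkout@v4`, `oven-sh/setup-bun@v2`, `peter-evans/create-pull-request@v6`) are pinned to mutable tags rather than full commit SHAs, which for a job holding `contents: write` and `pull-requests: write` is worth tightening.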