# sync-from-codezero.yml
name: sync-from-codezero

# One-way export of the private source repo (CodeZero) into this public
# distribution repo (CodeZ). See scripts/sync-from-codezero.sh and
# docs/sync-from-codezero.md.
#
# Two jobs:
#   drift-check — on every push/PR to main, fail if CodeZ has fallen behind
#                 CodeZero. This is the guard that stops the two repos from
#                 silently diverging again.
#   sync        — manual (workflow_dispatch). Runs the export and opens a PR
#                 with the synced changes. Never commits to main directly.
#
# Both jobs check out CodeZero read-only. The default GITHUB_TOKEN cannot read
# a separate private repo, so a PAT (or fine-grained token) with read access to
# OpZero-sh/CodeZero must be provided as the CODEZERO_RO_TOKEN secret. When the
# secret is absent (e.g. on forks), the jobs skip rather than fail.

on:
  workflow_dispatch:
  push:
    branches: [main]
  pull_request:
    branches: [main]

permissions:
  contents: read

jobs:
  drift-check:
    runs-on: ubuntu-latest
    steps:
      - name: Check out CodeZ (distro)
        uses: actions/checkout@v4
        with:
          path: codez

      - name: Check for source access
        id: gate
        run: |
          if [ -n "${{ secrets.CODEZERO_RO_TOKEN }}" ]; then
            echo "have_token=true" >> "$GITHUB_OUTPUT"
          else
            echo "have_token=false" >> "$GITHUB_OUTPUT"
            echo "::notice::CODEZERO_RO_TOKEN not set; skipping drift check."
          fi

      - name: Check out CodeZero (source, read-only)
        if: steps.gate.outputs.have_token == 'true'
        uses: actions/checkout@v4
        with:
          repository: OpZero-sh/CodeZero
          token: ${{ secrets.CODEZERO_RO_TOKEN }}
          path: codezero

      - name: Verify CodeZ is in sync with CodeZero
        if: steps.gate.outputs.have_token == 'true'
        working-directory: codez
        run: ./scripts/sync-from-codezero.sh --source "${GITHUB_WORKSPACE}/codezero" --check

  sync:
    if: github.event_name == 'workflow_dispatch'
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
    steps:
      - name: Check out CodeZ (distro)
        uses: actions/checkout@v4
        with:
          path: codez

      - name: Require source access
        run: |
          if [ -z "${{ secrets.CODEZERO_RO_TOKEN }}" ]; then
            echo "::error::CODEZERO_RO_TOKEN is required to run the sync." >&2
            exit 1
          fi

      - name: Check out CodeZero (source, read-only)
        uses: actions/checkout@v4
        with:
          repository: OpZero-sh/CodeZero
          token: ${{ secrets.CODEZERO_RO_TOKEN }}
          path: codezero

      - uses: oven-sh/setup-bun@v2

      - name: Run export
        working-directory: codez
        run: ./scripts/sync-from-codezero.sh --source "${GITHUB_WORKSPACE}/codezero"

      - name: Refresh lockfile for pinned hub client
        working-directory: codez
        run: bun install

      - name: Open sync PR
        uses: peter-evans/create-pull-request@v6
        with:
          path: codez
          branch: sync/from-codezero
          title: "chore: sync from CodeZero"
          commit-message: |
            chore: sync from CodeZero

            Deterministic one-way export via scripts/sync-from-codezero.sh.

            Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
          body: |
            Automated one-way export of source changes from the private
            **CodeZero** repo into this **CodeZ** distribution repo.

            Generated by `scripts/sync-from-codezero.sh`. Excludes private
            source-only paths (RUNBOOK, docs/research, etc.) and preserves
            distro-only files (LICENSE, .env.example). See
            `docs/sync-from-codezero.md`.

            Review the diff before merging — this replaces the old manual
            force-sync.
          labels: sync