fix ts allowlist path normalization #8
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # SPDX-License-Identifier: MPL-2.0 | |
| name: No-JS Scan (warn-first) | |
| # Estate policy: no hand-authored JavaScript/TypeScript source | |
| # (see standards docs/NO-JAVASCRIPT-SOURCE-POLICY.adoc). This workflow is | |
| # WARN-FIRST: it reports the authored-JS surface for migration but never fails | |
| # the build. The authoritative hard-block for NEW JS in non-carve-out paths is | |
| # hypatia (cicd_rules/javascript_detected); this is an additive companion. | |
| on: | |
| push: | |
| paths: | |
| - '**/*.js' | |
| - '**/*.jsx' | |
| - '**/*.mjs' | |
| - '**/*.cjs' | |
| - '**/*.ts' | |
| - '**/*.tsx' | |
| pull_request: | |
| paths: | |
| - '**/*.js' | |
| - '**/*.jsx' | |
| - '**/*.mjs' | |
| - '**/*.cjs' | |
| - '**/*.ts' | |
| - '**/*.tsx' | |
| # Estate guardrail: cancel superseded runs (read-only check, no mutation). | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| permissions: | |
| contents: read | |
| jobs: | |
| scan-authored-js: | |
| timeout-minutes: 10 | |
| name: Scan for hand-authored JavaScript/TypeScript | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v4 | |
| - name: Report authored JS/TS (warn-first, non-blocking) | |
| shell: bash | |
| run: | | |
| # Exclude only things that are NOT hand-authored source: vendored | |
| # (node_modules, deps, vendor, .git), generated/compiled (*.res.js, | |
| # *.res.mjs, lib/{js,es6,bs}, out, dist, .deno, generated/, *.min.js), | |
| # and declaration headers (*.d.ts). Everything else is reported. | |
| mapfile -t hits < <( | |
| find . \ | |
| \( -path './.git' -o -name node_modules -o -path '*/deps/*' \ | |
| -o -path '*/vendor/*' -o -path '*/lib/js/*' -o -path '*/lib/es6/*' \ | |
| -o -path '*/lib/bs/*' -o -path '*/out/*' -o -path '*/dist/*' \ | |
| -o -path '*/.deno/*' -o -path '*/generated/*' \) -prune -o \ | |
| -type f \ | |
| \( -name '*.js' -o -name '*.jsx' -o -name '*.mjs' -o -name '*.cjs' \ | |
| -o -name '*.ts' -o -name '*.tsx' \) \ | |
| ! -name '*.res.js' ! -name '*.res.mjs' ! -name '*.min.js' ! -name '*.d.ts' \ | |
| -print 2>/dev/null | sort || true | |
| ) | |
| count=${#hits[@]} | |
| { | |
| echo "# No-JS scan (warn-first)" | |
| echo | |
| echo "Estate policy: **no hand-authored JavaScript/TypeScript source.**" | |
| echo "Destination is AffineScript -> typed-wasm, or Rust + Zig -> wasm." | |
| echo "This check is **non-blocking** — it reports the migration surface only." | |
| echo "Authoritative hard-block for new files: hypatia \`cicd_rules/javascript_detected\`." | |
| echo "Policy: standards \`docs/NO-JAVASCRIPT-SOURCE-POLICY.adoc\`." | |
| echo | |
| echo "**Hand-authored JS/TS files found: ${count}**" | |
| if [ "${count}" -gt 0 ]; then | |
| echo | |
| echo '| # | File |' | |
| echo '|---|------|' | |
| i=0 | |
| for f in "${hits[@]}"; do | |
| i=$((i + 1)) | |
| echo "| ${i} | \`${f#./}\` |" | |
| done | |
| else | |
| echo | |
| echo "No hand-authored JavaScript/TypeScript found. :white_check_mark:" | |
| fi | |
| } >> "${GITHUB_STEP_SUMMARY}" | |
| if [ "${count}" -gt 0 ]; then | |
| echo "::warning title=No-JS (warn-first)::${count} hand-authored JS/TS file(s) present. Estate target is AffineScript->typed-wasm / Rust+Zig->wasm. See standards docs/NO-JAVASCRIPT-SOURCE-POLICY.adoc (non-blocking)." | |
| fi | |
| # Warn-first: never fail the build. | |
| exit 0 |