Estate audit — Wave 4: DYADT, post-action agent-claim verification (r… #189
| # SPDX-License-Identifier: MPL-2.0 | |
| # registry-verify — fail the build if the spec registry or the DERIVED | |
| # topology map has drifted from the file tree. This is the in-repo half of | |
| # the drift-detection loop (the estate half is Hypatia rule HYP-S006). | |
| name: Registry Verify | |
| on: | |
| push: | |
| branches: [ main, master ] | |
| pull_request: | |
| branches: [ main, master ] | |
| workflow_dispatch: | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| permissions: | |
| contents: read | |
| jobs: | |
| verify: | |
| name: Registry + topology in sync | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 10 | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | |
| with: | |
| fetch-depth: 0 # full history so `git ls-files -s` hashes are stable | |
| - name: Verify registry + derived topology are current | |
| run: | | |
| if ! bash scripts/build-registry.sh --check; then | |
| { | |
| echo "### Registry drift detected" | |
| echo "" | |
| echo "A tracked file under a spec home (or STATE.a2ml) changed without" | |
| echo "regenerating the derived registry/topology. Fix locally:" | |
| echo "" | |
| echo '```sh' | |
| echo "just registry # or: bash scripts/build-registry.sh" | |
| echo "git add .machine_readable/REGISTRY.a2ml TOPOLOGY.md" | |
| echo '```' | |
| echo "" | |
| echo "Install the pre-commit guard so this is caught before push:" | |
| echo "" | |
| echo '```sh' | |
| echo "just hooks-install" | |
| echo '```' | |
| } >> "$GITHUB_STEP_SUMMARY" | |
| exit 1 | |
| fi | |
| - name: Verify compliance dashboard is current | |
| run: | | |
| if ! bash scripts/build-scorecards.sh --check --strict; then | |
| { | |
| echo "### Compliance dashboard drift" | |
| echo "" | |
| echo "COMPLIANCE-DASHBOARD.md is stale, a scorecard is malformed/orphaned," | |
| echo "or a registered spec has no scorecard. Fix locally:" | |
| echo "" | |
| echo '```sh' | |
| echo "just scorecards # regenerate the dashboard" | |
| echo "just scorecards-check-strict" | |
| echo '```' | |
| } >> "$GITHUB_STEP_SUMMARY" | |
| exit 1 | |
| fi |
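Review bot: The comment on `fetch-depth: 0` in the checkout step ("full history so `git ls-files -s` hashes are stable") does not match what that command does: `git ls-files -s` prints index blob IDs, which depend only on file content, not on clone depth, so either the comment is wrong or the real reason for the full clone lives in `scripts/build-registry.sh` and is not stated here. Since a full-history fetch is the one expensive and privilege-irrelevant part of an otherwise tight job (read-only `contents` permission, SHA-pinned action), I would either drop `fetch-depth: 0` if the script works on a shallow clone or replace the comment with the actual dependency, e.g. `fetch-depth: 0 # full history: TODO(review) name the script/step that needs it — blob hashes from git ls-files -s do not depend on depth`. A smaller point: because the registry step ends with `exit 1`, the dashboard step never runs when registry drift is present, so a PR with both kinds of drift needs two CI round-trips; adding `if: ${{ !cancelled() }}` to the dashboard step would surface both summaries in one run.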