Skip to content

fix(ci): secret-scanner callers must grant the reusable's job permissions #32

fix(ci): secret-scanner callers must grant the reusable's job permissions

fix(ci): secret-scanner callers must grant the reusable's job permissions #32

Workflow file for this run

# SPDX-License-Identifier: MPL-2.0
# dyadt-verify — DYADT dogfood. Verify this repo's CLAIMS.a2ml against primary
# evidence, and run the DYADT conformance vector suite. If a claim this change
# makes is false, the verifier REFUTES it and this job fails loudly.
name: DYADT Verify
on:
push:
branches: [ main, master ]
pull_request:
branches: [ main, master ]
workflow_dispatch:
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions:
contents: read
jobs:
verify-claims:
name: Verify CLAIMS.a2ml + conformance
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- name: Checkout repository
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
fetch-depth: 0 # need origin/main as the DYADT diff base
- name: DYADT conformance vectors
run: |
bash did-you-actually-do-that/spec/conformance/run-conformance.sh
- name: Verify this change's own claims (dogfood)
env:
DYADT_BASE: origin/${{ github.base_ref || 'main' }}
run: |
if [ -f CLAIMS.a2ml ]; then
bash scripts/verify-claims.sh CLAIMS.a2ml
else
echo "No CLAIMS.a2ml at root — nothing to verify."
fi