diff --git a/README.md b/README.md
index 036981d..6ee58a7 100644
--- a/README.md
+++ b/README.md
@@ -77,12 +77,6 @@ PolicyMesh reports `HIGH` policy conflicts and emits GitHub warning annotations
 ## Local Use
-```powershell
-npx policymesh@latest audit --repo . --format markdown
-```
-
-Or, if you have the repo checked out and want to hack on it:
-
 ```powershell
 npm install
 npm run build
@@ -91,12 +85,16 @@ node dist/index.js audit --repo . --format markdown
 Supported formats: `text` (default, ANSI-coloured in a TTY), `markdown`, `json`, `github` (PR annotations), and `sarif` (SARIF 2.1.0 for the GitHub Security tab and other SAST consumers).
-```powershell
-npx policymesh@latest audit --repo . --format sarif > policymesh.sarif
-# Then in a workflow:
-# - uses: github/codeql-action/upload-sarif@v3
-# with:
-# sarif_file: policymesh.sarif
+To emit SARIF for the GitHub Security tab, point the bundled CLI at the audit and upload the result via `github/codeql-action/upload-sarif`:
+
+```yaml
+- uses: Conalh/PolicyMesh@v0.4.0
+ with:
+ fail-on: none
+- run: node "$GITHUB_ACTION_PATH/dist/index.js" audit --repo . --format sarif > policymesh.sarif
+- uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: policymesh.sarif
 ```
 ### Auto-fix mode
diff --git a/package.json b/package.json
index f46ab36..e2c7c2c 100644
--- a/package.json
+++ b/package.json
@@ -28,17 +28,7 @@
 },
 "scripts": {
 "build": "tsc -p tsconfig.json",
- "test": "node --test",
- "prepublishOnly": "npm run build && npm test"
- },
- "files": [
- "dist/",
- "action.yml",
- "README.md",
- "LICENSE"
- ],
- "publishConfig": {
- "access": "public"
+ "test": "node --test"
 },
 "dependencies": {
 "agent-gov-core": "^0.7.0"
diff --git a/test/workflow.test.mjs b/test/workflow.test.mjs
index 7178cfe..75fd79a 100644
--- a/test/workflow.test.mjs
+++ b/test/workflow.test.mjs
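Review bot: Removing `files`, `publishConfig` and `prepublishOnly` from the `scripts` block onward takes away the publish allowlist without putting a positive guard in its place, so a stray `npm publish` from a checkout would now ship the whole tree (src/, test/, fixtures) and nothing in the new file refuses it. If PolicyMesh is meant to ship only as a GitHub Action, add `"private": true` next to `"scripts"` so npm rejects publishing outright; the test in test/workflow.test.mjs can then assert that field rather than the absence of prep. This hunk starts at the `scripts` block, so whether a `bin` entry survives earlier in the file is not visible here and may need the same treatment.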
@@ -46,25 +46,15 @@ test('package metadata supports OSS discovery', async () => {
 ]);
 });
-test('package.json is publishable to npm with the right allowlist', async () => {
+test('package.json does not carry npm-publish prep — PolicyMesh ships only as a GitHub Action', async () => {
+ // Deliberate scoping decision: agent-gov-core is the suite's npm artefact;
+ // tools (PolicyMesh, ScopeTrail, CapabilityEcho) ship as GitHub Actions
+ // consumed via `uses: Conalh/@vX.Y.Z`. Re-introducing publish prep
+ // here means adopting a second distribution surface — discuss before re-adding.
 const packageJson = JSON.parse(await readFile(join(packageRoot, 'package.json'), 'utf8'));
-
- // CLI binary registration so `npx policymesh@latest audit` works without install.
- assert.deepEqual(packageJson.bin, { policymesh: './dist/index.js' });
-
- // Public-by-default; first publish under @scope would otherwise fail.
- assert.deepEqual(packageJson.publishConfig, { access: 'public' });
-
- // Only the runtime artefacts ship. No src/, no test/, no fixtures.
- assert.deepEqual(packageJson.files, ['dist/', 'action.yml', 'README.md', 'LICENSE']);
-
- // prepublishOnly builds and tests before any version reaches the registry.
- assert.equal(packageJson.scripts.prepublishOnly, 'npm run build && npm test');
-});
-
-test('dist/index.js preserves the executable shebang so npm-installed bin works', async () => {
- const first = (await readFile(join(packageRoot, 'dist', 'index.js'), 'utf8')).split('\n', 1)[0];
- assert.equal(first, '#!/usr/bin/env node');
+ assert.equal(packageJson.files, undefined);
+ assert.equal(packageJson.publishConfig, undefined);
+ assert.equal(packageJson.scripts.prepublishOnly, undefined);
 });
 test('docs/workflows/agent-governance.yml composes the suite for adopters', async () => {
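Review bot: The replacement test no longer says anything about `bin`, which the deleted assertion pinned to `./dist/index.js`; if the decision is that PolicyMesh has no npm surface at all, `assert.equal(packageJson.bin, undefined);` belongs alongside the three new checks (the package.json hunk in this diff starts at the `scripts` block, so whether a `bin` entry remains is not visible here). The three new checks use `assert.equal`, which is loose equality, so a `null` value would also pass; `assert.strictEqual` matches the stated intent better. The test's comment block explains the scoping decision well, but the test title could name the fields it actually checks so a future failure is self-explanatory.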