Skip to content

feat(clients): add shared publish-api-clients reusable workflow#9

Merged
jorisjonkers-dev-agents[bot] merged 1 commit into
mainfrom
feat/shared-api-clients
Jun 28, 2026
Merged

feat(clients): add shared publish-api-clients reusable workflow#9
jorisjonkers-dev-agents[bot] merged 1 commit into
mainfrom
feat/shared-api-clients

Conversation

@jorisjonkers-dev-agents

Copy link
Copy Markdown
Contributor

No description provided.

@jorisjonkers-dev-agents jorisjonkers-dev-agents Bot merged commit 96a2b65 into main Jun 28, 2026
4 checks passed
This was referenced Jun 28, 2026
jorisjonkers-dev-agents Bot added a commit that referenced this pull request Jul 8, 2026
…ws (#31)

* feat: add deploy-artifact, leak-scan, deploy-validate reusable workflows

Implements Chunk D of the deploy platform build-out:

- .github/workflows/deploy-artifact.yml: reusable workflow for OCI artifact
  publish with idempotent push, race detection, keyless cosign signing, and
  SC-4 gate-summary emission on every failure path (finalize job, if: always())
- .github/workflows/leak-scan.yml: reusable workflow wrapping the leak-scan
  composite action; exposes gate-summary-artifact output
- .github/workflows/deploy-validate.yml: reusable workflow for PR deploy
  preview with sticky comment and SC-4 gate-summary; pull-requests:write
- actions/deploy-artifact/{action.yml,run.sh,publish.sh,install-tooling.sh}:
  composite action for rendering 5 fragments, kubeconform/kustomize validation,
  reject kind:Secret, emit-contract; render-hash declared in outputs block
  (correction #8); npm-signatures gate emitted before exit 1 (correction #9)
- actions/leak-scan/{action.yml,run.sh}: SC-8 path deny-list plus gitleaks/
  trufflehog wrappers; three scan modes (all-refs, pr-diff, path); redacted
  gate-summary.json (never exposes raw match content)
- actions/deploy-preview/{action.yml,run.sh}: SC-11 readiness scorecard,
  deploy-preview-summary.md rendering, sticky PR comment (post/update),
  escape-hatch detection, SC-4 gate-summary
- data/leak-patterns.json: SC-8 canonical source in {modes, extra_paths}
  shape (correction #5); deployment-artifact extra_paths = deploy/raw-manifests/**
- docs/action-pinning.md: action pinning policy
- renovate.json: add pinDigests:true globally; github-actions pinned digests
  group (weekly Monday); JorisJonkers-dev/github-workflows exempt (semver)
- tests/test_deploy_platform_d.py: 51 tests covering T-D1..T-D6
- tests/test_crac_train_workflow.py: update renovate.json contract test to
  accommodate the new pinDigests/packageRules fields
- .github/workflows/ci.yml: add PyYAML to python-tests venv for test_deploy_platform_d

VERIFICATION fix applied: image-lock-artifact is the only lock input on the
workflow_call interface (no image-lock-path alternative).

* fix: pin real SHA256 digests for deploy-artifact tooling

install-tooling.sh shipped with placeholder digests that would fail
checksum verification on first CI run; digests now computed from the
actual v2.4.3/1.28.0/1.2.3/0.7.0/5.6.0/4.45.3 release artifacts.

---------

Co-authored-by: JorisJonkers Agent <agents@jorisjonkers.dev>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant