fix(ci): keep workflow guard changes on narrow cd profile
@@ -200,6 +200,23 @@ jobs:
|
||||
;;
|
||||
.gitea/workflows/cd.yaml)
|
||||
;;
|
||||
# 2026-06-30 Codex: workflow secret-transport and guard-only
|
||||
# hardening must stay on the narrow profile. These changes are
|
||||
# validated by workflow-shape, the secret-surface guard, and the
|
||||
# runner pressure/profile tests; sending them to full/B5 would
|
||||
# reintroduce the heavy runner path while not increasing coverage.
|
||||
.gitea/workflows/cd-dev.yaml)
|
||||
;;
|
||||
.gitea/workflows/code-review.yaml)
|
||||
;;
|
||||
.gitea/workflows/deploy-alerts.yaml)
|
||||
;;
|
||||
.gitea/workflows/e2e-health.yaml)
|
||||
;;
|
||||
.gitea/workflows/run-migration.yml)
|
||||
;;
|
||||
scripts/ci/check-gitea-step-env-secrets.js)
|
||||
;;
|
||||
# 2026-06-29 Codex: the onboarding warning-step workflow is
|
||||
# copied in a disabled workflow_dispatch-only state. Treat the
|
||||
# source and template files as controlled-runtime sources so the
|
||||
|
||||
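Review bot: The arm for `scripts/ci/check-gitea-step-env-secrets.js` keeps edits to the secret-surface guard on the narrow profile, yet the comment above names that same guard as one of the checks that justify the narrow profile, so a change that weakens the guard would be vetted mainly by the weakened guard. The hunk does not show whether the script has its own fixture tests on the narrow path; if it does, say so in the comment, e.g. `# guard script edits are also covered by <guard test name>`, and if not, consider leaving this one path off the narrow list. The same question applies to `.gitea/workflows/run-migration.yml`, where "not increasing coverage" presumably depends on the full profile never exercising that workflow. The enclosing `case` statement starts and ends outside the hunk, so how a commit touching both listed and unlisted paths is classified cannot be confirmed from here.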
@@ -35,6 +35,21 @@ def test_deploy_marker_k8s_files_stay_on_controlled_runtime_profile() -> None:
|
||||
assert "k8s/awoooi-prod/kustomization.yaml)" in text
|
||||
|
||||
|
||||
def test_workflow_secret_transport_sources_stay_on_controlled_runtime_profile() -> None:
|
||||
text = _workflow_text()
|
||||
assert "workflow secret-transport and guard-only" in text
|
||||
expected_sources = [
|
||||
".gitea/workflows/cd-dev.yaml)",
|
||||
".gitea/workflows/code-review.yaml)",
|
||||
".gitea/workflows/deploy-alerts.yaml)",
|
||||
".gitea/workflows/e2e-health.yaml)",
|
||||
".gitea/workflows/run-migration.yml)",
|
||||
"scripts/ci/check-gitea-step-env-secrets.js)",
|
||||
]
|
||||
for source in expected_sources:
|
||||
assert source in text
|
||||
|
||||
|
||||
def test_onboarding_warning_step_template_stays_on_controlled_runtime_profile() -> None:
|
||||
text = _workflow_text()
|
||||
assert "onboarding warning-step workflow is" in text
|
||||
|
||||
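Review bot: `assert source in text` passes if the pattern appears anywhere in the workflow file, so the new test would not notice one of these arms being moved under a different profile's branch or surviving only inside a comment. Scoping the search to the block between the two marker comments ties the assertion to the intended arm list: `block = text.split("workflow secret-transport and guard-only", 1)[1].split("onboarding warning-step workflow is", 1)[0]` followed by `assert source in block`. The test name says controlled_runtime_profile while the workflow comment calls it the narrow profile; if those are the same profile, a one-line docstring would make that explicit, e.g. `"""Narrow (controlled-runtime) profile must list every secret-transport source."""`. `test_onboarding_warning_step_template_stays_on_controlled_runtime_profile` continues outside the hunk.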