Skip to content

[codex] parse workflow policy structurally#1121

Merged
TheGreenCedar merged 2 commits into
dev/codestory-nextfrom
codex/1110-structural-workflow-policy
Jul 14, 2026
Merged

[codex] parse workflow policy structurally#1121
TheGreenCedar merged 2 commits into
dev/codestory-nextfrom
codex/1110-structural-workflow-policy

Conversation

@TheGreenCedar

Copy link
Copy Markdown
Owner

Context

The workflow-policy gate was parsing YAML as indented text. Comments, harmless quoting changes, and formatting could satisfy or break checks without changing the workflow GitHub executes. This replaces that parser while preserving the current policy surface, including the centralized Node worktree setup added on the integration branch.

Base: 1ee918119e004cccf220bfab05085152172b3b34
Head: d3df927a06044afdb2eceb3de195b08fdc17f4d1

Closes #1110
Refs #899

What changed

  • exact-pinned yaml@2.9.0 in the root package and lockfile, installed with npm ci --ignore-scripts in every workflow that runs the policy gate
  • structural checks for triggers, permissions, jobs, dependencies, conditions, matrices, secrets, action refs, cache keys, and named step commands
  • six focused mutation tests covering formatting immunity and credible policy bypasses
  • updated generalization-lint fixtures, contributor guidance, and changelog

The production checker shrinks from 839 lines on the base to 746. Tests live in a separate 124-line file instead of being embedded in formatting-sensitive parsing helpers.

Review

Start with .github/scripts/check-workflow-policy.mjs and its six mutation tests. The one intentionally scalar-specific parser is the dynamic fromJSON(...) package matrix expression; the surrounding workflow and matrix field are still selected structurally.

Risk: S4/R2. This changes a release-policy gate, but not runtime behavior. The main risk is dropping an existing invariant during the parser replacement; the full live workflow set and focused bypass mutations both pass.

Verification

  • npm ci --ignore-scripts
  • node --test .github/scripts/check-workflow-policy.test.mjs
  • node .github/scripts/check-workflow-policy.mjs
  • node --test plugins/codestory/tests/plugin-static.test.mjs (73 passed, 1 Windows-only skip)
  • node scripts/codex-worktree-setup.mjs --self-test
  • node .github/scripts/route-ci-proof.mjs --self-test
  • python .github/scripts/check-packaged-agent-proof.py --self-test
  • python .github/scripts/package-codestory-release.py --self-test
  • python .github/scripts/test-detect-codestory-release.py
  • python .github/scripts/check-codestory-release.py --version 0.15.0
  • node scripts/lint-retrieval-generalization.mjs
  • node .github/scripts/check-doc-links.mjs
  • direct rustfmt on the adjusted Rust fixture
  • changed-scope code-simplifier scan and git diff --check

No Cargo lane was run; this change does not alter Rust behavior, and broad Cargo proof belongs on the accepted exact head.

@TheGreenCedar TheGreenCedar marked this pull request as ready for review July 14, 2026 15:23
@TheGreenCedar TheGreenCedar merged commit a2c46c9 into dev/codestory-next Jul 14, 2026
12 checks passed
@TheGreenCedar TheGreenCedar deleted the codex/1110-structural-workflow-policy branch July 14, 2026 15:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Development

Successfully merging this pull request may close these issues.

1 participant