feat: seed Lariza feature demonstration
Add synthetic fixtures and proposed policy contracts for safely demonstrating future Lariza capabilities. Assisted-by: Codex: GPT-5.6
This commit is contained in:
@@ -0,0 +1,27 @@
|
||||
name: Manual CI demonstration
|
||||
|
||||
on:
|
||||
workflow_dispatch:
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
concurrency:
|
||||
group: lariza-actions-demo
|
||||
cancel-in-progress: false
|
||||
|
||||
jobs:
|
||||
policy-check:
|
||||
runs-on: lariza-test
|
||||
timeout-minutes: 5
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- name: Validate safe demonstration files
|
||||
shell: sh
|
||||
run: ./scripts/check.sh
|
||||
- name: Show non-secret runner context
|
||||
shell: sh
|
||||
run: |
|
||||
printf 'repository=%s\n' "$GITHUB_REPOSITORY"
|
||||
printf 'sha=%s\n' "$GITHUB_SHA"
|
||||
printf 'This workflow performs no deployment or external mutation.\n'
|
||||
@@ -0,0 +1,22 @@
|
||||
apiVersion: actions.lariza.dev/v1alpha1
|
||||
kind: RunnerPolicyIntent
|
||||
metadata:
|
||||
name: unprivileged-demo
|
||||
spec:
|
||||
mode: audit
|
||||
allowedLabels: [lariza-test]
|
||||
protectedLabels: [image-build, talos-deploy]
|
||||
actionSources:
|
||||
allow:
|
||||
- github.com/actions/checkout
|
||||
requireImmutableReferences: true
|
||||
tokenPermissions:
|
||||
default: {contents: read}
|
||||
maximum: {contents: read, issues: write}
|
||||
concurrency:
|
||||
repositoryMaximum: 1
|
||||
schedules:
|
||||
enabled: false
|
||||
secrets:
|
||||
allowForkPullRequests: false
|
||||
requireEnvironmentApproval: true
|
||||
@@ -0,0 +1,16 @@
|
||||
# Actions governance demo
|
||||
|
||||
This repository demonstrates CI governance without starting work on push or on
|
||||
a schedule. Every active workflow is manual-only (`workflow_dispatch`).
|
||||
|
||||
Planned demonstrations include:
|
||||
|
||||
- pause versus drain versus disable for a runner;
|
||||
- organization-required workflows;
|
||||
- trusted and protected runner labels;
|
||||
- immutable action pinning and action-source allowlists;
|
||||
- token-permission ceilings, secret release policy, quotas, and concurrency;
|
||||
- an instance or organization scheduled-workflow kill switch.
|
||||
|
||||
The file under `fixtures/workflows` has a `.txt` suffix and is not executable.
|
||||
It exists solely to test schedule detection and policy previews.
|
||||
@@ -0,0 +1,10 @@
|
||||
# Fixture only: the .txt suffix prevents Gitea from loading this as a workflow.
|
||||
name: Scheduled workflow policy fixture
|
||||
on:
|
||||
schedule:
|
||||
- cron: '0 0 * * *'
|
||||
jobs:
|
||||
fixture:
|
||||
runs-on: lariza-test
|
||||
steps:
|
||||
- run: echo 'This fixture must never execute.'
|
||||
Executable
+12
@@ -0,0 +1,12 @@
|
||||
#!/bin/sh
|
||||
set -eu
|
||||
|
||||
test -f .lariza/runner-policy.yaml
|
||||
test -f fixtures/workflows/scheduled-disabled.yaml.txt
|
||||
|
||||
if grep -ERq --include='*.yaml' '^[[:space:]]*schedule:' .gitea/workflows; then
|
||||
echo 'active scheduled workflow detected' >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
printf 'manual-only workflow policy passed\n'
|
||||
Reference in New Issue
Block a user