feat: seed Lariza feature demonstration

Add synthetic fixtures and proposed policy contracts for safely demonstrating future Lariza capabilities.

Assisted-by: Codex: GPT-5.6
This commit is contained in:
reynold
2026-07-18 20:21:37 +08:00
commit 1aa5b38eb3
5 changed files with 87 additions and 0 deletions
+27
View File
@@ -0,0 +1,27 @@
name: Manual CI demonstration
on:
workflow_dispatch:
permissions:
contents: read
concurrency:
group: lariza-actions-demo
cancel-in-progress: false
jobs:
policy-check:
runs-on: lariza-test
timeout-minutes: 5
steps:
- uses: actions/checkout@v4
- name: Validate safe demonstration files
shell: sh
run: ./scripts/check.sh
- name: Show non-secret runner context
shell: sh
run: |
printf 'repository=%s\n' "$GITHUB_REPOSITORY"
printf 'sha=%s\n' "$GITHUB_SHA"
printf 'This workflow performs no deployment or external mutation.\n'
+22
View File
@@ -0,0 +1,22 @@
apiVersion: actions.lariza.dev/v1alpha1
kind: RunnerPolicyIntent
metadata:
name: unprivileged-demo
spec:
mode: audit
allowedLabels: [lariza-test]
protectedLabels: [image-build, talos-deploy]
actionSources:
allow:
- github.com/actions/checkout
requireImmutableReferences: true
tokenPermissions:
default: {contents: read}
maximum: {contents: read, issues: write}
concurrency:
repositoryMaximum: 1
schedules:
enabled: false
secrets:
allowForkPullRequests: false
requireEnvironmentApproval: true
+16
View File
@@ -0,0 +1,16 @@
# Actions governance demo
This repository demonstrates CI governance without starting work on push or on
a schedule. Every active workflow is manual-only (`workflow_dispatch`).
Planned demonstrations include:
- pause versus drain versus disable for a runner;
- organization-required workflows;
- trusted and protected runner labels;
- immutable action pinning and action-source allowlists;
- token-permission ceilings, secret release policy, quotas, and concurrency;
- an instance or organization scheduled-workflow kill switch.
The file under `fixtures/workflows` has a `.txt` suffix and is not executable.
It exists solely to test schedule detection and policy previews.
@@ -0,0 +1,10 @@
# Fixture only: the .txt suffix prevents Gitea from loading this as a workflow.
name: Scheduled workflow policy fixture
on:
schedule:
- cron: '0 0 * * *'
jobs:
fixture:
runs-on: lariza-test
steps:
- run: echo 'This fixture must never execute.'
+12
View File
@@ -0,0 +1,12 @@
#!/bin/sh
set -eu
test -f .lariza/runner-policy.yaml
test -f fixtures/workflows/scheduled-disabled.yaml.txt
if grep -ERq --include='*.yaml' '^[[:space:]]*schedule:' .gitea/workflows; then
echo 'active scheduled workflow detected' >&2
exit 1
fi
printf 'manual-only workflow policy passed\n'