commit 1aa5b38eb3ede77c12ced96371dd61e53a7e015b Author: reynold Date: Sat Jul 18 20:21:37 2026 +0800 feat: seed Lariza feature demonstration Add synthetic fixtures and proposed policy contracts for safely demonstrating future Lariza capabilities. Assisted-by: Codex: GPT-5.6 diff --git a/.gitea/workflows/manual-ci.yaml b/.gitea/workflows/manual-ci.yaml new file mode 100644 index 0000000..bca8e68 --- /dev/null +++ b/.gitea/workflows/manual-ci.yaml @@ -0,0 +1,27 @@ +name: Manual CI demonstration + +on: + workflow_dispatch: + +permissions: + contents: read + +concurrency: + group: lariza-actions-demo + cancel-in-progress: false + +jobs: + policy-check: + runs-on: lariza-test + timeout-minutes: 5 + steps: + - uses: actions/checkout@v4 + - name: Validate safe demonstration files + shell: sh + run: ./scripts/check.sh + - name: Show non-secret runner context + shell: sh + run: | + printf 'repository=%s\n' "$GITHUB_REPOSITORY" + printf 'sha=%s\n' "$GITHUB_SHA" + printf 'This workflow performs no deployment or external mutation.\n' diff --git a/.lariza/runner-policy.yaml b/.lariza/runner-policy.yaml new file mode 100644 index 0000000..a412b00 --- /dev/null +++ b/.lariza/runner-policy.yaml @@ -0,0 +1,22 @@ +apiVersion: actions.lariza.dev/v1alpha1 +kind: RunnerPolicyIntent +metadata: + name: unprivileged-demo +spec: + mode: audit + allowedLabels: [lariza-test] + protectedLabels: [image-build, talos-deploy] + actionSources: + allow: + - github.com/actions/checkout + requireImmutableReferences: true + tokenPermissions: + default: {contents: read} + maximum: {contents: read, issues: write} + concurrency: + repositoryMaximum: 1 + schedules: + enabled: false + secrets: + allowForkPullRequests: false + requireEnvironmentApproval: true diff --git a/README.md b/README.md new file mode 100644 index 0000000..4f4e13d --- /dev/null +++ b/README.md @@ -0,0 +1,16 @@ +# Actions governance demo + +This repository demonstrates CI governance without starting work on push or on +a schedule. Every active workflow is manual-only (`workflow_dispatch`). + +Planned demonstrations include: + +- pause versus drain versus disable for a runner; +- organization-required workflows; +- trusted and protected runner labels; +- immutable action pinning and action-source allowlists; +- token-permission ceilings, secret release policy, quotas, and concurrency; +- an instance or organization scheduled-workflow kill switch. + +The file under `fixtures/workflows` has a `.txt` suffix and is not executable. +It exists solely to test schedule detection and policy previews. diff --git a/fixtures/workflows/scheduled-disabled.yaml.txt b/fixtures/workflows/scheduled-disabled.yaml.txt new file mode 100644 index 0000000..5313539 --- /dev/null +++ b/fixtures/workflows/scheduled-disabled.yaml.txt @@ -0,0 +1,10 @@ +# Fixture only: the .txt suffix prevents Gitea from loading this as a workflow. +name: Scheduled workflow policy fixture +on: + schedule: + - cron: '0 0 * * *' +jobs: + fixture: + runs-on: lariza-test + steps: + - run: echo 'This fixture must never execute.' diff --git a/scripts/check.sh b/scripts/check.sh new file mode 100755 index 0000000..efe7fe4 --- /dev/null +++ b/scripts/check.sh @@ -0,0 +1,12 @@ +#!/bin/sh +set -eu + +test -f .lariza/runner-policy.yaml +test -f fixtures/workflows/scheduled-disabled.yaml.txt + +if grep -ERq --include='*.yaml' '^[[:space:]]*schedule:' .gitea/workflows; then + echo 'active scheduled workflow detected' >&2 + exit 1 +fi + +printf 'manual-only workflow policy passed\n'