docs: add FDE environment ladder #55
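# ci-guards: repository hygiene gates run on every PR and push to the
# protected branches — secrets scanning, required-context-file presence,
# and a check for stale scaffold instructions in authored docs.
name: ci-guards

on:
  pull_request:
    branches: [main, dev, v1]
  push:
    branches: [main, dev, v1]

# Least privilege: no job below writes to the repository, so restrict the
# GITHUB_TOKEN to read-only instead of inheriting the repo-wide default,
# which may be read/write depending on repository settings.
permissions:
  contents: read

jobs:
  secrets-scan:
    name: Secrets scanning (gitleaks CLI)
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        # NOTE(review): a mutable tag like @v4 can move; pinning to a full
        # commit SHA (with the tag in a trailing comment) makes the step
        # reproducible and immune to a retagged release.
        uses: actions/checkout@v4
        with:
          # Full history is required for the commit-range scan on PRs and the
          # whole-history scan on push.
          fetch-depth: 0

      - name: Install gitleaks CLI
        run: |
          set -eo pipefail
          VERSION=8.18.4
          # Pin the digest of the exact release artifact so a tampered or
          # swapped tarball fails the build instead of being executed on the
          # runner. Fill in from the published checksums for this version and
          # platform; the placeholder below intentionally fails verification.
          EXPECTED_SHA256="<EXPECTED_SHA256_gitleaks_8.18.4_linux_x64_tar_gz>"
          curl -fsSL -o /tmp/gitleaks.tar.gz \
            "https://github.com/gitleaks/gitleaks/releases/download/v${VERSION}/gitleaks_${VERSION}_linux_x64.tar.gz"
          echo "${EXPECTED_SHA256}  /tmp/gitleaks.tar.gz" | sha256sum -c -
          tar -xzf /tmp/gitleaks.tar.gz -C /tmp
          sudo mv /tmp/gitleaks /usr/local/bin/gitleaks
          gitleaks version

      - name: Scan PR diff (only new commits)
        if: github.event_name == 'pull_request'
        env:
          # Pass the ref through the environment rather than interpolating the
          # expression straight into the script: the value is then a plain
          # string to the shell and is never re-parsed as shell syntax.
          BASE_REF: ${{ github.base_ref }}
        run: |
          set -e
          git fetch origin "${BASE_REF}"
          # Only commits introduced by the PR (base...HEAD) are scanned, so a
          # pre-existing historical finding does not block unrelated PRs.
          gitleaks detect \
            --source . \
            --log-opts="origin/${BASE_REF}...HEAD" \
            --redact \
            --verbose \
            --exit-code 1

      - name: Full history scan (informational on push)
        if: github.event_name == 'push'
        # Informational only: the `|| echo` below already keeps the step green,
        # and findings surface as a workflow warning annotation.
        continue-on-error: true
        run: |
          gitleaks detect \
            --source . \
            --redact \
            --verbose \
            --exit-code 1 || echo "::warning::gitleaks found findings in history — rotate any real leaks and consider a .gitleaks.toml allowlist"

  context-presence:
    name: CLAUDE.md + .claude/rules/identity.md presence
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Verify required context files exist
        # Both files are checked before failing so a single run reports every
        # missing file rather than just the first one.
        run: |
          set -e
          missing=0
          if [ ! -f CLAUDE.md ]; then
            echo "::error::CLAUDE.md missing at repo root — every khal-os repo must carry workspace context"
            missing=1
          fi
          if [ ! -f .claude/rules/identity.md ]; then
            echo "::error::.claude/rules/identity.md missing — every khal-os repo must carry an identity rule"
            missing=1
          fi
          if [ "$missing" -eq 1 ]; then
            echo "See khal-os workspace docs for the CLAUDE.md + .claude/rules pattern."
            exit 1
          fi
          echo "✓ CLAUDE.md + .claude/rules/identity.md present"

  stale-scaffold-refs:
    name: No stale gh repo create --template references
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Reject 'gh repo create --template khal-os/pack-template' in authored docs
        run: |
          set -e
          # Authored user-facing docs only. Excludes .genie/ (historical wish/brainstorm artifacts).
          # grep inside `if` so a no-match exit status (1) is not tripped by set -e.
          if grep -rnE "gh repo create --template khal-os/pack-template" \
              --include="*.md" --include="*.mdx" \
              --exclude-dir=".genie" \
              --exclude-dir="node_modules" \
              .; then
            echo "::error::Stale scaffold reference found. Replace with 'khal new app <name>' (from @khal-os/app-kit)."
            exit 1
          fi
          echo "✓ No stale 'gh repo create --template khal-os/pack-template' references in authored docs"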