Skip to content

test(wzrd-markets): C-02 admin-rotation behavioral coverage (re-audit gap) #162

test(wzrd-markets): C-02 admin-rotation behavioral coverage (re-audit gap)

test(wzrd-markets): C-02 admin-rotation behavioral coverage (re-audit gap) #162

Workflow file for this run

name: Repo Scope Guard
on:
pull_request:
types: [opened, synchronize, reopened]
workflow_dispatch:
inputs:
pr_number:
description: "PR number to validate (manual run)"
required: true
jobs:
guard:
if: github.event_name == 'pull_request'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Fail on forbidden paths
shell: bash
run: |
set -euo pipefail
# Compute changed files in this PR (base..head)
BASE_SHA='${{ github.event.pull_request.base.sha }}'
HEAD_SHA='${{ github.sha }}'
if [ -z "$BASE_SHA" ] || [ "$BASE_SHA" = "null" ]; then
echo "No pull_request base SHA; falling back to HEAD-only check"
CHANGED_FILES=$(git ls-files)
else
# Use merge-base to be robust even if the base branch was deleted post-merge
MB=$(git merge-base "$HEAD_SHA" "$BASE_SHA" 2>/dev/null || echo "")
if [ -n "$MB" ]; then
CHANGED_FILES=$(git diff --name-only "$MB"..."$HEAD_SHA" || true)
else
# Fallback: compare against the immediate parent of HEAD
CHANGED_FILES=$(git diff --name-only "${HEAD_SHA}^"..."$HEAD_SHA" || git ls-files)
fi
fi
# 1) Allow only certain subtrees under programs/ and oracles/ for CHANGED files
ALLOWED="^(programs/(attention-oracle|attention_oracle|wzrd-rails|wzrd_rails|wzrd-markets|wzrd_markets)|oracles/x402-switchboard)(/|$)"
FORBIDDEN_DIRS=$(echo "$CHANGED_FILES" | grep -E '^(programs|oracles)/' | grep -Ev "$ALLOWED" || true)
if [ -n "$FORBIDDEN_DIRS" ]; then
echo "❌ Forbidden paths detected (only attention-oracle, x402-switchboard allowed):"
echo "$FORBIDDEN_DIRS"
exit 1
fi
# 2) Forbid vendored/build/keys directories in CHANGED files
if echo "$CHANGED_FILES" | grep -E '(^|/)(node_modules|dist|logs|keys)(/|$)' | grep -q .; then
echo "❌ Forbidden vendored/build/keys paths detected"
exit 1
fi
# 3) Forbid .env files in CHANGED files (allow .env.example)
if echo "$CHANGED_FILES" | grep -E '(^|/)\.env($|/)' | grep -q .; then
echo "❌ Forbidden .env path detected"
exit 1
fi
# 4) Forbid database artifacts (*.db) in CHANGED files
if echo "$CHANGED_FILES" | grep -E '\.db($|/|\.)' | grep -q .; then
echo "❌ Forbidden database artifact detected"
exit 1
fi
echo "✅ Guard passed: scope is clean"
- name: Typecheck changed TypeScript scripts
shell: bash
run: |
set -euo pipefail
BASE_SHA='${{ github.event.pull_request.base.sha }}'
HEAD_SHA='${{ github.sha }}'
MB=$(git merge-base "$HEAD_SHA" "$BASE_SHA" 2>/dev/null || echo "")
if [ -n "$MB" ]; then
CHANGED_TS=$(git diff --name-only "$MB"..."$HEAD_SHA" | grep -E '^scripts/.*\.ts$' || true)
else
CHANGED_TS=$(git diff --name-only "${HEAD_SHA}^"..."$HEAD_SHA" | grep -E '^scripts/.*\.ts$' || true)
fi
if [ -z "$CHANGED_TS" ]; then
echo "No TypeScript scripts changed"
exit 0
fi
echo "$CHANGED_TS"
npm install --no-save --package-lock=false --ignore-scripts \
typescript @types/node @solana/web3.js
npx tsc --noEmit --target ES2022 --module Node16 --moduleResolution Node16 \
--types node --skipLibCheck $CHANGED_TS
guard_manual:
if: github.event_name == 'workflow_dispatch'
runs-on: ubuntu-latest
steps:
- name: Collect changed files via GitHub API
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
shell: bash
run: |
set -euo pipefail
PR_NUM='${{ github.event.inputs.pr_number }}'
REPO_FULL="$GITHUB_REPOSITORY" # owner/repo
API_ROOT="https://api.github.com/repos/$REPO_FULL/pulls/$PR_NUM/files?per_page=100"
CHANGED_FILES=""
URL="$API_ROOT"
while [ -n "$URL" ]; do
RESP=$(curl -fsSL -H "Authorization: Bearer $GH_TOKEN" -H "Accept: application/vnd.github+json" "$URL")
PAGE_FILES=$(echo "$RESP" | jq -r '.[].filename')
CHANGED_FILES=$(printf "%s\n%s" "$CHANGED_FILES" "$PAGE_FILES")
# Parse simple pagination via Link header (GitHub sets it; but curl above loses headers). Fallback: single page.
URL="" # best-effort; sufficient for <=100 files
done
CHANGED_FILES=$(echo "$CHANGED_FILES" | sed '/^$/d' | sort -u)
echo "Changed files:\n$CHANGED_FILES"
# 1) Allow only certain subtrees under programs/ and oracles/
ALLOWED='^(programs/(attention-oracle|attention_oracle|wzrd-rails|wzrd_rails|wzrd-markets|wzrd_markets)|oracles/x402-switchboard)(/|$)'
FORBIDDEN_DIRS=$(echo "$CHANGED_FILES" | grep -E '^(programs|oracles)/' | grep -Ev "$ALLOWED" || true)
if [ -n "$FORBIDDEN_DIRS" ]; then
echo "❌ Forbidden paths detected (only attention-oracle, x402-switchboard allowed):"
echo "$FORBIDDEN_DIRS"
exit 1
fi
# 2) Forbid vendored/build/keys directories in CHANGED files
if echo "$CHANGED_FILES" | grep -E '(^|/)(node_modules|dist|logs|keys)(/|$)' | grep -q .; then
echo "❌ Forbidden vendored/build/keys paths detected"
exit 1
fi
# 3) Forbid .env files in CHANGED files (allow .env.example)
if echo "$CHANGED_FILES" | grep -E '(^|/)\.env($|/)' | grep -q .; then
echo "❌ Forbidden .env path detected"
exit 1
fi
# 4) Forbid database artifacts (*.db) in CHANGED files
if echo "$CHANGED_FILES" | grep -E '\.db($|/|\.)' | grep -q .; then
echo "❌ Forbidden database artifact detected"
exit 1
fi
echo "✅ Guard (manual) passed: scope is clean for PR #$PR_NUM"