feat(workflows): file-size as native dryvist workflow (Step 2 of 9, pilot) #9
Closed
JacobPEvans-personal wants to merge 1 commit into
…ilot)

Migrates the file-size check from JacobPEvans-personal/.github (where it lived as the reusable workflow _file-size.yml) into dryvist/.github as a standalone, org-Required-Workflow-shaped check. First migration of the "dryvist owns the workflow library; JacobPEvans-personal consumes" pattern established in CLAUDE.md.

What lands
----------
- .github/workflows/file-size.yml: new. on: pull_request, two checkouts (target + .org-github), runs the script. No inline logic.
- .github/scripts/file-size-check.sh: new (mode 100755). All control flow extracted per the no-scripts rule. Reads org defaults from a trusted file (passed by argument); validates per-repo override values with strict regexes before use (positive int / extension shape / basename shape) since the override file is attacker-controllable on PR runs. Emits ::warning:: for malformed override values rather than silently ignoring them.
- .github/file-size-defaults.yml: new. Carries thresholds (warn: 6144, error: 12288), scan extensions, exempt list. No magic numbers in the workflow or the script - everything threshold-shaped is here.
- CLAUDE.md: rewrites the "Inheritance from JacobPEvans/.github" section to reflect the reversed direction. dryvist/.github is now the source of truth for the shared workflow library; JacobPEvans-personal is a consumer. File-size + markdownlint are sourced here; release-please + renovate-presets + SECURITY.md still inherited pending migration. Scope section updated to enumerate the new .github/scripts/ and .github/<name>-defaults.yml directories.

Per-repo override path
----------------------
Workflow prefers .github/file-size.yml (consolidated location); falls back to legacy .file-size.yml at root with a deprecation warning. Per-repo cleanup (Step 4 of the plan) renames every repo's .file-size.yml to .github/file-size.yml in batched PRs.

What this does NOT do
---------------------
- No deletion of _file-size.yml in JacobPEvans-personal/.github yet - that's atomic-after consumer flips. Sequence: (1) this PR lands here; (2) follow-up PRs flip every `uses: JacobPEvans-personal/.github/... /_file-size.yml@main` reference to `uses: dryvist/.github/.../ file-size.yml@main`; (3) once `gh code-search` confirms zero remaining references, delete the old workflow in JacobPEvans-personal/.github.
- No ruleset binding yet - Step 3 of the plan adds github_organization_ruleset.org_file_size_check in terraform-github, which will inject this workflow into every dryvist repo's PRs without any per-repo caller.

Verification
------------
- shellcheck .github/scripts/file-size-check.sh -> green
- markdownlint-cli2 CLAUDE.md -> 0 errors
- yq parses .github/file-size-defaults.yml and the workflow file -> green

Assisted-by: Claude <noreply@anthropic.com>
Closing per direction: file-size enforcement is a native GitHub feature ( Follow-up moves:
Sorry for the rework — three lessons saved as agent memories for future sessions: file-size is native, no magic numbers / org names in code, CLAUDE.md is always a pointer to AGENTS.md.
Summary

Step 2 of the org-wide config plan — the pilot of "dryvist owns the shared workflow library; JacobPEvans-personal consumes." File-size is the first workflow to make the trip from `JacobPEvans-personal/.github/.github/workflows/_file-size.yml` into this repo.

What lands here:

- `.github/workflows/file-size.yml` — minimal caller (on: pull_request, two checkouts, runs the script). Patterned after the existing `markdownlint.yml`.
- `.github/scripts/file-size-check.sh` (mode `100755`) — all logic extracted per the no-scripts rule. Reads org defaults from a trusted, org-controlled file (passed as `$1`); the per-repo override file is attacker-controllable on PR runs, so every value pulled from it is validated against strict regexes (positive int / extension shape / basename shape) before use. Malformed override values emit `::warning::` and fall back to the org default.
- `.github/file-size-defaults.yml` — thresholds (`warn: 6144`, `error: 12288`), scan extensions, exempt list. Workflow + script have zero magic numbers.
- `CLAUDE.md` — rewrites the inheritance section to flip the direction. `dryvist/.github` is the source of truth for the workflow library going forward; `JacobPEvans-personal/.github` is the consumer. File-size + markdownlint sourced here today; release-please + renovate-presets + SECURITY.md still inherited pending future migrations.

Per-repo override

- `.github/file-size.yml` in the consuming repo (consolidates workflow-consumed configs under `.github/`).
- `.file-size.yml` at root — still read, but emits a `::warning::` to move it. Cleanup happens in Step 4 of the plan (batched per-repo PRs).

Override fields are unchanged from the original `_file-size.yml`:

Sequence

This PR is PR A of a three-PR migration for file-size:

- `uses: JacobPEvans-personal/.github/.github/workflows/_file-size.yml@main` reference to `uses: dryvist/.github/.github/workflows/file-size.yml@main`.
- `JacobPEvans-personal/.github`) — once `gh code-search 'uses: JacobPEvans-personal/.github/.github/workflows/_file-size.yml'` returns zero hits, delete the source.

Step 3 of the parent plan (separate, in `terraform-github`) will then add `github_organization_ruleset.org_file_size_check` that injects this workflow into every dryvist repo's PRs without any per-repo caller — at which point Step 4 deletes the per-repo callers entirely.

Test plan

- `shellcheck .github/scripts/file-size-check.sh` — silent (green)
- `markdownlint-cli2 CLAUDE.md` — 0 errors
- `yq` parses both `.github/file-size-defaults.yml` and `.github/workflows/file-size.yml`
- `.github/scripts/` directory convention
- `uses: dryvist/.github/.github/workflows/file-size.yml@main`)
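
The override handling described in this PR, as an added example (not the PR's `file-size-check.sh`, which is not shown on this page): values from the per-repo override file are treated as untrusted, matched as whole strings, and replaced by the org default with a `::warning::` when malformed. The function names and the exact accepted shapes are assumptions, and POSIX `case` patterns stand in for the regexes the PR mentions.

```sh
#!/bin/sh
# Added example: validate untrusted per-repo override values before use.
# Function names and accepted shapes are assumptions, not the PR's script.
LC_ALL=C; export LC_ALL   # make bracket ranges such as [a-z] byte-exact

# Positive integer: digits only, no leading zero, at most 9 digits.
# case patterns match the whole string, so embedded newlines are rejected.
is_pos_int() {
  case "$1" in ''|0*|*[!0-9]*) return 1 ;; esac
  [ "${#1}" -le 9 ]
}

# Extension shape: 1-16 ASCII letters/digits, no dot, no path characters.
is_extension() {
  case "$1" in ''|*[!A-Za-z0-9]*) return 1 ;; esac
  [ "${#1}" -le 16 ]
}

# Basename shape: one path component, no leading '-', not '.' or '..'.
is_basename() {
  case "$1" in ''|.|..|-*|*[!A-Za-z0-9._-]*) return 1 ;; esac
  [ "${#1}" -le 255 ]
}

# resolve_threshold NAME OVERRIDE DEFAULT
# Prints OVERRIDE if it is a valid positive integer, otherwise DEFAULT.
resolve_threshold() {
  if [ -z "$2" ]; then            # no override supplied
    printf '%s\n' "$3"
  elif is_pos_int "$2"; then
    printf '%s\n' "$2"
  else
    # Never echo the raw value: it could carry its own workflow commands.
    # stderr keeps the warning out of the value captured from stdout.
    echo "::warning::invalid override for $1; using org default $3" >&2
    printf '%s\n' "$3"
  fi
}

# filter_list CHECK ITEM... : print the items that pass CHECK, one per line.
filter_list() {
  check=$1; shift
  for item in "$@"; do
    if "$check" "$item"; then printf '%s\n' "$item"
    else echo "::warning::dropped malformed override entry" >&2; fi
  done
}
```
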