tractatus/.github/workflows/sync-public-docs.yml
TheFlow 8ee66ed5a9 fix: update validation script to allow legitimate public info
Security Validation Improvements:
- Added pm.me to allowed email domains (public contact email)
- Added code block detection to skip infrastructure patterns in examples
- Port numbers in markdown code blocks no longer flagged
- Fixes false positives blocking README.md sync

Workflow Improvements:
- Added issues:write permission to notify-failure job
- Fixes 403 error when creating failure notification issues

This allows the public README with code examples and contact info
to pass validation while still blocking actual security issues.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-09 15:23:40 +13:00

175 lines
5.6 KiB
YAML

name: Sync Documentation to Public Repository

on:
  push:
    branches:
      - main
    paths:
      - 'docs/case-studies/**/*.md'
      - 'docs/research/**/*.md'
      - 'README.md'
  workflow_dispatch:
    inputs:
      skip_validation:
        description: 'Skip security validation (USE WITH CAUTION)'
        required: false
        default: 'false'
        type: choice
        options:
          - 'false'
          - 'true'

jobs:
  validate-and-sync:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout Private Repository
        uses: actions/checkout@v4
        with:
          path: tractatus-private
          fetch-depth: 0

      - name: Checkout Public Repository
        uses: actions/checkout@v4
        with:
          repository: AgenticGovernance/tractatus-framework
          token: ${{ secrets.PUBLIC_REPO_TOKEN }}
          path: tractatus-public
          fetch-depth: 0

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'

      - name: Install Dependencies
        run: |
          cd tractatus-private
          npm ci

      - name: Run Security Validation
        if: github.event.inputs.skip_validation != 'true'
        id: validation
        run: |
          cd tractatus-private
          node scripts/validate-public-sync.js
        env:
          SYNC_MODE: github-actions

      - name: Sync Case Studies
        if: success()
        run: |
          # Create directory if it doesn't exist
          mkdir -p tractatus-public/docs/case-studies

          # Copy case studies (only if they exist and passed validation)
          for file in tractatus-private/docs/case-studies/*.md; do
            if [ -f "$file" ]; then
              filename=$(basename "$file")
              echo "Syncing case study: $filename"
              cp "$file" "tractatus-public/docs/case-studies/$filename"
            fi
          done

      - name: Sync Research Topics
        if: success()
        run: |
          # Create directory if it doesn't exist
          mkdir -p tractatus-public/docs/research

          # Copy research topics (only if they exist and passed validation)
          for file in tractatus-private/docs/research/*.md; do
            if [ -f "$file" ]; then
              filename=$(basename "$file")
              echo "Syncing research topic: $filename"
              cp "$file" "tractatus-public/docs/research/$filename"
            fi
          done

      - name: Sync README (if sanitized)
        if: success()
        run: |
          # Only sync README if it has been marked as sanitized
          if grep -q "<!-- PUBLIC_REPO_SAFE -->" tractatus-private/README.md; then
            echo "README marked as sanitized, syncing..."
            cp tractatus-private/README.md tractatus-public/README.md
          else
            echo "README not marked as sanitized, skipping sync"
          fi

      - name: Configure Git
        if: success()
        run: |
          cd tractatus-public
          git config user.name "Tractatus Framework Bot"
          git config user.email "noreply@agenticgovernance.org"

      - name: Commit and Push Changes
        if: success()
        run: |
          cd tractatus-public
          # Check if there are changes
          if [ -n "$(git status --porcelain)" ]; then
            git add docs/case-studies/*.md docs/research/*.md README.md 2>/dev/null || true

            # Record the staged file list now: after `git commit` the index is clean,
            # so a later `git diff --cached` would report nothing
            git diff --cached --name-only > ../synced-files.txt

            # Get commit message from private repo
            COMMIT_MSG=$(cd ../tractatus-private && git log -1 --pretty=%B)

            git commit -m "docs: sync from private repo" -m "Original commit: $COMMIT_MSG" -m "Automated sync from private repository" -m "Validated by: scripts/validate-public-sync.js"
            git push origin main
            echo "✅ Changes synced successfully"
          else
            echo "No changes to sync"
          fi

      - name: Create Sync Report
        if: always()
        run: |
          cd tractatus-private

          # Generate sync report (synced-files.txt only exists when the commit step ran)
          echo "# Sync Report - $(date -u +%Y-%m-%d)" > sync-report.md
          echo "" >> sync-report.md
          echo "## Validation Status" >> sync-report.md
          echo "- Security Validation: ${{ steps.validation.outcome || 'skipped' }}" >> sync-report.md
          echo "- Files Synced: $(wc -l 2>/dev/null < ../synced-files.txt || echo 0)" >> sync-report.md
          echo "" >> sync-report.md
          echo "## Changed Files" >> sync-report.md
          cat ../synced-files.txt >> sync-report.md 2>/dev/null || echo "No changes" >> sync-report.md

      - name: Upload Sync Report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: sync-report
          path: tractatus-private/sync-report.md
          retention-days: 30

  notify-failure:
    runs-on: ubuntu-latest
    needs: validate-and-sync
    if: failure()
    permissions:
      issues: write

    steps:
      - name: Create Issue on Failure
        uses: actions/github-script@v7
        with:
          script: |
            await github.rest.issues.create({
              owner: 'AgenticGovernance',
              repo: 'tractatus',
              title: '🚨 Public Docs Sync Failed',
              body: `The automated sync to public repository failed.

            **Workflow Run:** ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
            **Commit:** ${{ github.sha }}
            **Branch:** ${{ github.ref }}

            Please review the workflow logs and validation report.`,
              labels: ['automation', 'sync-failure']
            })
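The commit message describes three changes to the validation gate this workflow runs: infrastructure patterns inside code blocks are skipped, port numbers in code examples are no longer flagged, and `pm.me` is an allowed contact domain. The block below is an added illustration of that approach written for this page; it is not the project's `scripts/validate-public-sync.js`, and the pattern set, the domain allowlist and the sample README are constructed assumptions. It masks fenced and inline code while keeping line numbers stable, then scans the remaining prose.

```javascript
// Added illustration of the validation approach the commit message describes.
// This is NOT the project's scripts/validate-public-sync.js: the pattern set,
// the e-mail allowlist and the sample document below are assumptions built
// for this example.

// Public contact domains that may appear in the synced docs (assumed allowlist).
const ALLOWED_EMAIL_DOMAINS = new Set(['pm.me']);

// A fenced block: an opening fence line, anything, then a closing fence on its own line.
const FENCED_BLOCK = /^[ \t]*`{3,}[^\n]*\n[\s\S]*?^[ \t]*`{3,}[ \t]*$/gm;
// An inline code span on a single line.
const INLINE_CODE = /`[^`\n]+`/g;

// Infrastructure details that should not reach a public repository (assumed set).
// Each regex carries the g flag so matchAll() works.
const FINDING_PATTERNS = [
  { kind: 'email',         re: /\b([A-Za-z0-9._%+-]+)@([A-Za-z0-9.-]+\.[A-Za-z]{2,})\b/g },
  { kind: 'private-ip',    re: /\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b/g },
  { kind: 'port',          re: /\b(?:localhost|\d{1,3}(?:\.\d{1,3}){3}|[a-z][a-z0-9.-]*):(\d{2,5})\b/gi },
  { kind: 'internal-host', re: /\b(?:[a-z0-9-]+\.)+(?:internal|local|lan|corp)\b/gi },
];

// Blank out code so examples are not scanned, while keeping line numbers stable:
// a fenced block becomes the same number of empty lines, an inline span becomes spaces.
function maskCodeBlocks(markdown) {
  const noFences = markdown.replace(FENCED_BLOCK, (block) => '\n'.repeat((block.match(/\n/g) || []).length));
  return noFences.replace(INLINE_CODE, (span) => ' '.repeat(span.length));
}

// Scan the prose (code masked) and return every finding as { line, kind, match }.
// Addresses at an allowlisted domain are not findings.
function validateMarkdown(markdown) {
  const findings = [];
  maskCodeBlocks(markdown).split('\n').forEach((line, index) => {
    for (const { kind, re } of FINDING_PATTERNS) {
      for (const m of line.matchAll(re)) {
        if (kind === 'email' && ALLOWED_EMAIL_DOMAINS.has(m[2].toLowerCase())) continue;
        findings.push({ line: index + 1, kind, match: m[0] });
      }
    }
  });
  return findings;
}

// The sync gate: a document may be published only when nothing was flagged.
function isSafeForPublic(markdown) {
  return validateMarkdown(markdown).length === 0;
}

// Constructed sample README: a public contact address, a code example with a port,
// an inline code span with a port, and two lines that really do leak internals.
const FENCE = '`'.repeat(3);
const SAMPLE_README = [
  '# Tractatus',
  '',
  'Contact: hello@pm.me',
  '',
  'Run the dev server:',
  '',
  FENCE + 'bash',
  'npm start -- --port 3000',
  'curl http://localhost:3000/health',
  FENCE,
  '',
  'Check `localhost:8080` for the admin UI.',
  'Internal staging host: build.corp.internal at 10.0.4.12:8443',
  'Ops contact: ops@example-internal.test',
].join('\n');

console.log(JSON.stringify(validateMarkdown(SAMPLE_README), null, 2));
console.log('safe for public:', isSafeForPublic(SAMPLE_README));
```

On the sample, the `pm.me` address, the fenced `bash` block and the inline `localhost:8080` span produce no findings, while the staging host, the private address with its port and the non-allowlisted contact address on the last two lines are flagged with their line numbers. An unclosed fence is deliberately not masked, so its lines are still scanned: for a leak check the safe failure direction is a false positive. Whenever a pattern is relaxed to remove a false positive, as this commit does, keep a paired test that the same kind of value outside a code block is still caught.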