Refresh TEST-REPORT for v0.9.0 cut #3
Workflow file for this run
```yaml
# Release gate.
#
# Runs on every tag push (vX.Y.Z). Two blocking checks:
#
#   1. The tagged commit must be reachable from main. Tags on feature
#      branches don't release — main is the canonical line of history.
#   2. The auto-generated TEST-REPORT block in README.md must record
#      the current source's code hash. The block is only ever written
#      by scripts/update-test-report.sh after a green run of the full
#      test suite, so a matching hash means "this exact source passed
#      end-to-end, locally, on a Docker host that could run the e2e
#      harness".
#
# The gate is intentionally cheap and trust-based: it does not re-run
# the e2e harness in CI (Docker-in-Docker on GitHub-hosted runners
# is flaky and slow). The trust chain is "update-test-report.sh only
# writes README.md on green" → "matching hash ⇒ matching green run".
#
# To unblock a tag whose check failed:
#   - tag-not-on-main: merge to main first, re-tag.
#   - report-stale: run scripts/update-test-report.sh locally,
#     commit README.md, re-tag.
name: Release gate
on:
  push:
    tags:
      - 'v*'
permissions:
  contents: read
jobs:
  verify-tag-on-main:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Full history so merge-base can decide ancestry. Without
          # fetch-depth: 0 the runner only has the tagged commit.
          fetch-depth: 0
      - name: Tag must be reachable from main
        run: |
          git fetch --no-tags origin main:refs/remotes/origin/main
          if ! git merge-base --is-ancestor "$GITHUB_SHA" origin/main; then
            echo "::error::Tagged commit $GITHUB_SHA is not on main."
            echo "Releases must come from main. Merge to main first, then re-tag."
            exit 1
          fi
          echo "Tag is on main ✓"
  verify-test-report:
    needs: verify-tag-on-main
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Verify recorded test report matches current source
        run: bash scripts/verify-test-report.sh
```
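The second check calls scripts/verify-test-report.sh, which is not shown on this page. The sketch below is an added example, not the project's script, of how a hash gate of this kind can fail closed. The `<!-- TEST-REPORT:START -->` / `<!-- TEST-REPORT:END -->` markers, the `code-hash:` line and the hashing recipe (SHA-256 over every file except README.md) are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added illustration; marker strings, the "code-hash:" line and the hashing
# recipe are assumptions, not taken from the project's scripts.

# SHA-256 over every file's digest, in sorted path order. README.md and .git
# are excluded: the README stores the hash, so including it would be circular.
code_hash() {
  ( cd "$1" && find . -type f ! -path './README.md' ! -path './.git/*' -print0 \
      | LC_ALL=C sort -z | xargs -0 -r sha256sum | sha256sum | cut -d' ' -f1 )
}

# Read the recorded hash from inside the generated block only, so a hash
# pasted elsewhere in README.md is ignored.
recorded_hash() {
  sed -n '/<!-- TEST-REPORT:START -->/,/<!-- TEST-REPORT:END -->/s/^code-hash: *\([0-9a-f]\{64\}\)$/\1/p' "$1"
}

# 0 = match, 1 = report-stale, 2 = block missing or malformed (fail closed).
verify_report() {
  local want have
  want=$(recorded_hash "$1/README.md")
  have=$(code_hash "$1")
  if [ -z "$want" ]; then
    echo "::error::README.md has no TEST-REPORT code hash."; return 2
  fi
  if [ "$want" != "$have" ]; then
    echo "::error::report-stale: recorded $want, source is $have."; return 1
  fi
  echo "Test report matches source ✓"
}

# Constructed demo tree: record a hash, verify, then change the source.
demo() {
  local d; d=$(mktemp -d)
  mkdir -p "$d/src" && printf 'echo hi\n' > "$d/src/app.sh"
  printf '<!-- TEST-REPORT:START -->\ncode-hash: %s\n<!-- TEST-REPORT:END -->\n' \
    "$(code_hash "$d")" > "$d/README.md"
  verify_report "$d"
  printf 'echo changed\n' >> "$d/src/app.sh"
  verify_report "$d" || echo "gate blocks (exit $?)"
  rm -rf "$d"
}
demo
```

A matching hash in this scheme shows only that README.md and the source agree; as the workflow's own comments say, the gate still trusts that the block was written after a green run.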