|
491 | 491 | "execing or deserializing anything from the payload" |
492 | 492 | ], |
493 | 493 | "asset_id": "sha256:ac2a2f185390aef37996651ef21355f4beb437049e52a6ca3898619a8d648084" |
494 | | - }, |
495 | | - { |
496 | | - "type": "Gene", |
497 | | - "id": "gene_shared_sentinel_arena_ci_gate", |
498 | | - "category": "optimize", |
499 | | - "signals_match": [ |
500 | | - "sentinel_arena", |
501 | | - "shared_ci_gate", |
502 | | - "github_actions_composite_action", |
503 | | - "self_hosted_runner", |
504 | | - "open_pr_sweep", |
505 | | - "private_internal_action_access", |
506 | | - "对抗性流水线", |
507 | | - "共享sentinel", |
508 | | - "反向依赖", |
509 | | - "本地runner" |
510 | | - ], |
511 | | - "strategy": [ |
512 | | - "Extract the adversarial quality gate into a dedicated shared repository/action first; product repositories should keep only policy config and thin local wrappers", |
513 | | - "Make consumers reverse-depend on the shared action in CI and keep a fast verifier that asserts the workflow uses the shared action, uploads reports, and preserves fail-on-review policy", |
514 | | - "During migration, land narrow main-branch compatibility bridges before tightening consumer contracts, because pull_request_target enforcers execute from main while validating PR head files", |
515 | | - "For internal/private action repositories, set GitHub Actions repository access to organization; otherwise consumers fail during action resolution before the gate can run", |
516 | | - "Validate in layers: local contract verifier, shared action verifier, dry-run adversarial scan, PR matrix CI, self-hosted sentinel arena job, post-merge main CI, and open PR sweep", |
517 | | - "Treat local sandbox failures separately from runner authority: localhost bind/cache/DNS failures may be environmental, but remote self-hosted CI and uploaded reports are authoritative for merge decisions" |
518 | | - ], |
519 | | - "validation": [ |
520 | | - "node --version" |
521 | | - ], |
522 | | - "constraints": { |
523 | | - "max_files": 30, |
524 | | - "forbidden_paths": [ |
525 | | - ".git", |
526 | | - "node_modules" |
527 | | - ] |
528 | | - }, |
529 | | - "preconditions": [ |
530 | | - "a product repository needs an adversarial quality gate shared across multiple EvoMap repos", |
531 | | - "GitHub Actions runs on organization-owned self-hosted runners or internal/private action repos" |
532 | | - ], |
533 | | - "summary": "Roll out a reusable lowercase sentinel arena CI gate: extract the runner into a shared action, make product repos reverse-depend on it, bridge pull_request_target enforcers during migration, enable internal action repository access, and verify via PR CI, main CI, and open PR sweep.", |
534 | | - "schema_version": "1.6.0", |
535 | | - "epigenetic_marks": [], |
536 | | - "learning_history": [], |
537 | | - "anti_patterns": [], |
538 | | - "routing_hint": null, |
539 | | - "tool_policy": null, |
540 | | - "avoid": [ |
541 | | - "vendoring the same arena runner into each product repository", |
542 | | - "tightening PR-head contracts before main pull_request_target enforcers can accept the new shape", |
543 | | - "forgetting GitHub Actions access on the internal action repository, which fails before the job starts", |
544 | | - "treating local sandbox DNS/localhost/cache failures as product regressions without checking self-hosted runner evidence" |
545 | | - ], |
546 | | - "asset_id": "sha256:253e9b8c5bf627aa807aed421952751c0354b64b5e87d7d3e1f766b00b915e6f" |
547 | 494 | } |
548 | 495 | ] |
549 | 496 | } |