refactor(quality-gate): manifest + self-ci only; consumers own their drift-gate workflow#6

Merged: NWarila merged 4 commits into main from feat/use-drift-gate-action, May 9, 2026
@NWarila NWarila commented May 8, 2026

Summary

This PR turns `nwarila-platform/.github` into a lean source-of-truth repo for the org baseline:

  • `baseline-manifest.json` — which files must mirror byte-for-byte in every consumer.
  • `.github/workflows/self-ci.yml` — slimmed to validate the manifest's schema and confirm every `source` path resolves on disk, before consumers see a broken manifest.
  • That's it. No tooling, no shipped workflow.

The old plan (org repository ruleset injects `org-baseline.yml` into every consumer's PRs) is dropped. Each consumer now owns a thin `drift-gate.yaml` that calls NWarila/drift-gate directly. Reference wiring is live in nwarila-platform/github-terraform-framework PR #42.

Net diff

| | Lines |
|---|---|
| Removed Python tooling (tools/, tests/, pyproject.toml, .gitignore) | -779 |
| Replaced inline workflow with delegation to NWarila/drift-gate | (was on first commit; reverted in last) |
| Removed org-baseline.yml entirely (no injection) | -58 |
| Slimmed self-ci.yml to manifest validation only | net change |
| Total | ~-840 |

Commits

  1. `refactor` — remove inline Python tooling, delegate to NWarila/drift-gate
  2. `chore(deps)` — bump drift-gate pin (rendering upgrade + stdlib-only refactor)
  3. `chore(workflows)` — remove org-baseline.yml (no ruleset injection)

Test plan

  • `self-ci / validate manifest` passes (manifest schema validates, all 3 ADR sources resolve on disk).
  • No `verify` job to skip — file deleted, not just gated.
  • Reference consumer wiring demonstrates the pattern: each consumer's `.github/workflows/drift-gate.yaml` pins `NWarila/drift-gate@` and supplies `source-repo`, `source-ref`, and `manifest` inputs.
  • Red-fire view captured on PR #43 (now closed): banner, stats, linked file table, inline annotation at first-diff-line, unified diff in raw_details, source pin footer.

🤖 Generated with Claude Code

NWarila and others added 3 commits May 8, 2026 23:46
…e action

The drift-detection logic now lives in its own SHA-pinned composite
action at NWarila/drift-gate. This repo keeps only the source-of-truth
inputs:

  - baseline-manifest.json: which org files must be byte-identical
    in every consumer
  - .github/workflows/org-baseline.yml: thin wrapper that delegates
    to drift-gate@<sha>; org ruleset injects this into every PR
  - .github/workflows/self-ci.yml: validates the manifest on this
    repo's own PRs (parses against schema, every source resolves)

Removed: pyproject.toml, tools/org_baseline/, tests/, .gitignore.
All of that lives in NWarila/drift-gate now and is independently
tested + linted there. Single source of truth, single supply-chain
pin, one place to bump.

The org ruleset reference (workflow file path) is unchanged, so any
existing or pending repository ruleset configuration keeps working.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Picks up the rendering upgrade (banner + linked source pin + per-DRIFT
unified diff in `<details>` and `raw_details`, first-diff-line
annotations, footer with source-repo@source-ref + engine link) and
the stdlib-only refactor (no setup-python, no pip install on the
consumer hot path, ~15s saved per PR).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Originally org-baseline.yml lived here so an org-level repository
ruleset could inject it into every consumer's PRs (the
"consumers add nothing" architecture). That mechanism is no longer
the chosen wiring model — each consumer now owns a thin
drift-gate.yaml that calls NWarila/drift-gate directly.

With injection off the table, this file has no purpose: it doesn't
run on consumers (no injection), and on the canonical itself the
self-skip check turns it into a no-op anyway. Deleting it.

What stays:
  - baseline-manifest.json: org-level source of truth for which
    files must mirror byte-for-byte in every consumer.
  - .github/workflows/self-ci.yml: validates the manifest schema
    + every source path resolves on disk, on every PR into this
    repo. Catches manifest bugs before consumers see them.

Reference wiring for consumers lives at
nwarila-platform/github-terraform-framework/.github/workflows/drift-gate.yaml
(PR #42).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

@NWarila NWarila changed the title from "refactor(quality-gate): swap inline drift tooling for NWarila/drift-gate action" to "refactor(quality-gate): manifest + self-ci only; consumers own their drift-gate workflow" on May 9, 2026

Adopts a three-tier ADR model — org / template / repo — and enforces
the full /docs layout skeleton via .gitkeep placeholders mirrored to
every adopting child repository.

Why three tiers
---------------
Two tiers (org + repo) leaves type-specific decisions homeless. A
"Terraform repos require Terraform 1.15" decision is too narrow for
the org baseline (it only matters to Terraform consumers) and too
broad for any single repo (it recurs across every Terraform consumer).
The new template tier — sourced from per-stack template repositories
like NWarila/terraform-runner-template or NWarila/secure-packer-bootstrapper —
is the right home for those.

The three tiers use independent four-digit numbering namespaces. The
same number can appear in org/, template/, and repo/ without conflict
because each namespace is governed by a different source.

Why a layout skeleton
---------------------
Every adopting repo carries `docs/decision-records/{org,template,repo}/`
plus the four Diátaxis quadrants `docs/{tutorials,how-to,reference,
explanation}/`, even when individual scopes are empty. The presence
of the directories (via .gitkeep placeholders) gives every repo the
same predictable shape so a reader can navigate any consumer with
the same mental model. Content in each scope remains opt-in — the
skeleton enforces *layout*, not population.

What changes
------------
- ADR-0001: rewritten Decision Outcome to define three scopes;
  Confirmation gains a "Type-template mirror check" and a
  "Layout-skeleton check"; HTML comment header and "How to author"
  block extended with template-tier authoring steps; Consequences
  updated to reflect the dual-source duplication and the
  three-directory layout.
- ADR-0002: existing references to {org,repo}/ updated to
  {org,template,repo}/ throughout; Confirmation gains a
  "Layout-skeleton check" for the four Diátaxis quadrants.
- docs/decision-records/README.md: rewritten "How to Contribute"
  scope decision to include the type-template option; Conventions
  updated to describe the full three-tier directory layout.
- New .gitkeep placeholders (zero bytes each):
    * docs/decision-records/org/.gitkeep
    * docs/decision-records/template/.gitkeep
    * docs/decision-records/repo/.gitkeep
    * docs/tutorials/.gitkeep
    * docs/how-to/.gitkeep
    * docs/reference/.gitkeep
    * docs/explanation/.gitkeep
- baseline-manifest.json: 3 → 10 entries. The 7 new entries pin
  every .gitkeep at 1:1 source/target paths (no /org/ transformation
  for layout placeholders — they're not org-baseline content).

Verified locally: drift-gate's stdlib-only manifest loader parses
the new manifest cleanly and all 10 sources resolve on disk.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@NWarila NWarila merged commit 4c905cd into main May 9, 2026
1 check passed
@NWarila NWarila deleted the feat/use-drift-gate-action branch May 9, 2026 00:53
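
The two checks this PR describes, manifest validation (schema, every `source` resolves on disk) and the byte-for-byte mirror comparison, as an added example that is not code from this repository or from NWarila/drift-gate. Only the `source`/`target` field names come from the page; the top-level `files` key, the rejection of absolute and `..` paths, and the sample trees are assumptions constructed for illustration.

```python
import tempfile
from pathlib import Path, PurePosixPath


def validate_manifest(manifest: dict, source_root: Path) -> list[str]:
    """Return schema/resolution errors; an empty list means the manifest is usable."""
    entries = manifest.get("files")  # assumed top-level key, not taken from the page
    if not isinstance(entries, list) or not entries:
        return ["manifest must contain a non-empty 'files' list"]
    errors = []
    for i, entry in enumerate(entries):
        for key in ("source", "target"):
            value = entry.get(key) if isinstance(entry, dict) else None
            if not isinstance(value, str) or not value:
                errors.append(f"files[{i}].{key}: missing or not a string")
                continue
            p = PurePosixPath(value)
            if p.is_absolute() or ".." in p.parts:
                errors.append(f"files[{i}].{key}: must stay inside the repo: {value}")
            elif key == "source" and not (source_root / p).is_file():
                errors.append(f"files[{i}].source: does not resolve on disk: {value}")
    return errors


def find_drift(manifest: dict, source_root: Path, consumer_root: Path) -> dict[str, str]:
    """Map each drifted target to 'missing' or 'differs' (exact byte comparison)."""
    drift = {}
    for entry in manifest["files"]:
        target = consumer_root / entry["target"]
        if not target.is_file():
            drift[entry["target"]] = "missing"
        elif target.read_bytes() != (source_root / entry["source"]).read_bytes():
            drift[entry["target"]] = "differs"
    return drift


def demo():
    """Constructed sample trees: a zero-byte .gitkeep that mirrors, a file that drifted."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "canonical"), Path(tmp, "consumer")
        for root in (src, dst):
            (root / "docs/how-to").mkdir(parents=True)
            (root / "docs/how-to/.gitkeep").write_bytes(b"")
        (src / "POLICY.md").write_bytes(b"baseline v1\n")
        (dst / "POLICY.md").write_bytes(b"baseline v1 \n")  # one stray space
        good = {"files": [{"source": "docs/how-to/.gitkeep", "target": "docs/how-to/.gitkeep"},
                          {"source": "POLICY.md", "target": "POLICY.md"}]}
        bad = {"files": [{"source": "absent.md", "target": "../escape.md"}]}
        return validate_manifest(good, src), find_drift(good, src, dst), validate_manifest(bad, src)
```

Running `validate_manifest` in the source repo's own CI and `find_drift` in each consumer matches the split the PR settles on: a broken manifest fails before any consumer pins it.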