name: Check Workflow Status Dashboard # Fails when a workflow file is added/renamed without a corresponding row # in docs/ci/workflow-status.md. Pure structural check — no GitHub API # calls, no live data — so it runs fast and doesn't need any auth. # # To fix a failure: regenerate the dashboard with # `pdm run python scripts/generate_workflow_status.py` # This requires `gh` authenticated against the repo. If you can't run it # locally, ping a maintainer to regenerate, or add a temporary placeholder # `\`.yml\`` mention in the file's manual-edit region # to unblock the PR. on: pull_request: paths: - '.github/workflows/**' - 'docs/ci/workflow-status.md' - 'scripts/generate_workflow_status.py' workflow_dispatch: permissions: contents: read jobs: check-structure: runs-on: ubuntu-latest timeout-minutes: 5 steps: - name: Harden the runner (Audit all outbound calls) uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 with: egress-policy: audit - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false - name: Set up Python uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0 with: python-version: '3.12' - name: Install PyYAML # Pinned to match pdm.lock; the rest of the repo uses exact # `==` pins for ad-hoc workflow installs (see e.g. # validate-image-pinning.yml). Floating `~=` ranges can pick up # yanked / replaced patch versions silently. run: pip install pyyaml==6.0.3 - name: Verify dashboard structure run: python scripts/generate_workflow_status.py --check-structure