Files
wehub-resource-sync 26382a7ac6
CI / Clippy (push) Failing after 15m13s
CI / Test (ubuntu-latest) (push) Failing after 16m1s
CI / Test (macos-latest) (push) Has been cancelled
CI / Test (windows-latest) (push) Has been cancelled
CI / Build (no embeddings / no ORT) (push) Has been cancelled
CI / Format (push) Has been cancelled
CI / Cookbook (Node) (push) Has been cancelled
CI / Pi Extension (Node) (push) Has been cancelled
CI / Rust SDK (lean-ctx-client) (push) Has been cancelled
CI / Embed SDK (lean-ctx-sdk) (push) Has been cancelled
CI / Python SDK (leanctx) (push) Has been cancelled
CI / Hermes Plugin (Python) (push) Has been cancelled
CI / SDK Conformance Matrix (push) Has been cancelled
CI / Coverage (push) Has been cancelled
CI / cargo-deny (push) Has been cancelled
CI / Adversarial Safety (push) Has been cancelled
CI / Benchmarks (push) Has been cancelled
CI / Output-Quality Gate (eval A/B) (push) Has been cancelled
CI / Documentation (push) Has been cancelled
CI / CI Green (push) Has been cancelled
JetBrains Plugin / Actionlint (push) Has been cancelled
CodeQL / Analyze (actions) (push) Has been cancelled
CodeQL / Analyze (javascript-typescript) (push) Has been cancelled
CodeQL / Analyze (rust) (push) Has been cancelled
JetBrains Plugin / Validation (push) Has been cancelled
JetBrains Plugin / Build (push) Has been cancelled
JetBrains Plugin / Test (push) Has been cancelled
Security Check / Security Scan (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 12:35:30 +08:00

45 lines
1.6 KiB
YAML

name: Addon Registry Freshness
# The curated addon registry pins every upstream package to an exact version
# (supply-chain safety), but pins go stale silently. This lightweight,
# non-blocking check resolves each pin against its registry (PyPI/npm/NuGet/
# crates.io) and reports drift. It is intentionally NOT part of the `CI Green`
# gate — an upstream release must never break our own build.
on:
schedule:
- cron: "0 6 * * 1" # Mondays 06:00 UTC — weekly drift alert
workflow_dispatch:
pull_request:
branches: [main]
# Only when the registry or the checker itself changes, so unrelated PRs
# are never nagged — but a pin bump is validated the moment it is proposed.
paths:
- rust/data/addon_registry.json
- scripts/check-addon-versions.py
- .github/workflows/addon-versions.yml
permissions:
contents: read
jobs:
check:
name: Check addon pins vs upstream
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4 # v4
with:
persist-credentials: false
- uses: actions/setup-python@v5 # v5
with:
python-version: "3.11"
- name: Resolve pinned addon versions against upstream registries
shell: bash
# Warn-only on PRs / manual runs (annotations, exit 0); the weekly
# scheduled run is `--strict` so drift turns the run red as a real alert.
run: |
if [ "${{ github.event_name }}" = "schedule" ]; then
python3 scripts/check-addon-versions.py --strict
else
python3 scripts/check-addon-versions.py
fi