Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
36 changes: 36 additions & 0 deletions .github/rulesets/main-branch.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
{
"name": "main-branch-protection",
"target": "branch",
"enforcement": "active",
"conditions": {
"ref_name": {
"include": ["~DEFAULT_BRANCH"],
"exclude": []
}
},
"rules": [
{ "type": "deletion" },
{ "type": "non_fast_forward" },
{
"type": "pull_request",
"parameters": {
"required_approving_review_count": 1,
"dismiss_stale_reviews_on_push": false,
"require_code_owner_review": false,
"require_last_push_approval": false,
"required_review_thread_resolution": false,
"allowed_merge_methods": ["merge", "squash", "rebase"]
}
},
{
"type": "required_status_checks",
"parameters": {
"strict_required_status_checks_policy": false,
"required_status_checks": [
{ "context": "go-test", "integration_id": 15368 },
{ "context": "docker-build", "integration_id": 15368 }
]
}
}
]
}
47 changes: 47 additions & 0 deletions .github/workflows/docker-build-check.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
name: Docker build check

# PR-time gate for the repo's real build contract: the two Dockerfile targets
# that "Build and Push providers-vibedata" publishes from main. Builds amd64
# only and never pushes — it exists so a Dockerfile break is caught before
# merge instead of on the main publish run.

permissions:
contents: read

on:
# ready_for_review: upstream-sync drafts are created with GITHUB_TOKEN, whose
# events trigger no workflows — marking the draft ready must start the checks.
pull_request:
types: [opened, synchronize, reopened, ready_for_review]
branches:
- main

concurrency:
group: docker-build-check-${{ github.ref }}
cancel-in-progress: true

jobs:
docker-build:
runs-on: ubuntu-latest
timeout-minutes: 60
steps:
- uses: actions/checkout@v4

- name: Set up Buildx
uses: docker/setup-buildx-action@v3

- name: Build providers target
uses: docker/build-push-action@v6
with:
context: .
target: providers
platforms: linux/amd64
push: false

- name: Build encryption-bins target
uses: docker/build-push-action@v6
with:
context: .
target: encryption-bins
platforms: linux/amd64
push: false
5 changes: 4 additions & 1 deletion .github/workflows/test.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,10 @@ permissions:
contents: read

on:
# ready_for_review: upstream-sync drafts are created with GITHUB_TOKEN, whose
# events trigger no workflows — marking the draft ready must start the checks.
pull_request:
types: [opened, synchronize, reopened, ready_for_review]
branches:
- main

Expand All @@ -17,7 +20,7 @@ jobs:
uses: actions/checkout@v4

- name: Set up Go
uses: actions/setup-go@v4
uses: actions/setup-go@v5
with:
go-version: "1.26"

Expand Down
35 changes: 35 additions & 0 deletions AGENTS.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
# Providers (Accelerate fork)

Fork of `obot-platform/providers`: model and auth providers for the Obot MCP gateway. Each provider is its own Go module (e.g. `github-auth-provider/`, `generic-oauth-auth-provider/`, `openai-model-provider/`); the `Dockerfile` packages them into two images.

## CI Gates and Release Contract

This repo publishes two Studio release inputs:

- `ghcr.io/accelerate-data/providers-vibedata:latest`
- `ghcr.io/accelerate-data/providers-vibedata/encryption-bins:latest`

Studio's nightly release pipeline resolves the `:latest` digests at candidate time and pins them into the candidate tag (vd-studio `docs/functional/release-management/README.md`). The `accelerate-data/obot` image build also consumes both images as `FROM` inputs, pinned to verified digests.

### Required checks on `main`

The GitHub ruleset is versioned at `.github/rulesets/main-branch.json`. Create it with `gh api repos/accelerate-data/providers/rulesets --input .github/rulesets/main-branch.json`; update an existing one with `--method PUT` against `.../rulesets/<id>`. Required contexts:

- `go-test` (`test.yaml`) — Go tests for the auth provider modules.
- `docker-build` (`docker-build-check.yml`) — builds both Dockerfile targets (amd64, no push), the repo's real build contract.

Do not add paths filters to a required check's workflow — non-matching PRs could never merge.

Upstream-sync PRs are drafts created with `GITHUB_TOKEN`, whose events trigger no workflows — the required checks start when a maintainer marks the PR ready for review. If the branch is updated by automation after that, close and reopen the PR to re-trigger the checks.

### Image publication is fail-closed

`build-vibedata-providers.yml` (push to `main` or manual dispatch) is the only workflow that advances the `:latest` tags; the upstream `Build providers` / `Build release encryption bins` workflows are `workflow_dispatch`-only. Stage order: per-arch builds pushed by digest only (untagged) → manifest merge creates the `:latest` tags → both-arch verification → cosign signing. A failure at any stage leaves the previous `:latest` untouched.

If Studio picks up a broken or stale providers input, the owning failure is a red `Build and Push providers-vibedata` run on `main` in this repo.

### Local verification

- `make test` — Go tests for the auth providers
- `make docker-build` — builds the providers image target locally
- `docker build --target encryption-bins .` — builds the encryption-bins target
Loading