Skip to content

Make catalog validation real and guard against link rot#4

Merged
scotwells merged 1 commit into
mainfrom
ci/harden-validation
Jul 1, 2026
Merged

Make catalog validation real and guard against link rot#4
scotwells merged 1 commit into
mainfrom
ci/harden-validation

Conversation

@scotwells

Copy link
Copy Markdown
Contributor

Why

The catalog's job is to make plugins installable and trustworthy. Its CI wasn't doing that.

The PR validation check was a false green: it built its file list from git diff origin/main...HEAD against a shallow checkout that has no origin/main ref, so the list was always empty. Schema, URL-resolution, and checksum verification never ran — the check passed in ~6s having validated nothing. (Seen directly on #1, where the job's log shows for f in ; do.)

What this changes

  • Validation that actually runs, over the whole catalog. Every manifest is schema-checked, every advertised download URL is resolved, and every archive's SHA256 is verified against the manifest. A wrong checksum or a deleted release asset now fails in CI instead of in a user's datumctl plugin install.
  • index.yaml can't drift. It's the file datumctl reads and is fully derived from plugins/*.yaml, so CI regenerates it and fails the PR if the committed copy doesn't match. This keeps main correct by construction — and removes the bot-authored "regenerate index" PR that used to trail every merge (the exact drift that caused the merge conflict on Register the IPAM CLI plugin #1).
  • A weekly health check. Those release assets live in other repositories and can be retagged or deleted after a plugin lands here. A scheduled job re-verifies the entire catalog and opens a tracking issue when links or checksums rot, before a user hits it.

The generator and verifier are committed as scripts/ so contributors and CI run the identical logic; the README documents regenerating the index before opening a PR.

Verification

Ran both scripts against the live assets: all 12 archives across ipam and inventory resolve and match their checksums, and the index is in sync. Negative tests confirm a mutated checksum and a drifted index each fail with a clear message. actionlint is clean.

Related

Harden the CI that keeps this catalog installable.

The previous PR check silently verified nothing: it derived its file list
from `git diff origin/main...HEAD` against a shallow checkout with no
origin/main ref, so the list was always empty and schema/URL/checksum
validation never ran. It reported success in seconds having checked no
manifests.

This replaces it with validation that always runs against the whole catalog:

- Schema-validate every plugin manifest, resolve every advertised download
  URL, and verify each archive's sha256 against the manifest — so a wrong
  checksum or a missing release asset fails in CI, not in a user's install.
- Gate index.yaml on being in sync with plugins/. It is what datumctl reads
  and is fully derived from the manifests, so CI regenerates it and fails on
  drift. This keeps main's index correct by construction and removes the
  bot-authored "regenerate index" pull request that previously trailed every
  merge.
- Add a weekly health check that re-verifies the entire catalog and opens an
  issue when a plugin's links or checksums have rotted, since those assets
  live in other repositories and can change after a plugin lands here.

The generator and verifier are committed as scripts so contributors and CI
run exactly the same logic; the README documents regenerating the index.
@scotwells scotwells merged commit 4ae680b into main Jul 1, 2026
1 check passed
@scotwells scotwells deleted the ci/harden-validation branch July 1, 2026 14:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants