From 0a081b36d22664f1ba749e01592255a885d94940 Mon Sep 17 00:00:00 2001
From: Ian Jhumel Bautista
Date: Mon, 8 Jun 2026 12:04:07 +0800
Subject: [PATCH] ci: add rule-pack validation gate
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Add a PR/push workflow that builds the Trustabl engine and runs 'trustabl rules validate' over the packs — strict-loading every rule so a schema, parse, duplicate-ID, missing-field, out-of-range-confidence, or unknown-predicate error fails the build before it can merge. The engine is resolved at the same-named branch when one exists (coordinated engine+rules PRs validate together), otherwise main. Requires the engine's 'rules validate' command (trustabl/trustabl). Bundle signing/publishing is a separate workflow, added once signing keys are provisioned.
Refs: TR-247
---
 .github/workflows/validate.yml | 65 ++++++++++++++++++++++++++++++++++
 1 file changed, 65 insertions(+)
 create mode 100644 .github/workflows/validate.yml
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
new file mode 100644
index 0000000..1e488bd
--- /dev/null
+++ b/.github/workflows/validate.yml
@@ -0,0 +1,65 @@
+name: Validate rules
+
+# PR gate for the rule packs: build the Trustabl engine and strict-load every
+# pack against its rule schema. Catches schema, parse, duplicate-ID, missing
+# field, out-of-range confidence, and unknown-predicate errors before a change
+# can merge. Signing/publishing of bundles is a separate workflow (added once
+# signing keys are provisioned).
+
+on:
+ push:
+ branches: [main]
+ pull_request:
+ branches: [main]
+
+# The engine's discovery uses tree-sitter (a C library), so building the
+# validator binary needs cgo.
+env:
+ CGO_ENABLED: "1"
+
+jobs:
+ validate:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout rules
+ uses: actions/checkout@v4
+ with:
+ path: rules
+
+ # Validate against the engine's rule schema. A coordinated change ships as
+ # paired PRs (one in trustabl/trustabl, one here) sharing a branch name, so
+ # check out the engine at the same-named branch when it exists, otherwise
+ # main. This mirrors the engine repo's own rules-sync job in reverse, and
+ # means a schema bump in the engine and the rules that use it validate
+ # together before either merges.
+ - name: Resolve engine ref
+ id: engineref
+ run: |
+ ref="${{ github.head_ref }}"
+ if [ -n "$ref" ] && git ls-remote --exit-code --heads \
+ https://github.com/trustabl/trustabl.git "$ref" >/dev/null 2>&1; then
+ echo "ref=$ref" >> "$GITHUB_OUTPUT"
+ else
+ echo "ref=main" >> "$GITHUB_OUTPUT"
+ fi
+
+ - name: Checkout engine
+ uses: actions/checkout@v4
+ with:
+ repository: trustabl/trustabl
+ ref: ${{ steps.engineref.outputs.ref }}
+ path: engine
+
+ - uses: actions/setup-go@v5
+ with:
+ go-version-file: engine/go.mod
+ cache: true
+ cache-dependency-path: engine/go.sum
+
+ - name: Build the validator
+ working-directory: engine
+ run: go build -o "$RUNNER_TEMP/trustabl" ./cmd/trustabl
+
+ - name: Validate rule packs
+ run: |
+ "$RUNNER_TEMP/trustabl" rules validate ./rules
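Review bot: The `Resolve engine ref` step expands `${{ github.head_ref }}` directly into the `run:` script; on `pull_request` the head branch name is chosen by the PR author (fork contributors included) and git ref names may contain shell metacharacters such as `$`, `;` or backticks, so the value should reach the shell through the environment rather than the template — add `env:` / `HEAD_REF: ${{ github.head_ref }}` to that step and read it as `ref="$HEAD_REF"`. The workflow declares no `permissions:` block, so the job token receives the repository's default scopes although every step only reads; a top-level `permissions: contents: read` matches what the job actually needs. The third-party actions are pinned to floating major tags (`actions/checkout@v4`, `actions/setup-go@v5`); for a merge gate, pinning each to a full commit SHA with the tag in a trailing comment is the usual supply-chain hardening.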