Merged
65 changes: 65 additions & 0 deletions .github/workflows/validate.yml
@@ -0,0 +1,65 @@
name: Validate rules

# PR gate for the rule packs: build the Trustabl engine and strict-load every
# pack against its rule schema. Catches schema, parse, duplicate-ID, missing
# field, out-of-range confidence, and unknown-predicate errors before a change
# can merge. Signing/publishing of bundles is a separate workflow (added once
# signing keys are provisioned).

on:
push:
branches: [main]
pull_request:
branches: [main]

# The engine's discovery uses tree-sitter (a C library), so building the
# validator binary needs cgo.
env:
CGO_ENABLED: "1"

jobs:
validate:
runs-on: ubuntu-latest
steps:
- name: Checkout rules
uses: actions/checkout@v4
with:
path: rules

# Validate against the engine's rule schema. A coordinated change ships as
# paired PRs (one in trustabl/trustabl, one here) sharing a branch name, so
# check out the engine at the same-named branch when it exists, otherwise
# main. This mirrors the engine repo's own rules-sync job in reverse, and
# means a schema bump in the engine and the rules that use it validate
# together before either merges.
- name: Resolve engine ref
id: engineref
run: |
ref="${{ github.head_ref }}"
if [ -n "$ref" ] && git ls-remote --exit-code --heads \
https://github.com/trustabl/trustabl.git "$ref" >/dev/null 2>&1; then
echo "ref=$ref" >> "$GITHUB_OUTPUT"
else
echo "ref=main" >> "$GITHUB_OUTPUT"
fi

- name: Checkout engine
uses: actions/checkout@v4
with:
repository: trustabl/trustabl
ref: ${{ steps.engineref.outputs.ref }}
path: engine

- uses: actions/setup-go@v5
with:
go-version-file: engine/go.mod
cache: true
cache-dependency-path: engine/go.sum

- name: Build the validator
working-directory: engine
run: go build -o "$RUNNER_TEMP/trustabl" ./cmd/trustabl

- name: Validate rule packs
run: |
"$RUNNER_TEMP/trustabl" rules validate ./rules
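Review bot: the "Resolve engine ref" step interpolates `${{ github.head_ref }}` straight into a shell script (`ref="${{ github.head_ref }}"`), which is the expression-injection pattern GitHub warns about: the branch name of a pull request is attacker-chosen text, and it is substituted before the shell parses the line, so quoting in the script does not protect it. Pass it through the environment instead, e.g. `env: HEAD_REF: ${{ github.head_ref }}` on the step and then `ref="$HEAD_REF"` in the script, so the value only ever reaches the shell as data. Two smaller hardening points in the same file: the workflow declares no `permissions:` block, so add `permissions: contents: read` at the top level since nothing here needs write access, and `actions/checkout@v4` / `actions/setup-go@v5` are tag references rather than full commit SHAs, which is the usual supply-chain recommendation for a PR gate. Also worth a line in the header comment: because the engine is checked out at a branch whose name merely matches the PR's, a same-named branch pushed to trustabl/trustabl changes what this gate validates against, so that convention should be documented as intentional.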