viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1

ci: ancestor guard on DIFF_BASE; gate allowlists the owner's work email [ci skip]

Browse source 
Restarted infra pipelines after master moved diffed in REVERSE and
re-applied stale trees (pipeline 148 reverted payslip-ingest's fresh
ghcr config — repaired by the wave-2 agent). Only trust
CI_PREV_COMMIT_SHA when it is an ancestor of HEAD. publish-gate:
viktorbarzin@meta.com is the owner's own work email (same class as the
allowlisted personal domain), not blockable PII — unblocks infra#18.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
Viktor Barzin 2026-06-13 00:31:33 +00:00
parent cdd60d9078
commit e696957ebf
2 changed files with 7 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

7
.woodpecker/default.yml
View file

@ -143,7 +143,12 @@ steps:
DIFF_BASE="HEAD~1" DIFF_BASE="HEAD~1"
if [ -n "${CI_PREV_COMMIT_SHA:-}" ] && [ "$CI_PREV_COMMIT_SHA" != "$CI_COMMIT_SHA" ]; then if [ -n "${CI_PREV_COMMIT_SHA:-}" ] && [ "$CI_PREV_COMMIT_SHA" != "$CI_COMMIT_SHA" ]; then
git cat-file -e "$CI_PREV_COMMIT_SHA^{commit}" 2>/dev/null || git fetch --depth=50 origin master 2>/dev/null || true git cat-file -e "$CI_PREV_COMMIT_SHA^{commit}" 2>/dev/null || git fetch --depth=50 origin master 2>/dev/null || true
if git cat-file -e "$CI_PREV_COMMIT_SHA^{commit}" 2>/dev/null; then # Restarted pipelines after master moved produce REVERSE diffs
# (CI_PREV ahead of the checked-out HEAD re-applied stale trees and
# reverted a sibling apply on 2026-06-12, pipeline 148). Only use
# CI_PREV when it is an ancestor of HEAD.
if git cat-file -e "$CI_PREV_COMMIT_SHA^{commit}" 2>/dev/null \
&& git merge-base --is-ancestor "$CI_PREV_COMMIT_SHA" HEAD 2>/dev/null; then
DIFF_BASE="$CI_PREV_COMMIT_SHA" DIFF_BASE="$CI_PREV_COMMIT_SHA"
fi fi
fi fi

2
scripts/publish-gate
View file

@ -46,7 +46,7 @@ fi
say ""; say "-- PII heuristics (tracked files) --" say ""; say "-- PII heuristics (tracked files) --"
cd "$CLONE" cd "$CLONE"
EMAILS=$(git grep -hoiE '[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}' -- ':!*.lock' ':!package-lock.json' ':!pnpm-lock.yaml' ':!.beads' 2>/dev/null \ EMAILS=$(git grep -hoiE '[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}' -- ':!*.lock' ':!package-lock.json' ':!pnpm-lock.yaml' ':!.beads' 2>/dev/null \
| grep -viE '@(viktorbarzin\.me|example\.(com|org|test)|test\.(com|local)|localhost|users\.noreply\.github\.com|googlegroups\.com)' \ | grep -viE '@(viktorbarzin\.me|meta\.com|example\.(com|org|test)|test\.(com|local)|localhost|users\.noreply\.github\.com|googlegroups\.com)' \
| grep -viE '^(noreply|no-reply|ci|admin|info|support|hello|user|foo|bar|test.*)@' \ | grep -viE '^(noreply|no-reply|ci|admin|info|support|hello|user|foo|bar|test.*)@' \
| sort -u | head -20) | sort -u | head -20)
if [ -n "$EMAILS" ]; then say "real-looking emails found:"; say "$EMAILS"; say "(review: PII?)"; DIRTY=1; else say "emails: none beyond allowlist"; fi if [ -n "$EMAILS" ]; then say "real-looking emails found:"; say "$EMAILS"; say "(review: PII?)"; DIRTY=1; else say "emails: none beyond allowlist"; fi