feat(structure-lock): org reusable workflow + stdlib check script (FIVUCSAS#209)#2
Merged
…AS#209) Add an ArchUnit-style FREEZE for repo root layout, shared org-wide:
- tools/check_repo_structure.py: stdlib-only checker. Reads a per-repo .repo-structure.yml policy (allowed_root_files/dirs, forbidden_root_patterns regexes, required_files); exits 1 listing every offender on drift. Optional --fix moves forbidden root tracking-docs to docs/archive/ (never auto-run in CI). Parses a small single-quoted YAML subset so no PyYAML dependency.
- tools/test_check_repo_structure.py: 12 unittest cases (clean pass, forbidden dated docs, TODO, disallowed file/dir, missing required, .git ignored, --fix scope, policy parse/validation).
- .github/workflows/repo-structure.yml: reusable workflow_call. Checks out the caller repo + this .github repo (for the script), runs the check on ubuntu-latest (deliberately NOT the self-hosted runner). Policy input passed via env, never interpolated into the shell line.
- .pre-commit-hooks.yaml: exports the `repo-structure` hook (language: script) so any repo can run the same gate locally.
- .repo-structure.yml + .github/workflows/structure-check.yml: this repo eats its own dog food (frozen root + self-calling gate).
The reusable workflow checks this tooling repo out into .repo-structure-tools/ inside the caller's workspace, so the scanner saw it as a root entry and failed the .github repo's own self-check with "DISALLOWED DIR: .repo-structure-tools" (caught by the live PR run). Always-ignore .git and .repo-structure-tools at the root. Adds a test for the tooling-checkout case.
ahmetabdullahgultekin added a commit to Rollingcat-Software/FIVUCSAS that referenced this pull request on Jun 13, 2026
…CSAS#209) (#210) Pilot the org repo structure-lock on the umbrella repo.
- .repo-structure.yml: allowlists FROZEN from the current clean origin/master root (16 root files + 20 root dirs) + forbidden_root_patterns so dated tracking docs (*_AUDIT_*, *_2026-06-13*, TODO*/ROADMAP*/BACKLOG*) can never reappear at root + required_files (README/LICENSE/.gitignore).
- .github/workflows/structure-check.yml: thin caller of the org reusable workflow Rollingcat-Software/.github .github/workflows/repo-structure.yml@main, on pull_request. FAILS the PR on any layout drift.
- .pre-commit-config.yaml: add the `repo-structure` hook from the .github repo for fast local feedback mirroring the CI gate.
Verified: check PASSES on the current clean root (exit 0) and FAILS on a planted TEST_AUDIT_2026-06-13.md (exit 1, FORBIDDEN). Dummy removed.
Depends on Rollingcat-Software/.github#2 (reusable workflow + script).
Co-authored-by: Ahmet Abdullah Gultekin <rollingcat.help@gmail.com>
What
An ArchUnit-style FREEZE for repo file/folder layout, shared org-wide. It blocks (red CI check), it does not silently auto-move — exactly like ArchUnit fails the build. Tracks Rollingcat-Software/FIVUCSAS#209.
This is the dependency PR: it ships the reusable workflow + check script. The FIVUCSAS pilot PR (policy + caller + pre-commit) consumes it.
Contents
- `tools/check_repo_structure.py`: reads `.repo-structure.yml`, scans the repo root, exits 1 listing every offender.
- `tools/test_check_repo_structure.py`: `unittest` cases. Run: `cd tools && python3 -m unittest test_check_repo_structure`.
- `.github/workflows/repo-structure.yml`: `workflow_call`. Checks out the caller repo + this repo (for the script), runs the check on `ubuntu-latest`.
- `.pre-commit-hooks.yaml`: `repo-structure` pre-commit hook (language: script) for local fast-feedback.
- `.repo-structure.yml` + `.github/workflows/structure-check.yml`: this repo's own frozen root + self-calling gate.
Policy schema (`.repo-structure.yml`)
The gate fails (exit 1) when: a root entry not in the allowlist appears, OR a path matches a forbidden pattern, OR a required file is missing. To intentionally add a new root entry you edit the policy in the same PR — the explicit, reviewed "unfreeze".
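To make the three failure conditions concrete, here is an added, stdlib-only sketch of the same kind of gate. It is written for this note and is not the PR's `tools/check_repo_structure.py`. It assumes a policy layout the PR does not show (top-level keys `allowed_root_files`, `allowed_root_dirs`, `forbidden_root_patterns`, `required_files`, each a list of single-quoted strings), so those key names and the parser are assumptions; the `FORBIDDEN` and `DISALLOWED DIR` prefixes and the always-ignored `.git` / `.repo-structure-tools` entries come from the PR's own text, while `DISALLOWED FILE` and `MISSING REQUIRED` are assumed wording. The repo root it scans is constructed in a temporary directory.

```python
"""Stdlib-only repo-root structure gate (illustrative example, not the PR's script)."""
import re
import sys
import tempfile
from pathlib import Path

# Root entries the gate never reports (the PR's always-ignore list: .git plus the
# directory the reusable workflow checks the tooling repo out into).
ALWAYS_IGNORE = {".git", ".repo-structure-tools"}

# Assumed policy keys; each holds a list of single-quoted strings.
LIST_KEYS = ("allowed_root_files", "allowed_root_dirs",
             "forbidden_root_patterns", "required_files")


def parse_policy(text):
    """Parse the assumed policy shape: an unindented 'key:' line followed by
    indented "- 'value'" items. Anything else is a policy error, so a typo in
    the policy fails loudly instead of silently allowing everything."""
    policy = {k: [] for k in LIST_KEYS}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if line == stripped and line.endswith(":"):  # unindented 'key:' line
            current = line[:-1]
            if current not in policy:
                raise ValueError(f"line {lineno}: unknown key {current!r}")
            continue
        if current is None or not stripped.startswith("- "):
            raise ValueError(f"line {lineno}: expected a \"- 'value'\" list item")
        value = stripped[2:].strip()
        if len(value) < 2 or value[0] != "'" or value[-1] != "'":
            raise ValueError(f"line {lineno}: values must be single-quoted")
        policy[current].append(value[1:-1])
    # Compile regexes once; an invalid pattern is a policy error, not a drift finding.
    policy["forbidden_root_patterns"] = [
        re.compile(p) for p in policy["forbidden_root_patterns"]]
    return policy


def check_root(root, policy):
    """Return one message per offender; an empty list means the root is clean.
    Forbidden patterns win over the allowlist so a dated doc that someone
    also allowlisted is still reported."""
    root = Path(root)
    findings = []
    for entry in sorted(root.iterdir(), key=lambda p: p.name):
        name = entry.name
        if name in ALWAYS_IGNORE:
            continue
        if any(p.search(name) for p in policy["forbidden_root_patterns"]):
            findings.append(f"FORBIDDEN: {name}")
        elif entry.is_dir():
            if name not in policy["allowed_root_dirs"]:
                findings.append(f"DISALLOWED DIR: {name}")
        elif name not in policy["allowed_root_files"]:
            findings.append(f"DISALLOWED FILE: {name}")
    for required in policy["required_files"]:
        if not (root / required).is_file():
            findings.append(f"MISSING REQUIRED: {required}")
    return findings


# Constructed sample policy (not a real repo's policy).
SAMPLE_POLICY = """\
# constructed sample policy
allowed_root_files:
  - 'README.md'
  - 'LICENSE'
  - '.gitignore'
allowed_root_dirs:
  - 'src'
  - 'docs'
forbidden_root_patterns:
  - '_AUDIT_'
  - '^(TODO|ROADMAP|BACKLOG)'
required_files:
  - 'README.md'
  - 'LICENSE'
"""


def demo():
    """Build a constructed repo root with deliberate drift and return the findings."""
    policy = parse_policy(SAMPLE_POLICY)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for d in ("src", ".git", ".repo-structure-tools", "scratch"):
            (root / d).mkdir()
        for f in ("README.md", ".gitignore", "TODO.md", "PLAN_AUDIT_v1.md", "notes.txt"):
            (root / f).write_text("x")
        return check_root(root, policy)


if __name__ == "__main__":
    findings = demo()
    print("\n".join(findings) or "OK: root matches policy")
    sys.exit(1 if findings else 0)  # non-zero on any drift, like the PR's gate
```

Two design points worth noting: the parser rejects unknown keys and unquoted values instead of ignoring them, because a gate whose policy silently parsed to empty lists would pass everything; and the ignore set is applied before the allowlist, which is exactly the case the PR's follow-up commit fixed when the tooling checkout showed up as a root entry.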
Why
`ubuntu-latest`, not the self-hosted runner
The check is a tiny stdlib Python job. It deliberately runs on GitHub-hosted `ubuntu-latest` so it never depends on the resource-constrained self-hosted Hetzner runner.
Security
Workflow inputs (`policy`, `tools-ref`) come from the trusted caller, not event data. `policy` is still passed through `env:` (never interpolated into the `run:` line). `tools-ref` is only used as a checkout `ref`.
`--fix` (convenience, never in CI)
`python3 tools/check_repo_structure.py --fix [--dry-run]` MOVES forbidden root tracking-docs into `docs/archive/`. Files only (never dirs, never disallowed-but-not-forbidden entries — those need a human). The gate is primary; `--fix` is a manual helper.
Proof (run locally against the FIVUCSAS clean root)
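The scope rules for `--fix` (files only, forbidden only, dry-run first) are easy to get wrong, so here is an added illustration of that helper's contract. It is example code written for this note, not the PR's implementation; the function name `archive_forbidden`, the refusal to overwrite an existing archived file, and the constructed sample root are all assumptions, while the `docs/archive/` destination and the files-only rule come from the PR text.

```python
"""Illustrative --fix helper: archive forbidden root tracking docs (example, not the PR's code)."""
import re
import tempfile
from pathlib import Path

# Destination named in the PR description, relative to the repo root.
ARCHIVE_DIR = Path("docs") / "archive"


def archive_forbidden(root, patterns, dry_run=True):
    """Move root *files* whose names match a forbidden pattern into docs/archive/.

    Directories and merely-disallowed entries are left alone (they need a human).
    Returns the (source, destination) pairs that were, or with dry_run would be, moved.
    """
    root = Path(root)
    compiled = [re.compile(p) for p in patterns]
    moves = []
    # iterdir() is materialised by sorted() before any move, so creating
    # docs/archive/ during the loop cannot feed back into the scan.
    for entry in sorted(root.iterdir(), key=lambda p: p.name):
        if not entry.is_file():
            continue  # files only: a forbidden-looking directory is never moved
        if not any(c.search(entry.name) for c in compiled):
            continue  # disallowed-but-not-forbidden entries are not touched
        dest = root / ARCHIVE_DIR / entry.name
        if dest.exists():
            # Assumed safety rule: never clobber something already archived.
            raise FileExistsError(f"refusing to overwrite {dest}")
        moves.append((entry.relative_to(root).as_posix(),
                      dest.relative_to(root).as_posix()))
        if not dry_run:
            dest.parent.mkdir(parents=True, exist_ok=True)
            entry.rename(dest)
    return moves


def demo(dry_run):
    """Constructed root: one forbidden dir, two forbidden files, one stray file.
    Returns (planned moves, root entries afterwards, files now under docs/archive)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "TODO").mkdir()  # matches ^TODO but is a directory: must stay
        for f in ("README.md", "TODO.md", "X_AUDIT_2026.md", "stray.txt"):
            (root / f).write_text("x")
        moves = archive_forbidden(root, ["^TODO", "_AUDIT_"], dry_run=dry_run)
        remaining = sorted(p.name for p in root.iterdir())
        archive = root / ARCHIVE_DIR
        archived = sorted(p.name for p in archive.iterdir()) if archive.is_dir() else []
        return moves, remaining, archived


if __name__ == "__main__":
    for src, dst in demo(dry_run=True)[0]:
        print(f"would move {src} -> {dst}")
```

The dry run reports the same move list as the real run while leaving the tree untouched, which is the shape a manual helper should have when the CI gate, not the fixer, is the control.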
12/12 unit tests green.
Rollout (after merge)
- `v1` tag, so consumers can pin `@v1` instead of `@main`.
- Each consumer repo adds `.repo-structure.yml` (frozen from its own root) + a thin caller `.github/workflows/structure-check.yml` that does `uses: Rollingcat-Software/.github/.github/workflows/repo-structure.yml@main`. The FIVUCSAS PR is the worked example.
- Mark `structure-check / repo-structure / structure-check` as a REQUIRED check in branch protection so violations actually block merge.
Do not merge until reviewed; owner sets the required check.