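# Drop into each agent-managed project repo as .gitea/workflows/auditor.yml.
#
# Requires the project to have these Gitea Actions secrets configured:
#
#   AUDITOR_SSH_KEY — private ed25519 key whose public counterpart is in
#                     agent@dev-01:~/.ssh/authorized_keys
#   DEV01_HOST_KEY  — (strongly recommended) dev-01's SSH host public key as a
#                     single known_hosts line, captured once out of band (e.g.
#                     `ssh-keyscan 192.168.1.29` run from a trusted machine).
#                     When it is unset the job falls back to scanning the host
#                     key at run time; that is trust-on-first-use on every run,
#                     so StrictHostKeyChecking=yes no longer detects a swapped
#                     host, and the job prints a warning to say so.
#
# The workflow SSH's into dev-01 (192.168.1.29) and runs audit-task.sh, which
# uses claude headless to review the PR against its linked issue's Done
# criteria, then posts the audit as a PR comment.
#
# Security notes for whoever deploys this:
#   - The audit consumes attacker-influenced text (PR title, body, diff, the
#     linked issue) and the job holds a secret that grants shell access as
#     `agent` on dev-01. Whether a PR from a fork receives secrets is an
#     instance-level Gitea setting — confirm it before enabling this on a
#     repository that accepts outside contributions.
#   - Limit the blast radius of a leaked AUDITOR_SSH_KEY by prefixing its
#     authorized_keys entry with options such as `restrict,from="<runner net>"`
#     (and a forced `command=` wrapper if audit-task.sh can take its arguments
#     from SSH_ORIGINAL_COMMAND — not verified against the script here).

name: Auditor

on:
  pull_request:
    types: [opened, synchronize, reopened]

jobs:
  audit:
    runs-on: ubuntu-latest
    # Bound the job as well as the remote audit (MAX_WALLCLOCK below) so a
    # hung SSH session cannot occupy a runner indefinitely.
    timeout-minutes: 15
    container:
      image: debian:bookworm-slim
    steps:
      - name: Install ssh + curl
        run: |
          apt-get update -qq
          apt-get install -y -qq --no-install-recommends openssh-client curl jq ca-certificates

      - name: Audit PR via dev-01
        # Runtime values reach the script only through env, never via ${{ }}
        # interpolation into the shell text, so they cannot rewrite the script.
        env:
          AUDITOR_KEY: ${{ secrets.AUDITOR_SSH_KEY }}
          DEV01_HOST_KEY: ${{ secrets.DEV01_HOST_KEY }}
          REPO: ${{ github.repository }}
          PR_NUM: ${{ github.event.pull_request.number }}
        run: |
          set -eu
          # Every file written below (key, known_hosts) is private to this user.
          umask 077
          [ -n "$AUDITOR_KEY" ] || { echo "ERROR: AUDITOR_SSH_KEY secret not set"; exit 1; }

          # REPO and PR_NUM end up inside a command string that the remote
          # shell parses, so reject anything outside the shapes we expect
          # (digits only; owner/name from a conservative character set).
          case "$PR_NUM" in
            ''|*[!0-9]*) echo "ERROR: PR_NUM is not numeric: '$PR_NUM'"; exit 1 ;;
          esac
          case "$REPO" in
            ''|*[!A-Za-z0-9._/-]*|*/*/*|/*|*/) echo "ERROR: REPO is not owner/name: '$REPO'"; exit 1 ;;
            */*) ;;
            *) echo "ERROR: REPO is not owner/name: '$REPO'"; exit 1 ;;
          esac

          mkdir -p ~/.ssh
          chmod 700 ~/.ssh
          printf '%s\n' "$AUDITOR_KEY" > ~/.ssh/id_ed25519
          chmod 600 ~/.ssh/id_ed25519
          # Do not leave the private key behind in the job filesystem.
          trap 'rm -f ~/.ssh/id_ed25519' EXIT

          if [ -n "${DEV01_HOST_KEY:-}" ]; then
            # Pinned host key: StrictHostKeyChecking=yes below now actually
            # rejects an impostor on 192.168.1.29.
            printf '%s\n' "$DEV01_HOST_KEY" > ~/.ssh/known_hosts
          else
            # Fallback: whatever answers on 192.168.1.29 right now becomes the
            # trusted key, which is trust-on-first-use on every run. The only
            # thing StrictHostKeyChecking=yes still catches is a scan that
            # returned nothing, hence the emptiness check.
            echo "WARNING: DEV01_HOST_KEY not set; trusting dev-01 host key from a runtime scan (LAN-only path assumed)" >&2
            ssh-keyscan -H 192.168.1.29 > ~/.ssh/known_hosts 2>/dev/null
            [ -s ~/.ssh/known_hosts ] || { echo "ERROR: could not obtain dev-01 host key"; exit 1; }
          fi

          # \$HOME and \$PATH are escaped so they expand on dev-01, not here;
          # $REPO and $PR_NUM expand locally and are single-quoted for the
          # remote shell (safe because of the validation above).
          ssh -i ~/.ssh/id_ed25519 \
            -o IdentitiesOnly=yes \
            -o BatchMode=yes \
            -o StrictHostKeyChecking=yes \
            -o ConnectTimeout=20 \
            agent@192.168.1.29 \
            "PATH=\$HOME/.local/bin:/usr/local/bin:\$PATH MAX_WALLCLOCK=10m /usr/local/bin/audit-task.sh '$REPO' '$PR_NUM'"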