From ec7839af9038b79c272764ecc7b0c86be6b7c395 Mon Sep 17 00:00:00 2001
From: danny8632
Date: Tue, 12 May 2026 06:58:06 +0000
Subject: [PATCH] Install auditor workflow (Gitea Actions)
---
 .gitea/workflows/auditor.yml | 47 ++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)
 create mode 100644 .gitea/workflows/auditor.yml
diff --git a/.gitea/workflows/auditor.yml b/.gitea/workflows/auditor.yml
new file mode 100644
index 0000000..d0288bd
--- /dev/null
+++ b/.gitea/workflows/auditor.yml
@@ -0,0 +1,47 @@ +# Drop into each agent-managed project repo as .gitea/workflows/auditor.yml. +# Requires the project to have these Gitea Actions secrets configured: +# AUDITOR_SSH_KEY — private ed25519 key whose public counterpart is in +# agent@dev-01:~/.ssh/authorized_keys +# +# The workflow SSH's into dev-01 (192.168.1.29) and runs audit-task.sh, which +# uses claude headless to review the PR against its linked issue's Done +# criteria, then posts the audit as a PR comment. + +name: Auditor + +on: + pull_request: + types: [opened, synchronize, reopened] + +jobs: + audit: + runs-on: ubuntu-latest + container: + image: debian:bookworm-slim + steps: + - name: Install ssh + curl + run: | + apt-get update -qq + apt-get install -y -qq openssh-client curl jq ca-certificates + + - name: Audit PR via dev-01 + env: + AUDITOR_KEY: ${{ secrets.AUDITOR_SSH_KEY }} + REPO: ${{ github.repository }} + PR_NUM: ${{ github.event.pull_request.number }} + run: | + set -e + [ -n "$AUDITOR_KEY" ] || { echo "ERROR: AUDITOR_SSH_KEY secret not set"; exit 1; } + + mkdir -p ~/.ssh + printf '%s\n' "$AUDITOR_KEY" > ~/.ssh/id_ed25519 + chmod 600 ~/.ssh/id_ed25519 + + # Trust dev-01's host key — collected at runtime; LAN-only path + ssh-keyscan -H 192.168.1.29 >> ~/.ssh/known_hosts 2>/dev/null + + ssh -i ~/.ssh/id_ed25519 \ + -o BatchMode=yes \ + -o StrictHostKeyChecking=yes \ + agent@192.168.1.29 \ + "PATH=\$HOME/.local/bin:/usr/local/bin:\$PATH MAX_WALLCLOCK=10m /usr/local/bin/audit-task.sh '$REPO' '$PR_NUM'"
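Review bot: The `-o StrictHostKeyChecking=yes` on the final ssh call does not actually pin anything, because the known_hosts entry it checks against is written two lines earlier by `ssh-keyscan -H 192.168.1.29` over the same network path, so every run is trust-on-first-use and a host answering for 192.168.1.29 at that moment is accepted; the comment above the keyscan line already concedes this. Pin the key instead: keep dev-01's public host key line in a repository secret or variable (e.g. `DEV01_HOST_KEY`, name constructed), add it to the step's `env:` block, and replace the keyscan line with `printf '%s\n' "$DEV01_HOST_KEY" > ~/.ssh/known_hosts`. Separately, the private key is a general login for agent@dev-01 while the workflow only ever invokes `/usr/local/bin/audit-task.sh`, so restricting it in authorized_keys with `restrict,command="/usr/local/bin/audit-task.sh"` (and having the script take the repo and PR number from `SSH_ORIGINAL_COMMAND`) bounds what a leaked `AUDITOR_SSH_KEY` can do, which matters because the trigger is `pull_request` and whether this runner exposes secrets to PRs from untrusted authors is not visible here. It is also cheap to check that `PR_NUM` is all digits before it is spliced into the remote command string, `case "$PR_NUM" in ''|*[!0-9]*) echo "ERROR: bad PR_NUM"; exit 1;; esac`.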