git.stella-ops.org/.gitea/workflows/manifest-integrity.yml

name: Manifest Integrity

on:
  push:
    branches: [main]
    paths:
      - 'docs/**/*.schema.json'
      - 'docs/contracts/**'
      - 'docs/schemas/**'
      - 'scripts/packs/**'
  pull_request:
    paths:
      - 'docs/**/*.schema.json'
      - 'docs/contracts/**'
      - 'docs/schemas/**'
      - 'scripts/packs/**'

jobs:
  validate-schemas:
    name: Validate Schema Integrity
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'

      - name: Install dependencies
        run: npm install -g ajv-cli ajv-formats

      - name: Validate JSON schemas
        run: |
          EXIT_CODE=0
          for schema in docs/schemas/*.schema.json; do
            echo "Validating $schema..."
            if ! ajv compile -s "$schema" --spec=draft2020 2>/dev/null; then
              echo "Error: $schema is invalid"
              EXIT_CODE=1
            fi
          done
          exit $EXIT_CODE

  validate-contracts:
    name: Validate Contract Documents
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Check contract structure
        run: |
          for contract in docs/contracts/*.md; do
            echo "Checking $contract..."
            # Verify required sections exist
            if ! grep -q "^## " "$contract"; then
              echo "Warning: $contract missing section headers"
            fi
            # Check for decision ID
            if grep -q "Decision ID" "$contract" && ! grep -q "DECISION-\|CONTRACT-" "$contract"; then
              echo "Warning: $contract missing decision ID format"
            fi
          done

  validate-pack-fixtures:
    name: Validate Pack Fixtures
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Setup Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.12'

      - name: Install dependencies
        run: pip install jsonschema

      - name: Run fixture validation
        run: |
          if [ -f .gitea/scripts/test/run-fixtures-check.sh ]; then
            chmod +x .gitea/scripts/test/run-fixtures-check.sh
            ./.gitea/scripts/test/run-fixtures-check.sh
          fi

  checksum-audit:
    name: Audit SHA256SUMS Files
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Validate checksums
        run: |
          find . -name "SHA256SUMS" -type f | while read f; do
            dir=$(dirname "$f")
            echo "Validating checksums in $dir..."
            cd "$dir"
            # Check if all referenced files exist
            while read hash file; do
              if [ ! -f "$file" ]; then
                echo "Warning: $file referenced in SHA256SUMS but not found"
              fi
            done < SHA256SUMS
            cd - > /dev/null
          done

  merkle-consistency:
    name: Verify Merkle Roots
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Check DSSE Merkle roots
        run: |
          find . -name "*.dsse.json" -type f | while read f; do
            echo "Checking Merkle root in $f..."
            # Extract and validate Merkle root if present
            if jq -e '.payload' "$f" > /dev/null 2>&1; then
              PAYLOAD=$(jq -r '.payload' "$f" | base64 -d 2>/dev/null || echo "")
              if echo "$PAYLOAD" | jq -e '._stellaops.merkleRoot' > /dev/null 2>&1; then
                MERKLE=$(echo "$PAYLOAD" | jq -r '._stellaops.merkleRoot')
                echo "  Merkle root: $MERKLE"
              fi
            fi
          done