Drift status (check 1 of 2) #36
Draft
crutkas wants to merge 3 commits into
Introduces src/tools/check-signed-drift.ps1 (shared comparator) and .github/workflows/signed-copy-guard.yml. The workflow runs on PRs that touch the top-level signed-copy roots and fails if any PR-touched file no longer matches its src/ counterpart (modulo the Authenticode signature block on .ps1 files). A follow-up PR will layer a non-blocking "Drift status" visibility check on the same comparator (check 1 of 2).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Introduces .github/workflows/drift-visibility.yml. The workflow runs on every PR (no paths filter) and reuses the shared comparator script introduced by the preceding signed-copy-drift-guard branch. When any file drift exists between src/ and the top-level signed copies, the job exits non-zero so the check surfaces as a red ❌ entry named "Drift status" in the PR's "Some checks were not successful" panel, with a markdown table written to the job summary listing every drifted / missing file. Unlike the signed-copy guard, this check is informational — drift is expected in the window between a src/ change landing on main and the next sign-pipeline cycle catching up — and is not intended to be a required status check by default. The user-facing intent is purely visibility: "I'm OK with drift, the issue is not knowing there is drift." Stacked on top of signed-copy-drift-guard. The companion docs subsection in src/docs/development.md replaces that branch's forward-reference sentence with a back-reference to this new "Drift status" subsection.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Layered on top of #34 (the signed-copy drift guard). Please review and merge #34 first. When #34 merges, GitHub will auto-update this PR's base to main and it becomes mergeable on its own.

What this PR adds

A single new workflow: .github/workflows/drift-visibility.yml. It calls the shared comparator (src/tools/check-signed-drift.ps1, introduced in #34) on every PR — no paths: filter, so the check runs even for PRs that only edit src/. When any file drift exists between src/ and the top-level signed copies (Workloads/, windows-dev-config/, wsl-comfort/), the job exits non-zero and the check surfaces as a red ❌ entry named Drift status inside the PR's "Some checks were not successful" panel at the top of the conversation.

What this PR does not add

src/docs/development.md) is the only doc update.

Intended branch protection

This check is informational, not blocking. Do not add it to required status checks in main branch protection. Drift is expected during the window between a src/ change landing on main and the next sign-pipeline cycle catching up; the red ❌ is the awareness signal the user explicitly asked for ("I'm OK with drift, the issue is not knowing there is drift"). The companion Signed copy guard from #34 is the one that should be required.

Verification

Tested locally in a CI-emulating environment (fresh pwsh process spawned with the OS-level WorkingDirectory set to the workspace, matching how the GH Actions runner invokes shell: pwsh steps):

- ok=30, drifted=0, missing_in_root=0, missing_in_src=0; workflow exits 0; job summary shows "✅ Signed copies in sync with src/. 30 file(s) checked. No drift detected."
- windows-dev-config/dev-config.winget (then reverted): comparator reports drifted=1; workflow exits 1; ::notice:: annotation emitted; job summary contains the markdown table: | windows-dev-config/dev-config.winget | drifted | bytes differ at offset 0 (src len=39522, root len=39522) |

cc reviewers of #34 — same author/scope/intent.
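The commit messages and the description above explain what the comparator does (byte-compare src/ against each signed root, ignore the Authenticode signature block on .ps1 files, count ok / drifted / missing_in_root / missing_in_src, write a markdown table to the job summary, emit ::notice:: annotations and exit non-zero) without showing it. The script below is an added example written for this page; it is not the project's src/tools/check-signed-drift.ps1 or its drift-visibility.yml. It assumes the src/<root>/ vs. <root>/ layout named in the PR, that the signature block is the standard "# SIG # Begin signature block" trailer that Set-AuthenticodeSignature appends, and the parameter names and -Demo sample tree are its own.

```powershell
# Added example, not the project's src/tools/check-signed-drift.ps1.
# Every file under src/<root>/ must match <root>/ byte-for-byte, except that a
# .ps1 in the signed root may carry an appended Authenticode signature block.
# Folder layout, parameter names and the -Demo sample tree are assumptions.
[CmdletBinding()]
param(
    [string]$RepoRoot = (Get-Location).Path,
    [string]$SourceRoot = 'src',
    [string[]]$SignedRoots = @('Workloads', 'windows-dev-config', 'wsl-comfort'),
    [switch]$Demo   # build a constructed sample tree under $TEMP and compare it
)

# Set-AuthenticodeSignature appends the signature as '# ' comment lines that
# start with this marker; everything from the marker onward is ignored for .ps1.
$SigBegin = '# SIG # Begin signature block'

function Get-ComparableBytes {
    param([string]$Path)
    if ([IO.Path]::GetExtension($Path) -ne '.ps1') {
        return ,[IO.File]::ReadAllBytes($Path)          # non-scripts compare raw
    }
    $text = [IO.File]::ReadAllText($Path)              # BOM is consumed here
    $idx = $text.IndexOf($SigBegin, [StringComparison]::Ordinal)
    if ($idx -ge 0) { $text = $text.Substring(0, $idx) }
    # TrimEnd: signing inserts a newline before the block; that is not drift.
    return ,[Text.Encoding]::UTF8.GetBytes($text.TrimEnd())
}

function Compare-SignedCopies {
    param([string]$RepoRoot, [string]$SourceRoot, [string[]]$SignedRoots)
    $results = [System.Collections.Generic.List[object]]::new()
    foreach ($root in $SignedRoots) {
        $srcDir  = Join-Path (Join-Path $RepoRoot $SourceRoot) $root
        $rootDir = Join-Path $RepoRoot $root
        # Union of relative paths on both sides so one-sided files are reported too.
        $relPaths = @{}
        foreach ($base in @($srcDir, $rootDir)) {
            if (-not (Test-Path $base)) { continue }
            $abs = (Get-Item $base).FullName
            foreach ($f in Get-ChildItem -Path $base -Recurse -File) {
                $rel = ($f.FullName.Substring($abs.Length) -replace '^[\\/]+', '') -replace '\\', '/'
                $relPaths[$rel] = $true
            }
        }
        foreach ($rel in ($relPaths.Keys | Sort-Object)) {
            $s = Join-Path $srcDir $rel
            $t = Join-Path $rootDir $rel
            $file = "$root/$rel"
            if (-not (Test-Path $s)) {
                $results.Add([pscustomobject]@{ File = $file; Status = 'missing_in_src'; Detail = 'exists only in the signed root' }); continue
            }
            if (-not (Test-Path $t)) {
                $results.Add([pscustomobject]@{ File = $file; Status = 'missing_in_root'; Detail = 'exists only in src/' }); continue
            }
            $a = [byte[]](Get-ComparableBytes $s)
            $b = [byte[]](Get-ComparableBytes $t)
            $n = [Math]::Min($a.Length, $b.Length)
            $off = -1
            for ($i = 0; $i -lt $n; $i++) { if ($a[$i] -ne $b[$i]) { $off = $i; break } }
            if ($off -lt 0 -and $a.Length -ne $b.Length) { $off = $n }   # one side is a prefix of the other
            if ($off -lt 0) {
                $results.Add([pscustomobject]@{ File = $file; Status = 'ok'; Detail = '' })
            } else {
                $results.Add([pscustomobject]@{ File = $file; Status = 'drifted'; Detail = "bytes differ at offset $off (src len=$($a.Length), root len=$($b.Length))" })
            }
        }
    }
    return ,$results.ToArray()
}

function Write-DriftReport {
    param([object[]]$Results, [string]$SourceRoot)
    $counts = [ordered]@{}
    foreach ($st in 'ok', 'drifted', 'missing_in_root', 'missing_in_src') {
        $counts[$st] = @($Results | Where-Object Status -eq $st).Count
    }
    Write-Host (($counts.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ', ')
    $bad = @($Results | Where-Object Status -ne 'ok')
    if ($bad.Count -eq 0) {
        $summary = @("Signed copies in sync with $SourceRoot/. $($Results.Count) file(s) checked. No drift detected.")
    } else {
        $summary = @('| File | Status | Detail |', '|---|---|---|') +
                   @($bad | ForEach-Object { "| $($_.File) | $($_.Status) | $($_.Detail) |" })
        # One annotation per problem file; GitHub shows these in the checks panel.
        foreach ($row in $bad) { Write-Host "::notice::$($row.File): $($row.Status) $($row.Detail)" }
    }
    # GITHUB_STEP_SUMMARY is the job-summary markdown file; fall back to the console locally.
    if ($env:GITHUB_STEP_SUMMARY) { $summary | Add-Content -Path $env:GITHUB_STEP_SUMMARY }
    else { $summary | ForEach-Object { Write-Host $_ } }
    return $bad.Count
}

if ($Demo) {
    # Constructed sample tree (not the project's files): one .ps1 whose signed copy
    # differs only by an Authenticode-style trailer, and one .winget that really drifted.
    $RepoRoot = Join-Path ([IO.Path]::GetTempPath()) ('drift-demo-' + [guid]::NewGuid().ToString('N'))
    $SignedRoots = @('windows-dev-config', 'wsl-comfort')
    foreach ($d in 'src/windows-dev-config', 'windows-dev-config', 'src/wsl-comfort', 'wsl-comfort') {
        New-Item -ItemType Directory -Path (Join-Path $RepoRoot $d) -Force | Out-Null
    }
    $body = "Write-Host 'hello'`r`n"
    $trailer = "# SIG # Begin signature block`r`n# MIIB...constructed...`r`n# SIG # End signature block`r`n"
    [IO.File]::WriteAllText((Join-Path $RepoRoot 'src/windows-dev-config/setup.ps1'), $body)
    [IO.File]::WriteAllText((Join-Path $RepoRoot 'windows-dev-config/setup.ps1'), $body + $trailer)
    [IO.File]::WriteAllText((Join-Path $RepoRoot 'src/wsl-comfort/dev.winget'), "a=1`n")
    [IO.File]::WriteAllText((Join-Path $RepoRoot 'wsl-comfort/dev.winget'), "a=2`n")
}

$results = Compare-SignedCopies -RepoRoot $RepoRoot -SourceRoot $SourceRoot -SignedRoots $SignedRoots
$driftCount = Write-DriftReport -Results $results -SourceRoot $SourceRoot
# A non-zero exit is what turns the "Drift status" check red in the PR panel.
exit ([int]($driftCount -gt 0))
```

Run it as `pwsh ./check-drift-example.ps1 -Demo` to see the two cases side by side: the signed setup.ps1 counts as ok because only its trailer differs, while dev.winget is reported as drifted with "bytes differ at offset 2 (src len=4, root len=4)", the counts line reads ok=1, drifted=1, missing_in_root=0, missing_in_src=0, and the process exits 1. Running it without -Demo from a repository root applies the same comparison to the real Workloads/, windows-dev-config/ and wsl-comfort/ trees. Two caveats a reviewer of the real comparator would want to confirm: the .ps1 branch deliberately tolerates BOM and trailing-newline differences introduced by signing but still treats CRLF/LF changes as drift, and the raw-byte branch reports the first differing offset only, which is enough to say "drifted" but not what changed.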