mirror of
https://github.com/samvallad33/vestige.git
synced 2026-07-02 22:01:01 +02:00
ci: guard against private cloud service code in public repo
Vestige Cloud is split: the public client (a thin HTTP sync backend that only moves encrypted bytes) belongs here, but the hosted service — billing, sync-key->namespace mapping, per-user isolation, Lemon Squeezy webhooks, transactional email — must live only in the private repo.

Add scripts/check-no-private-cloud.sh, which git-greps tracked files for distinctive private-service signatures (service crate identity, module headers, billing/provider internals, server-side sync-key mapping SQL). The patterns are chosen so the legitimate public client — including its VESTIGE_CLOUD_* client env vars — does not match. Wired into CI via guard-no-private-cloud.yml on push/PR.

Verified both directions: passes on the clean repo, fails (naming the markers) when real private webhook.rs/keys.rs are introduced.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
parent a19ea11276
commit 2b50bf5d53
2 changed files with 108 additions and 0 deletions
25
.github/workflows/guard-no-private-cloud.yml
vendored
Normal file
|
|
@ -0,0 +1,25 @@
|
|||
name: Guard — No Private Cloud Code
|
||||
|
||||
# Fails if private Vestige Cloud *service* code (billing, sync-key/namespace
|
||||
# mapping, Lemon Squeezy webhooks, transactional email) ever lands in this
|
||||
# public repo. The public cloud *client* is allowed and does not trip this.
|
||||
on:
|
||||
push:
|
||||
branches: [main, feat/cloud-sync-mvp]
|
||||
pull_request:
|
||||
workflow_dispatch:
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
guard:
|
||||
name: No private cloud service code
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v5
|
||||
with:
|
||||
fetch-depth: 0
|
||||
|
||||
- name: Scan for private cloud service markers
|
||||
run: ./scripts/check-no-private-cloud.sh
|
||||
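Review bot: The `push` trigger is limited to `branches: [main, feat/cloud-sync-mvp]`, so a push to any other branch of this public repo is not scanned until a pull request is opened for it; consider dropping the branch filter so the guard runs on every push. The checkout step sets `fetch-depth: 0`, but the commit message describes the script as grepping tracked files only, so either the default shallow checkout is enough or the script should also scan the commits in the pushed range, since a file added and then deleted before the tip would pass the check while remaining in public history. Pinning `actions/checkout` to a full commit SHA instead of `@v5` and setting `persist-credentials: false` on the checkout would also suit a job that only needs `contents: read`.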