Extend .woodpecker/nomad-validate.yml with three new fail-closed steps
that guard every artifact under vault/policies/ and vault/roles.yaml
before it can land:
4. vault-policy-fmt — cp+fmt+diff idempotence check (vault 1.18.5 has no `policy fmt -check` flag, so we build the non-destructive check out of `vault policy fmt` on a /tmp copy + diff against the original)
5. vault-policy-validate — HCL syntax + capability validation via `vault policy write` against an inline dev-mode Vault server (no offline `policy validate` subcommand exists; dev-mode writes are ephemeral so this is a validator, not a deploy)
6. vault-roles-validate — yamllint + PyYAML-based role→policy reference check (every role's `policy:` field must match a vault/policies/*.hcl basename; also checks the four required fields name/policy/namespace/job_id)
Secret-scan coverage for vault/policies/*.hcl is already provided by
the P11 gate (.woodpecker/secret-scan.yml) via its `vault/**/*` trigger
path — this pipeline intentionally does NOT duplicate that gate to
avoid the inline-heredoc / YAML-parse failure mode that sank the prior
attempt at this issue (PR #896).
Trigger paths extended: `vault/policies/**` and `vault/roles.yaml`.
`lib/init/nomad/vault-*.sh` is already covered by the existing
`lib/init/nomad/**` glob.
Docs: nomad/AGENTS.md and vault/policies/AGENTS.md updated with the
policy lifecycle, the CI enforcement table, and the common failure
modes authors will see.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
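Steps 4 and 6 of the commit message describe two checks whose logic is easy to get subtly wrong (formatting the original in place, or letting a missing field slip past). The following is an added illustration of both, written for this page; it is not the project's .woodpecker/nomad-validate.yml code. Assumptions not stated on the page: vault/roles.yaml is either a bare YAML list of role mappings or a mapping with a top-level `roles:` list; the `fmt_cmd` argument stands in for `vault policy fmt` so the cp+fmt+diff logic can be exercised without a Vault binary; the policy basenames and the roles document in `run_demo` are constructed sample data (the names are taken from the directory listing on this page).

```python
"""Added example: the role->policy reference check (step 6) and the cp+fmt+diff
idempotence check (step 4) from the commit message. Not the project's CI code.
Assumed (not on the page): roles.yaml shape, and `fmt_cmd` as a stand-in for
`vault policy fmt`."""
from __future__ import annotations

import filecmp
import shutil
import subprocess
import sys
import tempfile
from pathlib import Path

REQUIRED_FIELDS = ("name", "policy", "namespace", "job_id")  # per the commit message


def policy_names_from_dir(policy_dir: str | Path) -> set[str]:
    """Policy names are the basenames of vault/policies/*.hcl (e.g. 'bot-dev')."""
    return {p.stem for p in Path(policy_dir).glob("*.hcl")}


def extract_roles(doc):
    """Accept both `roles: [...]` and a bare list (assumed shapes of roles.yaml)."""
    if isinstance(doc, dict) and isinstance(doc.get("roles"), list):
        return doc["roles"]
    return doc


def validate_roles(doc, policy_names: set[str]) -> list[str]:
    """Return error strings; an empty list means the gate passes (fail-closed)."""
    roles = extract_roles(doc)
    if not isinstance(roles, list):
        return ["roles.yaml: expected a list of role mappings"]
    errors: list[str] = []
    seen: set[str] = set()
    for i, role in enumerate(roles):
        where = f"roles[{i}]"
        if not isinstance(role, dict):
            errors.append(f"{where}: expected a mapping")
            continue
        for field in REQUIRED_FIELDS:  # all four must be present and non-empty
            value = role.get(field)
            if not isinstance(value, str) or not value.strip():
                errors.append(f"{where}: missing or empty required field '{field}'")
        name = role.get("name")
        if isinstance(name, str):
            if name in seen:
                errors.append(f"{where}: duplicate role name '{name}'")
            seen.add(name)
        policy = role.get("policy")  # must name an existing vault/policies/<policy>.hcl
        if isinstance(policy, str) and policy.strip() and policy not in policy_names:
            errors.append(f"{where}: policy '{policy}' has no vault/policies/{policy}.hcl")
    return errors


def load_roles(path: str | Path):
    """Parse roles.yaml with PyYAML (imported lazily; the checks above need no extra deps)."""
    import yaml
    with open(path, encoding="utf-8") as fh:
        return yaml.safe_load(fh)


def fmt_is_idempotent(path: str | Path, fmt_cmd: list[str]) -> bool:
    """cp + fmt + diff: format a temp copy and compare it to the untouched original.
    In CI fmt_cmd would be ["vault", "policy", "fmt"]; the original is never modified."""
    with tempfile.TemporaryDirectory() as tmp:
        copy = Path(tmp) / Path(path).name
        shutil.copyfile(path, copy)
        subprocess.run([*fmt_cmd, str(copy)], check=True)
        return filecmp.cmp(path, copy, shallow=False)


def stand_in_fmt_cmd() -> list[str]:
    """Constructed stand-in for `vault policy fmt`: strips trailing whitespace and
    ensures a single trailing newline, so the idempotence logic runs without Vault."""
    prog = ("import sys; p = sys.argv[1]; t = open(p).read(); "
            "open(p, 'w').write(t.rstrip() + '\\n')")
    return [sys.executable, "-c", prog]


def run_demo() -> dict:
    """Constructed sample inputs: three policy files named as on this page, one of them
    with trailing whitespace, and a roles doc with one good role and two bad ones."""
    with tempfile.TemporaryDirectory() as tmp:
        pol = Path(tmp) / "policies"
        pol.mkdir()
        body = 'path "secret/data/example" {\n  capabilities = ["read"]\n}\n'
        for name in ("bot-dev", "bot-review", "runner-GITHUB_TOKEN"):
            (pol / f"{name}.hcl").write_text(body)
        dirty = pol / "bot-review.hcl"
        dirty.write_text(body + "   \n")  # trailing whitespace: the formatter changes it
        roles_doc = {"roles": [
            {"name": "bot-dev", "policy": "bot-dev", "namespace": "default", "job_id": "bot-dev"},
            {"name": "bot-ghost", "policy": "bot-ghost", "namespace": "default", "job_id": "bot-ghost"},
            {"name": "bot-review", "policy": "bot-review", "namespace": "default"},  # no job_id
        ]}
        names = policy_names_from_dir(pol)
        return {
            "policy_names": names,
            "role_errors": validate_roles(roles_doc, names),
            "clean_idempotent": fmt_is_idempotent(pol / "bot-dev.hcl", stand_in_fmt_cmd()),
            "dirty_idempotent": fmt_is_idempotent(dirty, stand_in_fmt_cmd()),
        }


if __name__ == "__main__":
    result = run_demo()
    for err in result["role_errors"]:
        print("roles:", err)
    print("fmt idempotent (clean file):", result["clean_idempotent"])
    print("fmt idempotent (dirty file):", result["dirty_idempotent"])
    # Fail closed, as the CI steps do: any role error or any non-idempotent file is a failure.
    sys.exit(1 if result["role_errors"] or not result["dirty_idempotent"] else 0)
```

The point of the temp-copy-then-compare shape is that the gate must never rewrite the checked-in file (a CI job that reformats the source and then diffs would always pass, or would leave a dirty tree); the role check likewise reports every problem it finds rather than stopping at the first, so an author sees all failures in one run.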
Directory listing of vault/policies/:

| File |
|---|
| AGENTS.md |
| bot-architect.hcl |
| bot-dev-qwen.hcl |
| bot-dev.hcl |
| bot-gardener.hcl |
| bot-planner.hcl |
| bot-predictor.hcl |
| bot-review.hcl |
| bot-supervisor.hcl |
| bot-vault.hcl |
| dispatcher.hcl |
| runner-CLAWHUB_TOKEN.hcl |
| runner-CODEBERG_TOKEN.hcl |
| runner-DEPLOY_KEY.hcl |
| runner-DOCKER_HUB_TOKEN.hcl |
| runner-GITHUB_TOKEN.hcl |
| runner-NPM_TOKEN.hcl |
| service-forgejo.hcl |
| service-woodpecker.hcl |