@windyroad/risk-scorer 0.1.4-preview.26 → 0.1.4-preview.27
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/hooks/git-push-gate.sh +10 -1
- package/hooks/test/git-push-gate.bats +82 -0
- package/package.json +1 -1
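--- a/package/hooks/git-push-gate.sh
+++ b/package/hooks/git-push-gate.sh
@@ -110,7 +110,16 @@ fi
 
 # Match gh pr merge. Should go via npm run release:watch instead.
 if echo "$COMMAND" | grep -qE '(^|;|&&|\|\|)\s*gh pr merge(\s|$)'; then
-
+# Check if the project has a release:watch script
+if [ -f "package.json" ] && python3 -c "
+import json, sys
+pkg = json.load(open('package.json'))
+sys.exit(0 if 'release:watch' in pkg.get('scripts', {}) else 1)
+" 2>/dev/null; then
+risk_gate_deny "Use \`npm run release:watch\` instead of \`gh pr merge\`. It merges the release PR, watches the publish pipeline, and surfaces the production URL when live -- or tells you what failed and how to fix it."
+else
+risk_gate_deny "Direct \`gh pr merge\` is blocked (no release:watch script found). Create a release:watch npm script that: (1) finds and merges the release PR with \`gh pr merge\`, (2) waits for the CI workflow with \`gh run list\`, and (3) watches it with \`gh run watch --exit-status\`. Then run \`npm run release:watch\` to release."
+fi
 exit 0
 fi
 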
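Review bot: The `2>/dev/null` on the python3 probe (new lines 114–118) folds three distinct situations — `python3` absent from PATH, an unparsable package.json, and a genuinely missing `release:watch` script — into the else branch, so on a host without python3 a project that already has the script is told to create one. Both branches still call `risk_gate_deny`, so the gate fails closed, which is the right default for a probe that can error out; that intent deserves a comment above line 114, e.g. `# Both branches deny: if the probe itself fails (no python3, bad JSON) we still block, just with the generic guidance.` Guarding the probe with `command -v python3 >/dev/null 2>&1 &&` would at least make the wrong-message case detectable in logs. `risk_gate_deny` is presumably defined earlier in the file; its exit behaviour is not visible in this hunk.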
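--- /dev/null
+++ b/package/hooks/test/git-push-gate.bats
@@ -0,0 +1,82 @@
+#!/usr/bin/env bats
+# Tests for git-push-gate.sh — gh pr merge block and release:watch guidance
+
+setup() {
+HOOKS_DIR="$(cd "$(dirname "$BATS_TEST_FILENAME")/.." && pwd)"
+HOOK="$HOOKS_DIR/git-push-gate.sh"
+
+TEST_SESSION="bats-push-gate-$$-${BATS_TEST_NUMBER}"
+# Ensure a clean risk dir
+RDIR="${TMPDIR:-/tmp}/claude-risk-${TEST_SESSION}"
+rm -rf "$RDIR"
+mkdir -p "$RDIR"
+
+# Create a temp project dir for package.json detection
+TEST_PROJECT_DIR="$(mktemp -d)"
+}
+
+teardown() {
+rm -rf "$RDIR"
+rm -rf "$TEST_PROJECT_DIR"
+}
+
+# Helper: build a PreToolUse Bash input with a given command
+build_input() {
+local cmd="$1"
+cat <<ENDJSON
+{
+"session_id": "$TEST_SESSION",
+"tool_name": "Bash",
+"tool_input": {
+"command": "$cmd"
+}
+}
+ENDJSON
+}
+
+@test "gh pr merge is blocked with release:watch guidance when script exists" {
+# Create a package.json with release:watch
+cat > "$TEST_PROJECT_DIR/package.json" <<'PKG'
+{ "scripts": { "release:watch": "bash scripts/release-watch.sh" } }
+PKG
+
+INPUT=$(build_input "gh pr merge 4 --merge")
+run bash -c "cd '$TEST_PROJECT_DIR' && echo '$INPUT' | '$HOOK'"
+[ "$status" -eq 0 ]
+[[ "$output" == *"permissionDecision"* ]]
+[[ "$output" == *"deny"* ]]
+[[ "$output" == *"release:watch"* ]]
+}
+
+@test "gh pr merge tells agent to create release:watch when script missing" {
+# Create a package.json WITHOUT release:watch
+cat > "$TEST_PROJECT_DIR/package.json" <<'PKG'
+{ "scripts": { "test": "echo test" } }
+PKG
+
+INPUT=$(build_input "gh pr merge 4 --merge")
+run bash -c "cd '$TEST_PROJECT_DIR' && echo '$INPUT' | '$HOOK'"
+[ "$status" -eq 0 ]
+[[ "$output" == *"permissionDecision"* ]]
+[[ "$output" == *"deny"* ]]
+# Should tell agent to create the script
+[[ "$output" == *"no release:watch script"* ]]
+[[ "$output" == *"gh pr merge"* ]]
+[[ "$output" == *"gh run watch"* ]]
+}
+
+@test "gh pr merge tells agent to create release:watch when no package.json" {
+local empty_dir="$(mktemp -d)"
+
+INPUT=$(build_input "gh pr merge 4 --merge")
+run bash -c "cd '$empty_dir' && echo '$INPUT' | '$HOOK'"
+[ "$status" -eq 0 ]
+[[ "$output" == *"permissionDecision"* ]]
+[[ "$output" == *"deny"* ]]
+# Should tell agent to create the script
+[[ "$output" == *"no release:watch script"* ]]
+[[ "$output" == *"gh pr merge"* ]]
+[[ "$output" == *"gh run watch"* ]]
+
+rm -rf "$empty_dir"
+}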
package/package.json
CHANGED