src-auth-perms-sync 0.2.1__tar.gz → 0.3.0__tar.gz

src_auth_perms_sync-0.3.0/.github/CODEOWNERS

@@ -0,0 +1 @@
+* @marcleblanc2

src_auth_perms_sync-0.3.0/.github/workflows/ci.yml

@@ -0,0 +1,17 @@
+name: CI
+
+on:
+  pull_request:
+
+permissions:
+  contents: read
+  pull-requests: read
+
+concurrency:
+  group: ci-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  validate:
+    name: Validate
+    uses: ./.github/workflows/validate.yml

{src_auth_perms_sync-0.2.1 → src_auth_perms_sync-0.3.0}/.github/workflows/release.yml

@@ -1,4 +1,4 @@
-name: Build customer release
+name: Build release
 
 on:
   push:
@@ -6,16 +6,17 @@ on:
       - "v*"
   workflow_dispatch:
     inputs:
-      tag:
-        description: "Existing release tag to publish, for example v0.1.0"
+      version:
+        description: "Package version to publish, for example 0.1.0 or v0.1.0"
         required: true
         type: string
 
 permissions:
-  contents: write
+  contents: read
+  pull-requests: read
 
 concurrency:
-  group: release-${{ github.event.inputs.tag || github.ref_name }}
+  group: release-${{ github.event_name == 'workflow_dispatch' && inputs.version || github.ref_name }}
   cancel-in-progress: false
 
 defaults:
@@ -23,13 +24,44 @@ defaults:
     shell: bash
 
 jobs:
+  release_ref:
+    name: Resolve release tag
+    runs-on: ubuntu-24.04
+    outputs:
+      tag: ${{ steps.release.outputs.tag }}
+      version: ${{ steps.release.outputs.version }}
+
+    steps:
+      - name: Resolve release tag
+        id: release
+        env:
+          RELEASE_INPUT: ${{ github.event_name == 'workflow_dispatch' && inputs.version || github.ref_name }}
+        run: |
+          release_input="${RELEASE_INPUT}"
+          if [[ ! "${release_input}" =~ ^v?[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+            echo "::error title=Invalid release version::Use MAJOR.MINOR.PATCH or vMAJOR.MINOR.PATCH, got '${release_input}'."
+            exit 1
+          fi
+
+          release_version="${release_input#v}"
+          release_tag="v${release_version}"
+          echo "tag=${release_tag}" >> "${GITHUB_OUTPUT}"
+          echo "version=${release_version}" >> "${GITHUB_OUTPUT}"
+
+  validate:
+    name: Validate
+    needs: release_ref
+    uses: ./.github/workflows/validate.yml
+    with:
+      ref: ${{ needs.release_ref.outputs.tag }}
+      build-package: false
+
   wheelhouse:
     name: ${{ matrix.platform }}-py311 wheelhouse
+    needs: release_ref
     runs-on: ${{ matrix.runs_on }}
     strategy:
       fail-fast: false
-      # The first matrix leg creates the release; later legs upload more assets.
-      max-parallel: 1
       matrix:
         include:
           - platform: linux-x86_64
@@ -55,23 +87,30 @@ jobs:
         with:
           fetch-depth: 0
           persist-credentials: false
-          ref: ${{ github.event.inputs.tag || github.ref }}
+          ref: ${{ needs.release_ref.outputs.tag }}
 
       - name: Set up Python
         uses: actions/setup-python@v6
         with:
           python-version: ${{ env.PYTHON_VERSION }}
-          cache: pip
+
+      - name: Cache uv
+        uses: actions/cache@v5
+        with:
+          path: ~/.cache/uv
+          key: uv-${{ runner.os }}-py${{ env.PYTHON_VERSION }}-${{ hashFiles('uv.lock') }}
+          restore-keys: |
+            uv-${{ runner.os }}-py${{ env.PYTHON_VERSION }}-
 
       - name: Install build tools
-        run: |
-          python -m pip install --upgrade pip
-          python -m pip install "uv==${UV_VERSION}"
+        run: python -m pip install "uv==${UV_VERSION}"
 
       - name: Validate release inputs
         id: release
+        env:
+          RELEASE_TAG: ${{ needs.release_ref.outputs.tag }}
         run: |
-          release_tag="${{ github.event.inputs.tag || github.ref_name }}"
+          release_tag="${RELEASE_TAG}"
           if [[ ! "${release_tag}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
             echo "::error title=Invalid release tag::Use a vMAJOR.MINOR.PATCH tag, got '${release_tag}'."
             exit 1
@@ -89,21 +128,10 @@ jobs:
             exit 1
           fi
 
-          project_version=$(uv run --frozen python - <<'PY'
-          import tomllib
-
-          with open("pyproject.toml", "rb") as pyproject_file:
-              print(tomllib.load(pyproject_file)["project"]["version"])
-          PY
-          )
-          if [[ "v${project_version}" != "${release_tag}" ]]; then
-            echo "::error title=Version mismatch::pyproject.toml version '${project_version}' does not match tag '${release_tag}'."
-            exit 1
-          fi
-
           echo "tag=${release_tag}" >> "${GITHUB_OUTPUT}"
+          echo "version=${release_tag#v}" >> "${GITHUB_OUTPUT}"
 
-      - name: Validate package
+      - name: Validate runner architecture
         run: |
           actual_machine=$(uv run --frozen python - <<'PY'
           import platform
@@ -116,16 +144,11 @@ jobs:
             exit 1
           fi
 
-          uv lock --check
-          uv run --frozen ruff check src/src_auth_perms_sync/
-          uv run --frozen ruff format --check src/src_auth_perms_sync/
-          uv run --frozen pyright
-          uv run --frozen src-auth-perms-sync --help >/tmp/src-auth-perms-sync-help.txt
-
       - name: Build wheelhouse tarball
         id: build
         run: |
           release_tag="${{ steps.release.outputs.tag }}"
+          release_version="${{ steps.release.outputs.version }}"
           release_dir="build/release/${ASSET_BASENAME}"
           wheelhouse_dir="${release_dir}/wheelhouse"
           dist_dir="build/release/dist"
@@ -136,32 +159,67 @@ jobs:
 
           rm -rf build/release
           mkdir -p "${wheelhouse_dir}" "${dist_dir}"
+          shopt -s nullglob
 
-          uv build --wheel --out-dir "${dist_dir}" --no-create-gitignore
+          uv build --wheel --sdist --out-dir "${dist_dir}" --no-create-gitignore
           project_wheels=("${dist_dir}"/*.whl)
           if [[ "${#project_wheels[@]}" -ne 1 ]]; then
             echo "::error title=Unexpected wheel count::Expected one project wheel, found ${#project_wheels[@]}."
             exit 1
           fi
+          project_source_distributions=("${dist_dir}"/*.tar.gz)
+          if [[ "${#project_source_distributions[@]}" -ne 1 ]]; then
+            echo "::error title=Unexpected source distribution count::Expected one project source distribution, found ${#project_source_distributions[@]}."
+            exit 1
+          fi
           project_wheel_path="${project_wheels[0]}"
           project_wheel_name="$(basename "${project_wheel_path}")"
+          project_source_distribution_path="${project_source_distributions[0]}"
+          project_source_distribution_name="$(basename "${project_source_distribution_path}")"
+          case "${project_wheel_name}" in
+            src_auth_perms_sync-"${release_version}"-*.whl)
+              ;;
+            *)
+              echo "::error title=Wheel version mismatch::Expected wheel version ${release_version}, got '${project_wheel_name}'."
+              exit 1
+              ;;
+          esac
+          case "${project_source_distribution_name}" in
+            src_auth_perms_sync-"${release_version}".tar.gz)
+              ;;
+            *)
+              echo "::error title=Source distribution version mismatch::Expected source distribution version ${release_version}, got '${project_source_distribution_name}'."
+              exit 1
+              ;;
+          esac
+          project_wheel_checksum_path="${project_wheel_path}.sha256"
+          project_source_distribution_checksum_path="${project_source_distribution_path}.sha256"
           if [[ ! -f "${project_wheel_path}" ]]; then
             echo "::error title=Missing project wheel::Expected ${project_wheel_path} to exist."
             exit 1
           fi
 
-          uv export \
-            --no-dev \
-            --no-emit-project \
-            --no-hashes \
-            --no-header \
-            --no-annotate \
-            --frozen \
-            --output-file "${requirements_file}"
+          dependency_metadata_dir="$(mktemp -d)"
+          git clone --no-hardlinks . "${dependency_metadata_dir}" >/dev/null
+          (
+            cd "${dependency_metadata_dir}"
+            git checkout --detach "${release_tag}" >/dev/null
+            mkdir -p "$(dirname "${requirements_file}")"
+            uv export \
+              --no-sources \
+              --no-dev \
+              --no-emit-project \
+              --no-hashes \
+              --no-header \
+              --no-annotate \
+              --output-file "${requirements_file}"
+          )
 
+          cp "${dependency_metadata_dir}/${requirements_file}" "${requirements_file}"
           cp "${requirements_file}" "${runtime_requirements_file}"
-          if grep -q '^\./' "${runtime_requirements_file}"; then
+          if grep -Eq '(^-e[[:space:]]|^(\.\.?/)|(^|[[:space:]])file:| @ (\.\.?/|file:))' "${runtime_requirements_file}"; then
             echo "::error title=Unexpected local dependency::Runtime requirements must resolve from PyPI."
+            cat "${runtime_requirements_file}"
             exit 1
           fi
 
@@ -197,7 +255,7 @@ jobs:
           pip install "https://github.com/sourcegraph/src-auth-perms-sync/releases/download/${release_tag}/${project_wheel_name}"
           EOF
 
-          (cd "${wheelhouse_dir}" && shasum -a 256 *.whl > WHEELS.sha256)
+          (cd "${wheelhouse_dir}" && shasum -a 256 ./*.whl > WHEELS.sha256)
 
           test -f "${project_wheel_path}"
           test -f "${wheelhouse_dir}"/src_auth_perms_sync-*.whl
@@ -211,16 +269,28 @@ jobs:
             exit 1
           fi
 
+          (
+            cd "$(dirname "${project_wheel_path}")"
+            shasum -a 256 "${project_wheel_name}" > "$(basename "${project_wheel_checksum_path}")"
+            shasum -a 256 "${project_source_distribution_name}" > "$(basename "${project_source_distribution_checksum_path}")"
+          )
+
           tar -C "${release_dir}" -czf "${asset_path}" wheelhouse
           (
             cd "$(dirname "${asset_path}")"
             shasum -a 256 "$(basename "${asset_path}")" > "$(basename "${checksum_path}")"
           )
 
-          echo "asset_path=${asset_path}" >> "${GITHUB_OUTPUT}"
-          echo "checksum_path=${checksum_path}" >> "${GITHUB_OUTPUT}"
-          echo "project_wheel_path=${project_wheel_path}" >> "${GITHUB_OUTPUT}"
-          echo "project_wheel_name=${project_wheel_name}" >> "${GITHUB_OUTPUT}"
+          {
+            echo "asset_path=${asset_path}"
+            echo "checksum_path=${checksum_path}"
+            echo "project_wheel_path=${project_wheel_path}"
+            echo "project_wheel_name=${project_wheel_name}"
+            echo "project_source_distribution_path=${project_source_distribution_path}"
+            echo "project_source_distribution_name=${project_source_distribution_name}"
+            echo "project_wheel_checksum_path=${project_wheel_checksum_path}"
+            echo "project_source_distribution_checksum_path=${project_source_distribution_checksum_path}"
+          } >> "${GITHUB_OUTPUT}"
 
       - name: Validate offline install from tarball
         run: |
@@ -244,6 +314,7 @@ jobs:
         run: |
           release_tag="${{ steps.release.outputs.tag }}"
           project_wheel_name="${{ steps.build.outputs.project_wheel_name }}"
+          project_source_distribution_name="${{ steps.build.outputs.project_source_distribution_name }}"
           notes_path="build/release/release-notes.md"
           cat > "${notes_path}" <<EOF
           ## Customer install
@@ -273,7 +344,9 @@ jobs:
           \`\`\`
 
           The tarball includes this project, \`src-py-lib\`, and all runtime wheels.
-          Verify the download with the matching \`.sha256\` file.
+          Verify the tarball downloads with the matching \`.sha256\` files.
+          The GitHub release also includes the same \`${project_wheel_name}\` and
+          \`${project_source_distribution_name}\` files uploaded to PyPI, plus matching checksums.
 
           ### Connected PyPI install
 
@@ -296,29 +369,72 @@ jobs:
           path: |
             ${{ steps.build.outputs.asset_path }}
             ${{ steps.build.outputs.checksum_path }}
+
+      - name: Upload project distribution release artifact
+        if: matrix.platform == 'linux-x86_64'
+        uses: actions/upload-artifact@v7
+        with:
+          name: src-auth-perms-sync-project-distributions
+          path: |
             ${{ steps.build.outputs.project_wheel_path }}
-            ${{ steps.notes.outputs.path }}
+            ${{ steps.build.outputs.project_source_distribution_path }}
+            ${{ steps.build.outputs.project_wheel_checksum_path }}
+            ${{ steps.build.outputs.project_source_distribution_checksum_path }}
+
+      - name: Upload release notes artifact
+        if: matrix.platform == 'linux-x86_64'
+        uses: actions/upload-artifact@v7
+        with:
+          name: release-notes
+          path: ${{ steps.notes.outputs.path }}
 
       - name: Upload PyPI artifact
         if: matrix.platform == 'linux-x86_64'
         uses: actions/upload-artifact@v7
         with:
           name: pypi-distributions
-          path: ${{ steps.build.outputs.project_wheel_path }}
+          path: |
+            ${{ steps.build.outputs.project_wheel_path }}
+            ${{ steps.build.outputs.project_source_distribution_path }}
+
+  github-release:
+    name: Publish GitHub release assets
+    needs: [release_ref, validate, wheelhouse]
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: write
+
+    steps:
+      - name: Download wheelhouse artifacts
+        uses: actions/download-artifact@v8
+        with:
+          pattern: src-auth-perms-sync-*
+          path: release-assets
+          merge-multiple: true
+
+      - name: Download release notes
+        uses: actions/download-artifact@v8
+        with:
+          name: release-notes
+          path: release-notes
 
       - name: Publish GitHub release assets
         env:
           GH_TOKEN: ${{ github.token }}
+          GH_REPO: ${{ github.repository }}
+          RELEASE_TAG: ${{ needs.release_ref.outputs.tag }}
         run: |
-          release_tag="${{ steps.release.outputs.tag }}"
-          asset_path="${{ steps.build.outputs.asset_path }}"
-          checksum_path="${{ steps.build.outputs.checksum_path }}"
-          project_wheel_path="${{ steps.build.outputs.project_wheel_path }}"
-          notes_path="${{ steps.notes.outputs.path }}"
-          release_assets=("${asset_path}" "${checksum_path}")
-
-          if [[ "${{ matrix.platform }}" == "linux-x86_64" ]]; then
-            release_assets+=("${project_wheel_path}")
+          release_tag="${RELEASE_TAG}"
+          notes_path="$(find release-notes -name release-notes.md -print -quit)"
+          mapfile -t release_assets < <(find release-assets -type f | sort)
+
+          if [[ -z "${notes_path}" ]]; then
+            echo "::error title=Missing release notes::release-notes.md was not found in release artifact."
+            exit 1
+          fi
+          if [[ "${#release_assets[@]}" -eq 0 ]]; then
+            echo "::error title=Missing release assets::No release assets were downloaded."
+            exit 1
           fi
 
           if gh release view "${release_tag}" >/dev/null 2>&1; then
@@ -334,7 +450,7 @@ jobs:
 
   pypi:
     name: Publish PyPI package
-    needs: wheelhouse
+    needs: [validate, wheelhouse]
     runs-on: ubuntu-24.04
     permissions:
       contents: read
@@ -345,7 +461,7 @@ jobs:
 
     steps:
       - name: Download built distribution
-        uses: actions/download-artifact@v7
+        uses: actions/download-artifact@v8
         with:
           name: pypi-distributions
           path: dist
@@ -354,3 +470,4 @@ jobs:
         uses: pypa/gh-action-pypi-publish@release/v1
         with:
           packages-dir: dist
+          skip-existing: true

src_auth_perms_sync-0.3.0/.github/workflows/validate.yml

@@ -0,0 +1,267 @@
+name: Validate
+
+on:
+  workflow_call:
+    inputs:
+      ref:
+        description: "Git ref to validate. Defaults to the caller's ref."
+        required: false
+        type: string
+      build-package:
+        description: "Build and smoke-test package artifacts. Release builds do this separately."
+        required: false
+        type: boolean
+        default: true
+
+permissions:
+  contents: read
+  pull-requests: read
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  changes:
+    name: Detect changed paths
+    runs-on: ubuntu-24.04
+    outputs:
+      github_actions: ${{ steps.changed_paths.outputs.github_actions }}
+      markdown: ${{ steps.changed_paths.outputs.markdown }}
+      python: ${{ steps.changed_paths.outputs.python }}
+      package: ${{ steps.changed_paths.outputs.package }}
+
+    steps:
+      - name: Detect changed paths
+        id: changed_paths
+        env:
+          GH_TOKEN: ${{ github.token }}
+          PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }}
+        run: |
+          github_actions_changed=false
+          markdown_changed=false
+          python_changed=false
+          package_changed=false
+
+          if [[ "${{ github.event_name }}" != "pull_request" ]]; then
+            github_actions_changed=true
+            markdown_changed=true
+            python_changed=true
+            package_changed=true
+          else
+            changed_files="$(mktemp)"
+            gh api --paginate \
+              "repos/${GITHUB_REPOSITORY}/pulls/${PULL_REQUEST_NUMBER}/files" \
+              --jq '.[].filename' > "${changed_files}"
+
+            while IFS= read -r changed_file; do
+              case "${changed_file}" in
+                .github/workflows/*)
+                  github_actions_changed=true
+                  ;;
+              esac
+
+              case "${changed_file}" in
+                *.md|.markdownlint-cli2.yaml)
+                  markdown_changed=true
+                  ;;
+              esac
+
+              case "${changed_file}" in
+                .python-version|pyproject.toml|uv.lock|dev/*|src/*|tests/*)
+                  python_changed=true
+                  ;;
+              esac
+
+              case "${changed_file}" in
+                .python-version|LICENSE|README.md|maps-example.yaml|pyproject.toml|uv.lock|src/*)
+                  package_changed=true
+                  ;;
+              esac
+            done < "${changed_files}"
+          fi
+
+          {
+            echo "github_actions=${github_actions_changed}"
+            echo "markdown=${markdown_changed}"
+            echo "python=${python_changed}"
+            echo "package=${package_changed}"
+          } >> "${GITHUB_OUTPUT}"
+
+  github_actions:
+    name: Lint GitHub Actions
+    needs: changes
+    if: needs.changes.outputs.github_actions == 'true'
+    runs-on: ubuntu-24.04
+    env:
+      ACTIONLINT_VERSION: "1.7.12"
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+          ref: ${{ inputs.ref || github.ref }}
+
+      - name: Install actionlint
+        run: |
+          mkdir -p "${HOME}/.local/bin"
+          asset="actionlint_${ACTIONLINT_VERSION}_linux_amd64.tar.gz"
+          checksums="actionlint_${ACTIONLINT_VERSION}_checksums.txt"
+          base_url="https://github.com/rhysd/actionlint/releases/download/v${ACTIONLINT_VERSION}"
+
+          curl -fsSLO "${base_url}/${asset}"
+          curl -fsSLO "${base_url}/${checksums}"
+          grep "  ${asset}$" "${checksums}" | sha256sum --check
+          tar -xzf "${asset}" -C "${HOME}/.local/bin" actionlint
+          chmod 0755 "${HOME}/.local/bin/actionlint"
+
+      - name: Lint GitHub Actions
+        run: |
+          "${HOME}/.local/bin/actionlint"
+
+  markdown:
+    name: Lint Markdown
+    needs: changes
+    if: needs.changes.outputs.markdown == 'true'
+    runs-on: ubuntu-24.04
+    env:
+      MARKDOWNLINT_CLI2_VERSION: "0.22.1"
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+          ref: ${{ inputs.ref || github.ref }}
+
+      - name: Cache npm
+        uses: actions/cache@v5
+        with:
+          path: ~/.npm
+          key: npm-${{ runner.os }}-markdownlint-cli2-${{ env.MARKDOWNLINT_CLI2_VERSION }}
+
+      - name: Lint Markdown
+        run: npx --yes "markdownlint-cli2@${MARKDOWNLINT_CLI2_VERSION}"
+
+  python:
+    name: Validate Python
+    needs: changes
+    if: needs.changes.outputs.python == 'true'
+    runs-on: ubuntu-24.04
+    env:
+      PYTHON_VERSION: "3.11"
+      UV_VERSION: "0.11.7"
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+          ref: ${{ inputs.ref || github.ref }}
+
+      - name: Set up Python
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ env.PYTHON_VERSION }}
+
+      - name: Cache uv
+        uses: actions/cache@v5
+        with:
+          path: ~/.cache/uv
+          key: uv-${{ runner.os }}-py${{ env.PYTHON_VERSION }}-${{ hashFiles('uv.lock') }}
+          restore-keys: |
+            uv-${{ runner.os }}-py${{ env.PYTHON_VERSION }}-
+
+      - name: Install uv
+        run: python -m pip install "uv==${UV_VERSION}"
+
+      - name: Validate lockfile
+        run: uv lock --check
+
+      - name: Lint Python
+        run: uv run --frozen ruff check .
+
+      - name: Check Python formatting
+        run: uv run --frozen ruff format --check .
+
+      - name: Type check
+        run: uv run --frozen pyright
+
+      - name: Run tests
+        run: uv run --frozen python -m unittest discover -s tests
+
+      - name: Smoke test source checkout CLI
+        run: uv run --frozen src-auth-perms-sync --help >/tmp/src-auth-perms-sync-help.txt
+
+  package_build:
+    name: Build and smoke-test package
+    needs: changes
+    if: inputs.build-package && needs.changes.outputs.package == 'true'
+    runs-on: ubuntu-24.04
+    env:
+      PACKAGE_NAME: src-auth-perms-sync
+      PYTHON_VERSION: "3.11"
+      UV_VERSION: "0.11.7"
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+          ref: ${{ inputs.ref || github.ref }}
+
+      - name: Set up Python
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ env.PYTHON_VERSION }}
+
+      - name: Cache uv
+        uses: actions/cache@v5
+        with:
+          path: ~/.cache/uv
+          key: uv-${{ runner.os }}-py${{ env.PYTHON_VERSION }}-${{ hashFiles('uv.lock') }}
+          restore-keys: |
+            uv-${{ runner.os }}-py${{ env.PYTHON_VERSION }}-
+
+      - name: Install uv
+        run: python -m pip install "uv==${UV_VERSION}"
+
+      - name: Build distributions
+        run: uv build --wheel --sdist --out-dir dist --no-create-gitignore
+
+      - name: Smoke test installed wheel
+        run: |
+          python -m venv build/ci-venv
+          . build/ci-venv/bin/activate
+          python -m pip install dist/src_auth_perms_sync-*.whl
+          src-auth-perms-sync --help >/tmp/src-auth-perms-sync-installed-help.txt
+          python -m src_auth_perms_sync --help >/tmp/src-auth-perms-sync-module-help.txt
+
+  package:
+    name: Validate package
+    needs: [changes, github_actions, markdown, python, package_build]
+    if: always()
+    runs-on: ubuntu-24.04
+
+    steps:
+      - name: Confirm validation results
+        run: |
+          for validation_result in \
+            "${{ needs.changes.result }}" \
+            "${{ needs.github_actions.result }}" \
+            "${{ needs.markdown.result }}" \
+            "${{ needs.python.result }}" \
+            "${{ needs.package_build.result }}"
+          do
+            case "${validation_result}" in
+              success|skipped)
+                ;;
+              *)
+                echo "::error title=Validation failed::At least one validation job ended with '${validation_result}'."
+                exit 1
+                ;;
+            esac
+          done