zyplux-cerberus 0.2.0__tar.gz

zyplux_cerberus-0.2.0/PKG-INFO

@@ -0,0 +1,64 @@
+Metadata-Version: 2.3
+Name: zyplux-cerberus
+Version: 0.2.0
+Summary: Cross-repo invariant verifier for the zyplux organization
+Requires-Dist: pyyaml>=6.0.3
+Requires-Dist: rust-just>=1.53
+Requires-Dist: typer>=0.20
+Requires-Python: >=3.14
+Description-Content-Type: text/markdown
+
+# cerberus
+
+Verifies repository invariants — CI workflows, branch-protection rulesets, CODEOWNERS, workflow secrets, and justfile conventions. Run it two ways: as a per-repo linter against a checkout (`cerberus`), or as a central scan across every repo in the org (`cerberus org`).
+
+## Requirements
+
+- [`uv`](https://docs.astral.sh/uv/) and Python 3.14
+- [`gh`](https://cli.github.com/), authenticated against the org — only for `cerberus org`
+
+The `justfile` check shells out to `just`, which ships with the package (via [`rust-just`](https://pypi.org/project/rust-just/)) — no separate install.
+
+## Lint a repo
+
+```sh
+uv run cerberus            # lint the current directory
+uv run cerberus PATH       # lint a checkout at PATH
+```
+
+Runs the content checks (`justfile`, `ci-workflow`, `codeowners`) against the checkout and exits non-zero on any failure or error — warnings do not fail the run — so it drops into CI like any linter. Control-plane checks (`ruleset`, `workflow-secrets`) read GitHub org/admin state the checkout cannot see, so they are skipped here and reported by `cerberus org`.
+
+Run `cerberus list` to see every check, its scope, and what it verifies.
+
+| Option          | Description                                          |
+| --------------- | ---------------------------------------------------- |
+| `--check NAME`  | Limit to named check(s); repeatable                  |
+| `--config PATH` | Use a `cerberus.toml` other than the bundled         |
+| `--fix`         | Auto-fix fixable problems (e.g. trailing whitespace) |
+
+## Scan the org
+
+`cerberus org` takes the org as a required argument — a bare name, `github.com/<org>`, or a full URL.
+
+```sh
+uv run cerberus org zyplux                  # scan every repo, report findings
+uv run cerberus org github.com/zyplux       # same, org given as a URL
+uv run cerberus org zyplux --repo api       # scan only the named repo(s)
+```
+
+Runs all checks, including the control-plane ones the local linter skips. Accepts `--repo`/`-r` and `--check`. A failure or error exits non-zero; warnings do not.
+
+## Checks
+
+| ID                 | Scope         | Verifies                                                                            |
+| ------------------ | ------------- | ----------------------------------------------------------------------------------- |
+| `justfile`         | content       | Recipe names, aliases, `check` pipeline, wrapped tool calls, no trailing whitespace |
+| `ci-workflow`      | content       | `ci.yml` exists, exposes a `ci` check, runs on PRs                                  |
+| `workflow-tooling` | content       | Workflows set up only the workspace toolchain (uv, bun), not extra tools            |
+| `codeowners`       | content       | `CODEOWNERS` present and covers `/.github/`                                         |
+| `ruleset`          | control-plane | Default branch protected by the org baseline ruleset                                |
+| `workflow-secrets` | control-plane | Every secret referenced in workflows is provisioned                                 |
+
+## Config
+
+Policy — org name, excluded repos, ruleset name, required recipes and aliases — lives in [`cerberus.toml`](src/cerberus/cerberus.toml). Override it with `--config PATH`.

zyplux_cerberus-0.2.0/README.md

@@ -0,0 +1,54 @@
+# cerberus
+
+Verifies repository invariants — CI workflows, branch-protection rulesets, CODEOWNERS, workflow secrets, and justfile conventions. Run it two ways: as a per-repo linter against a checkout (`cerberus`), or as a central scan across every repo in the org (`cerberus org`).
+
+## Requirements
+
+- [`uv`](https://docs.astral.sh/uv/) and Python 3.14
+- [`gh`](https://cli.github.com/), authenticated against the org — only for `cerberus org`
+
+The `justfile` check shells out to `just`, which ships with the package (via [`rust-just`](https://pypi.org/project/rust-just/)) — no separate install.
+
+## Lint a repo
+
+```sh
+uv run cerberus            # lint the current directory
+uv run cerberus PATH       # lint a checkout at PATH
+```
+
+Runs the content checks (`justfile`, `ci-workflow`, `codeowners`) against the checkout and exits non-zero on any failure or error — warnings do not fail the run — so it drops into CI like any linter. Control-plane checks (`ruleset`, `workflow-secrets`) read GitHub org/admin state the checkout cannot see, so they are skipped here and reported by `cerberus org`.
+
+Run `cerberus list` to see every check, its scope, and what it verifies.
+
+| Option          | Description                                          |
+| --------------- | ---------------------------------------------------- |
+| `--check NAME`  | Limit to named check(s); repeatable                  |
+| `--config PATH` | Use a `cerberus.toml` other than the bundled         |
+| `--fix`         | Auto-fix fixable problems (e.g. trailing whitespace) |
+
+## Scan the org
+
+`cerberus org` takes the org as a required argument — a bare name, `github.com/<org>`, or a full URL.
+
+```sh
+uv run cerberus org zyplux                  # scan every repo, report findings
+uv run cerberus org github.com/zyplux       # same, org given as a URL
+uv run cerberus org zyplux --repo api       # scan only the named repo(s)
+```
+
+Runs all checks, including the control-plane ones the local linter skips. Accepts `--repo`/`-r` and `--check`. A failure or error exits non-zero; warnings do not.
+
+## Checks
+
+| ID                 | Scope         | Verifies                                                                            |
+| ------------------ | ------------- | ----------------------------------------------------------------------------------- |
+| `justfile`         | content       | Recipe names, aliases, `check` pipeline, wrapped tool calls, no trailing whitespace |
+| `ci-workflow`      | content       | `ci.yml` exists, exposes a `ci` check, runs on PRs                                  |
+| `workflow-tooling` | content       | Workflows set up only the workspace toolchain (uv, bun), not extra tools            |
+| `codeowners`       | content       | `CODEOWNERS` present and covers `/.github/`                                         |
+| `ruleset`          | control-plane | Default branch protected by the org baseline ruleset                                |
+| `workflow-secrets` | control-plane | Every secret referenced in workflows is provisioned                                 |
+
+## Config
+
+Policy — org name, excluded repos, ruleset name, required recipes and aliases — lives in [`cerberus.toml`](src/cerberus/cerberus.toml). Override it with `--config PATH`.

zyplux_cerberus-0.2.0/pyproject.toml

@@ -0,0 +1,18 @@
+[project]
+name = "zyplux-cerberus"
+version = "0.2.0"
+description = "Cross-repo invariant verifier for the zyplux organization"
+readme = "README.md"
+requires-python = ">=3.14"
+dependencies = ["pyyaml>=6.0.3", "rust-just>=1.53", "typer>=0.20"]
+
+[project.scripts]
+cerberus = "cerberus.cli:app"
+
+[build-system]
+requires = ["uv_build>=0.11,<0.12"]
+build-backend = "uv_build"
+
+[tool.uv.build-backend]
+module-name = "cerberus"
+module-root = "src"

zyplux_cerberus-0.2.0/src/cerberus/__init__.py

@@ -0,0 +1,8 @@
+"""Cross-repo invariant verifier for the zyplux organization."""
+
+from importlib.metadata import PackageNotFoundError, version
+
+try:
+    __version__ = version("zyplux-cerberus")
+except PackageNotFoundError:  # running from a source tree that was never installed
+    __version__ = "0+unknown"

zyplux_cerberus-0.2.0/src/cerberus/cerberus.toml

@@ -0,0 +1,25 @@
+org = "zyplux"
+exclude_repos = [".github", "client-roadmap-feedback", "zyplux-ai-pages"]
+ruleset_name = "default-branch-baseline"
+default_recipe_marker = "just --list"
+
+[aliases.required]
+i = "install"
+k = "knip"
+tc = "typecheck"
+l = "lint"
+t = "test"
+c = "check"
+
+[aliases.recommended]
+u = "upgrade"
+ui = "upgrade-interactive"
+
+[recipes]
+required = ["default", "install", "knip", "typecheck", "lint", "test", "check"]
+recommended = ["upgrade", "upgrade-interactive", "clean"]
+check_pipeline = ["install", "knip", "typecheck", "lint", "test"]
+wrapped_tools = ["ruff", "pyrefly", "pytest", "rumdl", "vulture", "cerberus", "eslint", "prettier", "knip", "tsc"]
+
+[ci]
+allowed_setup_actions = ["astral-sh/setup-uv", "oven-sh/setup-bun"]

zyplux_cerberus-0.2.0/src/cerberus/checks/__init__.py

@@ -0,0 +1,40 @@
+from __future__ import annotations
+
+from collections.abc import Callable
+from dataclasses import dataclass
+
+from cerberus.checks import (
+    ci_workflow_check,
+    codeowners_check,
+    justfile_check,
+    ruleset_check,
+    secrets_check,
+    workflow_tooling_check,
+)
+from cerberus.context import Context
+from cerberus.model import CheckResult, Repo, Scope
+
+
+@dataclass(frozen=True)
+class Check:
+    id: str
+    summary: str
+    scope: Scope
+    run: Callable[[Repo, Context], CheckResult]
+
+
+ALL: tuple[Check, ...] = tuple(
+    Check(module.ID, module.SUMMARY, module.SCOPE, module.run)
+    for module in (
+        justfile_check,
+        ci_workflow_check,
+        workflow_tooling_check,
+        ruleset_check,
+        secrets_check,
+        codeowners_check,
+    )
+)
+
+BY_ID: dict[str, Check] = {check.id: check for check in ALL}
+
+CONTENT: tuple[Check, ...] = tuple(c for c in ALL if c.scope is Scope.CONTENT)

zyplux_cerberus-0.2.0/src/cerberus/checks/ci_workflow_check.py

@@ -0,0 +1,65 @@
+from __future__ import annotations
+
+from typing import Any
+
+import yaml
+
+from cerberus.context import Context
+from cerberus.model import CheckResult, Repo, Scope
+
+ID = "ci-workflow"
+SUMMARY = "ci.yml exists, exposes a `ci` check, runs on PRs (push to main recommended)"
+SCOPE = Scope.CONTENT
+
+YamlMapping = dict[str | bool, Any]
+ON_KEY_AS_PYYAML_BOOL = True
+
+
+def _triggers(workflow: YamlMapping) -> set[str]:
+    raw = workflow.get("on", workflow.get(ON_KEY_AS_PYYAML_BOOL))
+    if isinstance(raw, dict):
+        return set(raw.keys())
+    if isinstance(raw, list):
+        return set(raw)
+    if isinstance(raw, str):
+        return {raw}
+    return set()
+
+
+def _exposes_ci_job(workflow: YamlMapping) -> bool:
+    jobs = workflow.get("jobs", {})
+    if not isinstance(jobs, dict):
+        return False
+    return any(job_id == "ci" or (j or {}).get("name") == "ci" for job_id, j in jobs.items())
+
+
+def run(repo: Repo, ctx: Context) -> CheckResult:
+    res = CheckResult(ID, repo.name)
+    content = ctx.file(repo, ".github/workflows/ci.yml") or ctx.file(
+        repo, ".github/workflows/ci.yaml"
+    )
+    if content is None:
+        res.fail("no .github/workflows/ci.yml")
+        return res
+
+    try:
+        workflow = yaml.safe_load(content)
+    except yaml.YAMLError as err:
+        res.error(f"ci.yml is not valid YAML: {err}")
+        return res
+    if not isinstance(workflow, dict):
+        res.error("ci.yml did not parse to a mapping")
+        return res
+
+    if not _exposes_ci_job(workflow):
+        res.fail("no job named `ci` (the required status-check context)")
+
+    triggers = _triggers(workflow)
+    if "pull_request" not in triggers and "pull_request_target" not in triggers:
+        res.fail("ci.yml does not trigger on pull_request")
+    if "push" not in triggers:
+        res.warn("ci.yml does not trigger on push (to main)")
+
+    if not res.problems:
+        res.ok("ci workflow present and wired")
+    return res

zyplux_cerberus-0.2.0/src/cerberus/checks/codeowners_check.py

@@ -0,0 +1,40 @@
+from __future__ import annotations
+
+from cerberus.context import Context
+from cerberus.model import CheckResult, Repo, Scope
+
+ID = "codeowners"
+SUMMARY = "CODEOWNERS present and covers /.github/"
+SCOPE = Scope.CONTENT
+
+_LOCATIONS = (".github/CODEOWNERS", "CODEOWNERS", "docs/CODEOWNERS")
+
+
+def _covers_github(pattern: str) -> bool:
+    if pattern == "*":
+        return True
+    top = pattern.lstrip("/").split("/", 1)[0]
+    return top == ".github"
+
+
+def run(repo: Repo, ctx: Context) -> CheckResult:
+    res = CheckResult(ID, repo.name)
+
+    content = next((c for path in _LOCATIONS if (c := ctx.file(repo, path)) is not None), None)
+    if content is None:
+        res.fail("no CODEOWNERS file")
+        return res
+
+    owned_lines = [
+        line
+        for line in content.splitlines()
+        if line.strip() and not line.lstrip().startswith("#") and "@" in line
+    ]
+    if not owned_lines:
+        res.fail("CODEOWNERS has no ownership rules")
+    elif not any(_covers_github(line.split()[0]) for line in owned_lines):
+        res.warn("CODEOWNERS does not cover `/.github/`")
+
+    if not res.problems:
+        res.ok("CODEOWNERS present, covers /.github/")
+    return res

zyplux_cerberus-0.2.0/src/cerberus/checks/justfile_check.py

@@ -0,0 +1,120 @@
+from __future__ import annotations
+
+import re
+from collections.abc import Iterable
+
+from cerberus import justfile
+from cerberus.context import Context
+from cerberus.model import CheckResult, Repo, Scope
+
+ID = "justfile"
+SUMMARY = "recipe names, aliases, check pipeline, wrapped tool calls, no trailing whitespace"
+SCOPE = Scope.CONTENT
+
+_SEGMENT_SPLIT = re.compile(r"&&|\|\||[|;]")
+_RECIPE_LINE_PREFIXES = "@-"
+_TRAILING_WS = re.compile(r"[ \t]+(?=\r?\n|\Z)")
+
+
+def _trailing_ws_lines(content: str) -> list[int]:
+    return [n for n, line in enumerate(content.splitlines(), start=1) if line != line.rstrip(" \t")]
+
+
+def _strip_trailing_ws(content: str) -> str:
+    return _TRAILING_WS.sub("", content)
+
+
+def _leading_command(segment: str) -> str | None:
+    tokens = segment.split()
+    while tokens and "=" in tokens[0] and not tokens[0].startswith("-"):
+        tokens = tokens[1:]
+    if not tokens:
+        return None
+    return tokens[0].lstrip(_RECIPE_LINE_PREFIXES)
+
+
+def _bare_tool_calls(bodies: dict[str, str], wrapped_tools: Iterable[str]) -> list[tuple[str, str]]:
+    """Find recipes that invoke a managed tool directly instead of through its runner.
+
+    A managed tool (`ruff`, `rumdl`, ...) must run via `uv run`/`bunx`, so a recipe
+    line whose leading command is the tool itself relies on an ambient install and
+    breaks on a fresh checkout. Wrappers like `uv run ruff` lead with `uv`, so they
+    are accepted; only a denylisted tool in command position is flagged.
+    """
+    tools = set(wrapped_tools)
+    seen: set[tuple[str, str]] = set()
+    calls: list[tuple[str, str]] = []
+    for recipe, body in bodies.items():
+        for line in body.split("\n"):
+            for segment in _SEGMENT_SPLIT.split(line):
+                command = _leading_command(segment)
+                if command is None or command not in tools:
+                    continue
+                if (recipe, command) not in seen:
+                    seen.add((recipe, command))
+                    calls.append((recipe, command))
+    return calls
+
+
+def run(repo: Repo, ctx: Context) -> CheckResult:
+    res = CheckResult(ID, repo.name)
+    content = ctx.file(repo, "justfile")
+    if content is None:
+        res.fail("no justfile at repo root")
+        return res
+
+    ws_lines = _trailing_ws_lines(content)
+    if ws_lines:
+        if ctx.fix:
+            ctx.write_file(repo, "justfile", _strip_trailing_ws(content))
+        else:
+            res.fail(f"trailing whitespace on line(s) {', '.join(map(str, ws_lines))}")
+
+    try:
+        jf = justfile.parse(content)
+    except justfile.JustfileError as err:
+        res.error(f"could not parse justfile: {err}")
+        return res
+
+    cfg = ctx.config
+
+    for alias, target in cfg.required_aliases.items():
+        actual = jf.aliases.get(alias)
+        if actual is None:
+            res.fail(f"missing alias `{alias} := {target}`")
+        elif actual != target:
+            res.fail(f"alias `{alias}` targets `{actual}`, expected `{target}`")
+
+    for alias, target in cfg.recommended_aliases.items():
+        actual = jf.aliases.get(alias)
+        if actual is None:
+            res.warn(f"missing recommended alias `{alias} := {target}`")
+        elif actual != target:
+            res.warn(f"alias `{alias}` targets `{actual}`, expected `{target}`")
+
+    for name in cfg.required_recipes:
+        if name not in jf.recipes:
+            res.fail(f"missing required recipe `{name}`")
+
+    for name in cfg.recommended_recipes:
+        if name not in jf.recipes:
+            res.warn(f"missing recommended recipe `{name}`")
+
+    if "default" in jf.recipes and cfg.default_recipe_marker not in jf.bodies.get("default", ""):
+        res.fail(f"`default` recipe should run `{cfg.default_recipe_marker}`")
+
+    if "check" in jf.recipes:
+        deps = jf.recipes["check"]
+        if not justfile.is_subsequence(list(cfg.check_pipeline), deps):
+            res.fail(
+                f"`check` dependencies {deps} must contain {list(cfg.check_pipeline)} in order"
+            )
+
+    for recipe, tool in _bare_tool_calls(jf.bodies, cfg.wrapped_tools):
+        res.fail(
+            f"recipe `{recipe}` runs `{tool}` directly; managed tools must run via `uv run`/`bunx`"
+        )
+
+    if not res.problems:
+        res.ok("justfile conforms")
+    return res

zyplux_cerberus-0.2.0/src/cerberus/checks/ruleset_check.py

@@ -0,0 +1,55 @@
+from __future__ import annotations
+
+from typing import Any
+
+from cerberus.context import Context
+from cerberus.model import CheckResult, Repo, Scope
+
+ID = "ruleset"
+SUMMARY = "default branch protected by the org baseline ruleset"
+SCOPE = Scope.CONTROL_PLANE
+
+
+def _by_type(rules: list[dict[str, Any]]) -> dict[str, dict[str, Any]]:
+    return {rule["type"]: rule for rule in rules}
+
+
+def run(repo: Repo, ctx: Context) -> CheckResult:
+    res = CheckResult(ID, repo.name)
+    cfg = ctx.config
+
+    if not ctx.ruleset_active(cfg.ruleset_name):
+        res.fail(f"org ruleset `{cfg.ruleset_name}` is absent or not active")
+
+    rules = _by_type(ctx.branch_rules(repo))
+
+    pr = rules.get("pull_request")
+    if pr is None:
+        res.fail("default branch does not require a pull request")
+    else:
+        params = pr.get("parameters", {})
+        if params.get("required_approving_review_count", 0) < 1:
+            res.fail("pull requests do not require an approving review")
+        if not params.get("require_code_owner_review"):
+            res.warn("code-owner review not required")
+
+    checks = rules.get("required_status_checks")
+    if checks is None:
+        res.fail("no required status checks on default branch")
+    else:
+        contexts = [
+            c.get("context") for c in checks.get("parameters", {}).get("required_status_checks", [])
+        ]
+        if "ci" not in contexts:
+            res.fail(f"required status checks {contexts} do not include `ci`")
+
+    if "required_linear_history" not in rules:
+        res.warn("linear history not enforced")
+    if "non_fast_forward" not in rules:
+        res.warn("force-pushes not blocked")
+    if "deletion" not in rules:
+        res.warn("branch deletion not blocked")
+
+    if not res.problems:
+        res.ok("default branch baseline enforced")
+    return res

zyplux_cerberus-0.2.0/src/cerberus/checks/secrets_check.py

@@ -0,0 +1,37 @@
+from __future__ import annotations
+
+import re
+
+from cerberus.context import Context
+from cerberus.model import CheckResult, Repo, Scope
+
+ID = "workflow-secrets"
+SUMMARY = "every secret referenced in workflows is provisioned"
+SCOPE = Scope.CONTROL_PLANE
+
+_SECRET_REF = re.compile(r"secrets\.([A-Za-z_][A-Za-z0-9_]*)")
+_ALWAYS_PRESENT = frozenset({"GITHUB_TOKEN"})
+
+
+def run(repo: Repo, ctx: Context) -> CheckResult:
+    res = CheckResult(ID, repo.name)
+    workflows = ctx.workflows(repo)
+    if not workflows:
+        res.skip("no workflows")
+        return res
+
+    referenced: set[str] = set()
+    for content in workflows.values():
+        referenced.update(_SECRET_REF.findall(content))
+    referenced -= _ALWAYS_PRESENT
+
+    if not referenced:
+        res.ok("no external secrets referenced")
+        return res
+
+    for name in sorted(referenced):
+        if ctx.secret_available(repo, name):
+            res.ok(f"`{name}` provisioned")
+        else:
+            res.fail(f"`{name}` referenced in workflows but not set at repo or org scope")
+    return res

zyplux_cerberus-0.2.0/src/cerberus/checks/workflow_tooling_check.py

@@ -0,0 +1,86 @@
+from __future__ import annotations
+
+import re
+from typing import Any
+
+import yaml
+
+from cerberus.context import Context
+from cerberus.model import CheckResult, Repo, Scope
+
+ID = "workflow-tooling"
+SUMMARY = "workflows set up only the workspace toolchain (uv, bun), not extra tools"
+SCOPE = Scope.CONTENT
+
+_SETUP_ACTION = re.compile(r"^(setup-|.*-toolchain$)", re.IGNORECASE)
+
+_INSTALL_COMMANDS = (
+    re.compile(r"\bapt(?:-get)?\s+(?:install|add)\b", re.IGNORECASE),
+    re.compile(r"\bpip3?\s+install\b", re.IGNORECASE),
+    re.compile(r"\bpipx\s+install\b", re.IGNORECASE),
+    re.compile(r"\bcargo\s+install\b", re.IGNORECASE),
+    re.compile(r"\bgo\s+install\b", re.IGNORECASE),
+    re.compile(r"\bbrew\s+install\b", re.IGNORECASE),
+    re.compile(r"\bnpm\s+(?:install|i)\b[^\n]*?\s(?:-g|--global)\b", re.IGNORECASE),
+    re.compile(r"\b(?:pnpm|yarn)\b[^\n]*?\bglobal\b", re.IGNORECASE),
+)
+
+
+def _action_repo(uses: str) -> str:
+    identity = uses.split("@", 1)[0].strip()
+    parts = identity.split("/")
+    return parts[1] if len(parts) >= 2 else identity
+
+
+def _is_setup_action(uses: str) -> bool:
+    repo = _action_repo(uses)
+    return bool(_SETUP_ACTION.match(repo)) or "install-action" in repo.lower()
+
+
+def _steps(workflow: dict[str, Any]) -> list[dict[str, Any]]:
+    jobs = workflow.get("jobs")
+    if not isinstance(jobs, dict):
+        return []
+    steps: list[dict[str, Any]] = []
+    for job in jobs.values():
+        job_steps = job.get("steps") if isinstance(job, dict) else None
+        if isinstance(job_steps, list):
+            steps.extend(step for step in job_steps if isinstance(step, dict))
+    return steps
+
+
+def run(repo: Repo, ctx: Context) -> CheckResult:
+    res = CheckResult(ID, repo.name)
+    workflows = ctx.workflows(repo)
+    if not workflows:
+        res.skip("no workflow files to scan")
+        return res
+
+    allowed = set(ctx.config.allowed_setup_actions)
+    for name, content in sorted(workflows.items()):
+        try:
+            workflow = yaml.safe_load(content)
+        except yaml.YAMLError as err:
+            res.warn(f"{name}: not valid YAML ({err})")
+            continue
+        if not isinstance(workflow, dict):
+            continue
+
+        for step in _steps(workflow):
+            uses = step.get("uses")
+            if isinstance(uses, str) and _is_setup_action(uses):
+                identity = uses.split("@", 1)[0].strip()
+                if identity not in allowed:
+                    res.fail(f"{name}: installs a tool via `{identity}`; the toolchain is uv + bun")
+
+            script = step.get("run")
+            if isinstance(script, str):
+                for pattern in _INSTALL_COMMANDS:
+                    hit = pattern.search(script)
+                    if hit is not None:
+                        res.fail(f"{name}: installs a tool with `{hit.group(0).strip()}`")
+                        break
+
+    if not res.problems:
+        res.ok("workflows install no extra tools")
+    return res