Documentation
Overview
Package runner orchestrates an audit pass against a single repo. It resolves desired values, fetches live state through the github backend, invokes the diff engine, and writes a structured per-repo stanza.
Index
- Constants
- type EnforceOptions
- type OrgOptions
- type OrgResult
- func Apply(ctx context.Context, cfg *config.Config, org string, backend gh.Backend, ...) (OrgResult, error)
- func Audit(ctx context.Context, cfg *config.Config, org string, backend gh.Backend, ...) (OrgResult, error)
- func Enforce(ctx context.Context, cfg *config.Config, org string, backend gh.Backend, ...) (OrgResult, error)
- type Result
- func ApplyOrgScope(ctx context.Context, cfg *config.Config, orgName string, backend gh.Backend, ...) (Result, error)
- func ApplyRepo(ctx context.Context, cfg *config.Config, org, repo string, backend gh.Backend, ...) (Result, error)
- func AuditOrgScope(ctx context.Context, cfg *config.Config, orgName string, backend gh.Backend, ...) (Result, error)
- func AuditRepo(ctx context.Context, cfg *config.Config, org, repo string, backend gh.Backend, ...) (Result, error)
- func EnforceOrgScope(ctx context.Context, cfg *config.Config, orgName string, backend gh.Backend, ...) (Result, error)
- func EnforceRepo(ctx context.Context, cfg *config.Config, org, repo string, backend gh.Backend, ...) (Result, error)
Constants
const DefaultConcurrency = 8
DefaultConcurrency is the worker-pool size when OrgOptions.Concurrency is zero or negative.
Variables
This section is empty.
Functions
This section is empty.
Types
type EnforceOptions
type EnforceOptions struct {
    // DryRun prints planned set/delete actions and makes zero write API
    // calls. The public-key fetch and value resolution are also skipped
    // since neither is needed without a real write.
    DryRun bool
    // Concurrency bounds org-wide enforce iteration the same way
    // OrgOptions.Concurrency does for Audit/Apply.
    Concurrency int
    // Confirm, if non-nil and DryRun is false, is invoked after the live
    // state has been fetched and the extras list computed. The argument
    // is a list of "kind/name" strings, one per planned deletion. If
    // Confirm returns false, no writes or deletes are performed and
    // Result is the zero value. Confirm is ignored when DryRun is true.
    Confirm func(extras []string) bool
}
EnforceOptions controls EnforceRepo behavior.
type OrgOptions
type OrgOptions struct {
    // Concurrency bounds the number of repos processed in parallel. Zero
    // or negative selects DefaultConcurrency.
    Concurrency int
}
OrgOptions configures org-wide iteration shared by Audit and Apply.
type OrgResult
type OrgResult struct {
    // Drift is true if any repo's audit produced drift.
    Drift bool
    // FailedEntries is the cross-repo sum of per-entry failures (apply/enforce).
    FailedEntries int
    // OkRepos is the count of repos that completed without a per-repo error.
    OkRepos int
    // SkippedRepos is the count of repos returned by ListOrgRepos that
    // the config does not address (no per-repo entry and no all-repos).
    SkippedRepos int
    // FailedRepos is the count of repos whose top-level call returned an error.
    FailedRepos int
}
OrgResult aggregates per-repo outcomes from an org-wide run.
func Apply
func Apply(ctx context.Context, cfg *config.Config, org string, backend gh.Backend, out io.Writer, opts OrgOptions) (OrgResult, error)
Apply runs apply across the org-level scope (when configured) and every repo in the org concurrently. Per-repo errors are reported and the run continues; per-entry write failures are summed into FailedEntries.
func Audit
func Audit(ctx context.Context, cfg *config.Config, org string, backend gh.Backend, out io.Writer, showIgnored bool, opts OrgOptions) (OrgResult, error)
Audit runs an audit across the org-level scope (when configured) and every repo in the org concurrently. Per-repo errors are reported and the run continues. The final summary line counts ok, skipped, and failed repos.
func Enforce
func Enforce(ctx context.Context, cfg *config.Config, org string, backend gh.Backend, out io.Writer, opts EnforceOptions) (OrgResult, error)
Enforce runs enforce across the org-level scope (when configured) and every repo in the org concurrently. The provided opts are forwarded to each EnforceRepo / EnforceOrgScope call.
type Result
Result reports the outcome of a single-repo run.
Drift is set by AuditRepo. Failed counts per-entry write failures during ApplyRepo (and could be repurposed for enforce later).
func ApplyOrgScope
func ApplyOrgScope(ctx context.Context, cfg *config.Config, orgName string, backend gh.Backend, out io.Writer) (Result, error)
ApplyOrgScope writes org-level managed entries. It never deletes and never touches anything outside the org's `org.managed` block. Returns Result with per-entry write failures counted in Failed.
func ApplyRepo
func ApplyRepo(ctx context.Context, cfg *config.Config, org, repo string, backend gh.Backend, out io.Writer) (Result, error)
ApplyRepo writes managed values for a single repo. It never deletes and never touches anything outside the repo's `managed` block. A per-entry "ok" or "FAILED: <err>" line is written for each managed entry; a final summary line is written if any entry failed.
The repo's Actions and Dependabot public keys are fetched at most once per call (only when the corresponding section has at least one entry) and reused across all set calls.
func AuditOrgScope
func AuditOrgScope(ctx context.Context, cfg *config.Config, orgName string, backend gh.Backend, out io.Writer, showIgnored bool) (Result, error)
AuditOrgScope audits the org-level secrets, variables, and Dependabot secrets defined under the org's `org:` block. It writes a single labeled stanza to out. If the config has no `org:` block for orgName, the call is a no-op (zero-value Result, no stanza, no error).
func AuditRepo
func AuditRepo(ctx context.Context, cfg *config.Config, org, repo string, backend gh.Backend, out io.Writer, showIgnored bool) (Result, error)
AuditRepo runs an audit against a single repo and writes a labeled stanza to out. showIgnored controls whether ignored entries appear.
The repo is resolved via the per-repo > all-repos cascade. A repo with no per-repo block is still valid as long as the org defines all-repos.
func EnforceOrgScope
func EnforceOrgScope(ctx context.Context, cfg *config.Config, orgName string, backend gh.Backend, out io.Writer, opts EnforceOptions) (Result, error)
EnforceOrgScope applies org-level managed entries, then deletes extras.
With DryRun=true, no write API calls are made. Confirm is invoked exactly once with the list of planned deletions; if it returns false, neither the apply nor the delete phase runs.
func EnforceRepo
func EnforceRepo(ctx context.Context, cfg *config.Config, org, repo string, backend gh.Backend, out io.Writer, opts EnforceOptions) (Result, error)
EnforceRepo applies managed values and then deletes any "extra" entries — entries present on the repo but not listed in either the managed or ignored block. With DryRun=true, it prints intended set/delete lines without calling any write API.
The TTY/--yes confirmation contract is owned by the CLI layer; by the time EnforceRepo is called, the caller has already decided to proceed.
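As an added example that is not part of the runner package: a stand-alone deletion policy whose Confirm method has the func(extras []string) bool shape that EnforceOptions.Confirm expects, so a caller can assign it before invoking EnforceRepo or EnforceOrgScope and refuse the whole pass when the planned deletions look wrong. The "secret", "variable" and "dependabot-secret" kind labels, the MaxDeletes cap and the ProtectedKinds set are assumptions; the page only specifies the "kind/name" form of each entry.

```go
package main

import (
	"fmt"
	"strings"
)

// ConfirmPolicy decides whether an enforce pass may proceed, given the "kind/name"
// deletion list EnforceOptions.Confirm receives (example code; kind labels assumed).
type ConfirmPolicy struct {
	MaxDeletes     int             // refuse above this many deletions (0 = no cap)
	ProtectedKinds map[string]bool // refuse if any deletion targets one of these kinds
}

// Decide returns (proceed, reason); an empty list means nothing would be deleted.
func (p ConfirmPolicy) Decide(extras []string) (bool, string) {
	if len(extras) == 0 {
		return true, "no extras to delete"
	}
	if p.MaxDeletes > 0 && len(extras) > p.MaxDeletes {
		return false, fmt.Sprintf("%d planned deletions exceed cap of %d", len(extras), p.MaxDeletes)
	}
	byKind := map[string]int{}
	for _, e := range extras {
		kind, name, ok := strings.Cut(e, "/")
		if !ok || kind == "" || name == "" {
			return false, fmt.Sprintf("malformed extra %q (want kind/name)", e)
		}
		if p.ProtectedKinds[kind] {
			return false, fmt.Sprintf("refusing to delete protected kind %q (%s)", kind, e)
		}
		byKind[kind]++
	}
	return true, fmt.Sprintf("%d planned deletions across %d kinds", len(extras), len(byKind))
}

// Confirm matches the func(extras []string) bool shape of EnforceOptions.Confirm.
func (p ConfirmPolicy) Confirm(extras []string) bool {
	ok, reason := p.Decide(extras)
	fmt.Printf("confirm=%v: %s\n", ok, reason)
	return ok
}

func main() {
	// Constructed sample extras; "secret", "variable", "dependabot-secret" are assumed kind labels.
	policy := ConfirmPolicy{MaxDeletes: 5, ProtectedKinds: map[string]bool{"dependabot-secret": true}}
	policy.Confirm([]string{"secret/OLD_TOKEN", "variable/LEGACY_FLAG"}) // confirm=true
	policy.Confirm([]string{"dependabot-secret/NPM_TOKEN"})              // confirm=false
}
```

Because Confirm is skipped when DryRun is true, the policy only ever runs on a pass that would really delete; pair it with a DryRun pass first to see the same extras list without any risk.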