runner

package
v0.1.2 Latest
This package is not in the latest version of its module.
Published: Jun 3, 2026 | License: Apache-2.0 | Imports: 12 | Imported by: 0

Documentation

Overview

Package runner orchestrates an audit pass against a single repo. It resolves desired values, fetches live state through the github backend, invokes the diff engine, and writes a structured per-repo stanza.

Constants

const DefaultConcurrency = 8

DefaultConcurrency is the worker-pool size when OrgOptions.Concurrency is zero or negative.

Variables

This section is empty.

Functions

This section is empty.

Types

type EnforceOptions

type EnforceOptions struct {
	// DryRun prints planned set/delete actions and makes zero write API
	// calls. The public-key fetch and value resolution are also skipped
	// since neither is needed without a real write.
	DryRun bool

	// Concurrency bounds org-wide enforce iteration the same way
	// OrgOptions.Concurrency does for Audit/Apply.
	Concurrency int

	// Verbose, when true, always emits the per-repo header even if the
	// repo had no managed entries to set and no extras to delete. When
	// false (default), the header is suppressed for repos with no events.
	Verbose bool
}

EnforceOptions controls EnforceRepo behavior.

type OrgOptions

type OrgOptions struct {
	// Concurrency bounds the number of repos processed in parallel. Zero
	// or negative selects DefaultConcurrency.
	Concurrency int

	// Verbose, when true, emits per-repo headers and (in audit) match
	// entries for every iterated repo. When false (default), repos with
	// no events are silent and audit suppresses match entries.
	Verbose bool
}

OrgOptions configures org-wide iteration shared by Audit and Apply.

type OrgResult

type OrgResult struct {
	// Drift is true if any repo's audit produced drift.
	Drift bool
	// FailedEntries is the cross-repo sum of per-entry failures (apply/enforce).
	FailedEntries int
	// OkRepos is the count of repos that completed without a per-repo error.
	OkRepos int
	// SkippedRepos is the count of repos returned by ListOrgRepos that
	// the config does not address (no per-repo entry and no all-repos).
	SkippedRepos int
	// FailedRepos is the count of repos whose top-level call returned an error.
	FailedRepos int
}

OrgResult aggregates per-repo outcomes from an org-wide run.

func Apply

func Apply(ctx context.Context, cfg *config.Config, org string, backend gh.Backend, out io.Writer, opts OrgOptions) (OrgResult, error)

Apply runs apply across the org-level scope (when configured) and every repo in the org concurrently. Per-repo errors are reported and the run continues; per-entry write failures are summed into FailedEntries.

func Audit

func Audit(ctx context.Context, cfg *config.Config, org string, backend gh.Backend, out io.Writer, showIgnored bool, opts OrgOptions) (OrgResult, error)

Audit runs an audit across the org-level scope (when configured) and every repo in the org concurrently. Per-repo errors are reported and the run continues. The final summary line counts ok, skipped, and failed repos.

func Enforce

func Enforce(ctx context.Context, cfg *config.Config, org string, backend gh.Backend, out io.Writer, opts EnforceOptions) (OrgResult, error)

Enforce runs enforce across the org-level scope (when configured) and every repo in the org concurrently. The provided opts are forwarded to each EnforceRepo / EnforceOrgScope call.

type Result

type Result struct {
	Drift  bool
	Failed int
}

Result reports the outcome of a single-repo run.

Drift is set by AuditRepo. Failed counts per-entry write failures during ApplyRepo (and could be repurposed for enforce later).

func ApplyOrgScope

func ApplyOrgScope(ctx context.Context, cfg *config.Config, orgName string, backend gh.Backend, out io.Writer, verbose bool) (Result, error)

ApplyOrgScope writes org-level managed entries. It never deletes and never touches anything outside the org's `org.managed` block. Returns Result with per-entry write failures counted in Failed. When verbose is false the org-scope header is suppressed if there are no managed entries to write.

func ApplyRepo

func ApplyRepo(ctx context.Context, cfg *config.Config, org, repo string, backend gh.Backend, out io.Writer, verbose bool) (Result, error)

ApplyRepo writes managed values for a single repo. It never deletes and never touches anything outside the repo's `managed` block. A per-entry "ok" or "FAILED: <err>" line is written for each managed entry; a final summary line is written if any entry failed.

When verbose is false the per-repo header is suppressed for repos with nothing to apply (no managed entries). When verbose is true the header is always written.

The repo's Actions and Dependabot public keys are fetched at most once per call (only when the corresponding section has at least one entry) and reused across all set calls.

func AuditOrgScope

func AuditOrgScope(ctx context.Context, cfg *config.Config, orgName string, backend gh.Backend, out io.Writer, showIgnored, verbose bool) (Result, error)

AuditOrgScope audits the org-level secrets, variables, and Dependabot secrets defined under the org's `org:` block. It writes a single labeled stanza to out. If the config has no `org:` block for orgName, the call is a no-op (zero-value Result, no stanza, no error).

func AuditRepo

func AuditRepo(ctx context.Context, cfg *config.Config, org, repo string, backend gh.Backend, out io.Writer, showIgnored, verbose bool) (Result, error)

AuditRepo runs an audit against a single repo and writes a labeled stanza to out. showIgnored controls whether ignored entries appear. verbose=false suppresses match entries and skips the stanza entirely when no non-match drift remains.

The repo is resolved via the per-repo > all-repos cascade. A repo with no per-repo block is still valid as long as the org defines all-repos.

func EnforceOrgScope

func EnforceOrgScope(ctx context.Context, cfg *config.Config, orgName string, backend gh.Backend, out io.Writer, opts EnforceOptions) (Result, error)

EnforceOrgScope applies org-level managed entries, then deletes extras.

With DryRun=true, no write API calls are made.

func EnforceRepo

func EnforceRepo(ctx context.Context, cfg *config.Config, org, repo string, backend gh.Backend, out io.Writer, opts EnforceOptions) (Result, error)

EnforceRepo applies managed values and then deletes any "extra" entries — entries present on the repo but not listed in either the managed or ignored block. With DryRun=true, it prints intended set/delete lines without calling any write API. When opts.Verbose is false the per-repo header is suppressed for repos with no events (no managed entries and no extras).
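The extras rule and the DryRun guarantee described for EnforceRepo, as an added self-contained sketch that is not the package's own code. The `fakeBackend` type, the `enforce` helper, the "would ..." line format and the secret names are hypothetical and constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// fakeBackend (hypothetical) counts the write API calls that reach it.
type fakeBackend struct{ writes int }

// enforce sets every managed name, then deletes every live name that is
// neither managed nor ignored. With dryRun it only reports what it would do.
func enforce(managed, ignored, live []string, b *fakeBackend, dryRun bool) []string {
	keep := map[string]bool{}
	for _, n := range append(append([]string{}, managed...), ignored...) {
		keep[n] = true
	}
	plan := []string{}
	for _, n := range managed {
		plan = append(plan, "set "+n)
	}
	extras := []string{}
	for _, n := range live {
		if !keep[n] {
			extras = append(extras, "delete "+n)
		}
	}
	sort.Strings(extras) // stable output whatever order the API lists names in
	plan = append(plan, extras...)
	for i := range plan {
		if dryRun {
			plan[i] = "would " + plan[i]
		} else {
			b.writes++ // a real backend would issue the write call here
		}
	}
	return plan
}

func main() {
	// Constructed sample state for one repo.
	managed := []string{"DEPLOY_KEY"}
	ignored := []string{"LEGACY_TOKEN"}
	live := []string{"OLD_AWS_KEY", "DEPLOY_KEY", "LEGACY_TOKEN"}
	b := &fakeBackend{}
	fmt.Println(enforce(managed, ignored, live, b, true), b.writes)
	fmt.Println(enforce(managed, ignored, live, b, false), b.writes)
}
```

Any live entry missing from both lists lands in the delete plan, so reviewing the dry-run output before a real enforce run is the check that catches a secret someone forgot to declare as ignored.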
