From 9d4854b3a6186f6290a6e7a0655ff5fd013688c8 Mon Sep 17 00:00:00 2001 From: user Date: Tue, 16 Jun 2026 14:56:30 -0400 Subject: [PATCH 1/3] feat(ci): add APM audit enforcement workflow Add apm-audit.yml that runs `apm audit --ci --no-cache --no-drift` on PRs, merge queue, and push to main. Uses microsoft/apm-action@v1 which handles APM CLI installation and runs `apm install` before the audit script. The summary job ("APM Audit CI Gate") follows the try-enqueue pattern for auto-merge integration. Uses --no-drift initially since existing drift from the APM adoption PR needs to be resolved separately. Co-Authored-By: Claude --- .github/scripts/try-enqueue.sh | 2 +- .github/workflows/apm-audit.yml | 61 +++++++++++++++++++++++++++++++++ 2 files changed, 62 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/apm-audit.yml diff --git a/.github/scripts/try-enqueue.sh b/.github/scripts/try-enqueue.sh index 4d0c81f3..43d6118a 100755 --- a/.github/scripts/try-enqueue.sh +++ b/.github/scripts/try-enqueue.sh @@ -28,7 +28,7 @@ if ! echo "$LABELS" | grep -qE "auto-merge-pending|auto-merge-queue"; then exit 0 fi -GATES=("Lint CI Gate" "Unit Tests CI Gate" "SDD boundary check" "Build CI Gate") +GATES=("Lint CI Gate" "Unit Tests CI Gate" "SDD boundary check" "Build CI Gate" "APM Audit CI Gate") CHECKS=$(gh pr checks "$PR_NUMBER" --repo "$REPO" 2>/dev/null || true) diff --git a/.github/workflows/apm-audit.yml b/.github/workflows/apm-audit.yml new file mode 100644 index 00000000..b2c98a80 --- /dev/null +++ b/.github/workflows/apm-audit.yml 
@@ -0,0 +1,61 @@
+name: APM Audit
+
+on:
+ push:
+ branches: [main]
+
+ pull_request:
+
+ merge_group:
+ branches: [main]
+
+ workflow_dispatch:
+
+permissions:
+ contents: read
+
+concurrency:
+ group: apm-audit-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ audit:
+ name: APM Audit
+ runs-on: ubuntu-latest
+ timeout-minutes: 5
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+
+ - name: Run APM audit
+ uses: microsoft/apm-action@e5650fb81c4b5965090a17bd1ed1956071e95d17 # v1.9.1
+ with:
+ script: audit --ci --no-cache --no-drift
+
+ summary:
+ name: APM Audit CI Gate
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ pull-requests: write
+ checks: read
+ needs: [audit]
+ if: always()
+ steps:
+ - name: Check overall status
+ run: |
+ if [ "${{ needs.audit.result }}" == "failure" ] || [ "${{ needs.audit.result }}" == "cancelled" ]; then
+ echo "APM audit failed"
+ exit 1
+ fi
+ echo "APM audit passed!"
+
+ - name: Checkout code
+ if: github.event_name == 'pull_request'
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+
+ - name: Try enqueue
+ if: github.event_name == 'pull_request'
+ env:
+ GH_TOKEN: ${{ secrets.AUTO_MERGE_PAT }}
+ run: bash .github/scripts/try-enqueue.sh "${{ github.event.pull_request.number }}" "APM Audit CI Gate"
From 35ad670e9f2c4cd179e26f228031745dd1fdf888 Mon Sep 17 00:00:00 2001
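Review bot: In the new `.github/workflows/apm-audit.yml` (PATCH 1/3), the `Try enqueue` step of the `summary` job runs `.github/scripts/try-enqueue.sh` from the pull-request checkout while `GH_TOKEN` holds `secrets.AUTO_MERGE_PAT`, so for PRs opened from a branch of this repository the script that receives the PAT is the unreviewed version carried by the PR itself. Consider running the trusted copy instead, for example by adding `with:`, `ref: ${{ github.event.pull_request.base.sha }}` and `persist-credentials: false` to the second `Checkout code` step, or by moving the enqueue into a workflow that executes from the default branch. The `Check overall status` step also fails open: only `failure` and `cancelled` are rejected, so any other non-success result still prints "APM audit passed!"; `if [ "${{ needs.audit.result }}" != "success" ]; then` makes the gate fail closed. The job-level `contents: write` and `pull-requests: write` grants look unnecessary if the script acts only through the PAT; that is an inference from this hunk, since the script body is not shown here, and worth confirming before dropping them.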
From: user Date: Tue, 16 Jun 2026 15:29:55 -0400 Subject: [PATCH 2/3] fix(ci): use setup-only mode for APM audit MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The agentic-sdlc dependency is private — apm install fails in CI without auth. Use setup-only to install just the CLI, then run apm audit directly as a shell command. The audit checks lockfile integrity, content integrity, and ref consistency without needing to clone the dependency. Co-Authored-By: Claude --- .github/workflows/apm-audit.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/apm-audit.yml b/.github/workflows/apm-audit.yml index b2c98a80..c1d06fe4 100644 --- a/.github/workflows/apm-audit.yml +++ b/.github/workflows/apm-audit.yml @@ -27,10 +27,13 @@ jobs: - name: Checkout code uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - - name: Run APM audit + - name: Install APM CLI uses: microsoft/apm-action@e5650fb81c4b5965090a17bd1ed1956071e95d17 # v1.9.1 with: - script: audit --ci --no-cache --no-drift + setup-only: 'true' + + - name: Run APM audit + run: apm audit --ci --no-cache --no-drift summary: name: APM Audit CI Gate From 45840bc8027247942c5a2bfadc9f29d7ac82e8ff Mon Sep 17 00:00:00 2001 From: user Date: Tue, 16 Jun 2026 15:32:34 -0400 Subject: [PATCH 3/3] fix(ci): commit APM lockfile for CI audit Un-ignore apm.lock.yaml and commit the generated lockfile so apm audit --ci can verify lockfile-exists, ref-consistency, and other structural checks in CI. Co-Authored-By: Claude --- .gitignore | 2 +- apm.lock.yaml | 146 ++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 147 insertions(+), 1 deletion(-) create mode 100644 apm.lock.yaml diff --git a/.gitignore b/.gitignore index 0759271d..3de69ea0 100644 --- a/.gitignore +++ b/.gitignore 
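Review bot: The `Run APM audit` step in the `.github/workflows/apm-audit.yml` hunk of PATCH 2/3 keeps `--no-drift` on a check that gates merges, but the workflow file itself never records that this is temporary; the reason exists only in the PATCH 1/3 commit message. Suggest a comment above the `run:` line such as `# --no-drift is temporary: existing drift from the APM adoption PR must be resolved first; remove it to enforce drift checks`. A second comment beside `setup-only: 'true'` saying that `apm install` is skipped because the dependency is private would tell a reader that the audit runs without cloning the dependency. The CLI version installed by the setup step is not visible in this hunk; if it is not pinned, the audit result could change between runs independently of the repository contents.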
@@ -154,5 +154,5 @@ components/credential-sidecars/entrypoint/entrypoint # APM (Agent Package Manager) apm_modules/ -apm.lock.yaml +# apm.lock.yaml is committed — CI needs it for apm audit .local/ diff --git a/apm.lock.yaml b/apm.lock.yaml new file mode 100644 index 00000000..b9ce749b --- /dev/null +++ b/apm.lock.yaml 
@@ -0,0 +1,146 @@ +lockfile_version: '1' +generated_at: '2026-06-16T18:54:54.994050+00:00' +apm_version: 0.20.0 +dependencies: +- repo_url: OpenShift-Fleet/agentic-sdlc + host: github.com + resolved_commit: 4fb95430eeaca1ecf3e78f38c8629fb26f1c6db0 + package_type: marketplace_plugin + deployed_files: + - .claude/commands/README.md + - .claude/commands/check.agent.md + - .claude/commands/finish-work.md + - .claude/commands/ignite.agent.md + - .claude/commands/myissues.md + - .claude/commands/ship.md + - .claude/commands/start-work.md + - .claude/commands/summary.md + - .claude/skills/bug-specialist + - .claude/skills/bug-specialist/SKILL.md + - .claude/skills/bug-specialist/template.md + - .claude/skills/epic-specialist + - .claude/skills/epic-specialist/SKILL.md + - .claude/skills/epic-specialist/template.md + - .claude/skills/f2f-daily-summary + - .claude/skills/f2f-daily-summary/SKILL.md + - .claude/skills/f2f-epic-specialist + - .claude/skills/f2f-epic-specialist/SKILL.md + - .claude/skills/feature-specialist + - .claude/skills/feature-specialist/SKILL.md + - .claude/skills/feature-specialist/template.md + - .claude/skills/finish-work + - .claude/skills/finish-work/SKILL.md + - .claude/skills/init-context-docs + - .claude/skills/init-context-docs/SKILL.md + - .claude/skills/init-context-docs/checklists/agents-md-checklist.md + - .claude/skills/init-context-docs/checklists/claude-md-checklist.md + - .claude/skills/init-context-docs/checklists/guideline-checklist.md + - .claude/skills/init-context-docs/checklists/readme-checklist.md + - .claude/skills/init-context-docs/scripts/automated-checks.sh + - .claude/skills/initiative-specialist + - .claude/skills/initiative-specialist/SKILL.md + - .claude/skills/initiative-specialist/template.md + - .claude/skills/jira-create + - .claude/skills/jira-create/SKILL.md + - .claude/skills/jira-report + - .claude/skills/jira-report/SKILL.md + - .claude/skills/jira-report/issue-review-template.md + - 
.claude/skills/jira-report/listing-by-component-template.md + - .claude/skills/jira-report/listing-by-team-template.md + - .claude/skills/jira-report/listing-by-worktype-template.md + - .claude/skills/jira-specialist + - .claude/skills/jira-specialist/SKILL.md + - .claude/skills/jira-specialist/activity-types.md + - .claude/skills/opencode-setup + - .claude/skills/opencode-setup/SKILL.md + - .claude/skills/outcome-specialist + - .claude/skills/outcome-specialist/SKILL.md + - .claude/skills/outcome-specialist/strategic-goal-template.md + - .claude/skills/outcome-specialist/template.md + - .claude/skills/pr-fix + - .claude/skills/pr-fix/SKILL.md + - .claude/skills/pr-review + - .claude/skills/pr-review/README.md + - .claude/skills/pr-review/SKILL.md + - .claude/skills/pr-review/scripts/prepare-worktree.py + - .claude/skills/pr-review/scripts/summarize-pr.py + - .claude/skills/presentation-task + - .claude/skills/presentation-task/SKILL.md + - .claude/skills/repo-content-audit + - .claude/skills/repo-content-audit/SKILL.md + - .claude/skills/risk-specialist + - .claude/skills/risk-specialist/SKILL.md + - .claude/skills/risk-specialist/template.md + - .claude/skills/spike-specialist + - .claude/skills/spike-specialist/SKILL.md + - .claude/skills/spike-specialist/template.md + - .claude/skills/start-work + - .claude/skills/start-work/SKILL.md + - .claude/skills/story-specialist + - .claude/skills/story-specialist/SKILL.md + - .claude/skills/story-specialist/template.md + - .claude/skills/task-specialist + - .claude/skills/task-specialist/SKILL.md + - .claude/skills/task-specialist/subtask-template.md + - .claude/skills/task-specialist/template.md + - .claude/skills/ticket-specialist + - .claude/skills/ticket-specialist/SKILL.md + - .claude/skills/ticket-specialist/template.md + deployed_file_hashes: + .claude/commands/README.md: sha256:16590c1ab4d3d7951a45c658820f7c4c0a15614c097036e755db19d507101b54 + .claude/commands/check.agent.md: 
sha256:52b16cecb3d6bf6eab22719ad5dd38b48c6d256999357380030d94c63aa5722b + .claude/commands/finish-work.md: sha256:f691b40f23d7448cadd401f4ac1f4decb949bac5fdf613f1ef4f99eeb4d25551 + .claude/commands/ignite.agent.md: sha256:9a4ad41ecfd1dcdc0869915c78ef83d1d83ba84468823cc61422a5e0aa92b2be + .claude/commands/myissues.md: sha256:c5362d404b414889f7ac1164dd02e7e724035ddfc4649b8fe4107a91636dcfdb + .claude/commands/ship.md: sha256:07c5c6fbbc435f4ca6e483ec194315048232169cd73a726943f5d4ebc4dbc510 + .claude/commands/start-work.md: sha256:ab478063f91186f9c699bb078c6f882af1d91062e5a63e1446389461cf8571bd + .claude/commands/summary.md: sha256:b24e88903ff264b5372e6da1ba35bf1e6cdb1c92991ecd1dc7748850ce47de14 + .claude/skills/bug-specialist/SKILL.md: sha256:8e495543432b1dca2bcecca779f22ba99ad54ba3b3cfe64324b2ea301457f395 + .claude/skills/bug-specialist/template.md: sha256:89a9a84336a9b4ba9b3c8f99b84290d740bfec3f3e5cac08df4a340821e86883 + .claude/skills/epic-specialist/SKILL.md: sha256:6de0adee82bb948b2c66226ab69be629fc45385c1260a19f864d1cb13e77eff4 + .claude/skills/epic-specialist/template.md: sha256:3af6fce02318b34367b0457bdd94a8b1a3b32d1255a02c18bcf23337f3401aee + .claude/skills/f2f-daily-summary/SKILL.md: sha256:aa19a7de684a83d311db7458606a57782fddce722b335afdb34956366b977214 + .claude/skills/f2f-epic-specialist/SKILL.md: sha256:46a9849c0d6c0291afe1a60f523a90c7065a89dfffa0cab7c8efe0182a114a62 + .claude/skills/feature-specialist/SKILL.md: sha256:75d066970df1fcecf0c235b0a895074fba721deca1be8d55ddf9fca826dea597 + .claude/skills/feature-specialist/template.md: sha256:b2ccbcc39b804926374860462805cf22386f7faa83b091f9a76c0bfa95724fe6 + .claude/skills/finish-work/SKILL.md: sha256:917ed4cfe492e21c1561e6e0ffd75e93aff1db03c6ea39ae986535c99c9414da + .claude/skills/init-context-docs/SKILL.md: sha256:5b21d07553143d07ea10d76f36660113b59505827ec82b6c09e66b22cf03a8a9 + .claude/skills/init-context-docs/checklists/agents-md-checklist.md: 
sha256:5742c40b4da8efda31ca53dab654f6f808a9108f8ca4da9e9daa834c4d750870 + .claude/skills/init-context-docs/checklists/claude-md-checklist.md: sha256:a3a2558f71713492ae16afdd5a57d07219247ecb173f43a83d6966c203311e5e + .claude/skills/init-context-docs/checklists/guideline-checklist.md: sha256:21112ba1387ff72875e391cb5557b880e3bb36f96c59e54373615cbc43156861 + .claude/skills/init-context-docs/checklists/readme-checklist.md: sha256:729ca7358922ab15523b49446686062f8e7f6179de8fa5fa31645c1eba80a43b + .claude/skills/init-context-docs/scripts/automated-checks.sh: sha256:147a6ee18ba6eed2b44524f972036bb5f0b2f31636381410ef723423a29bf3b3 + .claude/skills/initiative-specialist/SKILL.md: sha256:b8d2ffdf9d0b1bfba65ffe07afe931e97eda97a6eed28d6b53504d821c825be0 + .claude/skills/initiative-specialist/template.md: sha256:4347f823a0adb3a1849527e01795c587bc2433fa19e65b811ff4642cdbc8e4c1 + .claude/skills/jira-create/SKILL.md: sha256:ecc03788672c8d70d03894b7261ad607697eb6e9f33d05a3b23d347ca86fe762 + .claude/skills/jira-report/SKILL.md: sha256:361ecf61240446387863cc76b1fefe8ac44606c0534dcae5030411c37ba982dd + .claude/skills/jira-report/issue-review-template.md: sha256:95158326b8481d85c2dcdc2d623f56cfdc937fbcfe0736deab535bb204132b17 + .claude/skills/jira-report/listing-by-component-template.md: sha256:05eb9bd545ca234a51dfc0a10d3f75fe375af08937903948e3baccbe9df266f6 + .claude/skills/jira-report/listing-by-team-template.md: sha256:6f79e956a04fa86d6e778140116016ca05e49f90d892162313219ab20b2b2859 + .claude/skills/jira-report/listing-by-worktype-template.md: sha256:5c2a150447d5dd135c5f4e3e5abe166888ffee1eb62f3babdf8d4e6cafc1482f + .claude/skills/jira-specialist/SKILL.md: sha256:113863a874d14fd14b32e67cc0bf8c1deb0793b175983f2cafb5b3d3f280a5c7 + .claude/skills/jira-specialist/activity-types.md: sha256:5dd68c83020ef65e149b327045f2dcab4ebce34f631137f6870c91e27be63771 + .claude/skills/opencode-setup/SKILL.md: sha256:8b5e583db11153de441e06d67c51640339baee4410f871d7bf4e3e987dc41065 + 
.claude/skills/outcome-specialist/SKILL.md: sha256:3fe80670715a7ebc9c4b075483ecc5a4b461cec73d05bbefd14d08abcc6fad94 + .claude/skills/outcome-specialist/strategic-goal-template.md: sha256:12c57fd6290eb910cf71ab9f01eb423f3e673123fc2959472570c9721dc771bc + .claude/skills/outcome-specialist/template.md: sha256:540e172fe747e2e3e88e3ca524631253a3143eca22847c50dea3943678b8112b + .claude/skills/pr-fix/SKILL.md: sha256:c8cee134766c2a3fd6aa3049cacadf9195f9021811cd6f4c5631de15c684932c + .claude/skills/pr-review/README.md: sha256:6ca51a6dd33ec6e2daeae8e51542192965b528e2e6066ef5abe7cbf2211011d8 + .claude/skills/pr-review/SKILL.md: sha256:5e329fd1b6061ca7c28e73bbe4db7c0b0ca4cf084302dcf3b91f0b3a855fe456 + .claude/skills/pr-review/scripts/prepare-worktree.py: sha256:b7d5f8ca10bf2ffaa628e1756c6ff41f6688206e4f621308c8c93d34b0ddb29e + .claude/skills/pr-review/scripts/summarize-pr.py: sha256:9e9cffab19c616c42d3968f9e5202a1e81ba5b70e3f05f3ed83f55d98fa61b60 + .claude/skills/presentation-task/SKILL.md: sha256:aeae529c226b1ad827ec61b7455d6994c68181de769596a1a4c490858d7a454d + .claude/skills/repo-content-audit/SKILL.md: sha256:aed2caca2137d6ce29813c8c19577b518e92084b0a034526fd2edc87c28bdc74 + .claude/skills/risk-specialist/SKILL.md: sha256:4171d2d9bf6f9c89087c19db44075fa6fde5d0be04a05766fb63f17be556ebf3 + .claude/skills/risk-specialist/template.md: sha256:ed8bff435cf6999c52feaa3161f3dbaa534d8ce53df539793969af90b6158ddb + .claude/skills/spike-specialist/SKILL.md: sha256:1f1a045a92511b64eded58f49e4664cedf70f3bea921461ed03f15e6944c7b30 + .claude/skills/spike-specialist/template.md: sha256:71bd154b37bcd44741b973a577240cf37c59478f8ad80f211585e0932cece030 + .claude/skills/start-work/SKILL.md: sha256:ccf46077032f9c7d1297157db42ba911a425e2082481c263a40e9fb0ce2474fd + .claude/skills/story-specialist/SKILL.md: sha256:34b72416b7ad08781a2fb6d3601f5bf7463b8e8a8f1f068e1ad55425c831b54a + .claude/skills/story-specialist/template.md: sha256:8aa43d41295e8a6a7de2aee09efa8a5af8190fba1ff0c311e084f639a5d9c025 + 
.claude/skills/task-specialist/SKILL.md: sha256:a224f6ab25a4ee9ab38674e1ef21cf72f91777e0061c387601cdaf0c65dd8ca7 + .claude/skills/task-specialist/subtask-template.md: sha256:00d2d012be08757f8a3e8d27df2a487c3eaecb6e952e59555a91f186e2d67334 + .claude/skills/task-specialist/template.md: sha256:f58aaf8096e2c2ed1a7454e110ba724b648c66ed3bbf5e1d58eb6ebc0a0ef858 + .claude/skills/ticket-specialist/SKILL.md: sha256:73d8e779389ed48f0b4171d74affb6ad6b0654022d522265742c8cb82ee9a55a + .claude/skills/ticket-specialist/template.md: sha256:f4d89d4744136ea61c82e505922319e8c1969fdb00aa28ef57fb30150ad85f07 + content_hash: sha256:95881c265284aae336a8030d5240adf3f319ae4a567b415faf702b9730b18b90