From e6820bfa8ce4956f339ff40df911355a9751665c Mon Sep 17 00:00:00 2001 From: Claude Date: Tue, 2 Jun 2026 17:56:05 +0000 Subject: [PATCH] ci(no-js): add warn-first no-JS scan workflow Non-blocking companion to hypatia cicd_rules/javascript_detected; reports the hand-authored JS/TS surface for migration. Policy: standards docs/NO-JAVASCRIPT-SOURCE-POLICY.adoc. Warn-first. https://claude.ai/code/session_01CS2BLBL22WTTjmc1UmEGa2 --- .github/workflows/no-js-scan.yml | 96 ++++++++++++++++++++++++++++++++ 1 file changed, 96 insertions(+) create mode 100644 .github/workflows/no-js-scan.yml diff --git a/.github/workflows/no-js-scan.yml b/.github/workflows/no-js-scan.yml new file mode 100644 index 0000000..93d61f0 --- /dev/null +++ b/.github/workflows/no-js-scan.yml @@ -0,0 +1,96 @@ +# SPDX-License-Identifier: MPL-2.0 +name: No-JS Scan (warn-first) + +# Estate policy: no hand-authored JavaScript/TypeScript source +# (see standards docs/NO-JAVASCRIPT-SOURCE-POLICY.adoc). This workflow is +# WARN-FIRST: it reports the authored-JS surface for migration but never fails +# the build. The authoritative hard-block for NEW JS in non-carve-out paths is +# hypatia (cicd_rules/javascript_detected); this is an additive companion. + +on: + push: + paths: + - '**/*.js' + - '**/*.jsx' + - '**/*.mjs' + - '**/*.cjs' + - '**/*.ts' + - '**/*.tsx' + pull_request: + paths: + - '**/*.js' + - '**/*.jsx' + - '**/*.mjs' + - '**/*.cjs' + - '**/*.ts' + - '**/*.tsx' + +# Estate guardrail: cancel superseded runs (read-only check, no mutation). +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +permissions: + contents: read + +jobs: + scan-authored-js: + name: Scan for hand-authored JavaScript/TypeScript + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 + + - name: Report authored JS/TS (warn-first, non-blocking) + shell: bash + run: | + # Exclude only things that are NOT hand-authored source: vendored + # (node_modules, deps, vendor, .git), generated/compiled (*.res.js, + # *.res.mjs, lib/{js,es6,bs}, out, dist, .deno, generated/, *.min.js), + # and declaration headers (*.d.ts). Everything else is reported. + mapfile -t hits < <( + find . \ + \( -path './.git' -o -name node_modules -o -path '*/deps/*' \ + -o -path '*/vendor/*' -o -path '*/lib/js/*' -o -path '*/lib/es6/*' \ + -o -path '*/lib/bs/*' -o -path '*/out/*' -o -path '*/dist/*' \ + -o -path '*/.deno/*' -o -path '*/generated/*' \) -prune -o \ + -type f \ + \( -name '*.js' -o -name '*.jsx' -o -name '*.mjs' -o -name '*.cjs' \ + -o -name '*.ts' -o -name '*.tsx' \) \ + ! -name '*.res.js' ! -name '*.res.mjs' ! -name '*.min.js' ! -name '*.d.ts' \ + -print 2>/dev/null | sort || true + ) + + count=${#hits[@]} + + { + echo "# No-JS scan (warn-first)" + echo + echo "Estate policy: **no hand-authored JavaScript/TypeScript source.**" + echo "Destination is AffineScript -> typed-wasm, or Rust + Zig -> wasm." + echo "This check is **non-blocking** — it reports the migration surface only." + echo "Authoritative hard-block for new files: hypatia \`cicd_rules/javascript_detected\`." + echo "Policy: standards \`docs/NO-JAVASCRIPT-SOURCE-POLICY.adoc\`." + echo + echo "**Hand-authored JS/TS files found: ${count}**" + if [ "${count}" -gt 0 ]; then + echo + echo '| # | File |' + echo '|---|------|' + i=0 + for f in "${hits[@]}"; do + i=$((i + 1)) + echo "| ${i} | \`${f#./}\` |" + done + else + echo + echo "No hand-authored JavaScript/TypeScript found. :white_check_mark:" + fi + } >> "${GITHUB_STEP_SUMMARY}" + + if [ "${count}" -gt 0 ]; then + echo "::warning title=No-JS (warn-first)::${count} hand-authored JS/TS file(s) present. Estate target is AffineScript->typed-wasm / Rust+Zig->wasm. See standards docs/NO-JAVASCRIPT-SOURCE-POLICY.adoc (non-blocking)." + fi + + # Warn-first: never fail the build. + exit 0